W3C

Results of Questionnaire [Call for Objections] Auditability requirement

The results of this questionnaire are available to anybody. In addition, answers are sent to the following email address: team-tracking-chairs@w3.org

This questionnaire was open from 2014-11-19 to 2014-12-05.

5 answers have been received.

Jump to results for question:

  1. Objections to Option A: Remove auditability requirement from security section
  2. Objections to Option B: Add explanatory text for "auditable"

1. Objections to Option A: Remove auditability requirement from security section

Option A: Remove auditability requirement from security section

Remove the text below from the Reasonable Security section.

Third parties SHOULD ensure that the access and use of data retained for permitted uses is auditable.

If you have an objection to this option, please describe your objection, with clear and specific reasoning.

Details

Responder: David Singer
Objection: We object to this removal, although it is not strictly needed. Anyone claiming to comply with the rule that data retained for a permitted use is only used for that use, may at some point be challenged and will have to show that they comply -- whether or not this sentence is there. This sentence may state the obvious but it should stay.

Responder: Walter van Holst
Objection: Not having any obligation for an audit trail regarding access and use of data shifts the burden of proof to regulators and users. The onus for proving compliance with the specification should lie on the shoulders of those who claim compliance. Removal of this obligation would result in a loophole in the compliance specification.

Responder: Roy Fielding
Objection: (no objection entered)

Responder: Mike O'Neill
Objection: The requirement for auditability for permitted use is important because it underlines that the reason for ignoring DNT should be claimed only for the specific purpose, and must not be seen as a "get out of jail free" card. It is entirely reasonable that companies should be able to prove this, and removing the text requiring it is a bad signal that would reduce the credibility of DNT for users and companies.

Responder: Shane Wiley
Objection: The most reasonable path forward that maintains a tight focus on the core issues at hand and doesn't meaninglessly create ambiguity and legal uncertainty for implementors.

2. Objections to Option B: Add explanatory text for "auditable"

Option B: Add explanatory text for "auditable"

Retain existing text and add the following paragraph to the Reasonable Security section.

For the purposes of this recommendation, auditable is understood as having sufficient records of access and use of data retained such that an independent auditor would have a reasonable level of confidence that the data retained is exclusively used for the permitted uses or that breaches of this can be detected ex-post. For example, an auditor might use a similar level of confidence to that required for the organization's financial records.

If you have an objection to this option, please describe your objection, with clear and specific reasoning.

Details

Responder: David Singer
Objection: We mildly object to this text; we don't need to say how companies prove that they adhere to the rule. We just need to say that they may need to prove it (the existing text).

Overall, we prefer 'no change', which the poll doesn't offer.

Responder: Walter van Holst
Objection: (no objection entered)

Responder: Roy Fielding
Objection: I object to the existing text

"Third parties SHOULD ensure that the access and use of data retained for permitted uses is auditable."

with or without the additional explanatory text.

I have no idea how to implement such a thing. I see no need to require something that is essentially for the business's own benefit, assuming someone does come along with a standard method of auditing procedures for handling data marked as DNT:1.

This does not mean the business is less responsible for adhering to its own statements about DNT.

What I expect is that some party who claims to adhere to DNT will eventually be inspected by regulators and found wanting, and at that time the regulator will post a list of deficiencies that can be used by auditing companies as the basis for coming up with expected guidelines and procedures specific to DNT. Then, companies will be pressed by their own lawyers to make their processes auditable along the same lines. This will iterate and repeat over many years as regulators and businesses figure out the right balance between auditability and responsible data destruction (for privacy).

Responder: Mike O'Neill
Objection: (no objection entered)

Responder: Shane Wiley
Objection: This is unneeded as an element of the TCS. Regulators already have the tools needed to inspect companies they believe to be in violation of their privacy promises to users. The proposed language creates legal uncertainty for companies that anything they purge with the goal of data minimization in mind would now be subject to retention requirements for "auditability". This is a slippery slope with considerable complexity with little to no value in return.

More details on responses

  • David Singer: last responded on 3 December 2014 at 19:28 (UTC)
  • Walter van Holst: last responded on 3 December 2014 at 20:12 (UTC)
  • Roy Fielding: last responded on 3 December 2014 at 22:50 (UTC)
  • Mike O'Neill: last responded on 4 December 2014 at 14:41 (UTC)
  • Shane Wiley: last responded on 5 December 2014 at 08:43 (UTC)

Everybody has responded to this questionnaire.
