Re: ISSUE-235 (Auditability requirement for security)

David - I believe many of us agree and that's why we feel this statement is worthless in the document and creates the perception it's more than what you've stated below.  Any technical process can be audited - it's redundant to state that.
- Shane

Shane Wiley
VP, Privacy & Data Governance
Yahoo

From: David Singer <singer@mac.com>
To: Tracking Protection Working Group <public-tracking@w3.org>
Sent: Thursday, November 20, 2014 2:54 AM
Subject: Re: ISSUE-235 (Auditability requirement for security)

I guess it’s out for CfO so this may be pointless, but I think it’s worth pointing out that it may be immaterial what we say about auditability.

We have a clear requirement that data collected for a permitted use is only used for that use.

So, imagine a company that appears it may be mis-using the data.  Someone — a researcher, a member of government, a regulator, a court, whoever — asks “so, why should we believe that you adhere to the requirement?”.  At some point, if life gets tough enough, they’re going to have to show to that person’s satisfaction that they follow the requirement. That is, in effect, an audit. Their need to be able to show this seems entirely independent of whether or not we have language to require auditability, doesn’t it?

Dave Singer
singer@mac.com

Received on Thursday, 20 November 2014 16:46:35 UTC