- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 5 Nov 2014 10:03:16 -0800
- To: Walter van Holst <walter.van.holst@xs4all.nl>
- Cc: Tracking Protection Working Group <public-tracking@w3.org>
On Nov 5, 2014, at 8:59 AM, Walter van Holst wrote:

> On 2014-11-05 17:15, David Singer wrote:
>> Audit-ability could as easily be process rather than data based, couldn’t it? An auditor could check what processes and procedures are defined, and that they are followed in practice.
>
> Anyone who has ever been in the remote vicinity of EDP audits will tell you that audits are first and foremost about process and if they are data based, they focus on data on the execution of the processes and not so much on the data itself. Because the data is at best relevant to a pure financial audit, which still would be worthless if the data cannot be relied on because the processes for maintaining its integrity weren't in place. When it comes to auditing whether data has or hasn't been shared the data itself is beyond useless because you can never tell who has had access to it. That's what process logs are for.
>
> Genuinely puzzled here,

Processes are inherently auditable, so your requirement is meaningless unless it also requires specific retention of data by the folks who are supposed to adhere to that requirement. If we agree that the process is what is audited, then your additional requirement serves no useful purpose and should not be added to the spec.

Many people can agree to requirements on financial audits because there are standards for how to do a financial audit and what records must be retained for that purpose. We don't have any standards for how to do a DNT audit. At best, we rely on regulators to create (and, more importantly, enforce) those standards over time. Regardless, it is not necessary to add requirements for them. Audits define their own requirements.

....Roy
Received on Wednesday, 5 November 2014 18:03:39 UTC