RE: ACTION-371: text defining de-identified data from Rob van Eijk on 2013-03-13 (public-tracking@w3.org from March 2013)

From: Rob van Eijk <rob@blaeu.com>
Date: Wed, 13 Mar 2013 13:56:58 +0100
To: <public-tracking@w3.org>
Message-ID: <e10854c1b32d5fdb50efc935bf6ef3a2@xs4all.nl>
Dan, Kevin,

I would really want the unlinkability in there as well. I propose to 
add the text:  made unlinkable

Normative text: Data can be considered sufficiently de-identified to 
the extent that it has been deleted, made unlinkable, modified, 
aggregated, anonymized or otherwise manipulated in order to achieve a 
reasonable level of justified confidence that the data cannot reasonably 
be used to infer information about, or otherwise be linked to, a 
particular user, user agent, computer or device.


In terms of privacy by design, de-identification through unlinkability 
is the strongest form of de-identtification IMHO.

Rob

Kevin Kiley schreef op 2013-03-12 19:03:
> Dan,
> 
> In case I wasn't being clear in my last post, I (personally) believe 
> that
> 
> User-agent should *NOT* be removed from the proposed text.
> 
> I actually don't think it would do any harm to *ADD* the word 
> 'Computer'
> 
> as well ( which is present in the current FTC definition ) so it
> reads like this…
> 
> Normative text:
> 
> Data can be considered sufficiently de-identified to the extent that 
> it
> 
> has been deleted, modified, aggregated, anonymized or otherwise
> 
> manipulated in order to achieve a reasonable level of justified
> 
> confidence that the data cannot reasonably be used to infer 
> information
> 
> about, or otherwise be linked to, a particular user, user agent,
> computer or device.
> 
> I think that covers it pretty well, and *NO* 'clarifying text' is 
> necessary.
> 
> Just my 2 cents.
> 
> Kevin Kiley
> 
> Previous message(s)…
> 
> Dan,
> 
> Perhaps you can add text clarifying this perspective or, much like
> the FTC, suffice with "device" which I believe more than covers what
> you're looking for here.
> 
> - Shane
> 
> From: Dan Auerbach [mailto:dan@eff.org]
> 
> Sent: Tuesday, March 12, 2013 8:57 AM
> 
> To: public-tracking@w3.org
> 
> Subject: Re: ACTION-371: text defining de-identified data
> 
> Shane and Kevin -- The phrase "user agent" in the text is intended to
> refer to a particular user agent (not "Chrome 26" but rather "the
> browser running on Dan's laptop". I hoped that would be clear from
> context, but if it's not we can clarify. I may not be able to identify
> your device per se, but can identify that this is the same browser as
> I saw before. I think this is the case with using cookies, for
> example. It seems more accurate to me than lumping it all under
> "device", and appropriate since the text of our document is elsewhere
> focused on user agents, unlike the FTC text.
> 
> Best,
> 
> Dan
> 
> On 03/12/2013 12:19 AM, Kevin Kiley wrote:
> 
>>> Shane Wiley wrote...
> 
>>> I had removed "user agent" in the suggested edit as this could be 
>>> something as generic as "Chrome 26".
> 
> It can also be something VERY specific... and tell you a LOT about
> the Computer/OS/Device being used.
> 
> In the case of Mobile... it will pretty much tell you EXACTLY what
> 'Device' is being used.
> 
>>> The FTC likewise does not use "user agent" in their definition.
> 
> That's true... but BOTH definitions (W3C and FTC) currently mention
> 'Device'... and the FTC
> 
> reports go to great lengths about how important it is to exclude any
> knowledge of 'the Device'
> 
> from the de-identified data ( especially in the case of 'Mobile 
> Devices' ).
> 
> Kevin Kiley
Received on Wednesday, 13 March 2013 12:57:26 UTC