My 2c - as I said in my last message, I think the most the draft should do is mention that data perturbation is an option, and give links to further material. When we discuss anonymisation we don't go into detail about the various methods that can be used to achieve it. We shouldn't with this either. The draft is not about defining *how* to achieve privacy, but to discuss what privacy is, give an overview of ways of protecting it (but not in any detail), and to provide guidance on how to talk about privacy.
There are various methods available to achieve the effect of "fuzzing" data, each of them fairly dependent on the domain in use. E.g. algorithms to achieve it across large data sets to achieve privacy of single tuples are completely different to those that achieve geographic privacy for a user for geo-located data, which are completely different to those attempting to achieve privacy by putting false traffic into something like an anonymisation network (e.g. Tor) to hinder traffic analysis, etc etc etc. So a full discussion about it would probably be a full journal paper in its own right. In fact, a full discussion about data perturbation per domain is a journal paper in its own right, or indeed, a whole class - cf. http://theory.stanford.edu/~nmishra/cs369-2004.html for statistical databases, the geopriv discussions for geographic information, etc.

I'm very wary of introducing major new topics into the draft, given past feedback has been that it's already too complex. The privacy considerations draft needs to be kept as short and snappy as possible if it's going to have any chance of the IETF community reading it, understanding it, and using it.

So my opinion, just to restate - is that the draft should mention that data perturbation is an option, and give links to further material. Couple of paras at most.

R.

--
Dr Rhys Smith
Identity, Access, and Middleware Specialist
Cardiff University & Janet - the UK's education and research network
email: [email protected] / [email protected]
GPG: 0xDE2F024C

On 10 Aug 2012, at 09:58, Robin Wilton wrote:

> Hmm - but unacceptable to whom? There are definitely times when I am
> perfectly comfortable self-asserting a false location. In fact, I'd go
> further and say that in general, I have no use for location-based services…
> To be honest, I think service providers often get the location-based services
> argument the wrong way round; what's useful to me, as a user, is the ability
> to go online and locate something (say, a restaurant) regardless of *my*
> current location. (So, for instance, I can find out where my hotel in San
> Diego for next week is, even though I'm in the UK). I am less interested in
> passively disclosing my location so that I can be told what is in my
> immediate vicinity.
>
> I take Martin's point about location fuzzing: the fact that I state a false
> location on Twitter won't fool someone who carefully monitors the times at
> which I tweet… they will quickly figure out that either I often tweet at 3 in
> the morning, or I'm not where I claim to be. But I think we should be careful
> about how we frame the problem and the potential goals. It is almost
> certainly not realistic to aim to make it impossible for anyone to de-identify
> any data about me: in privacy terms, it's more viable to aim to raise the
> threshold of data needed for *some* third parties to infringe my privacy. The
> EU Article 29 Working Group implies this with its findings on what
> constitutes personal data. Their view is that some items of data (such as an
> IP address) are sometimes personally identifiable and sometimes not,
> depending on whether a third party is in a position to link them to other
> data items. Thus, as far as my ISP is concerned, my IP address is easy to
> link with a subscriber address… whereas to most other third parties, it is a
> relatively fuzzy identifier.
>
> Bottom line: I'm not sure if the required action here is further research
> work or changes to the draft, but I do think the problem would benefit from
> being explored and defined more fully…
>
> HTH,
> Robin
>
>
> Robin Wilton
> Technical Outreach Director - Identity and Privacy
> Internet Society
>
> email: [email protected]
> Phone: +44 705 005 2931
> Twitter: @futureidentity
>
> _______________________________________________
> ietf-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ietf-privacy
