That works for me… it's compatible with further discussion that doesn't result in changes to the draft's scope of contents.

R

Robin Wilton
Technical Outreach Director - Identity and Privacy
Internet Society

email: [email protected]
Phone: +44 705 005 2931
Twitter: @futureidentity

On 10 Aug 2012, at 10:43, Rhys Smith wrote:

> My 2c - as I said in my last message, I think the most the draft should do is
> mention that data perturbation is an option, and give links to further
> material. When we discuss anonymisation we don't go into detail about the
> various methods that can be used to achieve it. We shouldn't with this
> either. The draft is not about defining *how* to achieve privacy, but to
> discuss what privacy is, give an overview of ways of protecting it (but not
> in any detail), and to provide guidance on how to talk about privacy.
>
> There are various methods available to achieve the effect of "fuzzing" data,
> each of them fairly dependent on the domain in use. E.g. algorithms to
> achieve it across large data sets to achieve privacy of single tuples are
> completely different to those that achieve geographic privacy for a user for
> geo-located data, which are completely different to those attempting to
> achieve privacy by putting false traffic into something like an anonymisation
> network (e.g. Tor) to hinder traffic analysis, etc etc etc. So a full
> discussion about it would probably be a full journal paper in its own right.
> In fact, a full discussion about data perturbation per domain is a journal
> paper in its own right, or indeed, a whole class - cf.
> http://theory.stanford.edu/~nmishra/cs369-2004.html for statistical
> databases, the geopriv discussions for geographic information, etc.
>
> I'm very wary of introducing major new topics into the draft, given past
> feedback has been that it's already too complex. The privacy considerations
> draft needs to be kept as short and snappy as possible if it's going to have any
> chance of the IETF community reading it, understanding it, and using it.
>
> So my opinion, just to restate - is that the draft should mention that data
> perturbation is an option, and give links to further material. Couple of
> paras at most.
>
> R.
> --
> Dr Rhys Smith
> Identity, Access, and Middleware Specialist
> Cardiff University & Janet - the UK's education and research network
>
> email: [email protected] / [email protected]
> GPG: 0xDE2F024C
>
> On 10 Aug 2012, at 09:58, Robin Wilton wrote:
>
>> Hmm - but unacceptable to whom? There are definitely times when I am
>> perfectly comfortable self-asserting a false location. In fact, I'd go
>> further and say that in general, I have no use for location-based services…
>> To be honest, I think service providers often get the location-based
>> services argument the wrong way round; what's useful to me, as a user, is
>> the ability to go online and locate something (say, a restaurant) regardless
>> of *my* current location. (So, for instance, I can find out where my hotel
>> in San Diego for next week is, even though I'm in the UK.) I am less
>> interested in passively disclosing my location so that I can be told what is
>> in my immediate vicinity.
>>
>> I take Martin's point about location fuzzing: the fact that I state a false
>> location on Twitter won't fool someone who carefully monitors the times at
>> which I tweet… they will quickly figure out that either I often tweet at 3
>> in the morning, or I'm not where I claim to be. But I think we should be
>> careful about how we frame the problem and the potential goals. It is almost
>> certainly not realistic to aim to make it impossible for anyone to de-identify
>> any data about me: in privacy terms, it's more viable to aim to raise the
>> threshold of data needed for *some* third parties to infringe my privacy.
>> The EU Article 29 Working Group implies this with its findings on what
>> constitutes personal data. Their view is that some items of data (such as an
>> IP address) are sometimes personally identifiable and sometimes not,
>> depending on whether a third party is in a position to link them to other
>> data items. Thus, as far as my ISP is concerned, my IP address is easy to
>> link with a subscriber address… whereas to most other third parties, it is a
>> relatively fuzzy identifier.
>>
>> Bottom line: I'm not sure if the required action here is further research
>> work or changes to the draft, but I do think the problem would benefit from
>> being explored and defined more fully…
>>
>> HTH,
>> Robin
>>
>> Robin Wilton
>> Technical Outreach Director - Identity and Privacy
>> Internet Society
>>
>> email: [email protected]
>> Phone: +44 705 005 2931
>> Twitter: @futureidentity
>>
>> _______________________________________________
>> ietf-privacy mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/ietf-privacy
