I would use this discussion to provide some 'small' edits to the document. I would offer that to explain that the correlation of separate items of information will be used by those who wish to circumvent the privacy desires of a user fits within the document. This is then justification for using only the minimal amount of data needed for a specific function or protocol to help minimise the risk. Correlation also justifies the assertion of false information and therefore designers need to be aware of the existence of such false information.
Bryan

PS I agree this may also need further research. Perhaps there is need for personal 'misinformation' services. Just as there are products to switch your TV and/or lights on to infer you are at home to deter burglars? I would imagine that the value would come from intelligent rather than random misinformation? Only the justice authorities would need to know which were accurate and which were misinformation.

From: [email protected] [mailto:[email protected]] On Behalf Of Robin Wilton
Sent: 10 August 2012 09:58
To: [email protected]
Cc: [email protected]
Subject: Re: [ietf-privacy] New Version Notification for draft-iab-privacy-considerations-03.txt

Hmm - but unacceptable to whom? There are definitely times when I am perfectly comfortable self-asserting a false location. In fact, I'd go further and say that in general, I have no use for location-based services...

To be honest, I think service providers often get the location-based services argument the wrong way round; what's useful to me, as a user, is the ability to go online and locate something (say, a restaurant) regardless of *my* current location. (So, for instance, I can find out where my hotel in San Diego for next week is, even though I'm in the UK). I am less interested in passively disclosing my location so that I can be told what is in my immediate vicinity.

I take Martin's point about location fuzzing: the fact that I state a false location on Twitter won't fool someone who carefully monitors the times at which I tweet... they will quickly figure out that either I often tweet at 3 in the morning, or I'm not where I claim to be.

But I think we should be careful about how we frame the problem and the potential goals. It is almost certainly not realistic to aim to make it impossible for anyone to de-identify any data about me: in privacy terms, it's more viable to aim to raise the threshold of data needed for *some* third parties to infringe my privacy.
The EU Article 29 Working Group implies this with its findings on what constitutes personal data. Their view is that some items of data (such as an IP address) are sometimes personally identifiable and sometimes not, depending on whether a third party is in a position to link them to other data items. Thus, as far as my ISP is concerned, my IP address is easy to link with a subscriber address... whereas to most other third parties, it is a relatively fuzzy identifier.

Bottom line: I'm not sure if the required action here is further research work or changes to the draft, but I do think the problem would benefit from being explored and defined more fully...

HTH,
Robin

Robin Wilton
Technical Outreach Director - Identity and Privacy
Internet Society
email: [email protected]
Phone: +44 705 005 2931
Twitter: @futureidentity
_______________________________________________
ietf-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-privacy
