On 12/06/2015 12:24 AM, SM wrote:
> An attack on an organization is a security issue; it isn't a privacy issue. The privacy issue is about mail-related metadata which can be collected by state surveillance agencies. Will the proposed working group attempt to fix that?
Privacy is only about state surveillance? That seems to be a, um, remarkably narrow definition, and completely ignores the privacy issues that people usually get harmed by. Furthermore, state surveillance doesn't need to scrape headers, they just get the providers to reveal the contents of their logs, which no amount of header obfuscation can hide.
The NSA didn't get their 5 years worth of universal phone penlogs from tapping wires, they did it with taps right into the provider's equipment. No amount of on-the-wire fussing would have done a thing.
This harks back to a big investigation I was involved with in the late 1970s/early 80s[*], prompted by a huge public uproar over (supposed) LE access to medical information from Canada's (Ontario's) health insurance programme (and later spread to Workmen's Compensation).
Our investigation showed that there were indeed a few (on the order of a dozen or two) LE-related incidents, and as far as I remember, not one of them involved medical information (they were current address searches in order to serve warrants). The real problem was third-party private insurers accessing the full medical information of thousands of people (we proved out more than 5000 incidents with one insurer alone), which could result in severe financial or in some cases medical harm. At least one suicide resulted, probably more. Oh, and yes, some of the access claims were entirely bogus (e.g., claims of accessing information that didn't and couldn't exist), made up by people who were happy to lie to the journalists and get their own tiny bits of fame and a few beers.
The biggest fault with the charter is that there is no mandate whatsoever to explore/mention/define the risks (of either revealing the information or omitting it).
I can see a BCP on privacy protection arising out of this effort, but without any serious attempt to give the reader guidance on pro/con, it'll do more harm than good.
[*] The Royal Commission of Enquiry into the Confidentiality of Health Records in Ontario. I was the computer security consultant/advisor to the commission. The first "Krever Commission". Most Canadians will associate Justice Krever (Ontario Supreme Court judge) with the tainted blood Commission years later.
We plugged quite a few policy/procedural holes; the Ministry of Health got bruised and battered by it, but survived. A lot of really good things happened from that Commission and carried over to other jurisdictions and even other countries. I'm quite proud of my minor contributions.
_______________________________________________
Shutup mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/shutup
