September142007

IDTheft SIG Call Notes, Sept. 14, 2007

Attendees:
Robin Wilton
Kevin O’Neill
Abhilasha
Dave Weitzel
Eric Nelson
Britta Glade

Discussion about privacy/policy commonalities across reported breaches (following up from last week’s call).

Robin: things of general interest. Didn’t find anything on track with what we’ve talked about. Still in brainstorming mode. Robin’s done some blog links on his findings (Blogs.sun.com/racingsnake). Three perspectives: 1) New Zealand privacy commissioner—what to do in case of a data breach (nothing hugely different from Canadian guidelines)—it’s four steps….containment, analysis, quantify and notify, remediation in longer term to prevent happening again. Look at breach analysis from perspective of privacy commissioner. 2) Google privacy guidelines—the privacy legislation and regulatory model across the world is patchy. Unsure about what rights they have given it’s patchy. But there are more practical considerations. One of the things we could do is say “These are the practical issues we could state out directly and we haven’t seen them (consumers knowing where breach originates from, etc) ( European Data Privacy Commission (Peter Hustinx)—issued an “opinion” a few days ago—set out eight points of things people should be keeping an eye on, three relative to the IDTheft conversation. Stop complaining about it and implement it--think back to threat vector matrix. Global perspective needs to be taken to international data transfer. Member states should do more to ensure that individual information protected, beyond law enforcement requests (don’t assume they’ll do it all). Driver for this statement, we believe, was EU review of the data protection act.

Kevin: SB1386, remembers arguments from then. Debate around what crosses the line and produces data breach…..unaccounted for hardware? Some of these nuances continue to be brought up. Who decides what necessitates announcement….necessary remedial steps. IGF worth looking at as well.

Discussion around what really constitutes a breach.

Difference between threat analysis and vulnerability analysis.

Kevin sent through paper on value concise design: http://michaelzimmer.org/dissertation/

The Quest for the Perfect Search Engine: Values, Technical Design, and the Flow of Personal Information in Spheres of Mobility
(download PDF version of this abstract here)
David W. sent through some materials:
1. http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm (EU Data Protection Commission information)
2. http://www.ico.gov.uk/about_us/news_and_views/current_topics/Surveillance_society_report.aspx (Surveillance Society report)
3. http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf
4. http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

Robin sent through the following from CDT as a resource:
http://www.cdt.org/privacy/eudirective/

Discussion about the surveillance aspects of this—if someone opts out and does something bad, where does that fall (ecommerce example).

Discussion about UK identity work and identity repository.

Discussion about setting up a PPEG sub-team to advance some of this work and contribute to discussion on this topic. They define topics of interest and then do that work with folks.

I3P and Identity and Privacy would be interested in working on this. Discussion about ITUT and massive amounts of work they’ve done here. Tony R.—invite him to present on this to IDTheft SIG. Seemed of interest to the group. Britta to arrange.

Discussion—where is there disconnect within organizations in understanding identity implications? From a technical, legal and business standpoint.

Question: to what extent does open source community take into consideration privacy and security issues in a critical infrastructure.

Invite CDT folks on the call? There’s probably an interesting discussion brewing here.