[STDS-802-Privacy] IEEE 802E Privacy teleconferences
Teleconferences to discuss P802E will be held:
24th February 2016 10.00 am Pacific Time (1 pm Eastern)
9th March 2016 10.00 am Pacific Time (1 pm Eastern)
Webex and dial-in details will be circulated to the email lists nearer
the date.
It is anticipated that our editor, Jerome Henry, will prepare an early
draft, following the structural outlines discussed in the evening
session at the recent face to face (18th Jan), and that this draft will
help structure the teleconference discussions, as we move from
generalities to what we will be specifically writing in the Recommended
Practice.
Discussion of this draft will be the priority item on the agenda in the
24th February teleconference, but wider discussion on the reflector is
most welcome. Requests for presentation time to me directly, please. In
our first teleconference we will also discuss future teleconference
scheduling. We operate under a 30 day notice requirement for both
teleconference times and agenda.
Much of what was said in the January 18th discussion is already captured
in Jerome's presentation (pointer previously distributed to this email
list) and the other significant points of agreement will be captured in
the initial draft. However there were a few major points of rough
consensus that may help those who were not present and are planning
contributions:
1. We are focused on PII (Personally identifiable information) that is
in one or more of the following categories: (i)
specified/defined/created and used within an 802 standard; (ii)
specified etc. within an 802 standard and used by other standards; (iii)
specified etc. external to 802 standards but whose use is part of the
specified operation of an 802 standard [short form (i) 802 internal,
(ii) exported, (iii) imported]. This matches the Purpose of our PAR (...
promote a consistent approach by IEEE 802 protocol developers to
mitigate privacy threats ...), and does not take on the much bigger
subject of all the PII that might be carried as simple data by 802
technologies (except for identifying the need to support security with
confidentiality so that data is not exposed).
2. We adopt the same general approach as that of the IETF to the
complexity of the legal and non-technical aspects of privacy policy, and
indeed of the different understanding of the legal concept of privacy in
different jurisdictions. Our job is to clarify the technical
possibilities and what can be done (and how that can be clearly
expressed) by the developers of 802 technologies so that the users of
the protocols we specify retain control over PII, not whether exercising
that control is legally required (or indeed possibly prohibited) in
certain jurisdictions. [Juan Carlos, I think you had a very specific
piece of IETF text in mind when you were talking about this in the
meeting, beyond RFC 6973, can you provide a pointer, thanks].
3. It is easy when considering the challenges of retaining privacy in
the face of a sophisticated attacker (who can deploy a full range of
correlation and inference tools) to conclude that any attempt to ensure
privacy is futile. However, the usual security considerations apply: the goal is to
raise the cost/benefit ratio so far as the attacker is concerned, and
thus deter attacks. Moreover not all of the attackers of interest are so
powerful. We should not let the prospect of only being able to do a
little deter us from doing anything at all, and should focus on what can
be done.
Quite a number of those who have expressed interest in participating in
P802E have not previously had the opportunity of attending IEEE 802 face
to face meetings. All participants should be familiar with their
obligations under the IEEE-SA Policies & Procedures, and in particular
with the IEEE Patent Policy and the need to conduct all meetings
(including teleconferences) in compliance with all laws including
antitrust and competition laws. A presentation that provides a brief but
authoritative summary and also provides additional informative links
can be found at:
https://development.standards.ieee.org/myproject/Public/mytools/mob/slideset.ppt
Mick Seaman
Chair, IEEE 802.1 Security Task Group