
[STDS-802-Privacy] IEEE 802E Privacy teleconferences



Teleconferences to discuss P802E will be held:

24th February 2016 10.00 am Pacific Time (1 pm Eastern)

9th March 2016 10.00 am Pacific Time (1 pm Eastern)

Webex and dial-in details will be circulated to the email lists nearer the date.

It is anticipated that our editor, Jerome Henry, will prepare an early draft, following the structural outlines discussed in the evening session at the recent face to face (18th Jan), and that this draft will help structure the teleconference discussions, as we move from generalities to what we will be specifically writing in the Recommended Practice.

Discussion of this draft will be the priority item on the agenda in the 24th February teleconference, but wider discussion on the reflector is most welcome. Requests for presentation time to me directly, please. In our first teleconference we will also discuss future teleconference scheduling. We operate under a 30 day notice requirement for both teleconference times and agenda.

Much of what was said in the January 18th discussion is already captured in Jerome's presentation (pointer previously distributed to this email list) and the other significant points of agreement will be captured in the initial draft. However there were a few major points of rough consensus that may help those who were not present and are planning contributions:

1. We are focused on PII (Personally identifiable information) that is in one or more of the following categories: (i) specified/defined/created and used within an 802 standard; (ii) specified etc. within an 802 standard and used by other standards; (iii) specified etc. external to 802 standards but whose use is part of the specified operation of an 802 standard [short form (i) 802 internal, (ii) exported, (iii) imported]. This matches the Purpose of our PAR (... promote a consistent approach by IEEE 802 protocol developers to mitigate privacy threats ...), and does not take on the much bigger subject of all the PII that might be carried as simple data by 802 technologies (except for identifying the need to support security with confidentiality so that data is not exposed).

2. We adopt the same general approach as that of the IETF to the complexity of the legal and non-technical aspects of privacy policy, and indeed of the different understanding of the legal concept of privacy in different jurisdictions. Our job is to clarify the technical possibilities and what can be done (and how that can be clearly expressed) by the developers of 802 technologies so that the users of the protocols we specify retain control over PII, not whether exercising that control is legally required (or indeed possibly prohibited) in certain jurisdictions. [Juan Carlos, I think you had a very specific piece of IETF text in mind when you were talking about this in the meeting, beyond RFC 6973, can you provide a pointer, thanks].

3. It is easy, when considering the challenges of retaining privacy in the face of a sophisticated attacker (who can deploy a full range of correlation and inference tools), to conclude that any attempt to ensure privacy is futile. However, the usual security considerations apply: the goal is to raise the cost/benefit ratio so far as the attacker is concerned, and thus deter attacks. Moreover, not all of the attackers of interest are so powerful. We should not let the prospect of only being able to do a little deter us from doing anything at all, and should focus on what can be done.

Quite a number of those who have expressed interest in participating in P802E have not previously had the opportunity of attending IEEE 802 face to face meetings. All participants should be familiar with their obligations under the IEEE-SA Policies & Procedures, and in particular with the IEEE Patent Policy and the need to conduct all meetings (including teleconferences) in compliance with all laws including antitrust and competition laws. A presentation that provides a brief but authoritative summary and also provides additional informative links can be found at:

https://development.standards.ieee.org/myproject/Public/mytools/mob/slideset.ppt

Mick Seaman
Chair, IEEE 802.1 Security Task Group