Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

Re: [STDS-802-Privacy] IEEE 802E Privacy teleconferences



Thank you Mick for this very helpful overview.

A couple of very small comments below.

Christine Runnegar

> On 1 Feb 2016, at 4:37 AM, Juan Zuniga <j.c.zuniga@xxxxxxxx> wrote:
> 
> Hello Mick,
> 
> Comments in-line:
> 
> 
>> From: Mick Seaman <mickseaman@xxxxxxxxxxxxx>
>> Date: January 22, 2016 at 18:02:16 GMT-5
>> To: STDS-802-PRIVACY@xxxxxxxxxxxxxxxxx
>> Subject: [STDS-802-Privacy] IEEE 802E Privacy teleconferences
>> Reply-To: Mick Seaman <mickseaman@xxxxxxxxxxxxx>
>> 
>> Teleconferences to discuss P802E will be held:
>> 
>> 24th February 2016 10.00 am Pacific Time (1 pm Eastern)
>> 
>> 9th March 2016 10.00 am Pacific Time (1 pm Eastern)
>> 
>> Webex and dial-in details will be circulated to the email lists nearer the date.
>> 
>> It is anticipated that our editor, Jerome Henry,  will prepare an early draft, following the structural outlines discussed in the evening session at the recent face to face (18th Jan), and that this draft will help structure the teleconference discussions, as we move from generalities to what we will be specifically writing in the Recommended Practice.
>> 
>> Discussion of this draft will be the priority item on the agenda in the 24th February teleconference, but wider discussion on the reflector is most welcome. Requests for presentation time to me directly, please. In our first teleconference  we will also discuss future teleconference scheduling. We operate under a 30 day notice requirement for both teleconference times and agenda.
>> 
>> Much of what was said in the January 18th discussion is already captured in Jerome's presentation (pointer previously distributed to this email list) and the other significant points of agreement will be captured in the initial draft. However there were a few major points of rough consensus that may help those who were not present and are planning contributions:
>> 
>> 1. We are focused on PII (Personally identifiable information) that is in or or more of the following categories:  (i) specified/defined/created  and used within an 802 standard; (ii) specified etc. within an 802 standard and used by other standards (iii) specified etc. external to 802 standards but whose use is part of the specified operation of an 802 standard [short form (i) 802 internal, (ii) exported, (iii) imported]. This matches the Purpose of our PAR (... promote a consistent approach by IEEE 802 protocol developers to mitigate privacy threats ...), and does not take on the much bigger subject of all the PIII that might be carried as simple data by 802 technologies (except for identifying the need to support security with confidentiality so that data is not exposed).

I would like to know more (on the call next week) about the focus on PII rather than “personal data” or “personal information”. PII is very familiar terminology in the US, but less so in other jurisdictions. 

Also, while it is important to understand what privacy is to be able to standardise recommended practice for privacy considerations of IEEE 802 technologies and to appreciate the broader privacy considerations, I think you are right to confine this work to identifying and mitigating specific privacy threats associated with an 802 standard. 
>> 
>> 2. We adopt the same general approach as that of the IETF to the complexity of the legal and non-technical aspects of privacy policy, and indeed of the different understanding of the legal concept of privacy in different jurisdictions. Our job is to clarify the technical possibilities and what can be done (and how that can be clearly expressed) by the developers of 802 technologies so that the users of the protocols we specify retain control over PII, not whether exercising that control is legally required (or indeed possibly prohibited) in certain jurisdictions. [Juan Carlos, I think you had a very specific piece of IETF text in mind when you were talking about this in the meeting, beyond RFC 6973, can you provide a pointer, thanks].
> Yes. What I mentioned at the meeting was that we can adopt an approach along the lines of what it is mentioned in RFC 7258. We should mitigate the privacy threats strictly from the technical point of view (e.g. protecting PIIs), and regardless of the motivation of the attacker. If the attacker does it for criminal reasons, privacy-unfriendly commercial reasons, etc. and legally or illegally, it is irrelevant. The actions of the attacker are technically indistinguishable and we should mitigate them in the same way. 

I agree with Juan Carlos that the group’s approach should be mitigation of privacy threats, regardless of what the motivation of a potential attacker may or may not be.

> 
> Juan-Carlos 
> 
>> 
>> 
>> 3. It is easy when considering the challenges of retaining privacy in the face of a sophisticated attacker (who can deploy a full range of correlation and inference tools) that any attempt to ensure privacy is futile. However the usual security considerations apply, the goal is to raise the cost/benefit ratio so far as the attacker is concerned, and thus deter attacks. Moreover not all of the attackers of interest are so powerful. We should not let the prospect of only being able to do a little deter us from doing anything at all, and should focus on what can be done.

Yes, even small changes can make a difference.
>> 
>> Quite a number of those who have expressed interest in participating in P802E have not previously had the opportunity of attending IEEE 802 face to face meetings. All participants should be familiar with their obligations under the IEEE-SA Policies & Procedures, and in particular with the IEEE Patent Policy and the need to conduct all meetings (including teleconferences) in compliance with all laws including antitrust and competition laws. A presentation that provides a brief but authoritative summary  and also provides additional informative links can be found at:
>> 
>> https://development.standards.ieee.org/myproject/Public/mytools/mob/slideset.ppt
>> 
>> Mick Seaman
>> Chair, IEEE 802.1 Security Task Group