Thanks for sharing this draft, it's an interesting read. A couple of questions kept cropping up for me while reading it. In particular: who is the audience for this draft and what do you intend to communicate to them?
If the intention is to provide an exhaustive listing of identifiers in particular, their legal status and potential privacy concerns, I think there are a few key pieces missing. While IP address cookies (persistent or session-based) and email address are good examples, there may be many other mechanisms for storing identifiers (the "evercookie" is a good example at the Web-level). I also think we should be cognizant of fingerprinting possibilities [0] when considering the privacy implications of identifiers -- user machines and user agents may be identifiable (with the same potential to correlate information about an individual) not because of the presence of a particular number transmitted by their device but because of the unique (or at least uncommon) combination of configuration variables. I'm also not sure the concept of privacy here is complete. I would personally disagree with emphasizing a dichotomy between the "private realm" and the Internet. Some theorists suggest that privacy is a societal quality rather than individual control, or that the value is in contextual integrity rather than just self-determination. I like the RFC 3365 reference, but would echo Hannes in adding the IAB Privacy Considerations draft [0] as another example. I also think the earlier draft from Morris/Davidson on Public Policy Considerations is worth looking at, it specifically calls out the creation of new persistent unique identifiers as a privacy risk in protocol design [1]. Finally, I suspect we could aggregate more legal questions and decisions if providing some legal context for protocol authors or implementers is the goal. (Offhand, I think there are some interesting positions taken by the US Department of Justice, or distinctions in the Electronic Communications Privacy Act, that would be relevant.) Kasey has suggested doing some of this work within the W3C Privacy Interest Group (PING). Thanks for prompting this interesting discussion! I'm hoping the W3C PING will continue to engage on some of these questions regarding advice for protocol authoring and may point them to this work. Thanks, Nick [0] https://panopticlick.eff.org/ [1] http://tools.ietf.org/html/draft-iab-privacy-considerations-03#section-4 [2] http://tools.ietf.org/id/draft-morris-policy-considerations-00.txt On Sep 2, 2012, at 4:18 PM, S Moonesamy <sm+i...@elandsys.com> wrote: > Hello, > > I would appreciate some feedback about draft-moonesamy-privacy-identifiers-00. > > Abstract: > The Internet provides the ability for information to be spread beyond > geographical boundaries at the speed of light. Once information is > available over the Internet it leaves the private realm. If the > information can be used to identify a person it can affect the > privacy of the individual. There are cases when it can increase the > physical risk to the individual or where it can have a negative > financial impact. Some types of information can be an embarassment > to an individual and negatively affect the person's reputation. > > This document discusses about whether Internet Identifiers and > Session Identifiers can be information about an individual and > whether consent is necessary. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-moonesamy-privacy-identifiers > > Regards, > S. Moonesamy > > _______________________________________________ > ietf-privacy mailing list > ietf-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/ietf-privacy _______________________________________________ ietf-privacy mailing list ietf-privacy@ietf.org https://www.ietf.org/mailman/listinfo/ietf-privacy
