ietf

Re: Last Call: <draft-farrell-perpass-attack-02.txt> (Pervasive Monitoring is an Attack) to Best Current Practice

2013-12-16 12:48:58
On Mon, Dec 16, 2013 at 01:35:58PM -0500, Sam Hartman wrote:
"Bjoern" == Bjoern Hoehrmann <derhoermi(_at_)gmx(_dot_)net> writes:

    Bjoern> tell, is telling us that Google Analytics is an attack. The

So, our threat model has included passive monitoring basically since we
first wrote it down.

Yes, but that doesn't rule out Google Analytics, as long as the user
knows about it and desires it, right?  

I think, therefore, this bit needs an addition:

   For the purposes of this BCP "pervasive monitoring" means very
   widespread privacy-invasive gathering of protocol artefacts including
   application content, protocol meta-data (such as headers) or keys
   used to secure protocols.  Other forms of traffic analysis, for
   example, correlation, timing or measuring packet sizes can also be
   used for pervasive monitoring.

Adding the sentence, "In addition, to qualify as pervasive monitoring,
the activity should be either unknown to or unwelcome by the target of
the monitor," would make the difference explicit.

Best regards,

A

-- 
Andrew Sullivan
ajs(_at_)anvilwalrusden(_dot_)com
