On Jan 13, 2014, at 11:28 AM, Stephen Farrell
<stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie> wrote:
> It means
> that, if asked, there needs to be a good answer to the question "is
> pervasive monitoring relevant to this work and if so how has it been
> considered?"

Just a thought - that might be a good question to add to the shepherd's report.

In that case, I might suggest a minor change, however. We discuss "Pervasive
monitoring" in a "big brother is watching" sense, and (at least in perpass)
concern ourselves with data that could have been hidden had encryption or some
other code been used. I'll argue that, however dreadful Big Brother might be,
location-based services can be a lot scarier.
http://online.wsj.com/news/articles/SB10001424052702303453004579290632128929194?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052702303453004579290632128929194.html
Data point: a lot of these operate without specific knowledge of an individual,
but can. For example, the article talks a lot about aggregating information and
providing it without identifying information. However, it goes on to say that
if someone logs into a service using, for example, a Facebook identifier, they
can remain identified to the system as they wander around in it. The messages
themselves contain no identifying information per se, but they contain
information that can be correlated back to that login. And the login wasn't
"data in flight", it was "creating state with a service at rest".
So the question in the shepherd's report should not be "tell me you thought
about the EU Data Retention Initiative and whether your protocol's data
identifies an individual". It should be "what personal, equipment, or session
identifiers, encrypted or otherwise, are carried in your protocol? How might
they be correlated with offline data or otherwise used to infer the identity or
behavior of an individual?"