P3WG Meeting Notes 2013-01-10
P3WG Plenary Meeting 10 January 2013
Date and Time
- Date: Thursday, 10 January 2013
- Time: 08:00 PT | 11:00 ET | 16:00 UTC (time chart)
Dial in info: Skype: +99051000000481 North American Dial-In: +1-805-309-2350 Conference ID: 402-2737
Agenda
- Administration:
- Roll Call
- Agenda Confirmation
- Review minutes: P3WG Meeting Minutes 2012-10-04, P3WG Meeting Minutes 2012-10-18
- Privacy Assessment Criteria - update
- AOB
- Adjourn
Attendees
- Bill Braithwaite
- Myisha Frazier-McElveen
Quorum is 3 of 5 as of 10 January 2013
Staff
- Heather Flanagan (scribe)
Non-Voting
- Rich Furr
- Tom Smedinghoff
- Peter Capek
- Anna Slomovic (removed from quorum at her request)
- Colin Wallis
Apologies:
- Colin Soutar
- Peter Alterman
Minutes & Notes
Administration
Motion for minutes -
- Motions must be made by voting members; call not at quorum
Discussion
- Review of the Privacy Assessment Criteria
- 3.4.1 - Informed Consent = our intended audience is the CSP, and the list of what the CSP must do seems to be a bit much and probably impossible
- Anna: the problem with the notices now is that no one understands them and they are way too long; how else are we supposed to measure clarity, conciseness, and readability?
- Tom: other than 1 on that list, which seems rather broad, the others seem important
- ColinW: merge 2 and 3 together
- Tom: maybe 1 doesn't belong here at all, or it requires a lot more specificity; Anna: how does this interact with a notice that's supposed to come through the identity framework? if you don't understand how the CSP works, you don't know if the information it collects or discloses, how can you evaluate? you can't judge 2, 3, and 4 if you don't understand how the data is used
- Rich: part of my concern is that we're putting a burden on the CSP which should instead be handled by the RP; Anna: the CSP has its own data it collects, and at minimum it collects email, credential number, something it collects to provide a credential; Rich: the CSP provides the credential, but based on the identity proofing we've done, and other attribute providers will have different criteria that might need to be applied
- Bill: keeping in mind the purpose in doing this, we're looking at people who don't understand why information is being collected about them; we're looking at how to generate trust in users
- Peter: So what should our requirements say? Tom: just a sentence "describe how the CSP operates" is too broad to know how to meet the qualifications; if we can break this down somewhat "indicate if you use subcontractors, if you do this behavior or that one"; Peter: maybe it would be appropriate to include an example? Anna: a place to start is to understand the content of the notice that's already required under the IAF - there are requirements under the IAF about how this works - we should rely on that
- Myisha: agree, and coming back to Tom's point, what is the delta based on what's already been provided can be described in this section
- Peter: what course do we want to steer between precision and detail and giving information that people will actually pay attention to? Tom: also a practical question for the entity trying to comply, don't know if a sentence or paragraph is an adequate description, or if a 10-page monograph is appropriate? What is relevant to the user? Rich: CSPs should just say we are verifying that you are who you say you are, and we will be doing that verification in this way. Tom: that's a generic sentence that doesn't provide enough specifics to know what a CSP is doing; Anna: what about layered notices? we don't have to reinvent any of this
- Anna: how specific does this document have to be? Don't we have a Best Practices document we can reference? We never seem to get back the Notice and yet there is a lot more to review in this document
- Peter: would it be more helpful for Peter to just write the document and let people react to the different components? Yes
- Tom: what other questions were on the list? Peter: they were all similar to the above item and discussion
- Tom: we are still struggling with the higher policy level as to what this document is supposed to be
- Another area of concern: unique identifiers - Anna: why is the question of unique identifiers in this document?
- Peter: will post an update to the list prior to the next call
AOB
Next call
- Date: January 24, 2013
- Time: 08:00 PT | 11:00 ET | 15:00 UTC (time chart)
Dial in info: Skype: +99051000000481 North American Dial-In: +1-805-309-2350 Conference ID: 402-2737