P3WG Meeting Minutes 2009-09-18

Kantara Initiative Privacy & Public Policy Teleconference

Date and Time

  • Date: Friday, Sept. 18, 2009
  • Time: 8 PDT | 11 EDT | 15:00 UTC

Meeting Minute Status

Working Draft

This page is a Working Draft subject to further revision and has not yet been approved by the Privacy & Public Policy Work Group.

Attendees

  • Jeff Stollman
  • Bob Pinheiro
  • Colin Soutar
  • Mark Lizar was unable to connect

QUORUM was not met

Apologies

  • Iain Henderson
  • Susan Landau
  • Robin Wilton

Minutes

ICAM letter status (Jeff)
  • ICAM’s announcement
  • Ballot Results
  • Next actions
    • Operating Procedures, section 3.7, which states: All Participants present at a WG meeting are voting members of the WG. For the purpose of maintaining a reasonable ability to achieve Quorum, any Participant in a WG who fails to attend two consecutive meetings of the WG may, at the discretion of the Chair, be re-classified as a non-voting member. Voting member status may be reacquired by attending a meeting of the WG. In the case of an electronic vote of the WG, if the electronic vote occurs while a Participant is in non-voting status, the Participant may not vote in that electronic vote.
    • ACTION ITEM: Chair to contact those who are not in compliance to clarify voting intentions. Results to be displayed in our “Roster” section.
    • Recommendation to add an “observer status” option to the GPA. Several voiced interest in participating in the WG but not desiring vote status at this point.
    • ACTION ITEM: Britta is already sending these recommendations to the LC chair, as a result of them having been brought up in an IAWG call (DONE).
US Federal Trade Commission (FTC) Privacy Roundtable 07 DEC in Washington, DC (Mark Lizar)
  • FTC’s Focus
    • What risks, concerns, and benefits arise from the collection, sharing, and use of consumer information? For example, consider the risks and/or benefits of information practices in the following contexts: retail or other commercial environments involving a direct consumer-business relationship; data broker and other business-to-business environments involving no direct consumer relationship; platform environments involving information sharing with third party application developers; the mobile environment; social networking sites; behavioral advertising; cloud computing services; services that collect sensitive data, such as information about adolescents or children, financial or health information, or location data; and any other contexts you wish to address.
    • Jeff: We should submit a recommendation that FTC develop a methodology/metrics for measuring risk of improper use of Personally Identifiable Information (PII).
      • Physical harm (e.g., from government or rebel groups)
      • Financial harm (e.g., from governments, criminals)
      • Reputational harm
      • National security
    • Risk needs to be measured at a data item level, not merely PII as a class
    • ACTION ITEM (Jeff): I’ll create a draft description of this recommendation and post it/distribute it to group for review and comment.
      • Are there commonly understood or recognized consumer expectations about how information concerning consumers is collected and used? Do consumers have certain general expectations about the collection and use of their information when they browse the Internet, participate in social networking services, obtain products from retailers both online and offline, or use mobile communications devices? Is there empirical data that allows us reliably to measure any such consumer expectations? How determinative should consumer expectations be in developing policies about privacy?
      • Bob: Let’s find out what other countries are doing, since they are ahead of the US.
      • Colin: Other countries are mostly looking at PII as a class and concerning themselves with inappropriate disclosure, not with risk associated with disclosure.
        • Do the existing legal requirements and self-regulatory regimes in the United States today adequately protect consumer privacy interests? If not, what are the particular privacy interests that warrant increased protection? How have changes in technology, and in the way consumer data is collected, stored, and shared, affected consumer privacy? What are the costs, benefits, and feasibility of technological innovations, such as browser-based controls, that enable consumers to exercise control over information collection? How might increased privacy protections affect technological innovation?
      • Jeff: Recommend standardization of privacy policies, to make them easier to evaluate. If policies had a standard menu, they could be easily and rapidly evaluated and compared. For example,
        • A checklist could be given for what data items are collected.
        • A second section could detail whether the information was disclosed to other departments of the same company, partner companies, third-party aggregators, third-party enterprises, government, etc.
        • A third section might include opt-in/opt-out information for releasing particular data.
      • Jeff: I’ll create a draft description of this recommendation and post it/distribute it to group for review and comment.
      • File a comment?
        • Bob: Valuable to develop a position paper. Concerned about resources to develop the papers.
        • Colin: Like to contribute, but need someone to lead the effort.
        • ACTION ITEM: As noted above, Jeff will create draft descriptions of recommendations for both risk analysis methodology and standardization of privacy policies and post them/distribute them to group for review and comment.
      • Panelist Participation?
        • Jeff: I would be willing to represent position paper as a panelist, since I live close to DC.
Las Vegas Plenary Report (Jeff)
  • Broadening Participation
    • Government outreach
      • Judy Spencer
      • Dave Temoshok
      • EU ENISA
      • UK Information Commissioner's Office (RW task?)
      • Deborah Diener, US Internal Revenue Service (Brett)
      • Dawn Wiggins, US Social Security Administration (Brett)
      • Naomi Lefkovitz, US Federal Trade Commission (Brett)
      • Jim Lewis (Brett)
      • Lee Tien, EFF (Brett)
      • Ari Schwartz (Brett)
      • other suitable EU candidates (e.g. from PrimeLife or other projects)
      • Paul Hasson (CPO - US Visit) (RW task)
    • eGov WG and P3 outreach (Jeff)
      • We agreed to work with eGov to identify candidates and determine which group would take the lead in pursuing government officials so as not to overwhelm them or confuse the issue.
        • Generally, higher officials would probably be pursued by eGov, while P3 would pursue people more on the implementation level.
      • CPO outreach (Robin)
        • Robin believes that we need to pursue CPO participation from commercial enterprises (including Kantara members)
        • We are open to comments and suggestions here.
          • Bob: We might need to define responsibilities of participants so they know what they are getting into if they join.
          • Bob & Colin: We will need to define what Kantara membership offers to participants to lure people to join us.
    • Liaison with VPI and eGov (IAW was not in attendance)
      • Scenario specification
      • Looking at Iain’s car buying scenario as a first example
        • We need to decide on a venue for this, since regulations impact the flow. Current thinking is the UK.
        • Once we develop a model, we can iterate for other localities to determine what changes occur and the impact of these changes.
      • Want to look at it from multiple perspectives
        • Subject
        • Identity Provider
        • Relying Party
        • Criminal
        • Bad government
        • Benign government
        • Data aggregator
          • Bob: Concerned about IP issues when different IP policies are in place between eGov, VPI, and P3.
    • Robin will transcribe and publish notes from the Plenary sessions
Call Schedule
  • Migrate to weekly calls
  • Maintain the same call schedule to avoid confusion
    • 15:00 UTC / 11:00 EDT / 08:00 PDT / 03:00 New Zealand (Friday)
  • New calls will begin on Thursday 24 SEP
  • Bob: Can we cut down on calls with some way to focus on issues?
Kantara should create a matrix of mandates of different groups
  • Could include charters, call times, IP policy, etc.
Tabled until next call
  • Collaboration site URL (Randy van der Hoof)
  • Comparison of US/UK LoA (Patrick Curry)
  • Broadening P3-wg participation
  • Funding ideas (Robin)
    • SmartCard Alliance meeting (Randy)
  • Vice-chair & secretary nominations (Robin)
Action Items
  • Robin:
    • Develop matrix of which members attended/failed to attend recent calls.
    • Contact those who are not in compliance to clarify voting intentions. Results to be displayed in our “Roster” section.
    • Schedule next call and arrange conference bridge for Thursday 25 SEP @ 15:00 UTC and continuing weekly after that at the same time.
    • Pursue outreach to government officials identified in Item 4.A.i.1 above.
    • Pursue outreach to government officials identified in Item 4.A.i.2 above.
  • Jeff
    • Create draft descriptions of recommendations for risk analysis methodology and post it/distribute it to group for review and comment.
    • Create draft descriptions of recommendations for standardization of privacy policies and post it/distribute it to group for review and comment.
  • Brett
    • Pursue outreach to government officials identified in Item 4.A.i.1 above.
  • Iain
    • Present car-buying scenario to P3wg when initial draft is completed.

Next Meeting

  • Date: Thursday, Sept. 24, 2009
  • Time: 8:00 PDT | 11:00 EDT | 15:00 UTC (Time Chart)
    Dial-in details:
  • US/Canada toll-free number: 1.866.305.1460
  • Direct dial (toll) number: +1.416.620.1296
  • Attendee Code: 9247530
  • International toll-free numbers:
    o UK: 0800 917 5847
    o Netherlands: 08002659007
    o Belgium: 080079491
    o Japan: 00531160345
    These toll-free numbers are generously provided by BIPAC.