On Jan 13, 2014, at 11:28 AM, Stephen Farrell <stephen.farrell@xxxxxxxxx> wrote: > It means > that, if asked, there needs to be a good answer to the question "is > pervasive monitoring relevant to this work and if so how has it been > considered?" Just a thought - that might be a good question to add to the shepherd's report. In that case, I might suggest a minor change, however. We discuss "Pervasive monitoring" in a "big brother is watching" sense, and (at least in perpass) concern ourselves with data that could have been hidden had encryption or some other code used. I'll argue that, however dreadful Big Brother might be, location-based services can be a lot scarier. http://online.wsj.com/news/articles/SB10001424052702303453004579290632128929194?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052702303453004579290632128929194.html Data point: a lot of these operate without specific knowledge of an individual, but can. For example, the article talks a lot about aggregating information and providing it without identifying information. However, it goes on to say that if someone logs into a service using, for example, a Facebook identifier, they can remain identified to the system as they wander around in it. The messages themselves contain no identifying information per se, but they contain information that can be correlated back to that login. And the login wasn't "data in flight", it was "creating state with a service at rest". So the question in the shepherd's report should not be "tell me you thought about the EU Data Retention Initiative and whether your protocol's data identifies an individual". It should be "what personal, equipment, or session identifiers, encrypted or otherwise, are carried in your protocol? How might they be correlated with offline data or otherwise used to infer the identity or behavior of an individual?"
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail