Hi!

> -----Original Message-----
> From: S Moonesamy [mailto:sm+ietf@xxxxxxxxxxxx]
> Sent: Friday, September 27, 2019 7:29 PM
> To: Stephen Farrell <stephen.farrell@xxxxxxxxx>; ietf@xxxxxxxx
> Cc: Roman Danyliw <rdd@xxxxxxxx>
> Subject: Re: Next steps on Web Analytics Project
>
> Hi Stephen,
> At 03:11 PM 27-09-2019, Stephen Farrell wrote:
> >Yes, tracking what and when becomes possible.
> >
> >I'm also unhappy with that. Is there no way to ensure that addresses
> >and geolocated regions are sufficiently aggregated so as to not
> >identify individuals?
> >
> >/16's and countries are not sufficient for all IETFers.
> >
> >I'm sure someone who reads this list would have a fair chance at
> >(re-)identifying various individuals based on time, /16 or /48, and
> >URL.
>
> It is technically possible to identify a person or a small set of persons even if
> the IPv4 addresses are aggregated by /14. I suggest stepping back a little.
> The technical solution is being used to drive the policy statement. Would it
> be better to do the reverse to figure out what is feasible [1]? That would
> entail flushing out the policy statement to get a sense of what information
> IESG members [2][3] would find useful.

I'm not entirely following how the technical solution is driving the policy statement (i.e., motivation for the project). Section 1.1 identifies what information is useful -- the use cases and questions that would be helpful to answer for improving the web-site. Section 2.2 describes a candidate solution based on needs dictated by the use cases. Section 2.3 provides a mapping between the individual data elements that will be collected by the solution and these motivating use cases. Sections 3 and 4 acknowledge that there are security and privacy issues in implementing this policy and provide a series of mitigations.

You're right, ultimately, the technology solution (Matomo) does drive some of the mitigations as it provides only certain types of anonymization and aggregation primitives.

Regards,
Roman

> The data processor could then use a
> "custom dimension" to decrease the probability of identification of that
> small set of persons.
>
> Regards,
> S. Moonesamy
>
> 1. Please see the P.S. in your email
> 2. One of the issues is that web analytics usually use the IP addresses to
> aggregate by country. Does an IESG member need to know whether Country
> X has expressed an interest in, for example, the IESG history of appeals?
> 3. Does an IETF LLC Director need to know who is reading the monthly
> financial statements?