Re: [pbd-se] Groups - pbd-se-v1 0-wd04 - feedback

[Dawn Jutla <dawn.jutla@gmail.com>]

Hi Mike:

Thanks for the below. I am about to submit an update to revision 4 to Kavi with John's edits and some minor clarifications for the TC to use as weekend reading..

Here are some brief answers to your questions. We will clarify these across our future meetings. 

Re: (1), our focus has been on PbD and software engineering. PbD itself is an UNIFYING umbrella for a lot of work in privacy.

(2) Agreed. We have another example use case for the PMRM methodology that will be referenced as a resource later on. 

(3) Agreed. The references used so far are those that PbD-SE editors have  actively used to create the current draft. They are not intended to be a PbD and software engineering bibliography. Although, it may be a great idea to make such a bibliography available in future. Also, we will certainly add to and diversify the current non normative reference list as the draft matures.

(4) As in (1) - the focus of our vision is to make Privacy by Design instinctual on the Internet, on purpose, and in a managed way.

(5) Yes, we are covering everything software-related whether mobile, IoT, M2M, emerging, or classic etc. In addition, the application of the PbD-SE and PMRM methodologies can be iterative in slices which aligns with agile methodologies.

Chat soon,

Dawn.

On Thu, Jun 5, 2014 at 10:04 PM, Mike Davis <mike.davis.sd@gmail.com> wrote:

Dawn, All,

Some quick-look, higher level, comments from my strategic cyber view.

I skimmed the document and concur with  John’s observations.

We can discuss my questions / observations on next telecom on WED - as needed.

CIAO

Mike

 

A couple of framing questions

(as a new guy to this group, though I did skim the PMRM too… great processes therein btw – especially the privacy services in 4.1 – 4.3…

So….  sorry if I cover old ground… ignore as needed)

 

1 – Is there an intent to harmonize with the EU data protection directive at some point and thus also facilitate the safe harbor use?

http://www.huntonregulationtracker.com/proposed_framework/

Same question on harmonizing with the USA FTC privacy plans

http://www.ftc.gov/sites/default/files/documents/public_statements/privacy-today-ftcs-2014-privacy-agency/131206privacytodayjrich.pdf

 

 

2 – A representative PbD use case is an essential aspect for all to use.  Section 5.1, use case template, is a solid effort, which would even be better with a specific example – maybe use the one in the PMRM (para 2.1) to demonstrate the methods / references / etc..

Will there be notional profiles / avatars considered (e.g., account for levels: public, private, work, etc) to assist in the tailoring of the template?  Whereas the security policy controls will need to be able to accommodate various levels of access, temporal aspects, etc… Besides relatively clear requirements, a generally representative use case is an essential tool to have / relate to…. And it helps with the security design, architecture, etc…  trade-offs, alternatives, etc..

 

3 -  Sec 1.7 - Non-normative references -  while they may be listed in other PbD documents, it seems there are more to at least refer to in this section…

A -  added refs provide some level of general awareness / perspective on privacy references, even if they are still in need of updating…  It seems clear that what privacy actually entails is fuzzy… (e.g., PII 2.0,  EU vs USA,  et al), where there is no shortage of links to privacy refs / laws, the key ones might be best if at least listed herein:

http://www.gsa.gov/portal/content/104250

http://srufaculty.sru.edu/david.dailey/privacy/privacyref.htm

B – How does the OECD privacy framework relate / integrate? I’m sure many here helped with that too?

http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf

Ideally any framework / design would integrate into the NIST Special Publication 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems…  (as would your section 3.6 on design, and where section 5.3 should also link to that (which is a great start btw!)

https://csrc.nist.gov/publications/drafts/800-160/sp800_160_draft.pdf

 

 

4 – Is there ‘a’ vision of a privacy future, however notional at this point, or does anyone have something close to leverage?  In developing any capability, knowing at least a notional end-state helps build the functions required and adjust related technical specifications as well.

A - These folks seem to have started that “The Future of Privacy Forum has launched a PbD initiative, Design For Trust, that focuses on the design part of the process…”   

http://www.futureofprivacy.org/design-for-trust/

though it’s not clear how far along they are…  (though they should follow SP800-160 too)

(note - We presume our “cyber model 4 PbD” will also fit their approach….)

 

B – Will the ‘mobile aspect’ be addressed…  as I am sure you all know of the CA AG’s “Privacy on the go”  - how will that be addressed?   Or is this document / approach ‘agnostic’ to the environment (thus covering mobile, IoT, etc… albeit at a high level)

http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_the_go.pdf

Thanks for ‘listening’ – I hope I did not cover old ground… nor try to eat the privacy elephant all at once!

 

Ciao

Mike

 

Cyber security is serious business for us all – so ACT accordingly!

LinkedIn Profile

http://www.linkedin.com/in/mikedavissd

Qualifications and Experience background

http://www.sciap.org/blog1/?page_id=1684

 

From: pbd-se@lists.oasis-open.org [mailto:pbd-se@lists.oasis-open.org] On Behalf Of Dawn Jutla
Sent: Tuesday, June 3, 2014 11:22 AM
To: John.Annapolis Verizon
Cc: pbd-se@lists.oasis-open.org
Subject: Re: [pbd-se] Groups - pbd-se-v1 0-wd04.docx

 

Hi John:

 

Many thanks for your excellent catches, comments and edits. A How To Use this Document is a very good suggestion. 

 

On Tue, Jun 3, 2014 at 11:07 AM, John.Annapolis Verizon <john.annapolis@verizon.net> wrote:

Dawn,

 

I've reviewed the Rev 4 document, and the work is really impressive.  Attached is a copy with my comments and suggested edits in tracking mode.

 

One additional comment: I would recommend that we consider including a "How to Use this Document" section or something similar (to complement Section 1.4, "Outline of the Specification) because of the complexity of the material and at times overlapping and cross-referenced material across sections.

 

-=-=--

 

 

From: pbd-se@lists.oasis-open.org [mailto:pbd-se@lists.oasis-open.org] On Behalf Of Gershon Janssen
Sent: Thursday, June 5, 2014 1:26 PM
To: pbd-se@lists.oasis-open.org
Subject: [pbd-se] Next meeting and additional June TC meetings

 

Hi all,

 

Please note that our next regular PbD-SE TC meeting is scheduled for Wednesday June 11, 2014 at 1:30-3:00 PM EDT.

 

Given the current timeline for completing the TC work, we like to ask you to also reserve the following meeting dates in your calendars, in order to take our working draft into a Committee Specification Draft this month:

 

- Wednesday June 18, 2014 at 1:30-3:00 PM EDT

 

- Wednesday June 25, 2014 at 1:30-3:00 PM EDT

 

An updated version of our working draft has been posted a few days ago for consideration to adopt as our base Committee Specification Draft after a further round of discussion / input / recommendations / suggested edits from TC members.

 

You can find this working draft at the following URL: 

https://www.oasis-open.org/committees/download.php/53193/pbd-se-v1%200-wd04.docx

 

All TC members are kindly requested to review this revision and provide feedback and input, preferably by email to the TC email list (pbd-se@lists.oasis-open.org) or at the next TC meeting.