search

IRTF-PEARG / draft-ip-address-privacy

Internet-Draft on IP address privacy
http://pearg.org/draft-ip-address-privacy/
Other
17 stars 5 forks source link

Update draft-irtf-pearg-ip-address-privacy-considerations.md #33

Closed ggx closed 1 year ago

ggx commented 2 years ago

Update PR for the privacy section. The PR looks good now (not a whole file change)

Luigi

arichiv commented 2 years ago

Thanks for this! Will review shortly

ggx commented 2 years ago

Thanks Brad,

I’ve push a new commit integrating your suggestions.

Ciao

L.

On 1 Jul 2022, at 15:53, Brad Lassey @.***> wrote:

@bslassey commented on this pull request.

In draft-irtf-pearg-ip-address-privacy-considerations.md https://github.com/ShivanKaul/draft-ip-address-privacy/pull/33#discussion_r911981937:

@@ -180,14 +199,24 @@ As such, any observer along the path can pick it up and use it for various track

IP Privacy Protection and Law

-This section aim at providing some basic information about main example of laws adopted worldwide and related to IP address privacy (usually these laws area by product of the broader user privacy protection). +Various countries, in the last decade, have adopted, or updated, laws that aim at protecting citizens privacy, which includes IP addresses.
+Very often, these laws are actually part of bigger regulations aiming +at protecting users' Personal Identifiable Information (PII) in a +broad sense. +{{table:laws}} provides a snapshot of relevant existing regulations. + +|Country|Law|IP Address is PII|Consent| +|-------|---|----------|-------| +|Brazil |{{LGPD}} - Lei General de Protecao de Dados Pessoals |Yes (not explicitly stated)|Explicit| +|Canada |{{PIPEDA}} - Personal Information Protection and Electronic Documents Act|Yes |Implicit| +|China |{{PIPL}} - Personal Information Protection Law |Yes |Explicit| +|European Union |{{GDPR}} - General Data Protection Regulation |Yes |Explicit| +|Japan |{{APPI}} - Act of Protection of Personal Information |Yes (including anonymized data)|Explicit| +|USA | |No | | Since this table is summarizing laws, it seems odd to list a jurisdiction (USA) with no relevant law. I'd suggest dropping this row. It might be worth keeping the USA section of the deleted text as a footnote to note that the US has sector-specific laws pertaining to privacy that would be too difficult to summarize in this table.

In draft-irtf-pearg-ip-address-privacy-considerations.md https://github.com/ShivanKaul/draft-ip-address-privacy/pull/33#discussion_r911982233:

-Possible content (to focus only on technical IP address related aspects): +Basically all of the major laws recognizes IP addresses as personal identification information. Brazil does not mention IP addresses explicitly but includes them de facto. Japan does protect even anonymized data. All require an explicit action from the user to grant permission to use PII, except for Canada that allows implicit consent. USA does not have a general federal law, and IP addresses are not considered personally identifiable information {{IP2009}}. wording nit: Change "Basically" to "In summary"

— Reply to this email directly, view it on GitHub https://github.com/ShivanKaul/draft-ip-address-privacy/pull/33#pullrequestreview-1026248583, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB5HQCULEAYCNASEM22JE3DVR3Z5NANCNFSM52JENA2A. You are receiving this because you authored the thread.

ggx commented 2 years ago

Hi Ari,

Excellent suggestions.

Please see inline my comments (marked [LUIGI])

On 6 Jul 2022, at 13:04, Ari Chivukula @.***> wrote:

@arichiv requested changes on this pull request.

Thanks for this new version! I think it's really close

In draft-irtf-pearg-ip-address-privacy-considerations.md https://github.com/ShivanKaul/draft-ip-address-privacy/pull/33#discussion_r914707929:

@@ -66,6 +66,25 @@ informative: WEBAUTHN: title: "Web Authentication: An API for accessing Public Key Credentials Level 2" target: https://www.w3.org/TR/webauthn-2/

[LUIGI] Updated.

In draft-irtf-pearg-ip-address-privacy-considerations.md https://github.com/ShivanKaul/draft-ip-address-privacy/pull/33#discussion_r914708154:

@@ -66,6 +66,25 @@ informative: WEBAUTHN: title: "Web Authentication: An API for accessing Public Key Credentials Level 2" target: https://www.w3.org/TR/webauthn-2/

[LUIGI] Updated

In draft-irtf-pearg-ip-address-privacy-considerations.md https://github.com/ShivanKaul/draft-ip-address-privacy/pull/33#discussion_r914708416:

@@ -66,6 +66,25 @@ informative: WEBAUTHN: title: "Web Authentication: An API for accessing Public Key Credentials Level 2" target: https://www.w3.org/TR/webauthn-2/

[LUIGI] Actually added your link and official Chinese link.

In draft-irtf-pearg-ip-address-privacy-considerations.md https://github.com/ShivanKaul/draft-ip-address-privacy/pull/33#discussion_r914708864:

@@ -180,14 +199,23 @@ As such, any observer along the path can pick it up and use it for various track

IP Privacy Protection and Law

-This section aim at providing some basic information about main example of laws adopted worldwide and related to IP address privacy (usually these laws area by product of the broader user privacy protection). +Various countries, in the last decade, have adopted, or updated, laws that aim at protecting citizens privacy, which includes IP addresses.
+Very often, these laws are actually part of bigger regulations aiming +at protecting users' Personal Identifiable Information (PII) in a +broad sense. +{{table:laws}} provides a snapshot of relevant existing regulations. + +|Country|Law|IP Address is PII|Consent| The Consent column should likely be omitted as all locals seem to provide for some explicit requirement while also providing allowances for implicit consent in emergencies or other situations. This area of the law seems to difficult to summarize in a single column and I think it could be followup work

[LUIGI] I can agree that the column does not add that much information. The point is just to bring to attention that as a general approach some laws demand explicit consent others are happy with an implicit consent. There is no harm in keeping the column and there is no need to go any further here with the details of exceptions & Co. (we can discuss the follow up work).

In draft-irtf-pearg-ip-address-privacy-considerations.md https://github.com/ShivanKaul/draft-ip-address-privacy/pull/33#discussion_r914709458:

-Possible content (to focus only on technical IP address related aspects): +In summary, all of the major laws recognizes IP addresses as personal identification information. Brazil does not mention IP addresses explicitly but includes them de facto. Japan does protect even anonymized data. All require an explicit action from the user to grant permission to use PII, except for Canada that allows implicit consent. USA does not have a general federal law, but sector-specific laws pertaining to privacy that would be too difficult to summarize. USA does not consider IP addresses as personally identifiable information {{IP2009}}. It would be better to cite the CCPA https://oag.ca.gov/privacy/ccpa rather than the decision in W.D. Wash https://www.huntonprivacyblog.com/2009/07/10/washington-court-rules-that-ip-addresses-are-not-personally-identifiable-information/. That indicates to the reader they need to examine the rules state-by-state rather than expecting a consistent governing rule.

[LUIGI] Added a CCPA reference. Still consider the Wash case relevant as is very specific to IP addresses.

Let know what you think.

Ciao

Luigi

— Reply to this email directly, view it on GitHub https://github.com/ShivanKaul/draft-ip-address-privacy/pull/33#pullrequestreview-1029904816, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB5HQCULXT47DFRMZDCVFYLVSVR5LANCNFSM52JENA2A. You are receiving this because you authored the thread.

arichiv commented 2 years ago

Thanks for the quick response! I still have concerns on a couple points: (1) I worry that the consent column isn't accurate and implies a more firm stance than the laws take. Maybe the column could be replaced with a sentence in the final paragraph about how explicit/implicit consent varies by locale and exception types? (2) The W.D. Wash decision is used to imply a firm stance by the US generally, but district court decisions do not set binding precedent across the federal judiciary. I worry the language here implies this decision somehow set national policy.

ggx commented 2 years ago

Hi Ari,

On 7 Jul 2022, at 16:17, Ari Chivukula @.***> wrote:

Thanks for the quick response! I still have concerns on a couple points: (1) I worry that the consent column isn't accurate and implies a more firm stance than the laws take. Maybe the column could be replaced with a sentence in the final paragraph about how explicit/implicit consent varies by locale and exception types?

I added a sentence that explain that there may be exceptions that are too hard to summarize.

(2) The W.D. Wash decision is used to imply a firm stance by the US generally, but district court decisions do not set binding precedent in the federal judiciary. I worry the language here implies this decision somehow set national policy.

That sentence can be used at federal level, right? Anyway I am not a lawyer. I think it is important to mention it but you are right that the current sentence gives the wrong idea. I modified the sentence so that is clear that it is really state-dependent.

Ciao

L.

— Reply to this email directly, view it on GitHub https://github.com/ShivanKaul/draft-ip-address-privacy/pull/33#issuecomment-1177687896, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB5HQCTX37CTWW6WUWV3XDLVS3RHLANCNFSM52JENA2A. You are receiving this because you authored the thread.

ggx commented 2 years ago

Hi All,

What about merging the two open PL and submit a new revision of the document? (It is expiring in 3 days)

Ciao

L.

On 8 Jul 2022, at 16:13, Luigi Iannone @.***> wrote:

Hi Ari,

On 7 Jul 2022, at 16:17, Ari Chivukula @. @.>> wrote:

Thanks for the quick response! I still have concerns on a couple points: (1) I worry that the consent column isn't accurate and implies a more firm stance than the laws take. Maybe the column could be replaced with a sentence in the final paragraph about how explicit/implicit consent varies by locale and exception types?

I added a sentence that explain that there may be exceptions that are too hard to summarize.

(2) The W.D. Wash decision is used to imply a firm stance by the US generally, but district court decisions do not set binding precedent in the federal judiciary. I worry the language here implies this decision somehow set national policy.

That sentence can be used at federal level, right? Anyway I am not a lawyer. I think it is important to mention it but you are right that the current sentence gives the wrong idea. I modified the sentence so that is clear that it is really state-dependent.

Ciao

L.

— Reply to this email directly, view it on GitHub https://github.com/ShivanKaul/draft-ip-address-privacy/pull/33#issuecomment-1177687896, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB5HQCTX37CTWW6WUWV3XDLVS3RHLANCNFSM52JENA2A. You are receiving this because you authored the thread.

bslassey commented 2 years ago

[LUIGI] I can agree that the column does not add that much information. The point is just to bring to attention that as a general approach some laws demand explicit consent others are happy with an implicit consent. There is no harm in keeping the column and there is no need to go any further here with the details of exceptions & Co. (we can discuss the follow up work).

I think that with all the exceptions these laws define, the implicit/explicit distinction is a bit too complicated to describe in this table and I worry that it actually confuses the point. May I suggest dropping this column and instead adding some prose to the effect of "Most of these laws require explicit consent when they do require consent for use of IP Addresses, however Canada's regulation makes allowances for implicit consent". It might be better to open another PR to discuss ways to summarize that clearly in table form, but I suspect that debate will derail getting this PR in.

ggx commented 1 year ago

Hello,

should we merge this pull request and and resurrect this document?

Ciao

Luigi

bslassey commented 1 year ago

Hello,

should we merge this pull request and and resurrect this document?

Ciao

Luigi

I think we're close, and again apologies for being inattentive here. If we can incorporate @sysrqb's feedback and make sure the pre-commit checks pass we should be able to merge this in.

sysrqb commented 1 year ago

I briefly discussed this PR with the chairs at the last meeting, and we may move some of this information into an appendix in the future, but we can merge it (with the above requested change) and continue iterating on it in the future.

ggx commented 1 year ago

Hi, I've just pushed an new commit with the sentence suggested by @bslassey.

Ciao

L.

sysrqb commented 1 year ago

Thanks!