[Wg-p3] P3wg minutes from call Friday 18 SEP

j stollman stollman.j at gmail.com
Sat Sep 19 11:55:16 PDT 2009


Below are the draft minutes from our last call.

[Britta if you would be so kind as to post these as I remain unable to do so
because of permissions.]

Call Held:  Thursday 18 SEP, 2009 @ 15:00 UTC

  US/Canada toll-free number:  1.866.305.1460
    * Direct dial (toll) number: +1.416.620.1296
    * Attendee Code: 9247530


Jeff Stollman

Bob Pinheiro

Colin Soutar

Mark Lizare was unable to connect

QUORUM was not met.


Iain Henderson

Susan Landau

Robin Wilton


1.       Roll call

2.       ICAM letter status (Jeff)

a.       ICAM’s announcement

b.      Ballot Results

c.       Next actions

Procedures, section 3.7, which states: All Participants present at a WG
meeting are voting members of the WG. For the purpose of maintaining a
reasonable ability to achieve Quorum, any Participant in a WG who fails to
attend two consecutive meetings of the WG may, at the discretion of the
Chair, be re-classified as a non-voting member. Voting member status may be
reacquired by attending a meeting of the WG. In the case of an electronic
vote of the WG, if the electronic vote occurs while a Participant is in
non-voting status, the Participant may not vote in that electronic vote.

ii.      *ACTION ITEM:* Chair to contact those who are not in compliance to clarify voting
intentions. Results to be displayed in our “Roster” section.

to add an “observer status” option to the GPA. Several voiced interest in
participating in the WG but not desiring vote status at this point.

iv.      *ACTION ITEM*: Britta is already sending these recommendations to the LC chair, as a
result of them having been brought up in an IAWG call.

3.       US Federal Trade Commission (FTC) Privacy Roundtable 07 DEC in
Washington, DC (Mark Lizare)

a.       FTC’s Focus

i.      What risks, concerns, and benefits arise from the collection, sharing, and use of
consumer information?  For example, consider the risks and/or benefits of
information practices in the following contexts: retail or other commercial
environments involving a direct consumer-business relationship; data broker
and other business-to-business environments involving no direct consumer
relationship; platform environments involving information sharing with third
party application developers; the mobile environment; social networking
sites; behavioral advertising; cloud computing services; services that
collect sensitive data, such as information about adolescents or children,
financial or health information, or location data; and any other contexts
you wish to address.

1.       Jeff:  We should submit a recommendation that FTC develop a
methodology/metrics for measuring risk of improper use of Personally
Identifiable Information (PII).

a.       Physical harm (e.g., from government or rebel groups)

b.      Financial harm (e.g., from governments, criminals)

c.       Reputational harm

d.      National security

2.       Risk needs to be measured at a data item level, not merely PII as a

3.       Jeff: I’ll create a draft description of this recommendation and
post it/distribute it to group for review and comment.

ii.      Are there commonly understood or recognized consumer expectations about how
information concerning consumers is collected and used? Do consumers have
certain general expectations about the collection and use of their
information when they browse the Internet, participate in social networking
services, obtain products from retailers both online and offline, or use
mobile communications devices? Is there empirical data that allows us
reliably to measure any such consumer expectations?  How determinative
should consumer expectations be in developing policies about privacy?

1.       Bob:  Let’s find out what other countries are doing, since they are
ahead of the US.

2.       Colin:  Other countries are mostly looking at PII as a class and
concerning themselves with inappropriate disclosure, not with risk
associated with disclosure.

iii.      Do the existing legal requirements and self-regulatory regimes in the United States
today adequately protect consumer privacy interests? If not, what are the
particular privacy interests that warrant increased protection? How have
changes in technology, and in the way consumer data is collected, stored,
and shared, affected consumer privacy? What are the costs, benefits, and
feasibility of technological innovations, such as browser-based controls,
that enable consumers to exercise control over information collection? How
might increased privacy protections affect technological innovation?

1.       Jeff:  Recommend standardization of privacy policies, to make them
easier to evaluate.  If policies had a standard menu, they could be easily
and rapidly evaluated and compared.  For example,

a.       A checklist could be given for what data items are collected.

b.      A second section could detail whether the information was disclosed
to other departments of the same company, partner companies, third-party
aggregators, third-party enterprises, government, etc.

c.       A third section might include opt-in/opt-out information for
releasing particular data.

2.       Jeff: I’ll create a draft description of this recommendation and
post it/distribute it to group for review and comment.

b.      File a comment?

i.      Bob: Valuable to develop a position paper.  Concerned about resources to develop
the papers.

ii.      Colin: Like to contribute, but need someone to lead the effort.

iii.      *ACTION ITEM*: As noted above, Jeff will create draft descriptions of
recommendations for both risk analysis methodology and standardization of
privacy policies and post them/distribute them to group for review and

c.       Panelist Participation?

i.      Jeff: I would be willing to represent position paper as a panelist, since I live
close to DC.

4.       Las Vegas Plenary Report (Jeff)

a.       Broadening Participation


1.       eGov and P3 outreach (no update)

a.       Judy Spencer

b.      Dave Temoshok

c.       EU ENISA

d.      UK Information Commissioner's Office (RW task?)

e.      Deborah Diener, US Internal Revenue Service (Brett)

f.        Dawn Wiggins, US Social Security Administration (Brett)

g.       Naomi Lefkovitz, US Federal Trade Commission (Brett)

h.      Jim Lewis (Brett)

i.         Lee Tien, ESS (Brett)

j.        Ari Schwartz (Brett)

k.       other suitable EU candidates (e.g. from PrimeLife or other

l.         Paul Hasson (CPO - US Visit) (RW task)

2.       eGov and P3 outreach (Jeff)

a.       We agreed to work with eGov to identify candidates and determine
which group would take the lead in pursuing government officials so as not
to overwhelm them or confuse the issue.

i.      Generally, higher officials would probably be pursued by eGov, while
P3 would pursue people more on the implementation level.

ii.      CPO outreach (Robin)

1.       Robin believes that we need to pursue CPO participation from
commercial enterprises (including Kantara members)

2.       We are open to comments and suggestions here.

iii.      Bob:  We might need to define responsibilities of participants so they know what they
are getting into if they join.

iv.      Bob & Colin:  We will need to define what Kantara membership offers to
participants to lure people to join us.

b.      Liaison with VPI and eGov (IAW was not in attendance)

i.      Scenario

1.       Looking at Iain’s car buying scenario as a first example

a.       We need to decide on a venue for this, since regulations impact the
flow.  Current thinking is the UK.

b.      Once we develop a model, we can iterate for other localities to
determine what changes occur and the impact of these changes.

2.       Want to look at it from multiple perspectives

a.       Subject

b.      Identity Provider

c.       Relying Party

d.      Criminal

e.      Bad government

f.        Benign government

g.       Data aggregator

Bob:  Concerned about IP issues when different IP policies are in place between eGov, VPI,
and P3.

c.       Robin will transcribe and publish notes from the Plenary sessions

5.       Next call

a.       Migrate to weekly calls

b.      Maintain the same call schedule to avoid confusion

i.      at 15:00 UTC / 11:00 EDT / 08:00 PDT / 03:00 New Zealand (Friday)

c.       New calls will begin on Thursday 24 SEP

d.      Bob:  Can we cut down on calls with some way to focus on issues.

6.       Colin:  Kantara should create a matrix of mandates of different

a.       Could include charters, call times, IP policy, etc.

7.       Tabled until next call

a.       Collaboration site URL (Randy van der Hoof)

b.      Comparison of US/UK LoA (Patrick Curry)

c.       Broadening P3-wg participation

d.      Funding ideas (Robin)

Alliance meeting (Randy)

e.      Vice-chair & secretary nominations (Robin)

8.       All other business

9.       Update Roll Call


1.       Robin:

a.       Develop matrix of which members attended/failed to attend recent

b.      Contact those who are not in compliance to clarify voting
intentions. Results to be displayed in our “Roster” section.

c.       Schedule next call and arrange conference bridge for Thursday 25
SEP @ 15:00 UTC and continuing weekly after that at the same time.

d.      Pursue outreach to government officials identified in Item 4.A.i.1

e.      Pursue outreach to government officials identified in Item 4.A.i.2

2.       Jeff

a.       Create draft descriptions of recommendations for risk analysis
methodology and post it/distribute it to group for review and comment.

b.      Create draft descriptions of recommendations for standardization of
privacy policies and post it/distribute it to group for review and comment.

3.       Brett

a.       Pursue outreach to government officials identified in Item 4.A.i.1


4.       Iain

a.       Present car-buying scenario to P3wg when initial draft is

Jeff Stollman
stollman.j at gmail.com
1 202.683.8699