[WG-P3] NIST 800-53, Appendix J, comments v2

Mark Lizar mark.lizar at gmail.com
Mon Aug 29 16:41:42 EDT 2011


First, when I think of a higher standard, I mean that more information
should be available and functionally usable in the context in which the
notice (or consent) is provided. Without consent or data provision by
the subject, a notice needs to compensate with functionality to enable a
data subject to access and use privacy controls.


On 29 Aug 2011, at 13:57, Anna Slomovic/Equifax wrote:

> Mark,
>
> Question for you with regard to the following statement:
>
> From the point of view of developing assessments, quality
> notification assessment criteria should be set above the minimum
> standards and legislation that currently exist. In fact, IMHO, a
> compliance standard and assessment criteria for notice should be
> aimed higher than existing standards and legislation so as to provide
> 'extensible' standard privacy controls, not only to the
> organisations using them but also across jurisdictions (or in the
> cloud).
>
> My concern with setting assessment criteria too high is that  
> organizations may not be able to pass if they choose to comply with  
> the law. Do we have a plan for what to do when this happens?
>


I would suggest a compliance approach which keeps the notice
requirements (privacy controls) proportional to the purposes of data
processing, e.g. where consent is not available, a higher standard of
notice to provide a quality context should be enforceable by
regulators. This way privacy-invasive and onerous practices are
discouraged. I think the penultimate point to make here is that
privacy controls are in need of being digitally updated and
functional for the information age, something I think the NIST
Appendix sets the stage for.

If an individual does not control their identity profile (like with
UMA), a higher quality of notice should be required; if an individual
does not provide consent, or data is not provided by the data
subject, an even higher functional standard should apply. If an
organisation has exceptional conditions and qualifiers for access to
data (especially by third parties), then oversight (and transparency
over that oversight) should be functional and required directly
through the notice. A notice at the minimum should have enough
quality for a data subject to interact (via email or a link directly
with the data controller). If not, an organisation should be deemed
non-compliant with the standard when assessed.

What I think many are shocked to see is that notice regulations already
exist but they are not yet being enforced, a point made by the German
Data Protection Commission in the context of Facebook last week.
If the privacy controls are set to too low a standard, then
interoperability suffers, as one jurisdiction's privacy control standards will
be set below another's. E.g. Facebook can't operate Like Buttons in
Germany, and EU data is illegally being taken by Facebook. I

Mark


> Anna
>
> Anna Slomovic
> Chief Privacy Officer
> Equifax, Inc.
> 1010 N. Glebe Rd.
> Suite 500
> Arlington, VA 22201
>
> P: 703.888.4620
> M: 703.254.9656
> F: 703.243.7576
> E: Anna.Slomovic at equifax.com
>
> From: wg-p3-bounces at kantarainitiative.org [mailto:wg-p3-bounces at kantarainitiative.org 
> ] On Behalf Of Mark at Identity Trust
> Sent: Monday, August 29, 2011 12:48 PM
> To: Susan Landau
> Cc: Kantara P3WG
> Subject: Re: [WG-P3] NIST 800-53, Appendix J, comments v2
>
> Susan,
>
> As the NIST privacy controls are intended to apply to the operational
> environments of the organizations using them with the US gov, it
> seems clear that the intention is for these privacy controls to
> become extensible. In this regard, I specifically refer to the
> privacy control of notification when consent or data is not provided
> by the data subject. This point is important for privacy control
> extensibility. In such a context a high quality standard for
> notification and notification assessment is not only required but
> also needed.
>
> This is a point illustrated in the ISTPA Analysis of Privacy
> Principles in that "There are exceptional notice conditions and
> qualifiers, and these require notice management capabilities long
> after the initial collection." (p.28) An important observation to
> bring up as NSTIC policies may encounter some function creep over
> time, and of course policies change.
>
> From the point of view of developing assessments, quality
> notification assessment criteria should be set above the minimum
> standards and legislation that currently exist. In fact, IMHO, a
> compliance standard and assessment criteria for notice should be
> aimed higher than existing standards and legislation so as to provide
> 'extensible' standard privacy controls, not only to the
> organisations using them but also across jurisdictions (or in the
> cloud). Bottom line, I would like folks at NIST to consider this
> issue, if not the comment.
>
> Although, upon reflection, it is clear that from the P3 identity
> management perspective, and the Kantara role with FICAM, this
> comment may very well be redundant as NSTIC privacy controls should
> inherently be in place. Perhaps a more appropriate comment can be
> made to reflect this point?
>
> Since we have little time to draft this comment, and in the
> absence of a comment with consensus, I will withdraw my comment to
> support submitting a general approval/appreciation of the Appendix
> by P3.
>
> Thanks,
>
>
> Mark
>
>
> Even so, I still feel that this is an important issue to raise from a
> privacy and public policy perspective.
>
>
> On 27 Aug 2011, at 13:04, Susan Landau wrote:
>
>
> The NSTIC requirements include no activity tracking, which means  
> that if an identity provider is used to log onto a federal  
> government site, the identity provider is not permitted to make use  
> of tracking information on the federal sites.  Nor is the identity  
> provider allowed to share that data with third parties.  My feeling  
> is that this obviates the need for an additional comment below.
>
> Best,
>
> Susan
>
> On 8/26/11 8:12 PM, Mark at Identity Trust wrote:
> ...
>
> The NIST Appendix, if the privacy controls within were applied to
> this use case, does provide guidance for assessing the points being
> argued by the ULD. Although, this guidance is of limited use for
> non-consensual data capture. There is no distinction made in the
> NIST Appendix between notification requirements when consent is
> not available (e.g. when a user is not logged into Facebook and
> service traffic is transferred, or even more generally under IP
> based video surveillance in a commercial premise, third party data
> transfers), in particular when consent for that data use does not
> come directly from the data subject.
>
> Comment: Notice in the absence of consent should be specified in the
> privacy controls that NIST is presenting in the Appendix. Perhaps
> an emphasis could be suggested in TR-1 b) on page 4 of the appendix
> to the non-consensual requirements for notice. E.g. altering the section,
>
> "(iv)  whether individuals have the ability to consent to specific  
> uses or sharing of PII and how to exercise any such consent;" should  
> be further considered and discussed.
>
> To,
>
>   (iv) whether (or not) individuals have the ability to consent to
> specific uses or sharing of PII and how to exercise any such
> consent; (Or, with the absence of consent from the data subject,
> (sufficiently functional notice for the systematic use of the
> subject's data rights.))
>
>
> Best Regards,
>
> Mark Lizar
>
> On 25 Aug 2011, at 15:38, Anna Slomovic/Equifax wrote:
>
>
> Everyone,
>
> As we discussed, I am sending along a drafty draft of possible  
> comments on NIST 800-53, Appendix J, Privacy Control Catalog. As  
> Mark noted in the notes from our call today, the plan is:
>
> - Anna is submitting an initial draft today.
> - Please submit comments to the list or directly to Ann Geyer for  
> Monday.
> - Comment discussion and draft for Wednesday t
> - To be voted on in an email ballot on Thursday
> - Which will close at 12 noon EST on Friday the 2nd of September.
>
> Thanks!
>
> Anna
>
> Anna Slomovic
> Chief Privacy Officer
> Equifax, Inc.
> 1010 N. Glebe Rd.
> Suite 500
> Arlington, VA 22201
>
> P: 703.888.4620
> M: 703.254.9656
> F: 703.243.7576
> E: Anna.Slomovic at equifax.com
>
>
> This message contains information from Equifax Inc. which may be  
> confidential and privileged. If you are not an intended recipient,  
> please refrain from any disclosure, copying, distribution or use of  
> this information and note that such actions are prohibited. If you  
> have received this transmission in error, please notify by e-mail postmaster at equifax.com 
> .
> <P3WG NIST 800-53 App J comments v2.docx>
>
> _______________________________________________
> WG-P3 mailing list
> WG-P3 at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-p3
>
