[WG-P3] Anna Slomovic's Follow up thread (RE: IAWG P3 Agendas going into Berlin)

j stollman stollman.j at gmail.com
Mon May 9 06:46:40 EDT 2011

While I can't disagree that usability demands that we minimize the factors
that one needs to evaluate before entering a transaction, there is an
important balance that needs to be achieved between the minimization of
factors and the effectiveness of any particular metric (LOA or Level of

If we assume for illustration that we develop 4 levels of privacy and for
each level we specify a differing bundle of factors that increase in
perceived value to the entity considering a transaction.  It may be that a
large group of entities do not feel that they gain any worthwhile protection
unless their counter-parties provide Level 4 (the highest) notice.  For this
group, the granularity provided by the other three levels is immaterial
because they won't engage without the notice certification that comes with
Level 4.  The rest of the levels have no value.

If the factors that we combine into our privacy levels are orthogonal to one
another, the well-intended force-fitting of combinations of these factors
into a highly "usable" metric may well create ineffective measures.  In the
LEVELS OF PROTECTION (LOPS) proposal by Mary Rundle and Sue Glueck (
download.microsoft.com/.../Levels%20of%20Protection%20_Microsoft.pdf), the
authors sought to force-fit numerous privacy characteristics into a
four-level scheme.  In reviewing Appendix B, which describes the
requirements for each factor included in each level, I found myself both
frustrated at not finding any rationale for the particular choices and
troubled that someone else was dictating to me how my preferences should be
grouped.  (In fairness, I am one of those people who cringes at such
simplifications as setting my security software at "medium" without knowing
what this really means.)

A balance of usefulness and effectiveness is needed.  This is an aphorism
with which it is hard to disagree, but which is equally hard to implement.


On Sun, May 8, 2011 at 9:07 PM, Susan Landau <susan.landau at privacyink.org> wrote:

>  On 5/8/11 9:04 PM, Anna Slomovic/Equifax wrote:
> I disagree. Notice has been part of privacy work since the first work on Fair Information Practices in the early 1970s. It is part of every privacy framework of which I am aware anywhere in the world. I would urge this group not to ignore the work of decades done by the privacy community without a very good reason.
> I do not believe that we want to measure Principles. AICPA and CICA have come up with a framework for measuring individual principles, and I sent it around. This is not, in my view, where we want to go. We want to come up with composite measures, like LOA, which include multiple principles and concepts, but are easy for people to understand.
>  I think Anna is completely right here.  Otherwise we run the risk of a P3P
> situation.
>  I think it's pretty easy to explain LOA (the extent to which I am sure in someone's claimed identity) without going into details about levels of complexity in passwords. That's what we should be after.
>  Susan
