To the extent proportionate and reasonably necessary for detecting security risks and fraudulent or malicious activity, parties MAY collect, retain, and use data regardless of a DNT signal. This includes data reasonably necessary for enabling authentication/verification, detecting hostile and invalid transactions and attacks, providing fraud prevention, and maintaining system integrity. In the context of this specific permitted use, this data MAY be used to alter the user's experience in order to reasonably keep a service secure or prevent fraud.
Issue 24: Possible exemption for fraud detection and defense
5.3.3.1 Graduated Responses for Security
This section is non-normative.
When feasible, a graduated response to a detected security incident is preferred over widespread data collection. An example would be recording all use from a given IP address range, regardless of DNT signal, if the party believes it is seeing a coordinated attack on its service (such as click fraud) from that IP address range. Similarly, if an attack shared some other identifiable fingerprint, such as a combination of user agent string and other protocol information, the party could retain logs on all transactions matching that fingerprint until it can be determined that they are not associated with such an attack or such retention is no longer necessary to support prosecution.
2.11 Graduated Response
A graduated response is a methodology where the action taken is proportional to the size of the problem or risk that is trying to be mitigated. In the context of this document, the term is used to describe an increase in the collection of data about a user or transaction in response to a specific problem that a party has become aware of, such as an increase in fraudulent activity originating from a particular network or IP address range resulting in increased logging of data relating to transactions from that specific range of IP addresses as opposed to increased logging for all users in general.
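The graduated response described in 5.3.3.1 and 2.11, as an added sketch that is not part of the draft text: full logging is switched on only for requests that fall inside an open incident's scope (an IP range or a User-Agent fingerprint), regardless of DNT, and lapses when the incident expires. The `Incident` model, the retention level names and the sample incidents are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Incident:
    """Scope of extra logging for one detected incident (hypothetical model)."""
    name: str
    expires: datetime                  # past this point the extra retention no longer applies
    network: Optional[str] = None      # CIDR range the suspected attack comes from
    user_agent: Optional[str] = None   # fingerprint, reduced here to an exact User-Agent

    def matches(self, ip: str, user_agent: str, now: datetime) -> bool:
        if now >= self.expires or not (self.network or self.user_agent):
            return False               # expired or unscoped incidents never widen logging
        if self.network and ipaddress.ip_address(ip) not in ipaddress.ip_network(self.network):
            return False
        if self.user_agent and user_agent != self.user_agent:
            return False
        return True

def retention_for(headers: dict, ip: str, incidents: list, now: datetime):
    """Return (level, incident_name); level is 'full', 'minimal' or 'standard'."""
    for incident in incidents:
        if incident.matches(ip, headers.get("User-Agent", ""), now):
            return "full", incident.name   # applies regardless of the DNT signal
    if headers.get("DNT") == "1":
        return "minimal", None             # honour DNT outside any incident scope
    return "standard", None

# Constructed sample data (documentation address ranges, made-up incident names).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
INCIDENTS = [
    Incident("click-fraud-range", NOW + timedelta(days=7), network="203.0.113.0/24"),
    Incident("bot-fingerprint", NOW + timedelta(days=1), user_agent="ExampleBot/1.0"),
]

if __name__ == "__main__":
    for ip, ua in [("203.0.113.9", "Mozilla/5.0"), ("198.51.100.7", "Mozilla/5.0"),
                   ("198.51.100.7", "ExampleBot/1.0")]:
        print(ip, ua, retention_for({"DNT": "1", "User-Agent": ua}, ip, INCIDENTS, NOW))
```
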
Proposal (1): Malicious, Nefarious or Disingenuous
Proposal from Chris Mejia: email; issue-24
Remove 2.11 and 5.3.3.1; replace 5.3.3 with the following text.
New text
Detection, Prevention or Prosecution of Malicious, Nefarious or Disingenuous Activity
Data may be collected, retained and used to the extent reasonably necessary for detecting and/or preventing malicious, nefarious or disingenuous activity. Additionally, data related to malicious, nefarious or disingenuous activity may be retained when reasonably necessary to support civil or criminal prosecution of parties that conduct, support or perpetuate malicious, nefarious or disingenuous activity. This data may also be used to alter the user's experience in order to preserve or bolster the security of a site/service/user(s), or to prevent malicious, nefarious or disingenuous activity.
The term "malicious, nefarious or disingenuous activity" means:
(a) disingenuous Web traffic/server requests (for example: non-human activity generating bogus server requests, ad-impressions or clicks);
(b) bogus, malicious, automated or non-human Web-form submissions;
(c) attacks intended to disrupt a site, service or user experience;
(d) malicious or nefarious intrusions, or attempts to intrude into private or corporate networks;
(e) fraudulent activity, including any activity whose purpose is to defraud a site, service or users of a site or service;
(f) any activity that's reasonably determined to abuse, or attempts to abuse a site/service/user in any way.
Proposal (2): Add retention for prosecution, but exclude from operational use
Proposal from John Simpson: email, working from text from Roy Fielding: email
Rewrites the paragraph in 5.3.3 and keeps the text in 5.3.3.1; Roy believes the definition of graduated response in 2.11 is redundant since the term is only used here.
New text
Regardless of the tracking preference expressed, data MAY be collected, retained, and used to the extent reasonably necessary to detect security incidents, protect the service against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for such activity, provided that such data is not used for operational behavior (profiling or personalization) beyond what is reasonably necessary to protect the service or institute a graduated response.
When feasible, a graduated response to a detected security incident is preferred over widespread data collection. An example would be recording all use from a given IP address range, regardless of DNT signal, if the party believes it is seeing a coordinated attack on its service (such as click fraud) from that IP address range. Similarly, if an attack shared some other identifiable fingerprint, such as a combination of User Agent and other protocol information, the party could retain logs on all transactions matching that fingerprint until it can be determined that they are not associated with such an attack or such retention is no longer necessary to support prosecution.
Proposal (3): Separate Fraud and Security Permitted Uses
Remove 2.11 and 5.3.3.1; replace 5.3.3 with the following text.
New text
Fraud Prevention
A third party may collect, retain, and use data about a particular user or user agent for the sole purpose of preventing fraud, provided that there are reasonable grounds to believe the user or user agent is presently attempting to commit fraud. Data may only be retained as long as necessary to mitigate the present threat.
Non-Normative
When a user meaningfully interacts with third-party content (e.g. clicking an ad), the third party can collect, retain, and use information for fraud prevention. Third parties can also use protocol logs for fraud prevention. This exception provides an additional capability to, in certain circumstances, track impressions for fraud prevention.
Security
A third party may collect, retain, and use data about a particular user or user agent for the sole purpose of ensuring its security, provided that there are reasonable grounds to believe the user or user agent is presently attempting to breach the party's security. Data may only be retained as long as necessary to mitigate the present threat.
Non-Normative
This exception grants third parties (e.g. advertising networks) some latitude to mitigate security risks. Websites that users store sensitive personal information on (e.g. financial services and webmail) are all first-party; they are able to collect, retain, and use information about all users for security purposes.