Re: [Secdispatch] CCPA Do-Not-Sell
Sebastian Zimmeck <szimmeck@wesleyan.edu> Sat, 28 March 2020 17:37 UTC
Return-Path: <szimmeck@wesleyan.edu>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD06F3A08E3 for <secdispatch@ietfa.amsl.com>; Sat, 28 Mar 2020 10:37:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wesleyan.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2caMbXdnxcA for <secdispatch@ietfa.amsl.com>; Sat, 28 Mar 2020 10:37:41 -0700 (PDT)
Received: from mail-il1-x143.google.com (mail-il1-x143.google.com [IPv6:2607:f8b0:4864:20::143]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B22C43A08FB for <secdispatch@ietf.org>; Sat, 28 Mar 2020 10:37:41 -0700 (PDT)
Received: by mail-il1-x143.google.com with SMTP id x16so11813465ilp.12 for <secdispatch@ietf.org>; Sat, 28 Mar 2020 10:37:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wesleyan.edu; s=wesgmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YR76ErmUyMlqL5Dw13HqFL/+KgtZZqn2ypx55mR0/ds=; b=UV/OY1TS3QEgPXvadbTp+ml9hcVvLXP/KOjFP4ZvZPDEdlDFGRJtFXdQppab4JYXI2 Q/ySTN/4spo8kZSnt0Qo3Sz4BIuJUYz/ZqKdlFVFWO6QhaQtWLX+UlLGWSkGtyFmT1bK aZ3U++mRwxAIdw7dA8d+mq/eg7KJSywHM1A8c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YR76ErmUyMlqL5Dw13HqFL/+KgtZZqn2ypx55mR0/ds=; b=ADhLdrLQ3ZPwDEebzuucZP3SJUSw4GbWYo19nUkwu7NRKxbkpF0zB+qGSSHJN5HACD 734XdyoaNo6ZaPC3UIj/HHHV25iXmUztUGFhTJmu0o/s9Iv1MA6MJDRd5n3+Par8h1+S UQrV72epdmGP5BAuzT6Mzg4ipupH84pMsFAEi3xhcA0nR5JmsXbn2GBBIpmTgEf2xAM5 IhD3GrkZ4y/aOT16mlPGwxzDp4DKnvkygRY35Jd4YWMGlpplcHIKM8eYivvqkMUOEAAI IxoDI+xG4OyAlEPEmqXp45pSzWzZV8SP7XFiZvCGbnSmQJKGoQbBqZDErndDtui6KQbm ZBzQ==
X-Gm-Message-State: ANhLgQ1jdQshZZb6sSFDhqhFlpTd6BdPu+3kvcJvjAQ+I45NKY50CNLH 9/nbm5JZ0TZltc5RatFxmgu9xUHTksaDO5omz5/ggw==
X-Google-Smtp-Source: ADFU+vuF6ct6uAGuirOEH2lf9L+YSN1akOrwyM9+7xwsVBHwf0MngZRWBteKEOgNOGSnO/eCfOICH28pFG4IzmBOcug=
X-Received: by 2002:a92:6501:: with SMTP id z1mr4535288ilb.235.1585417060931; Sat, 28 Mar 2020 10:37:40 -0700 (PDT)
MIME-Version: 1.0
References: <CAD-GkkVSkS63pvMG7g355xLX3MDO10Mg0nrVgj1dh33JNymvpw@mail.gmail.com> <20200327192812.GP50174@kduck.mit.edu>
In-Reply-To: <20200327192812.GP50174@kduck.mit.edu>
From: Sebastian Zimmeck <szimmeck@wesleyan.edu>
Date: Sat, 28 Mar 2020 13:37:29 -0400
Message-ID: <CAD-GkkUXNu7j9KgTCPUNW4uDrG9NJ_OcUHDBGm6KLDdE79oiqw@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: secdispatch@ietf.org
Content-Type: multipart/alternative; boundary="000000000000bcf1b705a1edace5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/Ub9ajAMkfyZx5x88-2xWkedGK-E>
Subject: Re: [Secdispatch] CCPA Do-Not-Sell
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Mar 2020 17:37:44 -0000
Indeed, from a technical standpoint the implementation of a header field is straightforward. Though, there are related policy implications. Given the broad scope of what is considered a sale per the CCPA, especially, a lot of data collected by ad networks would be subject to Do-Not-Sell. Also, it would be nice to create a solution going beyond the browser, particularly, covering mobile apps. Best regards, Sebastian _______________________________________________ Check out PrivacyFlash Pro <https://github.com/privacy-tech-lab/privacyflash-pro> Developed at the privacy-tech-lab <https://privacy-tech-lab.github.io/>, Wesleyan University On Fri, Mar 27, 2020 at 3:28 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > On Sat, Mar 21, 2020 at 08:08:40PM -0400, Sebastian Zimmeck wrote: > > At the beginning of this year the California Consumer Privacy Act (CCPA) > > became effective. In addition to the rights of data access and deletion, > > this new privacy law gives consumers the right to opt out from the sale > of > > personal information. A "sale" is understood broadly and likely covers, > for > > example, a website or app disclosing location data or device identifiers > to > > an ad network for purposes of monetization. Now, the most recent > regulations > > to the CCPA > > < > https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-second-set-mod-031120.pdf > ?> > > published > > by the California Attorney General specify that automatic signals > > communicating a user's decision to opt out must be respected. Here is the > > relevant language: > > > > "If a business collects personal information from consumers online, the > > business shall treat user-enabled global privacy controls, such as a > > browser plugin or privacy setting, device setting, or other mechanism, > that > > communicate or signal the consumer’s choice to opt-out of the sale of > their > > personal information as a valid request ... ." > > > > I am interested in setting up a working group on such device controls. > The > > Do-Not-Sell signal could be similar to a Do-Not-Track (DNT) signal. > > However, the difference is that recipients of the DNT signal were not > > required to comply with the signal. Rather, they only needed to *say* > > whether they would comply; per the California Online Privacy Protection > Act > > (CalOPPA). > > > > Also, the CCPA may have substantial impact beyond California as some > > companies, e.g., Microsoft, already made clear that they would apply the > > CCPA to all consumers in the US. > > > > It would be great to get a discussion started ... > > It's not really clear to me how much discussion is needed... > if one assumes that you're just considering a HTTP header field, then the > only technical question I can think of is whether there's intended to be > some level of richness of expressivity vs. a boolean signal "don't sell my > data". At that point it is mostly a matter of writing down the expected > semantics (the header field registry requires only Expert Review for > allocations). > > -Ben > >
- [Secdispatch] CCPA Do-Not-Sell Sebastian Zimmeck
- Re: [Secdispatch] CCPA Do-Not-Sell Benjamin Kaduk
- Re: [Secdispatch] CCPA Do-Not-Sell Sebastian Zimmeck