Erin Kenneally | 20 Apr 21:39 2015

Re: ietf-privacy Digest, Vol 41, Issue 8

I use the following def and have yet to find situations that aren't encompassed within:

Information Privacy = the rights and interests between and among persons and organizations regarding contexts for the collection, use and/or disclosure of information.


-- Erin E. Kenneally, M.F.S., J.D. CEO, Founder eLCHEMY, Inc. 8677 Villa La Jolla Dr., #1133 La Jolla, CA 92037

On 4/20/15 12:00 PM, ietf-privacy-request <at> wrote:
Today's Topics: 1. Re: Is there an official working definition for Privacy Online? (Fred Yeboah)

_______________________________________________ ietf-privacy mailing list ietf-privacy <at>

Fred Yeboah | 16 Apr 16:51 2015

Is there an official working definition for Privacy Online?

Dear all,
Can someone help me with the official working definition of Online Privacy as used by IETF-Privacy group?
Thank you
-- Best regards Fred Yeboah
S Moonesamy | 6 Jun 08:39 2014

Logging Recommendations for Internet-Facing Servers


BCP 162 contains logging recommendations for internet-facing 
servers.  Quoting the document:

   "Discussions about data-retention policies are out of scope for this
    document.  Server security and transport security are important for
    the protection of logs for Internet-facing systems.  The operator of
    the Internet-facing server must consider the risks, including the
    data and services on the server, to determine the appropriate
    measures.  The protection of logs is critical in incident
    investigations.  If logs are tampered with, evidence could be

In other words, the BCP makes a recommendation without any discussion 
about privacy considerations.  The issue is traceability.  It has 
been the practice to log IP addresses.  Keeping the logs for years is 
not a good idea as it is difficult to argue that the information is necessary.

I suggest that the BCP be reconsidered given the lack of privacy 

S. Moonesamy 
David Singer | 28 May 00:03 2014

cursory PPM Review of RFC 4368


This is about low-level access (SNMP) to low-level (multi-protocol switching) network information, and
has apparently well-developed security considerations. Privacy is only mentioned once:
"It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy)."

Since not even IP addresses are exposed, or traffic details, it's hard to see direct privacy implications
here. However, the whole area of being able to interrogate network equipment over protocols such as SNMP
might well have such implications (e.g. if it's possible to work out which addresses a given IP address is
communicating with). 

David Singer
Manager, Software Standards, Apple Inc.
=JeffH | 15 May 00:59 2014

Big Data Ethics (was: recent scholarship wrt privacy law, obligations, legal theories & frameworks

And, building upon Solove's work, there's this...

Big Data Ethics

Neil M. Richards
Jonathan H. King

January 23, 2014

Wake Forest Law Review, 2014


We are on the cusp of a "Big Data" Revolution, in which increasingly large 
datasets are mined for important predictions and often surprising insights. 
The predictions and decisions this revolution will enable will transform our 
society in ways comparable to the Industrial Revolution. We are now at a 
critical moment; big data uses today will be sticky and will settle both 
default norms and public notions of what is "no big deal" regarding big data 
predictions for years to come.

In this paper, we argue that big data, broadly defined, is producing 
increased powers of institutional awareness and power that require the 
development of a Big Data Ethics. We are building a new digital society, and 
the values we build or fail to build into our new digital structures will 
define us. Critically, if we fail to balance the human values that we care 
about, like privacy, confidentiality, transparency, identity and free choice 
with the compelling uses of big data, our Big Data Society risks abandoning 
these values for the sake of innovation and expediency.

In Part I, we trace the origins and rapid growth of the Information 
Revolution. In Part II, we call for the development of a "Big Data Ethics," 
a set of four related principles that should govern data flows in our 
information society, and inform the establishment of big data norms. First, 
we must recognize "privacy" as an inevitable system of information rules 
rather than merely secrecy. Second, we must recognize that shared private 
information can remain "confidential." Third, we must recognize that big 
data requires transparency. Fourth, we must recognize that big data can 
compromise identity. In Part III, we suggest how we might integrate big data 
ethics into our society. Law will be an important part of Big Data Ethics, 
but so too must the establishment of ethical principles and best practices 
that guide government, corporations, and users. We must all be part of the 
conversation, and part of the solution. Big Data Ethics are for everyone.
=JeffH | 15 May 00:59 2014

recent scholarship wrt privacy law, obligations, legal theories & frameworks

Some interesting recent research/thinking around privacy law, obligations, 
legal theories & frameworks...

The FTC and the New Common Law of Privacy
by Daniel Solove * April 13, 2014

10 Reasons Why Privacy Matters
by Daniel Solove * January 14, 2014

What Is Personally Identifiable Information (PII)? Finding Common Ground in 
the EU and US
by Daniel Solove * June 26, 2013

Privacy Self-Management and the Consent Dilemma
by Daniel Solove * May 21, 2013

Harvard Law Review Privacy Symposium Issue
May 21, 2013

The privacy symposium issue of the Harvard Law Review is hot off the 
presses.  Here are the articles:

Introduction: Privacy Self-Management and the Consent Dilemmas
Daniel J. Solove

What Privacy is For
Julie E. Cohen

The Dangers of Surveillance
Neil M. Richards

The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures
Paul M. Schwartz

Toward a Positive Theory of Privacy Law
Lior Jacob Strahilevitz
Hannes Tschofenig | 5 May 19:43 2014


Hi all,

I was wondering what the status of the review activities is.
Various folks expressed interest to do some reviews at the last f2f
meeting in London.

Did anything happen already?


S Moonesamy | 29 Apr 22:14 2014

Re: CFP: The 6th International Symposium on Cyberspace Safety and Security (off-topic)


Was the message at 
approved by the ietf-privacy mailing list moderator?

S. Moonesamy
Peter Mueller | 29 Apr 21:37 2014

CFP: The 6th International Symposium on Cyberspace Safety and Security

The 6th International Symposium on Cyberspace Safety and Security
August 20-22, 2014, Paris, France
Paper submission: 28 April, 2014 -> Extended to 12 May, 2014
Notification of acceptance: 23 June, 2014
Camera-Ready due: 15 July, 2014

A large fraction of the population in the world now spends a great deal of time in cyberspace. Cyberspace has become a critical infrastructure that is embedded in almost all other critical infrastructures and enables every movement of human society. It is thus very much in the public interest to have a safe and secure cyberspace.
In the past several years, there has been a large number of attacks in cyberspace, such as attacks on the Internet, attacks on embedded/real-time computing and control systems, and attacks on dedicated computing facilities. Many research efforts have been made to achieve cyberspace safety and security, such as blocking and limiting the impact of compromise, enabling accountability, promoting deployment of defense systems, and deterring potential attackers and penalizing attackers.
In this context, we focus our program on Cyberspace Safety and Security, such as authentication, access control, availability, integrity, privacy, confidentiality, dependability and sustainability issues of cyberspace. The aim of this symposium is to provide a leading edge forum to foster interaction between researchers and developers with the cyberspace safety and security communities, and to give attendees an opportunity to network with experts in this area. The symposium will be a highly focused, professional, high quality, and social event.

Distinguished papers presented at the conference, after further revision, will be recommended for possible publication in special issues of the SCI Indexed Journals.
Topics of interest include, but are not limited to:

(1) Data and Applications Security
- Digital Rights Management
- Secure Information Integration and Transaction Processing
- Secure Semantic Web and Web Services
- Security in E-Commerce and M-Commerce
- Watermarking
- Privacy and Data Protection
- Emerging Technologies and Applications
- Database Security
- Data Mining Security

(2) Network and Communications Security
- Active Defense Techniques and Systems
- Distributed Intrusion Detection/Prevention Systems
- Denial-of-Service Attacks and Countermeasures
- Intelligent Defense Systems
- Internet and Network Forensics
- Secure Network Architectures
- Security for Ad-Hoc and Sensor Networks
- Spam Detection and Prevention
- 5G Mobile Networks Security and Trust
- Trust, Security and Privacy in Social Networks
- Privacy Enhancement Technologies
- Security issues in emerging networking technologies (e.g., SDN, CCN)

(3) Software and Systems Security
- Analysis, identification, prevention, and removal of vulnerabilities
- Audit and digital forensics
- Authorization and access control of software objects
- Dependable computing and fault tolerance
- Detection of, defense against, containment of, and recovery from attacks
- Operating system and mobile operating system security
- Risk modeling, assessment, and management in software engineering
- Security for large-scale systems and critical infrastructures
- Security in distributed systems and pervasive computing
- Viruses, worms, Trojans, and other malicious codes

(4) Cloud Security
- Cloud and mobile cloud computing data access control
- Privacy preservation and data privacy in cloud
- Trust management in cloud computing
- Big data trust in cloud
- Secure cloud data storage
- Verifiable cloud computing
- Security solutions based on cloud computing
- Trustworthy identity management in cloud
- Media cloud security and cloud security policy
- Security for personal cloud

(5) Cyberspace Safety
- Access Control and Trust Management
- Identity Management and Authentication
- Security and Usability
- Security in Pervasive and Embedded Systems
- Privacy Models, Privacy Enhancing Technologies
- Human Factors in Computer Security
- Risk Assessment in Cyber Security
- Cyber-Physical System Security
- Benchmark, Analysis and Evaluation of Cyber Security
- Implementation, Deployment and Management of Cyber Security

Previously CSS has been held in Zhangjiajie, China (2013), Melbourne, Australia (2012), Milan, Italy (2011), Chengdu, China (2009), and Sydney, Australia (2008).

Submitted manuscripts should be written in English conforming to the IEEE conference proceedings format (8.5" x 11", Two-Column, template available at Manuscripts should not exceed 8 pages for full papers and 4 pages for short papers, including tables and figures. All paper submissions must represent original and unpublished work. Papers must be submitted electronically in PDF format through EasyChair:
For more information on submission please contact:
css2014-0 <at>

The accepted papers from this conference will be submitted for publication in IEEE Xplore as well as other Abstracting and Indexing (A&I) databases (EI Compendex). Distinguished papers, after further revisions, will be considered for possible publication in several SCI & EI indexed special issues of prestigious international journals. By submitting a paper to the conference, authors assure that if the paper is accepted, at least one author will attend the conference and present the paper. Selected excellent papers of CSS2014 will be recommended to be published in reputable journal SIs after further extension and improvement.

General Chairs
Julien Bourgeois, UFC/FEMTO-ST Institute, France
Frédéric Magoulès, Ecole Centrale Paris, France

Program Chairs
Zheng Yan, Xidian University, China / Aalto University, Finland
Peter Mueller, IBM Zurich Research, Switzerland
Robert H. Deng, Singapore Management University, Singapore

Steering Chairs
Yang Xiang, Deakin University, Australia
Laurence T. Yang, St. Francis Xavier University, Canada

Vice-program Chairs
(1) Data and Applications Security
Xinyi Huang, Fujian Normal University, China
Ioanna Dionysiou, University of Nicosia, Cyprus

(2) Network and Communications Security
Marinella Petrocchi, Istituto di Informatica e Telematica, CNR, Italy
Tanveer A Zia, Charles Sturt University, Australia

(3) Software and Systems Security
WenTao Zhu, Chinese Academy of Sciences, China
Jin Li, Guang Zhou University, China

(4) Cloud Security
Honggang Wang, University of Massachusetts Dartmouth, USA
Igor Kotenko, SPIIRAS, Russia

(5) Cyberspace Safety
Ming Li, Utah State University, USA
Shucheng Yu, University of Arkansas at Little Rock, USA

Program Committee
Track 1: Data and Applications Security

Man Ho Au, University of Wollongong, Australia
Xiaofeng Chen, Xidian University, China
Thoshitha Gamage, Washington State University, USA
Jinguang Han, Nanjing University of Finance & Economics, China
David Johnson, Imperial College London, UK
Daniel Conte de Leon, University of Idaho, USA
Jiguo Li, Hohai University, China
Joseph Liu, Institute for Infocomm Research, Singapore
Yuko Murayama, Iwate Prefectural University, Japan
Luca Spalazzi, Università Politecnica Delle Marche, Italy
Chunhua Su, JAIST, Japan
Ruben Trapero, TU Darmstadt, Germany
Raylin Tso, National Chengchi University, Taiwan
Wun-She Yap, University Tunku Abdul Rahman, Malaysia
Yong Yu, University of Wollongong, Australia

Track 2: Network and Communications Security

Marco Casassa Mont, Hewlett-Packard Labs Bristol, UK
David Chadwick, University of Kent, UK
Roberto Di Pietro, Bell Labs, France
Carmen Fernandez Gago, University of Malaga, Spain
Weili Han, Fudan University, China
Mohammed Kaosar, Charles Sturt University, Australia
Muhammad Khurram Khan, King Saud University, Saudi Arabia
Gabriele Lenzini, University of Luxembourg, Luxembourg
Fabio Martinelli, IIT-CNR Pisa, Italy
Paolo Mori, IIT-CNR Pisa, Italy
Federica Paci, University of Trento, Italy
Pierangela Samarati, Università degli Studi di Milano, Italy
Daniele Sgandurra, Imperial College, UK
Gianluca Stringhini, University of California at Santa Barbara, USA
Willy Susilo, University of Wollongong, Australia
Jianming Yong, University of Southern Queensland, Australia
Dajiang Zhang, Microsoft, China

Track 3: Software and Systems Security

Rafael Accorsi, University of Freiburg, Germany
Rose Gamble, University of Tulsa, USA
Dieter Gollmann, Hamburg University of Technology, Germany
Xiaoqi Jia, Chinese Academy of Sciences, China
Nan Jiang, East China Jiao Tong University, China
Muhammad Khurram Khan, King Saud University, Saudi Arabia
Junzuo Lai, Jinan University, China
Cheng-Chi Lee, Fu Jen Catholic University, Taiwan
Patrick P.C. Lee, The Chinese University of Hong Kong, Hong Kong
Chun-Ta Li, Tainan University of Technology, Taiwan
Jay Ligatti, University of South Florida, USA
Jingqiang Lin, Chinese Academy of Sciences, China
Jianxun Liu, Hunan University of Science and Technology, China
Joseph Liu, Institute for Infocomm Research, Singapore
Peng Liu, The Pennsylvania State University, USA
Zheli Liu, Nankai University, China
Gerardo Pelosi, Politecnico di Milano, Italy
Damien Sauveron, University of Limoges, France
Juan E. Tapiador, Universidad Carlos III de Madrid, Spain
Duncan Wong, City University of Hong Kong, Hong Kong
Shouhuai Xu, University of Texas at San Antonio, USA
Xianfeng Zhao, Chinese Academy of Sciences, China

Track 4: Cloud Security

Fabrizio Baiardi, University of Pisa, Italy
Miguel Correia, IST/INESC-ID, Portugal
Qian Duan, Penn State University, USA
Dennis Gamayunov, Moscow State University, Russia
Kun Hua, Lawrence Technological University, USA
Jun Huang, South Dakota School of Mines & Technology, USA
Hong Liu, University of Massachusetts Dartmouth, USA
Gregorio Martinez Perez, University of Murcia, Spain
Rongxing Lu, Nanyang Technological University, Singapore
Nuno Neves, University of Lisboa, Portugal
Vladimir Oleshchuk, University of Agder, Norway
Roland Rieke, Fraunhofer Institute for Secure Information Technology SIT, Germany
Joel Rodrigues, University of Beira Interior, Portugal
Houbing Song, West Virginia University, USA
Yun Tian, California State University, Fullerton, USA
Dalei Wu, Massachusetts Institute of Technology, USA
Shaoen Wu, Ball State University, USA
Yan Wu, National Institute of Standards and Technology, USA
Igor Saenko, St.Petersburg Institute for Information and Automation of RAS, Russia
Jianjun Yang, University of North Georgia, USA
Qing Yang, Montana State University, USA
Liang Zhou, Nanjing University of Post and Telecommunications, China

Track 5: Cyberspace Safety

Ryan Gerdes, Utah State University, USA
Hui Li, Xidian University, China
Xiaodong Lin, University of Ontario Institute of Technology, Canada
Yao Liu, University of South Florida, USA
Javier Lopez, University of Malaga, Spain
Aziz Mohaisen, Verisign Labs, USA
Chiu C. Tan, Temple University, USA
A. Selcuk Uluagac, Georgia Institute of Technology, USA
Cong Wang, City University of Hong Kong, China
Qian Wang, Wuhan University, China
Mengjun Xie, University of Arkansas at Little Rock, USA
Qing Yang, Montana State University, USA
Kai Zeng, University of Michigan - Dearborn, USA
Rui Zhang, University of Hawaii, USA
Horne, Rob | 24 Mar 13:31 2014

Re: [perpass] Wiki for managing PPM reviews of existing RFCs

Hi, I’m interested in reviewing RFCs so could someone tell me – or point me in the direction of – what the goals are, how to conduct a review and what exactly are we looking for?

From: ietf-privacy [mailto:ietf-privacy-bounces <at>] On Behalf Of Scott Brim
Sent: 24 March 2014 12:23
To: yaojk
Cc: ietf-privacy <at>; perpass
Subject: Re: [ietf-privacy] [perpass] Wiki for managing PPM reviews of existing RFCs


On Mar 23, 2014 10:49 PM, "Jiankang Yao" <yaojk <at>> wrote:
> since there are thousands of RFCs, it is better that they can be reviewed by category.
> for example, based on the following category:
> Jiankang Yao

We want to make sure the essential RFCs are reviewed, and categories are a good way to organize that if you know what categories to use. We don't have enough experience yet to know what good categories would be -- we don't know how many reviewers we will have or their interest areas. To start with let's just get everyone doing reviews. We can organize them later, once we get over a hundred.

Thanks... Scott

Scott Brim | 22 Mar 22:21 2014

Wiki for managing PPM reviews of existing RFCs

(I'm sending to both perpass and ietf-privacy for this announcement,
but follow-up should be only to ietf-privacy)

Greetings. At the London IETF we had a Monday lunch meeting to talk
about doing systematic reviews of existing RFCs. We finally have a
wiki page for tracking that activity. It is at

We are using the Trac ticket system. If you have used tickets for
working group issues, it's essentially the same but with a few
different parameters. There are instructions on how to fill out a
ticket on the web page.

If you were at the Monday lunch and announced an intention to work
on a particular set of RFCs, now there's a home for your reviews. If
you couldn't commit to doing reviews but want to do some, here is your
chance! (If you don't have a login on the wiki, it's easy to
register.) In both cases, please add a ticket when you _start_ your
review -- don't wait until you finish, people will want to know all
about it from the start.


Scott and Avri