The GDPR Is Making Me TRACK MORE
From IIW
How The GDPR Is Making Me TRACK MORE
Wednesday 4J
Convener: George Fletcher
Notes-taker(s): George Fletcher
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
General discussion about GDPR requirements (not exhaustive)
- User ability to…
  - Request what is being tracked
  - Download data the company has on me
  - Update some data elements (if they are incorrect)
  - Delete all my data
- Clear and informed consent
- Requirement to report data tracked by device identifier and not directly tied to a user (e.g. persistent browser cookie)
- The issue of concern: if we have to give out tracked data based on device identifiers, how do we ensure that data is only given to the correct entity?
  - low confidence — device reports the identifiers to the host
    - no way to verify that the identifiers the device is claiming as “theirs” are really valid (i.e. the correct value and not impersonated/stolen)
  - medium confidence — possibly OAuth2 dynamic client registration with pub/priv keys; apps report identifiers in a JWS (signed JSON Web Token) on a periodic basis; host builds a risk-based profile of the device based on these signed assertions. At data request time, match signed identifiers to the risk-based profile to define a higher level of confidence
  - high confidence — didn’t discuss this much… probably requires special hardware on the device
- Conclusion — in order to support safe release of data to a device identifier additional tracking must be done
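
A sketch of the medium-confidence approach above, added here as an example and not code from the session: the host verifies periodic signed identifier reports against the key stored at client registration, builds a per-client profile, and at data request time releases only identifiers with enough signed history. The Ed25519/EdDSA choice, the claim names (`iss`, `iat`, `nonce`, `identifiers`), the `registry` map standing in for keys stored at OAuth2 dynamic client registration, the host-issued nonce and the `minReports` threshold are all assumptions.

```javascript
const crypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');

// Device side: sign the identifiers it claims as a compact JWS (EdDSA).
function signReport(privateKey, clientId, identifiers, iat, nonce) {
  const header = b64u(JSON.stringify({ alg: 'EdDSA' }));
  const payload = b64u(JSON.stringify({ iss: clientId, iat, nonce, identifiers }));
  const sig = crypto.sign(null, Buffer.from(`${header}.${payload}`), privateKey);
  return `${header}.${payload}.${b64u(sig)}`;
}

// Host side: verify against the public key stored at client registration
// (registry is a hypothetical Map of clientId -> public key).
// Returns the claims, or null on any failure.
function verifyReport(registry, jws) {
  try {
    const [h, p, s] = jws.split('.');
    const header = JSON.parse(Buffer.from(h, 'base64url').toString());
    const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
    const key = registry.get(claims.iss);
    if (header.alg !== 'EdDSA' || !key || !Array.isArray(claims.identifiers)) return null;
    const ok = crypto.verify(null, Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
    return ok ? claims : null;
  } catch {
    return null;
  }
}

// Periodic report: remember the distinct timestamps at which each identifier
// was asserted, so replaying one captured report does not raise confidence.
function recordReport(registry, profiles, jws) {
  const claims = verifyReport(registry, jws);
  if (!claims) return false;
  const profile = profiles.get(claims.iss) ?? new Map();
  for (const id of claims.identifiers) {
    profile.set(id, (profile.get(id) ?? new Set()).add(claims.iat));
  }
  profiles.set(claims.iss, profile);
  return true;
}

// Data request: a signed report carrying the host's fresh nonce. Only
// identifiers with at least minReports signed sightings are released.
function releasable(registry, profiles, requestJws, nonce, minReports) {
  const claims = verifyReport(registry, requestJws);
  if (!claims || !nonce || claims.nonce !== nonce) return [];
  const profile = profiles.get(claims.iss) ?? new Map();
  return claims.identifiers.filter((id) => (profile.get(id)?.size ?? 0) >= minReports);
}
```

The `profiles` map is itself the additional tracking the conclusion refers to: the host has to retain a signed-sighting history per client in order to decide what it can safely release.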