Re: privacy
On Wed, 8 Jan 2003, Randy Bush wrote:
> which is one of the reasons per-field granularity is desired. it
> maximizes flexibility, i.e., you're not just stuck with "don't publish
> tech poc." it handles the union of requests heard from various
> registrars, locales, and registries.
I'm not sure that mere item tagging is adequate.

Way back in the 1970's in the days when we were worrying about database
privacy rather than net privacy it was realized that data has a
synergistic property - that N items of sensitivity S often have an aggregate
sensitivity much larger than N*S.

Thus the privacy policies had to express limitations of combinations.
Sometimes the policies had to express other things, such as whether to lose
precision (e.g. turn a full postal address into a mere postal code, or a
phone number into a mere city code) possibly based on relationships
between the requestor and the requested record (e.g. obtain records only
when subject's salary is lower than that of querier.)

I don't think that these kinds of policies can be mechanized with only
simple item tags. Certainly tags are useful and valuable for simple
scenarios. And it may be that they are a good balance between nothing and
a fully flexible generalized system of enormous complexity. But until
somebody actually thinks through the generalized systems it's hard to know
if simple tags are, in fact, a good middle ground or whether they will
prove to be a good idea that doesn't quite do the job (like ICMP source
quench) and were a waste of time to specify and to implement.
--karl--
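
An added illustration, not part of the original message: a minimal Python sketch contrasting per-field tags with a policy that also limits combinations and reduces precision for unrelated requesters. The record, tag values, rule tables and function names are all hypothetical and constructed for this example.

```python
# Constructed contact record; every value here is made up for the example.
RECORD = {
    "name": "Example Person",
    "email": "person@example.net",
    "phone": "+1-831-555-0100",
    "address": "1 Example Way, Santa Cruz, CA 95060",
}

# Item-tag model: each field carries its own tag and is judged in isolation.
FIELD_TAGS = {"name": "public", "email": "public",
              "phone": "public", "address": "public"}

# Combination limits: field sets whose joint release is more sensitive
# than the sum of the parts (the "N items > N*S" observation).
FORBIDDEN_COMBINATIONS = [{"name", "phone", "address"}]

# Precision reduction: full phone -> country/area prefix, address -> postal code.
COARSEN = {
    "phone": lambda v: v.rsplit("-", 2)[0],
    "address": lambda v: v.split()[-1],
}

def release_by_tags(record, requested):
    """Release a field if and only if its own tag says public."""
    return {f: record[f] for f in requested if FIELD_TAGS.get(f) == "public"}

def release_with_policy(record, requested, related=False):
    """Apply tags, then combination limits.

    A requester with a recognised relationship to the record (related=True,
    an assumption standing in for any requester/record relation) gets full
    precision; anyone else gets coarsened values whenever the response would
    contain a forbidden combination.
    """
    out = release_by_tags(record, requested)
    if related:
        return out
    for combo in FORBIDDEN_COMBINATIONS:
        if combo <= set(out):
            for field in sorted(combo):
                if field in COARSEN:
                    out[field] = COARSEN[field](out[field])
    return out

if __name__ == "__main__":
    wanted = ["name", "phone", "address"]
    print("tags only:  ", release_by_tags(RECORD, wanted))
    print("with policy:", release_with_policy(RECORD, wanted))
```

Every field is individually tagged public, so the tag-only check releases the full combination; only the second function can express that the three fields together warrant less precision.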