Proposed text for privacy requirements

I'd like to propose the following draft text for the Privacy portion
of the "Device API Security, Privacy and Policy Requirements" document
[1]. (We can merge this rough draft with the text that Dom provides.)
I will probably have more to offer later.

Privacy Requirements

Privacy considerations are important to Device APIs, since misuse of  
information can have financial, physical safety, and reputation  
impacts, among others. Privacy needs a systemic solution, including  
functional requirements on user agents, web sites and other components  
of the system, since any opportunity for misuse of private information  
is a risk. Addressing privacy may include functional requirements in  
the technical standards, laws and regulations, and best practices.  
When privacy concerns are not appropriately met, legal remedies in the  
courts may be required after the fact. Thus it is important that  
privacy is addressed appropriately up-front.

The following aspects of privacy should be addressed with more  
detailed requirements [PrivacyIssuesGeolocation]:

Appropriateness - is the information collected appropriate to the  

Minimization - is the minimum necessary granularity collected

User Control - Does the user have control over the sharing of  
information, active or passive? Are there defaults?

Notice - What information is provided to the user by the entity  
requesting information regarding that request? Can a user attach rules  
regarding use to the information provided?

Consent - Is the user in control of decisions to disclose information?
How is this control manifested: per use, per recipient, etc.?
What is the model: opt-in or opt-out?

Secondary Use - Is consent required for secondary use?  Are there  
mechanisms for setting limits or asking permission?

Distribution - Can the entity requesting the information redistribute  

Retention - Can policy statements about retention be made? Is the  
information provided with a timestamp to enable retention limits?

Transparency and Feedback - Are flows of information transparent to  
the user? Can the user access log information?

Aggregation - Can information be aggregated? Are persistent unique
identifiers used?

In general these concerns apply to all APIs, though the impact of
privacy risks may vary with the individual API. For example, inappropriate
disclosure of contacts or location information could have serious
personal safety implications, while system information disclosures might
be less serious.

[PrivacyIssuesGeolocation] Doty, N., Mulligan, D., Wilde, E. "Privacy
Issues of the W3C Geolocation API". UC Berkeley School of Information,
24 February 2010. URI:


(It might be worth considering whether a lightweight version of P3P or
Geopriv is appropriate and can be generalized for DAP in the context
of extension points as discussed by Noah.)

regards, Frederick

Frederick Hirsch


Received on Sunday, 28 February 2010 16:04:11 UTC