Re: new Privacy Best Practices draft from Dominique Hazael-Massieux on 2011-07-08 (public-device-apis@w3.org from July 2011)

From: Dominique Hazael-Massieux <dom@w3.org>
Date: Fri, 08 Jul 2011 14:50:21 +0200
To: Frederick.Hirsch@nokia.com
Cc: public-device-apis@w3.org
Message-ID: <1310129429.1774.388.camel@altostratustier>

Hi,

Le mardi 05 juillet 2011 à 21:15 +0000, Frederick.Hirsch@nokia.com a
écrit :
> I have created an initial draft of  a Privacy Best Practices document for service providers.
> see http://dev.w3.org/2009/dap/privacy-practices/

Thanks for getting this started!

Some early comments (I'd probably have much more after a more thorough
reading, but I thought I would send what already appeared to me):
* the document's title refer to device APIs; I think the current content
doesn't match this scoping:
 - it seems to apply more broadly than when using APIs
 - it applies more broadly than just "device" APIs (assuming this has a
clear definition)
Fixing this could mean either broadening the title, or reducing the
actual scope, or a combination of both

* I think the document should strive to use as little privacy-jargon as
possible and instead use language that will make sense to services
providers and developers; I would probably argue e.g. against having a
section called "minimizing data" since it only makes sense to people who
have been exposed to the concept of data minimization; in this case, it
could be as simple as rewording it in "minimize collection and
transmission of personal data"

* the best practices mix imperative language ("do this"), affirmative
language ("A is B", or "A requires B"), and RFC2119 language ("X should
do Y"); I think we should align on a single form as much as we can 

* I think giving plenty of examples would be terrific

* there should be something about using HTTPs to transmit
personal/sensitive data over the network

* while referencing privacy by design is good, I don't think that most
of our readers would actually bother; it would probably be better
documenting how these principles apply concretely to the development of
Web apps using sensitive APIs.

* the bits on "minimal consent dialogs" don't seem to apply to services
providers but more to UA? at least it's not clear to me how it would
apply to services providers; likewise for the discussion on "making
decision in context".

Some links to previous discussions on these BP that may be worth
exploring:
http://lists.w3.org/Archives/Public/public-device-apis/2010Mar/att-0154/minutes-2010-03-16.html#item01
http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-21.pdf

Dom

Received on Friday, 8 July 2011 12:50:42 UTC