- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Fri, 08 Jul 2011 14:50:21 +0200
- To: Frederick.Hirsch@nokia.com
- Cc: public-device-apis@w3.org
Hi,

On Tuesday 05 July 2011 at 21:15 +0000, Frederick.Hirsch@nokia.com wrote:
> I have created an initial draft of a Privacy Best Practices document for service providers.
> see http://dev.w3.org/2009/dap/privacy-practices/

Thanks for getting this started!

Some early comments (I'd probably have much more after a more thorough reading, but I thought I would send what already appeared to me):

* the document's title refers to device APIs; I think the current content doesn't match this scoping:
  - it seems to apply more broadly than when using APIs
  - it applies more broadly than just "device" APIs (assuming this has a clear definition)

  Fixing this could mean either broadening the title, or reducing the actual scope, or a combination of both

* I think the document should strive to use as little privacy-jargon as possible and instead use language that will make sense to service providers and developers; I would probably argue e.g. against having a section called "minimizing data" since it only makes sense to people who have been exposed to the concept of data minimization; in this case, it could be as simple as rewording it as "minimize collection and transmission of personal data"

* the best practices mix imperative language ("do this"), affirmative language ("A is B", or "A requires B"), and RFC2119 language ("X should do Y"); I think we should align on a single form as much as we can

* I think giving plenty of examples would be terrific

* there should be something about using HTTPS to transmit personal/sensitive data over the network

* while referencing privacy by design is good, I don't think that most of our readers would actually bother; it would probably be better to document how these principles apply concretely to the development of Web apps using sensitive APIs.

* the bits on "minimal consent dialogs" don't seem to apply to service providers but more to UA? at least it's not clear to me how it would apply to service providers; likewise for the discussion on "making decision in context".

Some links to previous discussions on these BP that may be worth exploring:
http://lists.w3.org/Archives/Public/public-device-apis/2010Mar/att-0154/minutes-2010-03-16.html#item01
http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-21.pdf

Dom

Received on Friday, 8 July 2011 12:50:42 UTC