Security and privacy questionnaire

Hi,

The questionnaire: https://w3ctag.github.io/security-questionnaire/ seems overly focused on security.
There should be a section at the beginning of the threats on "inviting users to expose themselves".

Users are generally unaware of where their data goes, and are often not really able to understand the implications of a privacy policy even if one exists. They are generally prepared to give up information in exchange for some service, but inviting them to do so without being very clear (in terms a seven-year-old can understand, although to be fair many 4-year-olds can use the web) of the consequences, effectively puts them at risk.

I would like to see a specific discussion of the fact that users are poor at anticipating the long-term cumulative consequences of repeatedly giving up small amounts of information.

I think the questions on e.g. location information are valuable, but they seem to be phrased far too atomically.

One way to think of sensitive material is to consider how hard it is to replace, if an unfriendly party has it - your name is harder to change than your passport, which is harder to change than a credit card, which is harder to change than a certain amount of cash.

Another is to consider the cost of an unfriendly party having it.

Someone may use your credit card to spend your money. The cost of lost cash is fairly simple to calculate. But authenticating to an online service like a social network as you, and developing a reputation for things that you would not do, can be very damaging. Even worse is something that compromises the security of your possessions (e.g. knowing when you are not at home) or your person (e.g. knowing where you are, whether you are alone, with relative strangers, or in a group of friends and family) - all of which is magnified by having personal information - age, gender, etc…

cheers

Chaals

--
Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Monday, 22 June 2015 14:57:06 UTC