Re: PING call - 20 August 2020 UTC 16 - Agenda Request

On Aug 19, 2020, at 10:56 AM, James Rosewell <james@51degrees.com> wrote:
> 
> The Security and Privacy Questionnaire is widely used across the W3C requiring questions and mitigations to be provided. The absence of policies clearly stating what constitutes acceptable or improved privacy makes the document harder to use. I've proposed some preliminary modifications. This general issue was acknowledged by Pete when commenting on the Privacy Threat Model document edits this week [1]. Pete raises the following excellent points.
> 
> "1. Enumerate what privacy protections / properties / boundaries we'd like the web to have, as a way of making our privacy-reviews consistent and easier to understand
> 2. Provide predictability to spec authors, so they can better anticipate the results of a privacy review
> 3. Provide consistency across the work PING does, and other privacy-related groups in W3C (TAG, PrivacyCG), so that we can make sure that one group doesn't accidentally undo the work another group is pursuing"
> 
> I'm curious to learn if there is work underway to adopt a common privacy policy across the W3C? Such a policy could be short and similar to the antitrust policy.

James, can you say a little more about what you mean by “common privacy policy across the W3C”?

There is a W3C privacy statement [0], a short policy similar to the antitrust policy (in being scoped to participation in W3C activities) that sets out the privacy of usage of W3C websites, mailing lists and applications.

Regarding conceptions of privacy for use of the Web generally (a large topic!), we have occasionally talked about drafting a privacy model for the Web, similar to architectural models or security models of the Web (which are sometimes explicitly documented, but more often not). The Privacy Threat Model work is the most up-to-date effort along those lines [1]. That does not provide a singular definition of privacy, but does list (and expand upon) high-level threats to privacy, based on RFC 6973 from colleagues in the IETF [2], which is also cited by the Security and Privacy Questionnaire [3].

I don’t believe PING or W3C or any other group can feasibly set a privacy policy for the Web, but improved understanding and communication of the privacy model can definitely help, as I’m hearing both James and Pete suggest, in our work on developing specifications of Web features.

—Nick

[0] https://www.w3.org/Consortium/Legal/privacy-statement-20140324
[1] https://w3cping.github.io/privacy-threat-model/
[2] https://tools.ietf.org/html/rfc6973
[3] https://w3ctag.github.io/security-questionnaire/

Received on Wednesday, 19 August 2020 16:12:08 UTC