Re: PING call - 20 August 2020 UTC 16 - Agenda Request

Hi James (and all),

This doesn’t directly reply to James’s point, since I think Nick addressed it, but just wanted to add the below too, to frame things a bit and give some background (as I see it):

There are several efforts to give guidance to groups, to ease privacy reviews and assist groups. But all the relevant docs (the questionnaire, the TAG’s ethical web principles, the under-construction threat-model doc, the fingerprinting doc, etc.) are guidance, not law. If something comes up in a privacy review that's alarming or concerning, we’ll update the relevant document to cover the new finding, not the reverse (i.e. limit the finding to match the existing docs).

Best,
Pete


> On Aug 19, 2020, at 9:56 AM, James Rosewell <james@51degrees.com> wrote:
> 
> Hi Christine, Pete,
> 
> I've read the three main documents that the group delivers and the charter. The mission of the group is to "improve privacy". However, the success criteria are incomplete as they focus solely on the provision of feedback and review. The success criteria do not define how improved privacy is actually measured.
> 
> The Security and Privacy Questionnaire is widely used across the W3C requiring questions and mitigations to be provided. The absence of policies clearly stating what constitutes acceptable or improved privacy makes the document harder to use. I've proposed some preliminary modifications. This general issue was acknowledged by Pete when commenting on the Privacy Threat Model document edits this week [1]. Pete raises the following excellent points.
> 
> "1. Enumerate what privacy protections / properties / boundaries we'd like the web to have, as a way of making our privacy-reviews consistent and easier to understand
> 2. Provide predictability to spec authors, so they can better anticipate the results of a privacy review
> 3. Provide consistency across the work PING does, and other privacy-related groups in W3C (TAG, PrivacyCG), so that we can make sure that one group doesn't accidentally undo the work another group is pursuing"
> 
> I'm curious to learn if there is work underway to adopt a common privacy policy across the W3C? Such a policy could be short and similar to the antitrust policy.
> 
> I have reviewed the Security and Privacy Questionnaire and raised four issues with the document that have now been closed by TAG chairs, in two cases without a logical conclusion or explanation. All these issues would be significantly mitigated with reference to such a common privacy policy. I'd like us to discuss each of these issues during the next meeting.
> 
> Regards,
> 
> James
> 
> [1] https://w3cping.slack.com/archives/CTL6DM6HZ/p1597697711029200
> 

Received on Wednesday, 19 August 2020 17:01:48 UTC