RE: PING call - 20 August 2020 UTC 16 - Agenda Request from James Rosewell on 2020-08-20 (public-privacy@w3.org from July to September 2020)

From: James Rosewell <james@51degrees.com>
Date: Thu, 20 Aug 2020 12:59:15 +0000
To: Nick Doty <npdoty@ischool.berkeley.edu>
CC: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <DB7PR02MB47109A6A392453BD348F2564A65A0@DB7PR02MB4710.eurprd02.prod.outlook.com>
Hi Nick,

> James, can you say a little more about what you mean by “common privacy policy across the W3C”?

Here is a simple example of a policy from another industry.

Automobile manufacturers create cars that can exceed the speed limit. The choice to comply with the law is that of the individual driver not the automobile manufacturer. The automobile industry has therefore adopted a policy in relation to people's choice and their role in relation to that choice and the law.

As I read these three documents, and an increasing number of the documents they reference, I'm observing the same difficulties Pete has highlighted in understand what the W3C's position (policy) is in relation to similar matters.

Questions I'm left with include; Is it the role of the technical standard to enforce the law? If so which law? If not a law what is the standard against which privacy is measured? Is it even the role of the W3C to be involved in such issues? If as Michael proposes there is a need for boundaries how can these boundaries be defined by W3C? If not the W3C, whom?

When reading RFC6973 I observe a document open to a broader range of issues and remedies than the W3C documents. For example; supply chains can be trusted. However RFC6973 recognises that privacy issues cannot be covered entirely within technical guidance.

These documents would be simpler to author and use if they referenced a single common policy on privacy covering the work and standards of the W3C. Duplication, assumptions, and inconsistencies would be removed.

Regards,

James

-----Original Message-----
From: Nick Doty <npdoty@ischool.berkeley.edu>
Sent: 19 August 2020 17:12
To: James Rosewell <james@51degrees.com>
Cc: public-privacy (W3C mailing list) <public-privacy@w3.org>
Subject: Re: PING call - 20 August 2020 UTC 16 - Agenda Request

On Aug 19, 2020, at 10:56 AM, James Rosewell <james@51degrees.com> wrote:
>
> The Security and Privacy Questionnaire is widely used across the W3C requiring questions and mitigations to be provided. The absence of policies clearly stating what constitutes acceptable or improved privacy makes the document harder to use. I've proposed some preliminary modifications. This general issue was acknowledged by Pete when commenting on the Privacy Thread Model document edits this week [1]. Pete raises the following excellent points.
>
> "1. Enumerate what privacy protections / properties / boundaries we'd
> like the web to have, as a way of making our privacy-reviews
> consistent and easier to understand 2. Provide predictability to spec authors, so they can better anticipate the results of a privacy review 3. Provide consistency across the work PING does, and other privacy-related groups in W3C (TAG, PrivacyCG), so that we can make sure that one group doesn't accidentally undo the work another group is pursuing"
>
> I'm curious to learn if there is work underway to adopt a common privacy policy across the W3C? Such a policy could be short and similar to the antitrust policy.

James, can you say a little more about what you mean by “common privacy policy across the W3C”?

There is a W3C privacy statement [0], a short policy similar to the antitrust policy (in being scoped to participation in W3C activities) that sets out the privacy of usage of W3C websites, mailing lists and applications.

Regarding conceptions of privacy for use of the Web generally (a large topic!), we have occasionally talked about drafting a privacy model for the Web, similar to architectural models or security models of the Web (which are sometimes explicitly documented, but more often not). The Privacy Threat Model work is the most up-to-date effort along those lines [1]. That does not provide a singular definition of privacy, but does list (and expand upon) high-level threats to privacy, based on RFC 6973 from colleagues in the IETF [2], which is also cited by the Security and Privacy Questionnaire [3].

I don’t believe PING or W3C or any other group can feasibly set a privacy policy for the Web, but improved understanding and communication of the privacy model can definitely help, as I’m hearing both James and Pete suggest, in our work on developing specifications of Web features.

—Nick

[0] https://www.w3.org/Consortium/Legal/privacy-statement-20140324

[1] https://w3cping.github.io/privacy-threat-model/

[2] https://tools.ietf.org/html/rfc6973

[3] https://w3ctag.github.io/security-questionnaire/

This email and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose, use, store or copy the information contained herein. This is an email from 51Degrees.mobi Limited, 5 Charlotte Close, Reading. RG47BY. T: +44 118 328 7152; E: info@51degrees.com; 51Degrees.mobi Limited t/as 51Degrees.
Received on Thursday, 20 August 2020 12:59:38 UTC