Friday, May 26, 2017

Privacy toolkit - W3C Privacy Assessment

This is a short article simply to point toward W3C "Specification Privacy Assessment". I watch many standards bodies, and interact with a few. W3C is most mature "Standards" organization with regards to considering privacy impact that their standards have. Others are working toward having some process for considering privacy while writing a standard specification. But the others are more aspirational, where W3C is 'doing it'.

The best introduction is a presentation. This is fantastic presentation, very detailed. I would love to present these slides as there is so much depth on each page.

They have a set of Questions that each W3C specification writing team must consider. These questions are not intended to short-circuit a real Privacy Impact, but rather to focus on some of the obvious top issues. Here is an excerpt:
  • can the information be used (alone or in combination with other APIs / sources of information) to fingerprint a device or user?
  • may I access to the information I created?
  • may I record it myself (locally)?
  • am I able to have actions on this personal record?
  • may I block partly or totally the record of the information?
  • may I fake it? (think about fuzzy geolocation or voluntary fake location)
  • Is the data personally-derived, i.e. derived from the interaction of a single person, or their device or address? (If so, even if anonymous, it might be re-correlated)
  • Does the data record contain elements that would enable such re-correlation? (examples include an IP address, and so on)
  • What other data could this record be correlated with? (e.g. the ISP)
  • If you had large amounts of this data about one person, what conclusions would it enable you to draw? (e.g. maybe you could estimate location from many ambient light events by estimating latitude and longitude from the times of sunrise and sunset)
  • Am I likely to know if information is being collected?
  • How visible is its collection and or use?
  • Do I get feedback on the patterns that the information could reveal (at any instant, over time) so I can adjust behaviors?
  • if a background event about the device is fired in all browsing contexts, does it allow correlation of a user across contexts?
  • can code on a page send signals that can be received by device sensors on nearby devices?
You can see that W3C considers all of the Privacy Principles, not just confidentiality.

They also have defined some re-usable Privacy Considerations. Such as the "Web Applications Privacy Best Practices"
  • Best Practice 1: Follow "Privacy By Design" principles
  • Best Practice 2: Enable the user to make informed decisions about sharing their personal information with a service.
  • Best Practice 3: Enable the user to make decisions at the appropriate time with the correct contextual information.
  • Best Practice 4: When learning user privacy decisions and providing defaults, allow the user to easily view and change their previous decisions.
  • Best Practice 5: Focus on usability and avoid needless prompting.
  • Best Practice 6: Active consent should be freely given, for specific data, and be informed.
  • Best Practice 7: Be clear and transparent to users regarding potential privacy concerns.
  • Best Practice 8: Be clear as to whether information is needed on a one-time basis or is necessary for a period of time and for how long.
  • Best Practice 9: Request the minimum number of data items at the minimum level of detail needed to provide a service.
  • Best Practice 10: Retain the minimum amount of data at the minimum level of detail for the minimum amount of time needed. Consider potential misuses of retained data and possible countermeasures.
  • Best Practice 11: Maintain the confidentiality of user data in transmission, for example using HTTPS for transport rather than HTTP.
  • Best Practice 12: Maintain the confidentiality of user data in storage.
  • Best Practice 13: Control and log access to data.

The "Device API Privacy Considerations". Which includes a nice breakdown of the Privacy Principles to those that impact Device design.

The "Mobile Web Application Best Practices". Which not just itemizes a fantastic set of Best Practices (cookie use, client storage, robustness, informing user, avoid redirects, etc...). But goes into detail on these best practices
    3.1 Application Data 
    3.2 Security and privacy 
    3.5 User Experience 

see also my articles