From 718bc840a290709fabb8fe1a69f4e810809e1ae0 Mon Sep 17 00:00:00 2001 From: Amy Guy Date: Wed, 6 Sep 2023 17:22:59 +0100 Subject: [PATCH] Editorial: data minimization, fixes #303. (#324) Distills several principles into a single one at the start. Ancillary Data subsection may now be better as part of explanatory text in the intro or appendix. --- index.html | 90 ++++++++++++++++++++++++++---------------------------- 1 file changed, 44 insertions(+), 46 deletions(-) diff --git a/index.html b/index.html index e457b2f5..cd56b7e2 100644 --- a/index.html +++ b/index.html @@ -1083,25 +1083,31 @@ ## Data Minimization {#data-minimization} -
-Sites, user agents, and other actors should minimize the amount of -personal data they transfer between actors on the Web. -
+
[=Sites=], [=user agents=], and other [=actors=] +should minimize the amount of [=personal data=] they transfer.
-Data minimization limits the risks of data being disclosed or misused, and it also helps -user agents more meaningfully explain the decisions their users need to make. +
Web APIs should be designed to minimize the amount of data that sites need +to request to carry out their users' goals and provide granularity and user controls over personal +data that is communicated to sites.
-Web APIs should be designed to minimize the amount of data that sites need -to request to carry out their users' goals and provide granularity and user controls over personal -data that is communicated to sites. +In maintaining duties of [=duty of +protection|protection=], [=duty of discretion|discretion=] and [=duty of loyalty|loyalty=], user agents should share data only when it either is needed +to satisfy a user's immediate goals or aligns with the user's wishes and +interests.
-Because personal data may be sensitive in unexpected ways, or have risks of future uses that could be -unexpected or harmful, minimization as a principle applies to personal data that is not currently -known to be identifying, sensitive, or otherwise potentially harmful. +Data minimization limits the risks of data being disclosed or misused. It also +helps [=user agents=] and other [=actors=] more meaningfully explain the decisions their users need +to make. For more information, see [[[Data-Minimization]]]. + +Web APIs should be designed to minimize the amount of data that sites need to +request to pursue their users' goals and interests. They should also provide granular +user controls over [=personal data=] that is communicated to [=sites=]. -Note that this principle was further explored in an earlier TAG draft on [[[Data-Minimization]]]. +The principle of data minimization applies to all [=personal data=], even if it +is not known to be identifying, sensitive, or otherwise harmful. See: +[[[#hl-sensitive-information]]]. -Different users will want to share different kinds and amounts of [=ancillary data=] -with websites, including possibly no [=ancillary data=]. +Different [=users=] will want to share different kinds and amounts of +[=ancillary data=] with [=sites=]. Some [=people=] will not want to share any +[=ancillary data=] at all. -Aggregation or [=de-identified|de-identification=] of data may make users -interested in sharing [=ancillary data=] in cases where the user was -otherwise not interested. These techniques may be especially useful and important +Users may be willing to share [=ancillary data=] if it is aggregated with +the data of other users, or [=de-identified=]. This can be useful when [=ancillary data=] contributes to a collective benefit in a way that reduces privacy threats to individuals (see collective privacy). 
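Review bot: the "Web APIs should be designed to minimize the amount of data that sites need to request ..." sentence now appears twice in this hunk with slightly different wording: once in the new principle box ("to carry out their users' goals and provide granularity and user controls over personal data") and again as a later explanatory paragraph ("to pursue their users' goals and interests. They should also provide granular user controls over [=personal data=]"). Keep one, or make the second clearly read as explanation of the first rather than a second, divergent statement of the same principle. Two smaller points: replacing "this principle was further explored in an earlier TAG draft on [[[Data-Minimization]]]" with "For more information, see [[[Data-Minimization]]]" drops the status of that reference as an earlier TAG draft, which readers need to weigh it correctly, so consider "see the earlier TAG draft [[[Data-Minimization]]]"; and the removed sentence's rationale for applying minimization to all personal data (data "may be sensitive in unexpected ways, or have risks of future uses that could be unexpected or harmful") is not carried into the replacement, so either restore a short clause to that effect or confirm that the cross-referenced [[[#hl-sensitive-information]]] section states it.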
@@ -1150,33 +1152,34 @@ hide the contents of personal data. But even with those protections, some people may prefer not to participate in some kinds of measurement. - Ongoing work on privacy-preserving technologies in the IETF ppm, IRTF pearg, and W3C PATCG groups addresses relevant questions. + Group">PATCG groups. -
- Sites and user agents should seek to understand and respect people's - goals and preferences about use of data about them. -
- [=User agents=] should aggressively minimize [=ancillary data=] and should avoid burdening the user with additional [=privacy labor=] when deciding what [=ancillary data=] to expose. To that end, user agents may employ user research, solicitation of general preferences, and heuristics about -sensitivity of data or trust in a particular context. To help sites understand -user preferences, user agents can provide browser-configurable signals to -directly communicate common user preferences (such as a [=global opt-out=]). +sensitivity of data or trust in a particular [=context=]. -
- Specifications that define functionality for telemetry and analytics - should explicitly note the telemetry and analytics use to facilitate modal or general user - choices. -
+To help [=sites=] understand user preferences, user agents can provide +browser-configurable signals to directly communicate common user preferences +(such as a [=global opt-out=]). + +Data exposed for the [=ancillary uses=] of telemetry and analytics may reveal +information about user configuration, device, environment, or behavior that +could be used as part of browser fingerprinting to identify users across +sites. Revealing user preferences or other heuristics in providing or disabling +functionality could also contribute to a browser fingerprint. + +Functionality for telemetry and analytics should be explicitly noted by +specification authors, to help [=user agents=] provide configuration options +to their users. -Data exposed for [=ancillary uses=] including telemetry and analytics may -often reveal characteristics of user configuration, device, environment, or behavior that could be -used as part of browser fingerprinting to identify users across sites. Revealing user -preferences or other heuristics in providing or disabling functionality could also contribute to a -browser fingerprint. ## Information access {#information}
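Review bot: removing the "Sites and user agents should seek to understand and respect people's goals and preferences about use of data about them" principle drops the only site-directed obligation in this section: the consolidated principle at the top of the section asks sites only to minimize what they transfer, and the retained "should share data only when it either is needed to satisfy a user's immediate goals or aligns with the user's wishes and interests" sentence is addressed to user agents alone. Either keep a site-facing sentence here or extend the consolidated principle to cover sites' use of data about people. Also, "Functionality for telemetry and analytics should be explicitly noted by specification authors, to help [=user agents=] provide configuration options to their users" reads better in the active voice used elsewhere in the document: "Specification authors should explicitly note functionality for telemetry and analytics, so that [=user agents=] can offer configuration options to their users." Finally, the replacement for "Ongoing work on privacy-preserving technologies in the IETF ppm, IRTF pearg, and W3C PATCG groups addresses relevant questions." is visible here only as its tail ("+ Group">PATCG groups."), so check the rendered sentence is complete and that the anchor tag it closes is opened in the surrounding context.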