From d021953b9826eb262406eb726e05785583f05319 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Wed, 17 Jan 2024 17:34:29 +0000 Subject: [PATCH] RFC2119 changes (#393) SHA: c2bd5ce7d587e6c6c4cff7ae08c3e1cdf3c8f81f Reason: push, by jyasskin Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- index.html | 87 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 59 insertions(+), 28 deletions(-) diff --git a/index.html b/index.html index 14ed1313..3a540c18 100644 --- a/index.html +++ b/index.html @@ -769,15 +769,15 @@ "id": "web-without-3p-cookies" } }, - "publishISODate": "2024-01-12T00:00:00.000Z", - "generatedSubtitle": "W3C Editor's Draft 12 January 2024" + "publishISODate": "2024-01-17T00:00:00.000Z", + "generatedSubtitle": "W3C Editor's Draft 17 January 2024" }

Privacy Principles

-

W3C Editor's Draft

+

W3C Editor's Draft

More details about this document
@@ -884,7 +884,7 @@

Privacy Principles

This document is governed by the 03 November 2023 W3C Process Document. -

+

How This Document Fits In

@@ -1598,7 +1598,7 @@

Privacy Principles

for them. Because the information provided by ancillary APIs that provide new information isn't available in any other way, user agents should let people turn them off, despite the additional risk of browser fingerprinting.

-

2.3 Information access

Principle: New web APIs must guard users' information at least +

2.3 Information access

Principle: New web APIs should guard users' information at least as well as existing APIs that are expected to stay in the web platform.
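Review bot: The switch from "must" to "should" in the 2.3 Information access principle weakens it to something that, by the Conformance text added later in this same patch, "can be overridden in some rare cases", yet neither the hunk nor the commit message says which cases would justify a new API guarding users' information less well than existing ones. Suggest either keeping "must" here or adding a sentence after the principle that names the kind of valid reason the editors have in mind, so that API reviewers have a test to apply. The identical wording change in the principles summary list needs to stay in step with whichever is chosen.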
@@ -1930,7 +1930,7 @@

Privacy Principles

device to their young child). Other times, the owner and primary user of a device might not be the only person with administrator access.

These relationships can involve power imbalances. A child may have difficulty accessing any -computing devices other than the ones their parent provides. A victim of abuse might not be able to +computing devices other than the ones their parent provides. A victim of abuse might not be able to prevent their partner from having administrator access to their devices. An employee might have to agree to use their employer's devices in order to keep their job.

While a device owner has an interest and sometimes a responsibility to make sure their device is @@ -1951,20 +1951,21 @@

Privacy Principles

2.9 Protecting web users from abusive behaviour

Principle: Systems that allow for communicating on the web must provide an - effective capability to report abuse. - + effective capability to report abuse. +
Principle: User agents and sites must - take steps to protect their users from abusive behaviour, and abuse + take steps to protect their users from abusive behaviour, and abuse mitigation must be considered when designing web platform features.
-

Online harassment is the "pervasive or severe targeting of an individual or group online -through harmful behavior" [PEN-Harassment]. Harassment is a prevalent problem on the web, +

Digital abuse is the mistreatment of a person through digital means. Online harassment +is the "pervasive or severe targeting of an individual or group online through harmful behavior" [PEN-Harassment] +and constitutes a form of abuse. Harassment is a prevalent problem on the web, particularly via social media. While harassment may affect any person using the web, it may be more severe and its consequences more impactful for LGBTQ people, women, people in racial or ethnic minorities, people with disabilities, vulnerable people and other marginalized groups.
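Review bot: The rewritten sentence in 2.9 now places the [PEN-Harassment] citation in the middle, so "and constitutes a form of abuse" reads as if it were part of the quoted source definition rather than the editors' own statement. Suggest ending the quoted definition at the citation and starting a new sentence, for example "Harassment is a form of abuse and is a prevalent problem on the web". The new term "Digital abuse" is also defined here while the two principles directly above say "abuse" and "abusive behaviour"; a short clause tying the defined term to those words would make it clear they are the same concept.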

@@ -1976,11 +1977,11 @@

Privacy Principles

Disclosure of location information can be used to intrude on a person's physical safety or space.

Reporting mechanisms are mitigations, but may not prevent harassment, particularly in cases where -hosts, moderators, or other intermediaries are supportive of or complicit in the abuse.

+hosts, moderators, or other intermediaries are supportive of or complicit in the abuse.

Effective reporting is likely to require:

    -
  • standardized mechanisms to identify abuse reporting contacts;
  • -
  • sites and user agents to provide visible and usable ways to report abuse;
  • +
  • standardized mechanisms to identify abuse reporting contacts;
  • +
  • sites and user agents to provide visible and usable ways to report abuse;
  • identifiers to refer to senders and content;
  • the ability to provide context and explanation of harms;
  • people responsible for promptly responding to reports;
  • @@ -2088,7 +2089,7 @@

    Privacy Principles

    to people in accessible forms.

    Principle: Mechanisms that can be used for recognizing people should be designed so that - their operation is visible and distinguishable, to user agents, researchers and regulators. + their operation is visible and distinguishable, to user agents, researchers, and regulators.
    @@ -2116,7 +2117,7 @@

    Privacy Principles

    Simply providing a link to a complex policy is unlikely to mean that the person is informed.

    Principle: An actor should avoid interrupting a person's use of a site for - consent requests when an alternative is available. + consent requests when an alternative is available.
    @@ -2137,8 +2138,8 @@

    Privacy Principles

Principle: - It should be as easy for a person to check what consent they have given, to withdraw consent, - or to opt out or object, as to give consent. + It should be as easy for a person to check what consent they have given, to withdraw consent, + or to opt out or object, as to give consent.
@@ -2524,7 +2525,7 @@

Privacy Principles

  • Principle: User agents should provide a way to enable or disable ancillary APIs that provide new information and should set the default according to their users' needs. -
  • Principle: New web APIs must guard users' information at least +
  • Principle: New web APIs should guard users' information at least as well as existing APIs that are expected to stay in the web platform.
  • Principle: System designers should not assume that particular information is or is not sensitive. @@ -2549,10 +2550,10 @@

    Privacy Principles

    know about this surveillance.
  • Principle: Systems that allow for communicating on the web must provide an - effective capability to report abuse. -
  • Principle: + effective capability to report abuse. +
  • Principle: User agents and sites must - take steps to protect their users from abusive behaviour, and abuse + take steps to protect their users from abusive behaviour, and abuse mitigation must be considered when designing web platform features.
  • Principle: When accessing personal data or requesting permission, sites and other actors should specify the purpose @@ -2569,17 +2570,17 @@

    Privacy Principles

    language form and in machine-readable form.
  • Principle: Mechanisms that can be used for recognizing people should be designed so that - their operation is visible and distinguishable, to user agents, researchers and regulators. + their operation is visible and distinguishable, to user agents, researchers, and regulators.
  • Principle: When any actor obtains consent for processing from a person, the actor should design the consent request so as to learn the person's true intent to consent or not, and not to maximize the processing consented to.
  • Principle: An actor should avoid interrupting a person's use of a site for - consent requests when an alternative is available. + consent requests when an alternative is available.
  • Principle: - It should be as easy for a person to check what consent they have given, to withdraw consent, - or to opt out or object, as to give consent. + It should be as easy for a person to check what consent they have given, to withdraw consent, + or to opt out or object, as to give consent.
  • Principle: Actors should provide functionality to access, correct, and remove data about people to those people when that data has been provided by someone else. @@ -2597,7 +2598,19 @@

    Privacy Principles

    promise on the user's behalf about the user or their environment.
  • -

    D. Acknowledgements

    +

    D. Conformance

    + + +

    This document does not adhere to strict [RFC2119] terminology because it is primarily of +an informative nature and does not easily lend itself to constraining a conformance class. +However, within the formulation of its principles, we have taken care to use "should" to indicate +that a principle can be overridden in some rare cases given that there are valid reasons for doing so and +"must" to indicate that we can see no situation in which deviating from the principle could +be justified.

    +
    + + +

    E. Acknowledgements

    Some of the definitions in this document build on top of the work in Tracking Preference Expression (DNT).
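Review bot: The new Conformance paragraph scopes its meanings of "should" and "must" to "the formulation of its principles", but the document also uses these words in body prose (for example "user agents should let people turn them off" in the context lines before 2.3), and the paragraph does not say how those uses are to be read. Suggest stating explicitly that the two words carry the defined meaning only inside statements marked "Principle:" and their ordinary English meaning elsewhere. Since the keywords are lowercase and the paragraph says the document does not adhere strictly to [RFC2119], it would also help to say that these two definitions replace the RFC 2119 ones rather than supplement them; RFC 8174 already limits the RFC 2119 meanings to the uppercase forms. Inserting this appendix also re-letters Acknowledgements, Issue summary and References, so any cross-reference that cites an appendix by letter needs checking.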

    @@ -2624,7 +2637,7 @@

    Privacy Principles

    Wendy Seltzer.

    -

    E. Issue summary

    There are no issues listed in this specification.

    F. References

    F.1 Informative references

    +

    F. Issue summary

    There are no issues listed in this specification.

    G. References

    G.1 Informative references

    [ADDING-PERMISSIONS]
    Adding another permission? A guide. Nick Doty. 2018. URL: https://github.com/w3cping/adding-permissions @@ -2728,6 +2741,8 @@

    Privacy Principles

    A Relational Theory of Data Governance. Salomé Viljoen. Yale Law Journal. URL: https://www.yalelawjournal.org/feature/a-relational-theory-of-data-governance
    [Relational-Turn]
    A Relational Turn for Data Protection?. Neil Richards; Woodrow Hartzog. URL: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3745973&s=09 +
    [RFC2119]
    + Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
    [RFC6772]
    Geolocation Policy: A Document Format for Expressing Privacy Preferences for Location Information. H. Schulzrinne, Ed.; H. Tschofenig, Ed.; J. Cuellar; J. Polk; J. Morris; M. Thomson. IETF. January 2013. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc6772
    [RFC6973]
    @@ -3240,6 +3255,22 @@

    Privacy Principles

  • § 2.8 Device Owners and Administrators (2)
  • + +