diff --git a/index.html b/index.html index 58cafe57..6dfd6928 100644 --- a/index.html +++ b/index.html @@ -864,7 +864,7 @@
This document is governed by the 12 June 2023 W3C Process Document. -
+See 2.11.1 Guardians for more detail on how this principle applies to vulnerable people with guardians.
+See 2.10.1 Guardians for more detail on how this principle applies to vulnerable people with guardians.
Computing devices have owners, who have @@ -1832,92 +1832,80 @@
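Review bot: in the @@ -864 hunk the cross-reference is corrected by hand from "2.11.1 Guardians" to "2.10.1 Guardians"; a hard-coded section number will drift again the next time a section is added or removed above it. Suggest linking to the Guardians section by its id so the number is filled in when the document is built, and confirming that 2.10.1 matches the current table of contents.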
Online harassment is the "pervasive or severe targeting of an individual or group online -through harmful behavior" [PEN-Harassment]. Harassment is a prevalent problem on the Web, -particularly via social media. While harassment may affect any person using the Web, it may be more -severe and its consequences more impactful for LGBTQ people, women, people in racial or ethnic -minorities, people with disabilities, vulnerable people and other marginalized groups.
-Harassment is both a violation of privacy itself and can be magnified or facilitated by other -violations of privacy.
-Abusive online behavior may include: sending unwanted information; directing others to contact -or bother a person ("dogpiling"); disclosing sensitive information about a person; posting false -information about a person; impersonating a person; insults; threats; and hateful or demeaning -speech.
-Disclosure of identifying or contact information (including "doxxing") can be used, including by -additional attackers, to send often persistent unwanted information that amounts to harassment. -Disclosure of location information can be used, including by additional attackers, to intrude on a -person's physical safety or space.
-Mitigations for harassment include but extend beyond mitigations for unwanted information and other -privacy principles. Harassment can include harmful activity with a wider distribution than just the -target of harassment.
+Online harassment is the "pervasive or severe targeting of an individual or group online +through harmful behavior" [PEN-Harassment]. Harassment is a prevalent problem on the web, +particularly via social media. While harassment may affect any person using the web, it may be more +severe and its consequences more impactful for LGBTQ people, women, people in racial or ethnic +minorities, people with disabilities, vulnerable people and other marginalized groups.
+Harassment is both a violation of privacy itself and can be enabled or +exacerbated by other violations of privacy.
+Harassment may include: sending unwanted information; directing others to contact +or bother a person ("dogpiling"); disclosing sensitive information about a person; posting false information about a person; impersonating a person; insults; threats; and hateful or demeaning speech.
+Disclosure of identifying or contact information (including "doxxing") can often be used to cause additional attackers to send persistent unwanted information that amounts to harassment. +Disclosure of location information can be used to intrude on a +person's physical safety or space.
Reporting mechanisms are mitigations, but may not prevent harassment, particularly in cases where -hosts or intermediaries are supportive of or complicit in the abuse.
-Effective reporting is likely to require:
+hosts, moderators, or other intermediaries are supportive of or complicit in the abuse. +Effective reporting is likely to require:
Receiving unsolicited information that either may cause distress or waste the recipient's -time or resources is a violation of privacy.
-Some useful research overviews of online harassment include: [PEW-Harassment], + [Addressing-Cyber-Harassment] and [Internet-of-Garbage].
+Unwanted information covers a broad range of unsolicited communication, from messages that are typically harmless individually but that become a nuisance in aggregate (spam) to the -sending of images that will cause shock or disgust due to their graphic, violent, or explicit nature -(e.g. pictures of one's genitals). While it is impossible, in a communication system involving many -people, to offer perfect protection against all kinds of unwanted information, steps can be -taken to make the sending of such messages more difficult or more costly, and to make the senders -more accountable. Examples of mitigations include:
+sending of explicit, graphic, or violent images. +System designers should take steps to make the sending of unwanted information more difficult +or more costly, and to make the senders more accountable.
+This section is still being refined. We expect additional principles to be added.
Attempts to obtain consent to processing that is not in accordance with the person's true preferences result in imposing unwanted privacy labour on the person, and may result in people erroneously giving consent that they regret later.
-An actor should not prompt a person for consent if the +
An actor should not prompt a person for consent if the person is unlikely to have sufficient information to make an informed decision to consent or not. In considering whether or not a person is sufficiently informed to be asked for consent, actors should be realistic in assessing how much time and effort would be required to understand the processing for which they are asking for consent. Simply providing a link to a complex policy is unlikely to mean that the person is informed.
Relying on a global opt-out signal from the user agent.
Delaying a prompt for consent until a user does something that puts the request in context, +
Delaying a prompt for consent until a user does something that puts the request in context, which will also help them give an informed response.
A person may share data about other people (e.g. a picture with both that person and others). If that person consents to the processing of that data, this does not imply that those other people have consented as well.
+A person may share data about other people (e.g. a picture with both that person and others). If that person consents to the processing of that data, this does not imply that those other people have consented as well.
See Group Privacy and Data Rights for further discussion of privacy of people other than the user.
Whenever people have the ability to cause an actor to process less of their data or to stop +
Whenever people have the ability to cause an actor to process less of their data or to stop carrying out some given set of data processing that is not essential to the service, they must be -allowed to do so without the actor retaliating, for instance by artificially removing an +allowed to do so without the actor retaliating, for instance by artificially removing an unrelated feature, by decreasing the quality of the service, or by trying to cajole, badger, or -trick the person into opting back into the processing.
+trick the person into opting back into the processing.Some services have the user pay for their use in data. These services aren't necessarily retaliating by denying their services to users who refuse to pay with data, but the details are more complex than we've had time to write.
Actors can invest time and energy into automating ways of gathering data from people and can -design their products in ways that make it a lot easier for people to disclose information than not, whereas -people typically have to manually wade through options, repeated prompts, and deceptive patterns. In many -cases, the absence of data — when a person refuses to provide some information — can also be identifying +
Actors can invest time and energy into automating ways of gathering data from people and can +design their products in ways that make it a lot easier for people to disclose information than not, whereas +people typically have to manually wade through options, repeated prompts, and deceptive patterns. In many +cases, the absence of data — when a person refuses to provide some information — can also be identifying or revealing. Additionally, APIs can be defined or implemented in rigid ways that can prevent people from accessing useful functionality. For example, I might want to look for restaurants in a city I will be visiting this weekend, but if my geolocation is forcefully set to match my GPS, a restaurant-finding site might only allow searches in my current location. In other cases, sites do not abide by data minimisation principles and request more information than they require. This principle supports -people in minimising their own data.
-User agents should make it simple for people to present the identity they wish +people in minimising their own data.
+User agents should make it simple for people to present the identity they wish to and to provide information about themselves or their devices in -ways that they control. This helps people to live in obscurity ([Lost-In-Crowd], +ways that they control. This helps people to live in obscurity ([Lost-In-Crowd], [Obscurity-By-Design]), including by obfuscating information about themselves ([Obfuscation]).
Instead, the API could indicate a person's preference, a person's chosen identity, a -person's query or interest, or a person's selected communication style.
+Instead, the API could indicate a person's preference, a person's chosen identity, a +person's query or interest, or a person's selected communication style.
For example, a user agent might support this principle by:
A person (also user or -data subject) is any natural person. Throughout this document, we primarily use person or -people to refer to human beings, as a reminder of their humanity. When we use the term user, -it is to talk about the specific person who happens to be using a given system at that time.
-A vulnerable person is a person who may be unable to
+ A person (also user or
+data subject) is any natural person. Throughout this document, we primarily use person or
+people to refer to human beings, as a reminder of their humanity. When we use the term user,
+it is to talk about the specific person who happens to be using a given system at that time. A vulnerable person is a person who may be unable to
exercise sufficient self-determination in a context. Amongst other things, they should
be treated with greater default privacy protections and may be considered unable to
consent to various interactions with a system.
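Review bot: in the @@ -1832 hunk the rewritten doxxing sentence ("can often be used to cause additional attackers to send persistent unwanted information") changes the meaning of the original, which said the disclosed information can be used by the discloser as well as by additional attackers; the new wording implies that only third parties act, and "often" adds a frequency claim the paragraph gives no support for. The same "including by additional attackers" qualifier is also dropped from the location-disclosure sentence. Suggest keeping the original structure: "can be used, including by additional attackers, to send persistent unwanted information that amounts to harassment." Three further points on this hunk: the lead-in "Examples of mitigations include:" is removed, so confirm the list it introduced is removed or re-introduced rather than left orphaned; "This section is still being refined. We expect additional principles to be added." and "the details are more complex than we've had time to write" are editor's notes placed in body text and should be marked as issues or notes rather than normative prose; and removing the research-overview sentence leaves [PEW-Harassment], [Addressing-Cyber-Harassment] and [Internet-of-Garbage] uncited unless they are referenced elsewhere. Also, the "vulnerable person" definition is now appended to the end of the "person" paragraph; confirm the term keeps its own definition anchor so the "Referenced in:" back-references still resolve.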
@@ -2181,25 +2169,25 @@ Privacy Principles
are employees with respect to their employers, are facing a steep asymmetry of power,
are people in some situations of intellectual or psychological impairment, are
refugees, etc.
A context is a physical or digital environment in which people interact with other -actors, and which the people understand as distinct from other contexts.
+A context is a physical or digital environment in which people interact with other +actors, and which the people understand as distinct from other contexts.
A context is not defined in terms of who owns or controls it. Sharing data between different contexts of a single company is -a privacy violation, just as if the same data were shared between unrelated actors.
-An actor is an entity that a person can reasonably understand as a single "thing" -they're interacting with. Actors can be people or collective entities like companies, +a privacy violation, just as if the same data were shared between unrelated actors.
+An actor is an entity that a person can reasonably understand as a single "thing" +they're interacting with. Actors can be people or collective entities like companies, associations, or governmental bodies. Uses of this document in a particular domain are expected to -describe how the core concepts of that domain combine into a user-comprehensible actor, and +describe how the core concepts of that domain combine into a user-comprehensible actor, and those refined definitions are likely to differ between domains.
-User agents tend to explain to people which origin or site provided the -web page they're looking at. The actor that controls this origin or site is -known as the web page's first party. When a person +
User agents tend to explain to people which origin or site provided the +web page they're looking at. The actor that controls this origin or site is +known as the web page's first party. When a person interacts with a UI element on a web page, the first party of that interaction -is usually the web page's first party. However, if a different actor controls +is usually the web page's first party. However, if a different actor controls how data collected with the UI element is used, and a reasonable person with a realistic cognitive budget would realize -that this other actor has this control, this other -actor is the first party for the interaction instead.
+that this other actor has this control, this other +actor is the first party for the interaction instead.The first party to an interaction is accountable for the processing of data produced by that interaction, even if another actor does the processing.
-A third party is any actor other than the -person visiting the website or the first parties they expect to be interacting +
A third party is any actor other than the +person visiting the website or the first parties they expect to be interacting with.
The Vegas Rule is a simple implementation of privacy in which "what happens with the first party stays with the first party." Put differently, the Vegas Rule is followed @@ -2220,16 +2208,16 @@
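Review bot: in the @@ -2181 hunk the sentence appended to the first-party paragraph ("The first party to an interaction is accountable for the processing of data produced by that interaction, even if another actor does the processing") introduces an accountability rule without saying how it relates to the data controller and service provider definitions given later in the same document; if the "other actor" is itself a data controller rather than a service provider, both would appear to be accountable for the same processing. Suggest either cross-referencing those definitions or limiting the sentence to processing carried out by the first party's service providers.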
We define personal data as any information that is directly or -indirectly related to an identified or identifiable person, such as by reference to an +indirectly related to an identified or identifiable person, such as by reference to an identifier ([GDPR], [OECD-Guidelines], [Convention-108]).
On the web, an identifier of some type is typically assigned for an identity as seen by a website, which makes it easier for an automated -system to store data about that person.
-Examples of identifiers for a person can be:
+system to store data about that person. +Examples of identifiers for a person can be:
If a person could reasonably be identified or re-identified through the combination of data with other +
If a person could reasonably be identified or re-identified through the combination of data with other data, then that data is personal data.
Privacy is achieved in a given context that either involves personal data or -involves information being presented to people when the principles of that context are +involves information being presented to people when the principles of that context are followed appropriately. When the principles for that context are not followed, there is a privacy violation. Similarly, we say that a particular interaction is appropriate when the principles are adhered to) or inappropriate otherwise.
-An actor processes data if it +
An actor processes data if it carries out operations on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, sharing, dissemination or otherwise making available, selling, alignment or combination, restriction, erasure or destruction.
-An actor shares data if it provides it to any other -actor. Note that, under this definition, an actor that provides data to its own +
An actor shares data if it provides it to any other +actor. Note that, under this definition, an actor that provides data to its own service providers is not sharing it.
-An actor sells data when it shares it in exchange +
An actor sells data when it shares it in exchange for consideration, monetary or otherwise.
The purpose of a given processing of data is an anticipated, intended, or planned outcome of this processing which is achieved or aimed for within a given @@ -2269,30 +2257,30 @@
A data controller is an actor that determines the means and purposes -of data processing. Any actor that is not a service provider is a data controller.
+A data controller is an actor that determines the means and purposes +of data processing. Any actor that is not a service provider is a data controller.
A service provider or data processor is considered to be in -the same category of first party or third party as the actor contracting it to +the same category of first party or third party as the actor contracting it to perform the relevant processing if it:
Recognition is the act of realising that a given identity -corresponds to the same person as another identity which may have been +corresponds to the same person as another identity which may have been observed either in another context, or in the same context but at a different time. Recognition can be probabilistic, if someone realises there's -a high probability that two identities correspond to the same person, +a high probability that two identities correspond to the same person, even if they aren't certain.
-A person can be recognized whether or not their legal identity or +
A person can be recognized whether or not their legal identity or characteristics of their legal identity are included in the recognition.
There are several types of recognition that may take place.
Cross-context recognition is recognition between different @@ -2319,8 +2307,8 @@
Same-site recognition is when a single site recognizes a -person across two or more visits.
-A privacy harm occurs if a person reasonably expects that they'll be using +person across two or more visits.
+A privacy harm occurs if a person reasonably expects that they'll be using a different identity for different visits to a single site, but the site recognizes them anyway.
Note that these categories overlap: cross-site recognition is usually @@ -2450,8 +2438,8 @@
Referenced in:
Referenced in:
Referenced in: