From 747c08fb6560f7a7b7f796c8b14e78adb319647b Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 18 Jul 2023 14:42:40 -0400 Subject: [PATCH 01/26] 'incorporating direct feedback from wide review' --- index.html | 51 +++++++++++++++++++++++++-------------------------- 1 file changed, 25 insertions(+), 26 deletions(-) diff --git a/index.html b/index.html index d596b4a5..238f6bcd 100644 --- a/index.html +++ b/index.html 
@@ -592,17 +592,13 @@ best align with ethical Web values in Web [=contexts=] ([[?ETHICAL-WEB]], [[?Why-Privacy]]). Information flows as used in this document refer to information -exchanged or processed by [=actors=]. The information itself need not necessarily be -[=personal data=]. Disruptive or interruptive information flowing to a -person is in scope, as is [=de-identified=] [=data=] that can be used to manipulate people or that -was extracted by observing people's behaviour on a website. - -[=Information flows=] need to be understood from more than one perspective: there is the flow of information -about a person (the subject) being processed or transmitted to any other [=actor=], and there is -the flow of information towards a person (the recipient). Recipients can have their privacy violated in multiple ways such as -unexpected shocking images, loud noises while they intend to sleep, manipulative information, -interruptive messages when their focus is on something else, or harassment when they seek -social interactions. +exchanged or processed by [=actors=]. Information flows need to be understood from more than one +perspective: there is the flow of information about a person (the subject) being processed +or transmitted to any other actor, and there is the flow of information towards a person +(the recipient). Recipients can have their privacy violated in multiple ways such as unexpected +shocking images, loud noises while they intend to sleep, manipulative information, interruptive +messages when their focus is on something else, or harassment when they seek social interactions. +(In some of these cases, the information may not be [=personal data=].) On the Web, [=information flows=] may involve a wide variety of [=actors=] that are not always recognizable or obvious to a user within a particular interaction. Visiting a website may involve 
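Review bot: The replacement paragraph drops the statement that [=de-identified=] data extracted by observing people's behaviour on a website is in scope, and the new parenthetical "(In some of these cases, the information may not be [=personal data=].)" only qualifies the recipient-side examples (shocking images, loud noises), so subject-side non-personal data is no longer explicitly covered. Suggest keeping one sentence after the parenthetical, such as "This includes [=de-identified=] [=data=] that can be used to manipulate people or that was extracted by observing their behaviour." Also, "transmitted to any other actor" lost its [=actor=] link markup while "exchanged or processed by [=actors=]" on the same line keeps it; keep the term linked consistently.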
@@ -633,9 +629,9 @@ Affordances and interactions that decrease [=autonomy=] are known as deceptive patterns (or dark patterns). A [=deceptive pattern=] does not have to be intentional ([[?Dark-Patterns]], [[?Dark-Pattern-Dark]]). - -Because we are all subject to motivated reasoning, the design of defaults and affordances -that may impact [=autonomy=] should be the subject of independent scrutiny. +When building something that may impact [=autonomy=], it is important to review the product from +multiple independent perspectives to make sure that it does not introduce [=deceptive patterns=] +that may not be obvious to its creator. Given the large volume of potential [=data=]-related decisions in today's data economy, complete informational self-determination is impossible. This fact, however, should not be @@ -649,9 +645,9 @@ Several kinds of mechanisms exist to enable [=people=] to control how they interact with systems in the world. Mechanisms that increase the number of [=purposes=] for which -their [=data=] is being [=processed=] or the amount their [=data=] is [=processed=] +their [=data=] is being [=processed=] or the amount of their [=data=] that is [=processed=] are referred to as [=opt-in=] or consent. Mechanisms -that decrease this number of [=purposes=] or amount of [=processing=] are known as +that decrease this number of [=purposes=] or amount of [=data=] being [=processed=] are known as opt-out. When deployed thoughtfully, these mechanisms can enhance [=people=]'s [=autonomy=]. Often, 
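Review bot: In the -633 hunk, "review the product from multiple independent perspectives" leaves "independent" unanchored (independent of what?), and the motivated-reasoning rationale that justified outside review is gone; suggest "perspectives independent of the team building it". In the -649 hunk the two halves of the definition are no longer parallel: opt-in is "the amount of their [=data=] that is [=processed=]" while opt-out is "amount of [=data=] being [=processed=]"; pick one phrasing for both so the two mechanisms read as mirror images.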
@@ -659,13 +655,13 @@ types of [=processing=] are [=appropriate=] and which are not, offloading [=privacy labour=] to the people using a system. -In specific cases, [=people=] should be able to [=consent=] to data sharing that would otherwise be restricted, -such as having their [=identity=] or reading history shared across contexts. -[=Actors=] need to take care that their users are *informed* when granting this [=consent=] and -*aware* enough about what's going on that they can know to revoke their consent -when they want to. -[=Consent=] is comparable to the general problem of permissions on the Web -platform. Both consent and permissions should be requested in a way that lets +In specific cases, [=people=] should be able to [=consent=] to data sharing that would +otherwise be restricted, such as granting access to their pictures or geolocation. +[=Actors=] need to take care that their users are [*informed*](#consent-principles) when +granting this [=consent=] and *aware* enough about what's going on that they can know to +revoke their consent when they want to. +[=Consent=] to data processing and granting permissions to access APIs on the Web +platform are similar problems. Both consent and permissions should be requested in a way that lets people delay or avoid answering if they're trying to do something else. If either results in persistent data access, there should be an indicator that lets people notice and that lets them turn off the access if it has lasted longer 
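Review bot: The new example "granting access to their pictures or geolocation" is a Web platform permission, which the following sentences treat as a problem that is only "similar" to consent to data processing, so the example now blurs the distinction the paragraph is drawing; the removed example (identity or reading history shared across contexts) illustrated cross-context sharing, which is what "data sharing that would otherwise be restricted" refers to. Suggest keeping a cross-context example alongside, or leading with one. Also, the new link "[*informed*](#consent-principles)" targets an id that is not visible in this diff; confirm a heading with id consent-principles exists, otherwise the build ships a dangling anchor.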
@@ -741,7 +737,11 @@ of [=privacy=] in a given context can be contested ([[?Privacy-Contested]]). This makes privacy a problem of collective action ([[?GKC-Privacy]]). Group-level [=data processing=] may impact populations or individuals, including in -ways that [=people=] could not control even under the optimistic assumptions of [=consent=]. +ways that [=people=] could not control even under the optimistic assumptions of [=consent=]. For instance, +it's possible that the only thing that a person is willing to reveal to a particular actor is that they +are part of a given group. However, other members of the same group may be interacting with the same +actor and revealing a lot more information, which can enable effective statistical inferences about +people who refrain from providing information about themselves. What we consider is therefore not just the relation between the [=people=] who share data and the [=actors=] that invite that sharing ([[?Relational-Turn]]), but also between the [=people=] @@ -807,8 +807,7 @@ to ensure that "broad testing and audit continues to be possible" where [=information flows=] and automated decisions are involved. -Such transparency can only function if there are strong rights -of access to data (including data +Such transparency can only function if there are strong rights of access to data (including data derived from one's personal data) as well as mechanisms to explain the outcomes of automated decisions. From 8aa001cf96bc20f19d55a5b105a7a4b7f4f1c4b5 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 18 Jul 2023 16:53:13 -0400 Subject: [PATCH 02/26] 'sec 1' --- index.html | 58 +++++++++++++++++++++++++++--------------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/index.html b/index.html index 238f6bcd..aad04f1c 100644 --- a/index.html +++ b/index.html 
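Review bot: In the -741 hunk the example says the person reveals "only ... that they are part of a given group" but then calls them "people who refrain from providing information about themselves"; they did provide something, and that disclosure is exactly what makes the statistical inference possible. Suggest "people who reveal very little about themselves". The sentence would also land harder if it closed the loop to the preceding clause, e.g. "inferences that no amount of consent on their part could prevent". The -807 hunk is a rewrap only.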
@@ -546,14 +546,14 @@ The Web is for everyone ([[?For-Everyone]]). It is "a platform that helps people and provides a net positive social benefit" ([[?ETHICAL-WEB]], [[?design-principles]]). One of the ways in which the -Web serves people is by protecting them in the face of asymmetries of power, and this includes -establishing and enforcing rules to govern the power of data. +Web serves people is by protecting them from surveillance and the types of manipulation that data can +enable. The Web is a social and technical system made up of [=information flows=]. Because this document is specifically about [=privacy=] as it applies to the Web, it focuses on privacy with respect to information flows. -Information is power. It can be used to predict and to influence people, as well as to design online +Information can be used to predict and to influence people, as well as to design online spaces that control people's behaviour. The collection and [=processing=] of information in greater volume, with greater precision and reliability, with increasing interoperability across a growing variety of data types, and at intensifying speed is leading to a concentration of power that threatens 
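Review bot: "protecting them from surveillance and the types of manipulation that data can enable" asserts an outcome the Web does not reliably deliver; the removed wording framed this as "establishing and enforcing rules to govern the power of data", which is what this document can actually do. Suggest "seeking to protect them", which patch 07 in this series later applies. Dropping "Information is power." also removes the sentence that the later "leading to a concentration of power" clause builds on; consider keeping it or restating the point in the new opening sentence.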
@@ -562,22 +562,23 @@ behaviours that would be more easily kept in check if the perpetrator had to be in the same room as the victim. -These asymmetries of information and of automation create significant asymmetries of power. +When an [=actor=] can collect [=data=] about a [=person=] and process it automatically, and that +[=person=] cannot automatically protect their [=data=] and prevent its processing ([=automation asymmetry=]) +this creates an imbalance of power that favors that [=actor=] and decreases the [=persons=]'s agency. + +It is important to keep in mind that not all people are equal in how they can resist +an imbalance of power: some [=people=] are more [=vulnerable=] and therefore in greater +need of protection. This document focuses on the impact that [=data=] [=processing=] can +have on people, but it can also impact other [=actors=], such as companies or governments. Data governance is the system of principles that regulate [=information flows=]. When [=people=] are involved in [=information flows=], [=data governance=] determines how -these principles constrain and distribute the power of information between different [=actors=]. -Such principles describe the ways in which different [=actors=] may, must, -or must not produce or [=process=] flows of information from, to, or about other [=actors=] -([[?GKC-Privacy]], [[?IAD]]). - -It is important to keep in mind that not all people are equal in how they can resist -the imposition of unfair principles: some [=people=] are more [=vulnerable=] and therefore in greater -need of protection. This document focuses on the impact that differences in information power can -have on people, but those differences can also impact other [=actors=], such as companies or governments. +which [=actors=] can collect which [=data=] and how they may, must, or must not [=process=] it +([[?GKC-Privacy]], [[?IAD]]). This document provides building blocks for [=data governance=] +that puts the interests of [=people=] first. 
-Principles vary from [=context=] to [=context=] ([[?Understanding-Privacy]], [[?Contextual-Integrity]]): people -have different expectations of [=privacy=] at work, at a café, or at home for instance. Understanding and +Principles vary from [=context=] to [=context=] ([[?Understanding-Privacy]], [[?Contextual-Integrity]]). +For instance, people have different expectations of [=privacy=] at work, at a café, or at home. Understanding and evaluating a privacy situation is best done by clearly identifying: * Its [=actors=], which include the subject of the information as well as the sender and the recipient 
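Review bot: The data-governance paragraph now reads "determines how / which [=actors=] can collect which [=data=] and how they may, must, or must not [=process=] it", i.e. "determines how which actors", because the kept context line ends in "determines how" and the added line starts with "which". Either drop "how" from the context line or change the added line so it reads "determines which [=actors=] can collect which [=data=] and how they may, must, or must not [=process=] it". Also "[=persons=]'s agency" should be "[=person=]'s agency" (patch 05 fixes this later), and "[=automation asymmetry=]" is now a linked term: confirm a definition for it exists, since the opt-out section in this same patch still uses the unlinked phrase "the automation asymmetry". Finally, in "This document focuses on the impact that [=data=] [=processing=] can have on people, but it can also impact other [=actors=]", "it" reads as referring to "people"; suggest "but [=data processing=] can also impact other [=actors=]".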
@@ -585,24 +586,23 @@ * The type of data involved in the [=information flow=]. * The principles that are in use in this context. -It is important to keep in mind that there are always privacy principles and that all -of them imply different power dynamics. Some sets of principles may be more permissive, but that does -not make them neutral — it means that they support the power dynamic that -comes with permissive [=processing=]. We must therefore determine which principles -best align with ethical Web values in Web [=contexts=] ([[?ETHICAL-WEB]], [[?Why-Privacy]]). - -Information flows as used in this document refer to information -exchanged or processed by [=actors=]. Information flows need to be understood from more than one -perspective: there is the flow of information about a person (the subject) being processed -or transmitted to any other actor, and there is the flow of information towards a person -(the recipient). Recipients can have their privacy violated in multiple ways such as unexpected -shocking images, loud noises while they intend to sleep, manipulative information, interruptive +There are always privacy principles at work. Some sets of principles may be more +permissive, but that does not make them neutral. All privacy principles have an impact on +[=people=] and we must therefore determine which principles best align with ethical Web values in +Web [=contexts=] ([[?ETHICAL-WEB]], [[?Why-Privacy]]). + +Information flows are information exchanged or processed by +[=actors=]. Information flows can be seen from different perspectives: there is the flow of +information about a person (the subject) being processed or transmitted to any other +actor, and there is the flow of information towards a person (the recipient). 
+Recipients can have their privacy violated in multiple ways such as unexpected shocking images, +loud noises while they intend to sleep, manipulative information, interruptive messages when their focus is on something else, or harassment when they seek social interactions. (In some of these cases, the information may not be [=personal data=].) On the Web, [=information flows=] may involve a wide variety of [=actors=] that are not always recognizable or obvious to a user within a particular interaction. Visiting a website may involve -the actors that operate that site and its functionality, but also actors with network access, +the actors that contribute to operating that site, but also actors with network access, which may include: Internet service providers; other network operators; local institutions providing a network connection including schools, libraries or universities; government intelligence services; malicious hackers who have gained access to the network or the systems of any of the other actors. @@ -670,7 +670,7 @@ When an [=opt-out=] mechanism exists, it should preferably be complemented by a global opt-out mechanism. The function of a [=global opt-out=] mechanism is to -rectify the automation asymmetry whereby service providers can automate +rectify the automation asymmetry whereby service providers can automate [=data processing=] but [=people=] have to take manual action to prevent it. A good example of a [=global opt-out=] mechanism is the Global Privacy Control [[?GPC]]. From 9833614f892bd484fd66eff8200753e8da6e9367 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 18 Jul 2023 17:00:56 -0400 Subject: [PATCH 03/26] 'sec 1.1' --- index.html | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/index.html b/index.html index aad04f1c..fbaee4ce 100644 --- a/index.html +++ b/index.html 
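Review bot: "Information flows are information exchanged or processed by [=actors=]." is now phrased as the definition of the term: if this is the definition site for [=information flows=] it needs the definition markup so the other [=information flows=] references resolve to it, and if it is not, the sentence should link the term rather than restate it. In the -670,7 hunk the removed and added lines are identical as extracted ("rectify the automation asymmetry whereby service providers can automate"); if the change is markup (for example wrapping "automation asymmetry" in a definition, which the new [=automation asymmetry=] reference earlier in this patch would need), say so in the commit message, and if it is only whitespace, drop the hunk.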
@@ -619,27 +619,26 @@ A [=person=]'s autonomy is their ability to make decisions of their own personal will, without undue influence from other [=actors=]. People have limited intellectual resources and -time with which to weigh decisions, and by necessity rely on shortcuts when making -decisions. This makes their preferences, including privacy preferences, malleable and susceptible to -manipulation ([[?Privacy-Behavior]], [[?Digital-Market-Manipulation]]). A [=person=]'s [=autonomy=] is enhanced by a -system or device when that system offers a shortcut that aligns more with what that [=person=] would -have decided given arbitrary amounts of time and relatively unlimited intellectual ability; -and [=autonomy=] is decreased when a similar shortcut goes against decisions made under such -ideal conditions. +time with which to weigh decisions, and have to rely on shortcuts when making decisions. This makes it possible +to manipulate their preferences, including privacy preferences ([[?Privacy-Behavior]], [[?Digital-Market-Manipulation]]). +A [=person=]'s [=autonomy=] is improved by a system when that system offers a shortcut that is closer to what +that [=person=] would have decided given unlimited time and intellectual ability; and [=autonomy=] is decreased +when a similar shortcut goes against decisions made under these ideal conditions. Affordances and interactions that decrease [=autonomy=] are known as deceptive patterns (or dark patterns). A [=deceptive pattern=] does not have to be intentional ([[?Dark-Patterns]], [[?Dark-Pattern-Dark]]). -When building something that may impact [=autonomy=], it is important to review the product from +When building something that may impact people's [=autonomy=], it is important to review the product from multiple independent perspectives to make sure that it does not introduce [=deceptive patterns=] that may not be obvious to its creator. 
Given the large volume of potential [=data=]-related decisions in today's data economy, -complete informational self-determination is impossible. This fact, however, should not be -confused with the idea that privacy is dead. Studies show that [=people=] remain concerned over how -their [=data=] is [=processed=], feeling powerless and like they have lost agency -([[?Privacy-Concerned]]). Careful design of our technological infrastructure can ensure that -people's [=autonomy=] with respect to their own [=data=] is enhanced through [=appropriate=] -defaults and choice architectures. +it is impossible for people to have detailed control over how their data is processed. +This fact should not be confused with the idea that privacy is dead. Studies show that +[=people=] remain concerned over how their [=data=] is [=processed=], that they feel powerless +and have lost agency ([[?Privacy-Concerned]]). If we design out technological infrastructure +carefully, we can give people greater [=autonomy=] with respect to their own [=data=]. This is +done by setting [=appropriate=], privacy-protective defaults and user-friendly choice +architectures. ### Opt-in, Consent, Opt-out, Global Controls {#opt-in-out} From 4198b0e65090747fd0b8950531a900d593bd3007 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 18 Jul 2023 17:31:55 -0400 Subject: [PATCH 04/26] 'sec 1.1.1' --- index.html | 40 +++++++++++++++++++--------------------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/index.html b/index.html index fbaee4ce..f6c5848b 100644 --- a/index.html +++ b/index.html 
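Review bot: "If we design out technological infrastructure carefully" should read "design our technological infrastructure". Also the rewritten first sentence, "it is impossible for people to have detailed control over how their data is processed", is stronger than the removed "complete informational self-determination is impossible": people can have detailed control over some processing; the point is that they cannot exercise it for every decision. Suggest "it is impossible for people to make a considered decision about every instance of [=processing=]".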
@@ -643,13 +643,13 @@ ### Opt-in, Consent, Opt-out, Global Controls {#opt-in-out} Several kinds of mechanisms exist to enable [=people=] to control how they interact -with systems in the world. Mechanisms that increase the number of [=purposes=] for which +with data-processing systems. Mechanisms that increase the number of [=purposes=] for which their [=data=] is being [=processed=] or the amount of their [=data=] that is [=processed=] are referred to as [=opt-in=] or consent. Mechanisms that decrease this number of [=purposes=] or amount of [=data=] being [=processed=] are known as opt-out. -When deployed thoughtfully, these mechanisms can enhance [=people=]'s [=autonomy=]. Often, +When deployed thoughtfully, these mechanisms can improve [=people=]'s [=autonomy=]. Often, however, they are used as a way to avoid putting in the difficult work of deciding which types of [=processing=] are [=appropriate=] and which are not, offloading [=privacy labour=] to the people using a system. 
@@ -659,33 +659,31 @@ [=Actors=] need to take care that their users are [*informed*](#consent-principles) when granting this [=consent=] and *aware* enough about what's going on that they can know to revoke their consent when they want to. -[=Consent=] to data processing and granting permissions to access APIs on the Web -platform are similar problems. Both consent and permissions should be requested in a way that lets -people delay or avoid answering if they're trying to do something else. If -either results in persistent data access, there should be an indicator that lets -people notice and that lets them turn off the access if it has lasted longer -than they want. In general, providing [=consent=] should be rare, intentional, -and temporary. - -When an [=opt-out=] mechanism exists, it should preferably be complemented by a +[=Consent=] to data processing and granting permissions to access Web platform APIs are +similar problems. Both consent and permissions should be requested in a way that lets +people delay or avoid answering if they're trying to do something else. If the user +grants some form of persistent access to data, there should be an indicator that lets +people notice this ongoing access and that lets them turn it off whenever they wish to. +In general, providing [=consent=] should be rare, intentional, and temporary. + +When an [=opt-out=] mechanism exists, it should preferably work with a global opt-out mechanism. The function of a [=global opt-out=] mechanism is to rectify the automation asymmetry whereby service providers can automate [=data processing=] but [=people=] have to take manual action to prevent it. A good example of a [=global opt-out=] mechanism is the Global Privacy Control [[?GPC]]. 
Conceptually, a [=global opt-out=] mechanism is an automaton operating as part of the -[=user agent=], which is to say that it is equivalent to a robot that would carry out a -[=person=]'s bidding by pressing an [=opt-out=] button with every interaction that the -[=person=] has with a site, or more generally conveys an expression of the [=person=]'s -rights in a relevant jurisdiction. (For instance, the [=person=] may be objecting to [=processing=] +[=user agent=]. It is equivalent to a robot that would carry out a [=person=]'s instructions +by pressing an [=opt-out=] button (or a similar expression of the [=person=]'s rights) with every +interaction that the [=person=] has with a site. (For instance, the [=person=] may be objecting to [=processing=] based on legitimate interest, withdrawing [=consent=] to specific [=purposes=], or requesting that -their data not be sold or shared.) It should be noted that, since a -[=global opt-out=] signal is reaffirmed automatically with every interaction, it will take precedence -in terms of specificity over any general obtention of [=consent=] by a site, -and only superseded by specific [=consent=] obtained through a deliberate action taken by -the user with the intent of overriding their global opt-out. +their data not be sold or shared.) It should be noted that, since a [=global opt-out=] signal is +reaffirmed automatically with every interaction, it will take precedence in terms of specificity +over any general [=consent=] given to a site's processing, and will only be superseded by specific +[=consent=] obtained through a deliberate action taken by the user with the intent of overriding +their global opt-out. -One implementation strategy for [=opt-outs=] and other data rights is +One implementation strategy for [=opt-outs=] or other data rights is to assign [=people=] stable [=identifiers=] and to maintain a central registry to map these [=identifiers=] to [=people=]'s preferences. 
[=Actors=] that wish to process a given person's data are then expected to fetch that person's preferences from the central registry and to From ab1005effc99ae8e0d4845eb68968bb2f3ba9581 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 18 Jul 2023 17:36:07 -0400 Subject: [PATCH 05/26] 'sec 1.1.2' --- index.html | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/index.html b/index.html index f6c5848b..2337938e 100644 --- a/index.html +++ b/index.html @@ -564,7 +564,7 @@ When an [=actor=] can collect [=data=] about a [=person=] and process it automatically, and that [=person=] cannot automatically protect their [=data=] and prevent its processing ([=automation asymmetry=]) -this creates an imbalance of power that favors that [=actor=] and decreases the [=persons=]'s agency. +this creates an imbalance of power that favors that [=actor=] and decreases the [=person=]'s agency. It is important to keep in mind that not all people are equal in how they can resist an imbalance of power: some [=people=] are more [=vulnerable=] and therefore in greater 
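Review bot: "should preferably work with a global opt-out mechanism" is weaker and more ambiguous than the replaced "be complemented by": "work with" can be read as interoperating with a global signal that may not exist, while the paragraph's point is that a global mechanism should be available in addition to the per-site one. Suggest "be accompanied by". Also "If the user grants some form of persistent access to data" switches to "user" where the surrounding text uses [=people=] and [=person=]; keep the defined term. The -564,7 hunk ("[=persons=]'s" to "[=person=]'s") is a typo fix carried over from patch 02.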
@@ -696,32 +696,31 @@ ### Privacy Labour {#privacy-labour} -Privacy labour is the practice of having a [=person=] carry out +Privacy labour is the practice of having a [=person=] do the work of ensuring [=data processing=] of which they are the subject or recipient is [=appropriate=], instead of putting the responsibility on the [=actors=] who are doing the processing. Data systems that are based on asking [=people=] for their [=consent=] tend to increase [=privacy labour=]. -More generally, implementations of [=privacy=] are often dominated by self-governing approaches that -offload [=labour=] to [=people=]. This is notably true of the regimes descended from the -Fair Information Practices ([=FIPs=]), a loose set of principles initially -elaborated in the 1970s in support of individual [=autonomy=] in the face of growing concerns with databases. The -[=FIPs=] generally assume that there is sufficiently little [=data processing=] taking place that any -[=person=] will be able to carry out sufficient diligence to enable [=autonomy=] in their -decision-making. Since they offload the [=privacy labour=] -to people and assume perfect, unlimited [=autonomy=], the [=FIPs=] do not forbid specific -types of [=data processing=] but only place them under different procedural requirements. -This approach is no longer appropriate. - -One notable issue with procedural, self-governing approaches to privacy is that they tend to have the same +More generally, implementations of [=privacy=] often offload [=labour=] to [=people=]. This is +notably true of the regimes descended from the Fair Information Practices +([=FIPs=]), a loose set of principles initially elaborated in the 1970s in support of individual +[=autonomy=] in the face of growing concerns with databases. The [=FIPs=] generally assume that +there is sufficiently little [=data processing=] taking place that any [=person=] will be able to +carry out sufficient diligence to be [=autonomous=] in their decision-making. 
Since they offload +the [=privacy labour=] to people and assume perfect, unlimited [=autonomy=], the [=FIPs=] do not +forbid specific types of [=data processing=] but only place them under different procedural +requirements. This approach is no longer [=appropriate=]. + +One notable issue with procedural approaches to privacy is that they tend to have the same requirements in situations where people find themselves in a significant asymmetry of power with another [=actor=] — for instance a [=person=] using an essential service provided by a monopolistic platform — and those where a person and the other [=actor=] are very much on equal footing, or even where the [=person=] may have greater power, as is the case with small -businesses operating in a competitive environment. They further do not consider cases in +businesses operating in a competitive environment. They also do not consider cases in which one [=actor=] may coerce other [=actors=] into facilitating its [=inappropriate=] -practices, as is often the case with dominant players in advertising or -in content aggregation ([[?Consent-Lackeys]], [[?CAT]]). +practices, as is often the case with dominant players in advertising or in content aggregation +([[?Consent-Lackeys]], [[?CAT]]). Reference to the [=FIPs=] survives to this day. They are often referenced as "transparency and choice", which, in today's digital environment, is often an indication that From 3b636671a63c7c0f29d32b37933ac0db349569bb Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 15:35:29 -0400 Subject: [PATCH 06/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 2337938e..0b06457e 100644 --- a/index.html +++ b/index.html 
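Review bot: "to be [=autonomous=] in their decision-making" introduces a new link text; the defined term elsewhere in the document is [=autonomy=], so unless the definition lists "autonomous" as an alternate form the build will fail on an unresolved reference. Either add the alternate to the definition or keep the original "to enable [=autonomy=] in their decision-making". The rest of the hunk is a rewrap plus "They further do not" to "They also do not".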
@@ -654,7 +654,7 @@ types of [=processing=] are [=appropriate=] and which are not, offloading [=privacy labour=] to the people using a system. -In specific cases, [=people=] should be able to [=consent=] to data sharing that would +[=People=] should be able to [=consent=] to data sharing that would otherwise be restricted, such as granting access to their pictures or geolocation. [=Actors=] need to take care that their users are [*informed*](#consent-principles) when granting this [=consent=] and *aware* enough about what's going on that they can know to From 644ac320ee95b1dc71c05e3d17b28ce9ce33c5ac Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 15:36:19 -0400 Subject: [PATCH 07/26] 'less affirmative' --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 0b06457e..be849cb6 100644 --- a/index.html +++ b/index.html @@ -546,7 +546,7 @@ The Web is for everyone ([[?For-Everyone]]). It is "a platform that helps people and provides a net positive social benefit" ([[?ETHICAL-WEB]], [[?design-principles]]). One of the ways in which the -Web serves people is by protecting them from surveillance and the types of manipulation that data can +Web serves people is by seeking to protect them from surveillance and the types of manipulation that data can enable. The Web is a social and technical system made up of [=information flows=]. Because this document From 479b0f84e9a87cfc597c3600b43d84e0c64a4304 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 15:37:13 -0400 Subject: [PATCH 08/26] 'align with EWP' --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index be849cb6..6ef7265b 100644 --- a/index.html +++ b/index.html 
@@ -544,7 +544,7 @@ This is a document containing technical guidelines. However, in order to put those guidelines in context we must first define some terms and explain what we mean by privacy. -The Web is for everyone ([[?For-Everyone]]). It is "a platform that helps people and provides a +The Web is for everyone ([[?For-Everyone]]). It should be "a platform that helps people and provides a net positive social benefit" ([[?ETHICAL-WEB]], [[?design-principles]]). One of the ways in which the Web serves people is by seeking to protect them from surveillance and the types of manipulation that data can enable. From 9df6d53364c8c2c3712151b35f0dea2ee2759a01 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 15:38:40 -0400 Subject: [PATCH 09/26] 'switch web grafs' --- index.html | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/index.html b/index.html index 6ef7265b..5bb90b93 100644 --- a/index.html +++ b/index.html 
@@ -544,15 +544,15 @@ This is a document containing technical guidelines. However, in order to put those guidelines in context we must first define some terms and explain what we mean by privacy. +The Web is a social and technical system made up of [=information flows=]. Because this document +is specifically about [=privacy=] as it applies to the Web, it focuses on privacy with respect to +information flows. + The Web is for everyone ([[?For-Everyone]]). It should be "a platform that helps people and provides a net positive social benefit" ([[?ETHICAL-WEB]], [[?design-principles]]). One of the ways in which the Web serves people is by seeking to protect them from surveillance and the types of manipulation that data can enable. -The Web is a social and technical system made up of [=information flows=]. Because this document -is specifically about [=privacy=] as it applies to the Web, it focuses on privacy with respect to -information flows. - Information can be used to predict and to influence people, as well as to design online spaces that control people's behaviour. The collection and [=processing=] of information in greater volume, with greater precision and reliability, with increasing interoperability across a growing From 57ffb507573e10a550f05f277e1dd6755ec42405 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 15:42:05 -0400 Subject: [PATCH 10/26] 'move sentence up' --- index.html | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index 5bb90b93..55b07f38 100644 --- a/index.html +++ b/index.html 
@@ -565,11 +565,12 @@ When an [=actor=] can collect [=data=] about a [=person=] and process it automatically, and that [=person=] cannot automatically protect their [=data=] and prevent its processing ([=automation asymmetry=]) this creates an imbalance of power that favors that [=actor=] and decreases the [=person=]'s agency. +This document focuses on the impact that [=data=] [=processing=] can have on people, but it can also +impact other [=actors=], such as companies or governments. It is important to keep in mind that not all people are equal in how they can resist an imbalance of power: some [=people=] are more [=vulnerable=] and therefore in greater -need of protection. This document focuses on the impact that [=data=] [=processing=] can -have on people, but it can also impact other [=actors=], such as companies or governments. +need of protection. Data governance is the system of principles that regulate [=information flows=]. When [=people=] are involved in [=information flows=], [=data governance=] determines how From bf693e69021dddac9234b98129afaac9a0432ea8 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 16:15:46 -0400 Subject: [PATCH 11/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index 55b07f38..b3d5dec6 100644 --- a/index.html +++ b/index.html 
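Review bot: The two moved `+` lines ("This document focuses on the impact that [=data=] [=processing=] can have on people, but it can also impact other [=actors=] ...") are inserted directly after "decreases the [=person=]'s agency." with no blank line, so they become the closing sentence of the automation-asymmetry paragraph, and the next paragraph's "an imbalance of power" now has to refer back across an unrelated sentence about companies and governments. Either make the moved sentence its own paragraph (blank line before and after) or leave it at the end of the "not all people are equal" paragraph where the `-` lines had it.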
@@ -572,8 +572,8 @@ an imbalance of power: some [=people=] are more [=vulnerable=] and therefore in greater need of protection. -Data governance is the system of principles that regulate [=information flows=]. When -[=people=] are involved in [=information flows=], [=data governance=] determines how +Data governance is the system of principles that regulate [=information flows=]. +[=Data governance=] determines how which [=actors=] can collect which [=data=] and how they may, must, or must not [=process=] it ([[?GKC-Privacy]], [[?IAD]]). This document provides building blocks for [=data governance=] that puts the interests of [=people=] first. From de9c51657c97218a0b3b0f1f99ce008876ab384d Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 16:16:07 -0400 Subject: [PATCH 12/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index b3d5dec6..cba781ac 100644 --- a/index.html +++ b/index.html @@ -576,7 +576,7 @@ [=Data governance=] determines how which [=actors=] can collect which [=data=] and how they may, must, or must not [=process=] it ([[?GKC-Privacy]], [[?IAD]]). This document provides building blocks for [=data governance=] -that puts the interests of [=people=] first. +that puts [=people=] first. Principles vary from [=context=] to [=context=] ([[?Understanding-Privacy]], [[?Contextual-Integrity]]). For instance, people have different expectations of [=privacy=] at work, at a café, or at home. Understanding and From 34e8ce979fff556fcb7616b45fb9c97533e9be02 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 16:16:25 -0400 Subject: [PATCH 13/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index cba781ac..bdc2562b 100644 --- a/index.html +++ b/index.html 
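Review bot: In the hunk at @@ -572,8 +572,8 @@, the rewritten sentence reads "[=Data governance=] determines how which [=actors=] can collect which [=data=] ..."; the "how" before "which" was already awkward and is now dangling, because the sentence supplies its own "how" clause later ("and how they may, must, or must not [=process=] it"). Suggest "[=Data governance=] determines which [=actors=] can collect which [=data=] and how they may, must, or must not [=process=] it". The removal of the "When [=people=] are involved in [=information flows=]" qualifier is fine, since the first sentence already scopes data governance to information flows in general.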
@@ -592,7 +592,7 @@ [=people=] and we must therefore determine which principles best align with ethical Web values in Web [=contexts=] ([[?ETHICAL-WEB]], [[?Why-Privacy]]). -Information flows are information exchanged or processed by +Information flows are information exchanged or processed by [=actors=]. Information flows can be seen from different perspectives: there is the flow of information about a person (the subject) being processed or transmitted to any other actor, and there is the flow of information towards a person (the recipient). From 1fcfce58f3555aa5fc6c7b9f317d0a8a58c74410 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 16:16:59 -0400 Subject: [PATCH 14/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/index.html b/index.html index bdc2562b..e3ca8ac7 100644 --- a/index.html +++ b/index.html @@ -593,10 +593,9 @@ Web [=contexts=] ([[?ETHICAL-WEB]], [[?Why-Privacy]]). Information flows are information exchanged or processed by -[=actors=]. Information flows can be seen from different perspectives: there is the flow of -information about a person (the subject) being processed or transmitted to any other -actor, and there is the flow of information towards a person (the recipient). -Recipients can have their privacy violated in multiple ways such as unexpected shocking images, +[=actors=]. A person's privacy can be harmed both by their information flowing from them to +other actors and by information flowing toward them. Examples of the latter include: +unexpected shocking images, loud noises while they intend to sleep, manipulative information, interruptive messages when their focus is on something else, or harassment when they seek social interactions. (In some of these cases, the information may not be [=personal data=].) From 90bafa44f193c3ae965547f1018a6b5c3e90f4fb Mon Sep 17 00:00:00 2001 
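Review bot: In the hunk at @@ -592,7 +592,7 @@ the `-` and `+` lines are textually identical ("Information flows are information exchanged or processed by"), so this appears to be a trailing-whitespace-only change; if that is the case, the commit message should say so instead of the generic "Update index.html", because nothing in the diff as rendered tells a reader what changed.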
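Review bot: The hunk at @@ -593,10 +593,9 @@ deletes the sentence that introduced "(the subject)" and "(the recipient)" as labels for the two directions of flow; if either term is used later in the document, it now appears without its introduction, so check for remaining uses of "subject" and "recipient" before merging. Separately, "Examples of the latter include:" runs a colon into a sentence that continues in running prose and ends with a parenthetical ("... social interactions. (In some of these cases ...)"); either drop the colon or render the examples as a list.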
From: Robin Berjon Date: Tue, 5 Sep 2023 16:17:21 -0400 Subject: [PATCH 15/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index e3ca8ac7..cd87afbd 100644 --- a/index.html +++ b/index.html @@ -619,7 +619,7 @@ A [=person=]'s autonomy is their ability to make decisions of their own personal will, without undue influence from other [=actors=]. People have limited intellectual resources and -time with which to weigh decisions, and have to rely on shortcuts when making decisions. This makes it possible +time with which to weigh decisions, and they have to rely on shortcuts when making decisions. This makes it possible to manipulate their preferences, including privacy preferences ([[?Privacy-Behavior]], [[?Digital-Market-Manipulation]]). A [=person=]'s [=autonomy=] is improved by a system when that system offers a shortcut that is closer to what that [=person=] would have decided given unlimited time and intellectual ability; and [=autonomy=] is decreased From b2fbbb7423ba34dd03b0bb7a004f4d30621d3b4c Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 16:17:38 -0400 Subject: [PATCH 16/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index cd87afbd..a84f41c4 100644 --- a/index.html +++ b/index.html 
@@ -620,7 +620,7 @@ A [=person=]'s autonomy is their ability to make decisions of their own personal will, without undue influence from other [=actors=]. People have limited intellectual resources and time with which to weigh decisions, and they have to rely on shortcuts when making decisions. This makes it possible -to manipulate their preferences, including privacy preferences ([[?Privacy-Behavior]], [[?Digital-Market-Manipulation]]). +to manipulate their preferences, including their privacy preferences ([[?Privacy-Behavior]], [[?Digital-Market-Manipulation]]). A [=person=]'s [=autonomy=] is improved by a system when that system offers a shortcut that is closer to what that [=person=] would have decided given unlimited time and intellectual ability; and [=autonomy=] is decreased when a similar shortcut goes against decisions made under these ideal conditions. From 6f46a0257fefd202ef1ae8365d55062a031e8097 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 16:17:59 -0400 Subject: [PATCH 17/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index a84f41c4..b5949dd8 100644 --- a/index.html +++ b/index.html 
@@ -622,7 +622,7 @@ time with which to weigh decisions, and they have to rely on shortcuts when making decisions. This makes it possible to manipulate their preferences, including their privacy preferences ([[?Privacy-Behavior]], [[?Digital-Market-Manipulation]]). A [=person=]'s [=autonomy=] is improved by a system when that system offers a shortcut that is closer to what -that [=person=] would have decided given unlimited time and intellectual ability; and [=autonomy=] is decreased +that [=person=] would have decided given unlimited time and intellectual ability. [=Autonomy=] is decreased when a similar shortcut goes against decisions made under these ideal conditions. Affordances and interactions that decrease [=autonomy=] are known as deceptive patterns (or dark patterns). From 15a77e5272894804c007d3f35c704202f065508f Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 16:18:26 -0400 Subject: [PATCH 18/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/index.html b/index.html index b5949dd8..bee228c1 100644 --- a/index.html +++ b/index.html 
@@ -627,9 +627,8 @@ Affordances and interactions that decrease [=autonomy=] are known as deceptive patterns (or dark patterns). A [=deceptive pattern=] does not have to be intentional ([[?Dark-Patterns]], [[?Dark-Pattern-Dark]]). -When building something that may impact people's [=autonomy=], it is important to review the product from -multiple independent perspectives to make sure that it does not introduce [=deceptive patterns=] -that may not be obvious to its creator. +When building something that may impact people's [=autonomy=], it is important that reviewers +from multiple independent perspectives check that it does not introduce [=deceptive patterns=]. Given the large volume of potential [=data=]-related decisions in today's data economy, it is impossible for people to have detailed control over how their data is processed. From 2c83dcd61c15cad6070cde54222ba9841283b69d Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 16:18:41 -0400 Subject: [PATCH 19/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index bee228c1..77451d31 100644 --- a/index.html +++ b/index.html @@ -632,7 +632,7 @@ Given the large volume of potential [=data=]-related decisions in today's data economy, it is impossible for people to have detailed control over how their data is processed. -This fact should not be confused with the idea that privacy is dead. Studies show that +This fact does not imply that privacy is dead. Studies show that [=people=] remain concerned over how their [=data=] is [=processed=], that they feel powerless and have lost agency ([[?Privacy-Concerned]]). If we design out technological infrastructure carefully, we can give people greater [=autonomy=] with respect to their own [=data=]. This is From 79ab2ae09d6390fa30ee05ea0494b41776f5428b Mon Sep 17 00:00:00 2001 
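Review bot: The rewrite in the hunk at @@ -627,9 +627,8 @@ drops "that may not be obvious to its creator", which was the stated reason for requiring review from multiple independent perspectives; without it the recommendation loses its rationale and reads as a bare process requirement. Suggest keeping the clause, e.g. "... check that it does not introduce [=deceptive patterns=] that may not be obvious to its creator."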
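Review bot: The context line "If we design out technological infrastructure" in the hunk at @@ -632,7 +632,7 @@ has "out" where "our" is evidently intended; since this hunk already touches the paragraph, it would be cheaper to fix it here than in a separate commit. The change itself ("does not imply" for "should not be confused with the idea") is an improvement: it states the logical relation directly instead of hinting at a misreading.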
From: Robin Berjon Date: Tue, 5 Sep 2023 16:19:11 -0400 Subject: [PATCH 20/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 77451d31..b4ab8bff 100644 --- a/index.html +++ b/index.html @@ -634,7 +634,7 @@ it is impossible for people to have detailed control over how their data is processed. This fact does not imply that privacy is dead. Studies show that [=people=] remain concerned over how their [=data=] is [=processed=], that they feel powerless -and have lost agency ([[?Privacy-Concerned]]). If we design out technological infrastructure +and like they have lost agency ([[?Privacy-Concerned]]). If we design out technological infrastructure carefully, we can give people greater [=autonomy=] with respect to their own [=data=]. This is done by setting [=appropriate=], privacy-protective defaults and user-friendly choice architectures. From 12e1809af6c3e513c41c29542363f548d5e1875b Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 16:20:18 -0400 Subject: [PATCH 21/26] 'sense of loss' --- index.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index b4ab8bff..f948ca7f 100644 --- a/index.html +++ b/index.html 
@@ -633,8 +633,8 @@ Given the large volume of potential [=data=]-related decisions in today's data economy, it is impossible for people to have detailed control over how their data is processed. This fact does not imply that privacy is dead. Studies show that -[=people=] remain concerned over how their [=data=] is [=processed=], that they feel powerless -and like they have lost agency ([[?Privacy-Concerned]]). If we design out technological infrastructure +[=people=] remain concerned over how their [=data=] is [=processed=], that they feel powerless, +and sense that they have lost agency ([[?Privacy-Concerned]]). If we design out technological infrastructure carefully, we can give people greater [=autonomy=] with respect to their own [=data=]. This is done by setting [=appropriate=], privacy-protective defaults and user-friendly choice architectures. From 7bfc3da53de8000abe84e66b0f7ee420adc8c091 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 16:21:02 -0400 Subject: [PATCH 22/26] 'out to our from JY' --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index f948ca7f..669256dc 100644 --- a/index.html +++ b/index.html @@ -634,7 +634,7 @@ it is impossible for people to have detailed control over how their data is processed. This fact does not imply that privacy is dead. Studies show that [=people=] remain concerned over how their [=data=] is [=processed=], that they feel powerless, -and sense that they have lost agency ([[?Privacy-Concerned]]). If we design out technological infrastructure +and sense that they have lost agency ([[?Privacy-Concerned]]). If we design our technological infrastructure carefully, we can give people greater [=autonomy=] with respect to their own [=data=]. This is done by setting [=appropriate=], privacy-protective defaults and user-friendly choice architectures. From 63169983ea8659e12b3e510996f181ae6b2b83ab Mon Sep 17 00:00:00 2001 
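Review bot: In the hunk at @@ -633,8 +633,8 @@, the list after "Studies show that" loses parallelism in its third item: "[=people=] remain concerned ..., that they feel powerless, and sense that they have lost agency". The first two items are introduced by "that", the third is not. Suggest "and that they sense they have lost agency"; the comma added before "and" then reads as an ordinary serial comma.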
From: Robin Berjon Date: Tue, 5 Sep 2023 16:22:17 -0400 Subject: [PATCH 23/26] 'missing a verb' --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 669256dc..2eef3e16 100644 --- a/index.html +++ b/index.html @@ -636,7 +636,7 @@ [=people=] remain concerned over how their [=data=] is [=processed=], that they feel powerless, and sense that they have lost agency ([[?Privacy-Concerned]]). If we design our technological infrastructure carefully, we can give people greater [=autonomy=] with respect to their own [=data=]. This is -done by setting [=appropriate=], privacy-protective defaults and user-friendly choice +done by setting [=appropriate=], privacy-protective defaults and designing user-friendly choice architectures. ### Opt-in, Consent, Opt-out, Global Controls {#opt-in-out} From 03dec565737e5c3e5fdfc59e74ad5e5617b6b290 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Tue, 5 Sep 2023 16:23:14 -0400 Subject: [PATCH 24/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 2eef3e16..15074fb9 100644 --- a/index.html +++ b/index.html @@ -645,7 +645,7 @@ with data-processing systems. Mechanisms that increase the number of [=purposes=] for which their [=data=] is being [=processed=] or the amount of their [=data=] that is [=processed=] are referred to as [=opt-in=] or consent. Mechanisms -that decrease this number of [=purposes=] or amount of [=data=] being [=processed=] are known as +that decrease this number of [=purposes=] or the amount of [=data=] being [=processed=] are known as opt-out. When deployed thoughtfully, these mechanisms can improve [=people=]'s [=autonomy=]. Often, From 7ed58663127a4085ba51f68ca71f81c7dc93f01e Mon Sep 17 00:00:00 2001 
From: Daniel Appelquist Date: Wed, 6 Sep 2023 17:33:18 +0100 Subject: [PATCH 25/26] Update index.html Co-authored-by: Jeffrey Yasskin --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 15074fb9..b5612872 100644 --- a/index.html +++ b/index.html @@ -549,7 +549,7 @@ information flows. The Web is for everyone ([[?For-Everyone]]). It should be "a platform that helps people and provides a -net positive social benefit" ([[?ETHICAL-WEB]], [[?design-principles]]). One of the ways in which the +net positive social benefit" ([[?ETHICAL-WEB]]). One of the ways in which the Web serves people is by seeking to protect them from surveillance and the types of manipulation that data can enable. From 0ddf0a47f28518150fd30f8726483caeb0348568 Mon Sep 17 00:00:00 2001 From: Robin Berjon Date: Wed, 6 Sep 2023 12:39:41 -0400 Subject: [PATCH 26/26] 'which what' --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index b5612872..07cc520e 100644 --- a/index.html +++ b/index.html @@ -574,7 +574,7 @@ Data governance is the system of principles that regulate [=information flows=]. [=Data governance=] determines how -which [=actors=] can collect which [=data=] and how they may, must, or must not [=process=] it +which [=actors=] can collect what [=data=] and how they may, must, or must not [=process=] it ([[?GKC-Privacy]], [[?IAD]]). This document provides building blocks for [=data governance=] that puts [=people=] first.
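Review bot: Dropping [[?design-principles]] in the hunk at @@ -549,7 +549,7 @@ leaves the quoted wording "a platform that helps people and provides a net positive social benefit" attributed to ETHICAL-WEB alone, and a quotation with a single citation reads as verbatim; confirm that the sentence appears in that document with this exact wording. Also check whether design-principles is still cited elsewhere, so that the references section does not carry an orphaned entry.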
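Review bot: The hunk at @@ -574,7 +574,7 @@ changes "collect which [=data=]" to "collect what [=data=]" but leaves "determines how which [=actors=]" on the preceding context line, so the sentence still reads "determines how which actors can collect what data and how they may, must, or must not process it"; the leading "how" remains dangling. Suggest "[=Data governance=] determines which [=actors=] can collect what [=data=] and how they may, must, or must not [=process=] it", which keeps the which/what pairing this patch introduces and leaves a single "how" clause.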