Privacy Principles

By Jeffrey Yasskin

See also the slides.

Transcript

Okay, I'm Jeffrey Yasskin, I work for Google, and I'm representing the Privacy Principles task force today to tell you about the document we're writing.

It is an elaboration of the ethical web principles about privacy.

So it kind of fits into the framework that we already have.

We had a bunch of goals when we started writing it.

First, engineers do best when we know our constraints when we're starting to design something and so we tried to write those down so that everyone knows what we're aiming at.

Second, when people are reviewing web APIs, we wanted to give them something of a checklist to go through to figure out if the API is doing a good job.

Third, the web has a bunch of norms that are kind of different from other platforms, and so we wanted to try to explain those to people writing websites and to civil society groups and governments.

And finally, we know that we are going to continue discussing and arguing about privacy, and we wanted to define some common ground and terminology so that those arguments go well and we understand each other.

We did not want to override any of the other ethical principles.

So, a couple of places in our document say, like, when there's disagreement or apparent disagreement between a privacy principle and another ethical principle, our document doesn't necessarily win.

We're basically done with the content of the document.

We are fixing a bunch of-- We're still fixing a bunch of comments we got during wide review.

We are copy editing, removing a lot of things, trying to make it more understandable.

We're hoping that we will be done and able to hand it off to the TAG later this year so that they can maintain it in the long run, and eventually, we're hoping that this document can become a W3C statement.

So what's the document shaped like?

It's got two main sections.

First, describing the background knowledge and beliefs that kind of guide the rest of the principles and then the principles themselves.

It wasn't always obvious what should be background knowledge versus a principle, but right now this section has a description of the idea that information flows need to be governed collectively, not just decided on by a single vendor.

We want to support human autonomy, which has a bunch of implications for how we ask for consent and how we set defaults.

User agents have some duties to their users, and we talk about trade-offs between privacy principles and how often those are not real trade-offs.

You can find a better design that satisfies all of the principles together. And then the principles themselves.

Note that the stuff you see on the slide is very compressed.

There's a lot more nuance in the document.

But we say that user agents need to help users pick the identity they want to present to each site they visit, that web APIs and websites need to minimize the data they send to achieve their users' goals, that new APIs need to guard data that they expose at least as well as the old APIs did, and that some information is sensitive, but it can be hard to figure out what, and that differs depending on the particular user.

So that's hard to predict.

People have some rights about their data.

De-identifying data is a good idea, but is difficult, and so we talk about a little bit of the ways to manage that.

Groups have some of their own privacy interests and asking an individual to consent to something can reveal information about other members of the group that didn't consent, and so we talk a little about how to manage that.

Even though user agents are picked by device owners, they have an obligation to the users, in addition to the device owners.

They can't just sacrifice the user's interests when the device owner asks them to.

We need to try to design in ways to protect people from abuse, both in websites and in API design, when that's possible.

Vulnerable people often need to turn on more privacy settings to protect themselves and make their web browsing safe, and so websites need to work well when people turn on those settings and especially need to not retaliate against people who do turn on those settings.

In the vulnerable people section, we also discuss the super complicated area of children and the trade-offs between parents and children and how you can manage that.

We talk about how to request consent in ways that respect people and understand what they actually wanted, instead of just having them click yes.

Notifications should not interrupt people in ways they don't want, and users should be able to choose the data that they send, instead of just saying yes or no to some data that was predefined.

So we would appreciate your help.

Please read our document.

Please send us PRs, suggest text that fixes problems you see.

If you don't have a fix in mind, just file an issue, and we have a breakout session tomorrow that you can attend to talk to us more directly.

So thank you.
