AB/2016 Priorities/Security

From W3C Wiki

Proposed W3C AB strategic objectives on security

This page gathers a proposed strategic plan for W3C, in order to increase members awareness and specification quality, with respect to security. this project is supported by Virginie Galindo (gemalto), Tantek Çelik (mozilla) and Judy Zhu (Alibaba)

Security

Improve WG security awareness and reviews

  • Maintain Security and Privacy Questionnaire
    • -> TAG
  • Implement Security Reviews (Privacy ones are already up and running)
    • -> TAG + Process document (should consider)
  • Develop Security guidelines
    • -> To WebAppSec, escalate to TAG
  • Play twice a year the security and privacy training to chairs and editors

Participation

  • Motivate W3C security centric companies

W3C Process

  • Adding a mention to security and privacy review

W3C synch

  • Creating synchronization group on security and privacy activities (chairs and editors from the security activity)
  • Maintaining the security and privacy roadmap with Wendy S [1]

Communication to members and public

  • Establish the markets for which security is key in W3C (web of data, financial services, automotive)
  • Highlight of security and privacy activities/progress from members during AC meeting

Broaden and enhance the security work

  • Incubate new security work, for example, privacy, web security best pratices, and data security etc
  • Increase participation on security activity, for example, Privacy IG, Web Security IG etc

Privacy

Making sure the PING and W3C mmebership keeps a good understanding of new privacy challenges. Questions that could be highlighted to PING are about :


Improve Privacy understanding

  1. what’s ‘ok’ online and what’s not (cf. the ‘real world’)
  2. understanding different cultural approaches and views of privacy
  3. getting to grips with principles and ethics
  4. understanding user expectations and assumptions better; setting defaults better to correspond to default understanding
  5. privacy and social divide. Tracker blockers, differential privacy and crypto can reduce tracking of only some users with socially unforeseen consequences

Reducing un-needed exposure:

  1. reduce the spread of presonal information that parties didn’t actually need
  2. reduce the ‘fingerprinting surface’
  3. reduce the ability to eavesdrop
  4. improve ‘anonymity’ when it’s possible
  5. the web specs could use/encourage more on-device user modeling

Giving users more visibility, understanding, and control

  1. more tracing of what happens to their private data
  2. better control of exposure
  3. easier ways to understand what’s happening, what policies apply, etc.

Addressing the non-anonymity aspects of privacy

  1. respect for context, what’s appropriate when; mis-use of validly-acquired data is as much a problem as mis-acquisition
  2. understanding that the amount of data (watching me with a video camera vs. occasional snapshots) is a privacy concern