Principles of User Privacy (PUP) #24

Closed
darobin opened this issue May 19, 2021 · 17 comments

@darobin

darobin commented May 19, 2021

Dear friends,

I would like to propose the Principles of User Privacy (PUP) as a work item.

The goal of PUP is to provide a solid set of terms and tools to discuss and think about privacy, grounded in the domain's state of the art. With this document I hope to facilitate any and all conversations pertaining to privacy on the Web.

There is no specific conformance class for this document; it is intended to inform principled decisions, in line with TAG documents or RFC 8890.

@TheMaskMaker

I'd like to know the intent of this document, as I have a similar item on the agenda in web adv for this upcoming week that has been discussed for a while now, and this is the first I've heard of this document.

It also seems to have been just posted now (it is dated today), after I mentioned my proposal on the recent meeting.

I'd like to know why another such document that has never been seen before has suddenly been created and is requesting to be on track for working item status already??

While I agree (and have been campaigning for) a common definition set, this one seems to heavily favor the user agent despite their status as the largest of tracking companies. This is not appropriate in a common definition set.

@jasonekint

> Dear friends,
>
> I would like to propose the Principles of User Privacy (PUP) as a work item.
>
> The goal of PUP is to provide a solid set of terms and tools to discuss and think about privacy, grounded in the domain's state of the art. With this document I hope to facilitate any and all conversations pertaining to privacy on the Web.
>
> There is no specific conformance class for this document; it is intended to inform principled decisions, in line with TAG documents or RFC 8890.

Outstanding, Robin. Thanks for taking the time to draft and publish this. It's great you started with the definitions in the TPE as a building block since a lot of consideration went into them. We will review and offer perspective on behalf of publishers.

@TheMaskMaker

You write: "This document provides building blocks for the creation of privacy threat models on the Web"

This is exactly what I am presenting in a few days time, as I mentioned on the call before this was posted, and have been talking about for the past couple of days.

That version, however, does not act in-and-of-itself as a privacy definition, which this proposal is doing. It instead invites each proposal to give their own definition. This chills all dissenting arguments with its tenets.

I would like to know why you are attempting to fast-track a browser-biased version of a proposal that is already in progress?

@TheMaskMaker

I want to be clear I think there is a great deal of useful information here, but, in addition to the user agent description problem I mentioned, I want to know why rather than reaching out to contribute to the very proposal on whose topic you yourself claimed was out of scope for privacycg recently, you penned your own and rushed it out the door?

Would you be willing to treat this as a contribution towards the other proposal rather than a working item?

@darobin
Author

darobin commented May 19, 2021

@TheMaskMaker The purpose of the document is indicated in the abstract. Sorry, I don't mean to be flippant — but it would help to have greater precision if you find that unclear.

You can use git history to see that this predates the mentions of your work by a while (and in fact it was moved over from a previous project). I had to be in and out of the meeting and missed any mention you made of your work. Sorry if this looks related, it simply isn't. I'm not rushing it out the door, I had intended to get it approved prior to the f2f but life happened is all. That said, if you want to work on this problem, the whole point of publishing this is collaboration so I don't think there's a problem?

I would be interested in hearing what you consider to be "browser-biased". The document is heavily user-biased, but that's what the Web is about so that shouldn't be a surprise. You mention user agents that track; I think it's pretty clearly stated in the document that that is a violation of privacy. You might further wish to refer to the user agent as fiduciary model that is promoted there; I believe it is an effective framework within which to address that concern.

I'm not entirely sure what you are getting at in terms of everyone giving their own definition of privacy (again, sorry, I missed that discussion). Privacy is the subject of extensive literature and I'm not sure how much we would want to relitigate those debates? I don't mean this to be a comprehensive literature review in the formal sense (because I don't think that would be useful) but to the extent possible I ground the definition in the literature, as translated for use on the Web.

@TheMaskMaker

@darobin I'm sure you can understand my concerns: your repo was copied over 2 hours ago, with many recent updates today, and while I was told to delay the copying over of my own repo and advised to go through a feedback process first, this proposal seems to have jumped ahead of all of it. Incidentally your original repo does not predate my research, though you are correct it has existed for longer than today.

I was also led to not post it in this group for reasons of scope, which I recall you yourself bringing up. Thus it seems like either you have skipped ahead of process or I was told to take an unnecessarily long path.

By everyone getting their own privacy definition, I mean that what you deem privacy in this proposal does not necessarily correlate to what others deem privacy. Your definition and mine of what privacy is does not necessarily match that of other groups and proposals. This is a problem Feathered Serpent seeks to provide clarity on that is not present here.

PUP does have a great many good things about it, once the assumptions are removed. I would be happy to collaborate with you on Feathered Serpent, but if you intend to replace it with a version that assumes a personal privacy definition as fact, I have strong concerns.

@TheMaskMaker

I think we agree on 90% of this ironically. I saw the fiduciary model, but even within the model it gives browsers privileges that are problematic in various privacy contexts. I am concerned with abuse there.

@darobin
Author

darobin commented May 19, 2021

@TheMaskMaker I haven't copied over anything? The repo's been there for a few months. I made updates today because editing specs is what happens when I'm in a WG meeting but the agenda isn't something I plan to take part in. I don't put anything in doubt with respect to your research, I mean, I think I can trace my oldest notes on this to back when I was chairing DAP in 2009, but I'm not sure that matters?

I'm not sure what you mean about the scope or the process, but if you have pointers I'd be happy to look. If the group feels that this is not the right venue for this document, that's a discussion I'm happy to have of course. But it would help to have clear pointers from

I'm not sure what you mean by "personal" definition of privacy. Again, I cite references rather extensively. It's also not like the Web community hasn't been discussing privacy for a long time.

I find it very hard to identify changes I could make based on generic notes like "privileges that are problematic in various privacy contexts" or "I am concerned with abuse". I would like to understand your concerns so that they can be addressed, but I'm afraid that would require more details.

@TheMaskMaker

@darobin I'd be happy to clarify. Ironically, that's what Feathered Serpent is meant to do, maybe I should just show it to you. Tomorrow will be a long day; do you have time Friday to sync up and discuss, as we seem to have very similar proposals, and perhaps some pieces of one belong in another, and vice versa, or PING, etc?

At the very least would you consider it appropriate not to ask for working group status until the other copy has been made public? I am mid-updates based on feedback at the moment, and while I hope we are actually on the same page and all this text is muddling things, in the event we believe separate ideals are better it would be best to have them side by side than make a race of it?

@TheMaskMaker

working group -> working item, sorry typo there and didn't want to edit

@darobin
Author

darobin commented May 19, 2021

@TheMaskMaker There's no race here, this is just a working draft so the point is to collaborate and iterate. If you're mid-updates and have a crazy week, take the time to do the updates, then share and we can see where we can go from there? That's a pretty normal process for things, taking multiple inputs and figuring out where consensus is. I think you got the impression of speed from a coincidence; I wouldn't sweat it and just do things the usual way.

@TheMaskMaker

@darobin Tomorrow is busy because we have the next FtF, but I can finish by Friday afternoon (ET) if you have the time, or this upcoming Monday. I'd actually like to speak with you before I demo this thing on Tuesday because it might impact some features if we do decide there is room to sync.

I'm working on changing my github account so I can showcase my name, e-mail etc, but in the meantime if there is a time that works for you I'm at michael@carbonrmp.com.

Let me give you one example of why I'm worried about racing: We both use the word 'party' as a key term. We both mean very similar things by it, but we have some differences (if I understand your definition correctly). This could be very confusing for everyone, even if we sync up afterwards and later resolve it.

I'd like to either figure out where we can go together here, or if we have very different ideas of what this should be, at least use unique language, or else our attempts to improve communication may muddle it further.

PUP has something Feathered Serpent is missing, namely you define far more than terms I did and provide more terminology to aid discussion. But Feathered Serpent provides for various viewpoints (privacy definitions), industry fairness (trust analysis) and doesn't make any statements about privacy itself to avoid conflicting with any group's opinion on it.

I like a great deal of PUP. I am afraid that, even if inadvertently, the two proposals may end up competing if we work separately. I'd rather work together from the beginning, if possible. Please let me know your thoughts.

@darobin
Author

darobin commented May 20, 2021

@TheMaskMaker I would really chill about the term overlap! I 100% agree with you that it would be confusing if there were multiple finalised documents with the same terms but we're dealing with drafts here. Let's let the proposals bloom and we can align when they're not the same! I look forward to seeing your input too.

@SebastianZimmeck
Member

It's a great undertaking, @darobin! I think, especially, lawmakers and regulators will find it informative to guide their work. My suggestion would be to distribute your proposal to them as well. And maybe they have feedback that you can include in later iterations. Your work will help to bridge the gap between web technologies and the law governing those. I am optimistic that we converge over time to an understanding of what personal information, what a first party is, etc.

@darobin
Author

darobin commented May 25, 2021

Thank you @SebastianZimmeck! I'm glad that you see it that way since it is indeed my hope to help build such a bridge. If you have suggestions for places to share this, happy to coordinate!

@hober
Member

hober commented May 27, 2021

Hi Robin!

> I would like to propose the Principles of User Privacy (PUP) as a work item.

I'm really interested in this document & want to see work on it proceed somewhere at W3C. That said, and like I've said elsewhere, we're more focused on the nitty-gritty details of specific technical proposals here in the Privacy CG. For big-picture questions about privacy, I think PING is a much better fit. Or the TAG even.

> There is no specific conformance class for this document; it is intended to inform principled decisions, in line with TAG documents or RFC 8890.

Definitely sounds more like a PING or TAG thing, then.

@darobin
Author

darobin commented May 27, 2021

Hi Tess!

I missed that other issue (so many issues) and I'm perfectly happy with that orientation. As it happens, I'm already in discussions about finding it a new home. I'll give the group a heads up if/when that happens so we can all keep track of what is where.

Thanks!

darobin closed this as completed May 27, 2021