Be more explicit about how to improve web's "integrity"

[cwilso]

Filed at WebStandardsFuture/Vision#21.

[michaelchampion]

Some thoughts after a couple years away from these issues:

1. W3C should invest in research / align with external researchers on "post-mortems" of how web technology and culture was exploited by bad actors.

2. W3C should re-think its historical relationship to government legislators and regulators. The old techno-libertarian vision was to pre-empt technologically illiterate legislation by building industry consensus among competent technologists. We need a better balance so that regulations are technologically sound BUT guided by the principle of what is best for users, not what is most interesting/profitable for technologists.

3. W3C (staff? AB? TAG? a new CG?) needs to really come to grips with the user-first priority of constituencies https://www.w3.org/TR/design-principles/#priority-of-constituencies and turn that into more operational guidance. What does it imply for the Process document? Can the professional staff be better proxies for "users" when doing their jobs? How can the organization better solicit "wide review" from actual users without a financial or ideological stake in a W3C decision?

[michaelchampion]

Reviving this issue rather than opening a similar issue like "Need more detail on security and privacy principles"

The Introduction of the Vision document outlines the problems caused by security and privacy issues on the Web:

But the Web's amazing success has led to many unintended consequences that harm society: openness and anonymity have given rise to scams, phishing, and fraud. The ease of gathering personal information has led to business models that mine and sell detailed user data, without people's awareness or consent. Rapid global information sharing has allowed misinformation to flourish and be exploited for political or commercial gain.
This has divided societies and incited hate. We must do better. We must take steps to address these consequences in the standards we create.

But the Mission/Values/Principles points say very little about how W3C will address these problems, just:

We strongly emphasize accessibility, internationalization, privacy, and security.
and
Ensure the Web is trustworthy, by ensuring security and privacy for users.

As pointed out in #53 (comment) this level of detail is not sufficient to describe concrete efforts to emphasize / ensure security and privacy. Yet W3C (or the TAG anyway) has published concrete guidance on what privacy means in practice for the Web and W3C, e.g. https://www.w3.org/TR/privacy-principles/ at a high level and w3ctag/design-reviews#726 (comment) in response to an issue similar to the hypothetical one in that comment.

I hope the AB agrees that the privacy/security text in the Vision needs more detail, or at least references to documents with more detail, to sketch out how W3C can actually make the web more trustworthy. If so, I'm confident the community can find text in the TAG Privacy Principles, various TAG decisions related to privacy, and #13 to flesh out a paragraph or so to make the principles more concrete.

A straw man proposal (assuming the current structure, not that proposed in #63 ):

• Ensure the Web is trustworthy, by ensuring security and privacy for users ...

We will do this by

• Working with members and external researchers to better understand how the web platform has been exploited by bad actors; Applying the TAG's principles and findings relating to security and privacy into the review process for charters and standards; Emphasizing the principle of user control https://w3ctag.github.io/ethical-web-principles/#control when considering potential new members and new work; and Understanding that users can become vulnerable to privacy and security threats in ways they do not expect, and striving to help protect them.