
Request for information: privacy considerations? #29

Open
aphillips opened this issue Nov 10, 2020 · 2 comments

Comments

@aphillips

I was actioned by the I18N WG to ask about the privacy's experience with the use of “privacy considerations” sections in specs. The background here is that internationalization is thinking about when and whether it makes sense to have “internationalization considerations” as a separate section in a spec. In most cases we have preferred not to create these, but there may be cases where it makes sense.

We’d be interested to know how privacy handles the creation, review, and maintenance of these when they appear in specs. Do you have a template or best practices? Do you have any learnings that would be helpful to us?

@samuelweiler samuelweiler transferred this issue from w3cping/tracking-issues Nov 10, 2020
@samuelweiler

We're using the tracking-issues repo for spec issues. I'm moving this discussion here.

Here is the reply I sent in email.

First, thank you for asking!

We draw largely from the IETF's practices, and we point at their documents:

https://tools.ietf.org/html/rfc6973#section-7
https://tools.ietf.org/html/rfc3552#section-5

More resources are linked from the horizontal review instruction page:

https://www.w3.org/Guide/documentreview/#how_to_get_horizontal_review

We require these sections because many of these concerns persist even at time of implementation and need to impact implementation - these aren't merely evidence of "we fixed everything already". Accordingly, while we have a questionnaire to encourage spec developers to look in various corners, we specifically discourage using the questionnaire as a template. We instead ask for custom-crafted text, written for the USER of the spec, not the reviewer:

https://w3ctag.github.io/security-questionnaire/#considerations

I'm not sure if i18n feels similarly about the issues you tend to raise, but that might inform whether you want to see sections in-line or not.

@sandandsnow

Thanks for reaching out. From my point of view, it is extremely important to have a dedicated section in specifications that (a) identifies any known privacy risks or vulnerabilities that may arise if the spec is implemented or otherwise used; and (b) how those risks or vulnerabilities have been mitigated. Just as specs are updated, the privacy considerations section should also be updated as the spec evolves, or new privacy risks and mitigations are discovered.
