consumer-reports-innovation-lab / TheDigitalStandard

The Digital Standard is an ambitious, community-led effort to build a framework to test and rate products and services on the basis of privacy, security, and data practices.
Creative Commons Attribution 4.0 International

Encryption #59

Closed TatevSarg closed 6 years ago

TatevSarg commented 7 years ago

I suggest editing the first two indicators under encryption to ensure that they are correctly interpreted to refer not only to user communications but also to other user information. For example, for devices and services that collect data but do not mediate user-to-user communication and user-generated content, we should also evaluate whether user information (e.g., personal information, viewing information, voice recordings, etc.) that the company collects is encrypted while travelling to company servers. Hence, perhaps instead of saying "Transmission of user communications is encrypted by default," we may want to say, "Transmission of user communications and/or user information is encrypted by default." Same goes for the second indicator.

digitalstandard-bot commented 7 years ago

Thank you for helping shape the Digital Standard. Addressing privacy, security, and data issues in the marketplace requires a community-driven response.

The partners meet once every 3 months to review pull requests. The next meeting is scheduled for mid-August.

Thanks again!

TatevSarg commented 6 years ago

I also recommend adding an indicator on data encryption at rest, which should include data stored on devices and on company servers.

KatieMcInnis commented 6 years ago

test

KatieMcInnis commented 6 years ago

@TatevSarg we agree with the tenor of the suggestion, but are unsure where to put the language. We could change the language of the indicators to: "Transmission of user communications is encrypted by default." and add "user information is encrypted by default when at rest" -- does that make sense?

TatevSarg commented 6 years ago

Hi Katie, "User information is encrypted by default when at rest," sounds good. For the rest of the indicators under encryption I suggest using "user information" instead of "user communication" and "user content." User information seems more inclusive to me.

Transmission of user information is encrypted by default.

Transmission of user information is encrypted using unique keys.

Users can secure their information using end-to-end encryption.

rschulman commented 6 years ago

I would offer another observation on the encryption indicators: protection of user data (communications or otherwise) is only one reason to encrypt data. Any command and control messaging should also be encrypted to avoid attackers interfering with the operation of the device, even if those communications don't contain user data.

TatevSarg commented 6 years ago

@rschulman Ross, that is an excellent point. Do you have any suggestions on how we can frame the encryption indicators to cover more than user information?