w3c / html-aria

ARIA in HTML
https://w3c.github.io/html-aria/

Privacy review of ARIA in HTML (15th March 2021) #295

Closed ShivanKaul closed 3 years ago

ShivanKaul commented 3 years ago

I looked at https://www.w3.org/TR/html-aria/. I don't have any specific privacy concerns, but given that the plan for ARIA 1.3 is to add a privacy considerations section, should there be a pointer in this doc to that or some mirroring text?

LJWatson commented 3 years ago

Thank you @ShivanKaul for your review.

> but given that the plan for ARIA 1.3 is to add a privacy considerations section, should there be a pointer in this doc to that or some mirroring text?

We're not able to add a normative reference to ARIA 1.3 until it's published, but the WebApps WG charter says:

> Where there are implications for implementors, developers, or users, in the areas of accessibility, internationalization, privacy, and security, each specification must have a section that describes relevant benefits, limitations, and best practice solutions for that particular area.

Although your review indicates there are no privacy implications, it still makes sense to include a privacy section in the spec. If there is no such section, it could be taken to mean there are no privacy implications, or that privacy was not considered at all, and that's not helpful to the people reading the spec.

So a privacy section that states there are no known privacy implications would remove any doubt. Then, in a future version of this spec, we can reference the privacy section in the ARIA 1.3 spec as/when it's published.

ShivanKaul commented 3 years ago

Thanks @LJWatson - agreed. @samuelweiler pointed out that it would be good to also have a separate Security Considerations section, in addition to the Privacy Considerations section, even if it is limited for now (based on https://www.w3.org/TR/security-privacy-questionnaire/#considerations).

samuelweiler commented 3 years ago

The editor's draft of the questionnaire contains the updated guidance: https://w3ctag.github.io/security-questionnaire/#considerations

And, yes, I understand that both sections are likely to say "no issues".