w3cping / privacy-threat-model

A target privacy threat model for the Web
https://w3cping.github.io/privacy-threat-model
Apache License 2.0
23 stars, 7 forks

Define benign vs. sensitive information disclosure more formally #16

Open tobie opened 4 years ago

tobie commented 4 years ago

Notably so it can be linked to from other documents.

jyasskin commented 4 years ago

Do you mean anything in particular by "formally"? https://github.com/w3cping/privacy-threat-model/pull/12/files#diff-ec9cfa5f3f35ec1f84feb2e59686c34dR223 talks about the difference between benign and sensitive information a bit, and @tomlowenthal is rewriting the introduction to give some principles on the difference.

tobie commented 4 years ago

To give you a bit of context, I'm looking at the privacy aspects of the Web Monetization spec and of the underlying payment protocol (ILP). The protocol leaks information which the editors consider benign (e.g. the user's payment provider).

I'd like to understand if there's agreement as to what kind of information that term encompasses and what kind of threat leaking either benign or sensitive information opens the user to.

If there is agreement, I'd want that term defined in this spec, and linkable through a dfn.

If there isn't agreement, or if agreement is jurisdiction-dependent, having a note to that effect that could be referenced would be great. Ideally, this spec would also offer another ontology that could be used instead and that would help editors and implementors better reason about these issues.

jyasskin commented 4 years ago

So far, I've been thinking of RFC 6973, Privacy Considerations for Internet Protocols §Disclosure as the main way to identify sensitive information, in particular "information about an individual that affects the way others judge the individual." I agree we should have a citable definition in this spec too, but that might work for you as a reference until this spec is better.

npdoty commented 4 years ago

I don't think we will be able to confidently list what information is sensitive and what information is benign, because I think that's a property of the user, the context they are in and what the risks are to them of disclosure of a piece of information, rather than a property of a datatype itself.

But I do think providing a definition or guidance on what makes information sensitive to users and some common threats that indicate types of information that are frequently sensitive could still be useful for the use case @tobie is describing. (And thanks for providing that example, it helps a lot in thinking this through. I think payment provider could be revealing and sensitive for some people, even if it's commonly not.)

npdoty commented 4 years ago

I like the "information that affects the way others judge the individual" even if it's a bit abstract.

Based on discussion in the PR thread, I also think these other factors might be useful in determining whether a class of information is likely to be sensitive to users:

  • whether it serves as a persistent identifier (see severity in Mitigating browser fingerprinting);
  • whether it discloses substantial (including intimate details or inferences) information about the user or other users;
  • whether it can be revoked (as in determining whether a permission is necessary);
  • whether it enables other threats, like intrusion