w3ctag / ethical-web-principles

W3C TAG Ethical Web Principles
https://w3ctag.github.io/ethical-web-principles/

A small modification to principle 2.5 #112

Closed simoneonofri closed 4 months ago

simoneonofri commented 6 months ago

Hello everyone,

I want to propose a small modification to principle 2.5.

From:

We will start by creating web technologies that create as few risks as possible, and will make sure people understand what risks they are taking when they use the web.

To (addition in italic):

We will start by creating web technologies that create as few risks as possible and mitigate the risks. We will make sure people understand what risks they are taking when they use the web.

To put emphasis not only on the fact that we try to be as safe as possible when developing a standard, but also that some standards are born to mitigate risks (e.g., CSP, CORS, WebAuthn...).

Thank you,

Simone

jyasskin commented 6 months ago

I think you meant to file this against the Ethical Web Principles at https://w3ctag.github.io/ethical-web-principles/#privacy. @torgo, can you move the issue?

mnot commented 6 months ago

It would be good to also be specific about what kind of risks are being talked about; e.g.,

We will start by creating web technologies that create as few risks to users as possible, and mitigate the risks that we cannot avoid. We will make sure people understand what risks they are taking when they use the web.

simoneonofri commented 6 months ago

Hi @mnot, I like what you wrote.

simoneonofri commented 6 months ago

I was also reflecting. Although it is commonly used that "risk" has a negative meaning, particularly in IT, according to the definition in ISO 31000, a risk is "the effect of uncertainty on objectives." If this has a potentially negative effect on objectives, it is a threat; if it has potentially positive effects, it is an opportunity. So, it might be better to use the term "threat."

rhiaro commented 5 months ago

I've made a PR with @mnot's suggestion, and changed "risks" to "harms" (rather than "threats") as I feel that better captures passive or unintended negative consequences, as well as active threats.

@simoneonofri I couldn't add you as a reviewer, but please feel free to review the PR: https://github.com/w3ctag/ethical-web-principles/pull/118

simoneonofri commented 5 months ago

Thanks @rhiaro, I did a check on the definitions. In theory, threat is a broader term that includes anything that, if it happens, has a negative impact, while harm is a type of threat specific to civil society issues (which includes human rights, privacy etc...), so it depends on the meaning you want to give it. Personally, I would leave threat, which is more generic. Example here: https://shostack.org/blog/threat-model-thursday-c2pa/

rhiaro commented 5 months ago

Thanks for adding clarity @simoneonofri, I've updated the PR to use "threat"

mnot commented 5 months ago

The important part of my proposal was to users -- to highlight the priority of constituencies.

rhiaro commented 5 months ago

> The important part of my proposal was to users -- to highlight the priority of constituencies.

Oops! Oversight on my part. PR updated.