In discussing sensitivity, there is this odd statement:
When considering whether a class of information is likely to be sensitive [...], consider [...]:
[...]
whether it can be revoked (as in determining whether a permission is necessary);
This probably needs expansion. Information cannot be revoked or taken back. It would seem that there is a distinction between information and capabilities that needs to be considered.
What distinguishes a capability is that it can be revoked, even if it is presented as information. For instance, a capability URL is information, the knowledge of which imparts some capability. That access can be revoked (usually by adding access control to the identified resource so that the URL loses its "capability" property), but the knowledge is irrevocable.
In pure privacy terms, the capability to contact a person via email or push notifications has privacy implications. I certainly find that many actors abuse this capability once granted them. The use of email aliases or push notification controls gives me the ability to withhold that capability, rendering the information effectively useless. Those uses are deliberately capabilities, not information.
Of course, if I give away my primary email address, I lose the ability to differentiate in denial of access. (Push notifications don't have that property because that is not how we built them.)
Some of the details mentioned in Section 2.4 might manifest as capabilities (ongoing access to a calendar, geolocation permission, and certainly camera and microphone), but others are pure information.
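The email-alias case described in the post above, as an added example that is not part of the original issue text: a toy mailbox in which each party gets its own unguessable alias, so access can be withdrawn per party even though the address string itself stays known. The class, method names, and the `example.test` addresses are all hypothetical.

```python
import secrets


class AliasMailbox:
    """Toy mailbox: one primary address plus per-party aliases (hypothetical model)."""

    def __init__(self, primary, domain="example.test"):
        self.primary = primary
        self.domain = domain
        self._aliases = {}    # alias address -> party it was issued to
        self._revoked = set()

    def issue_alias(self, party):
        # Unguessable token, as with a capability URL: knowing the string grants access.
        alias = f"{secrets.token_urlsafe(12)}@{self.domain}"
        self._aliases[alias] = party
        return alias

    def revoke(self, alias):
        # Revocation changes the mailbox's state, not what the other party knows.
        if alias not in self._aliases:
            raise KeyError(alias)
        self._revoked.add(alias)

    def accepts(self, rcpt):
        if rcpt == self.primary:
            return True       # no per-party handle, so no differentiated denial
        return rcpt in self._aliases and rcpt not in self._revoked

    def issued_to(self, rcpt):
        # Which party an address was handed to (still answerable after revocation).
        return self._aliases.get(rcpt)


def demo():
    box = AliasMailbox("me@example.test")   # constructed sample addresses
    shop = box.issue_alias("shop")
    news = box.issue_alias("newsletter")
    known_to_shop = shop                    # the shop keeps this string indefinitely
    box.revoke(shop)
    return {
        "shop_alias_accepted": box.accepts(known_to_shop),
        "newsletter_alias_accepted": box.accepts(news),
        "primary_accepted": box.accepts(box.primary),
        "alias_issued_to": box.issued_to(known_to_shop),
    }
```
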