w3ctag / privacy-principles

https://w3ctag.github.io/privacy-principles/
Other
49 stars 16 forks source link

Data portability threat model, mitigations #424

Closed lisad closed 4 months ago

lisad commented 6 months ago

The right to port data is indeed important for choice, but I think it would be good to have a small amount of extra discussion about the privacy and safety considerations involved in that kind of functionality.

This is way TL,DR; but I've put a bunch of work into a reference architectural model for secure data portability, as well as a detailed threat model (in two parts), so I would be able to help if there is agreement to say a little more more.

Some of the onus is on regulators and 3rd parties such as standards bodies - without help, companies are left liable (especially in the US) for data transfers that end badly even if nobody could have predicted that outcome. There's stuff we can do, projects I'm for one actively working on, and maybe it wouldn't hurt to have a little acknowledgement of the work to do in this excellent principles doc!

jyasskin commented 6 months ago

We discussed this question in our meeting today, and while we don't want to add a long discussion about the details of how to do data portability well, we'd like to add a citation from https://w3ctag.github.io/privacy-principles/#dfn-right-to-portability to some document that does go into those details. Does DTI have a good document that supports and explains the right to port, which you'd like us to cite?

I think we'd also be happy to take changes to the text that don't make it appreciably longer. Would you like to suggest such a change, or is the current summary basically ok?

Also, thanks for working on the details of this problem!

lisad commented 6 months ago

I'm working on some more citable documents. We're definitely working on a single link for the threat model document, coming soon. I'll think more about a summary of the right to port.

I still think that a small addition to the text is worthwhile. Not very much longer, but definitely worth mentioning the additional threats around phishing/permissions and harmful content, which are challenging threats to manage in a data portability context.

E.g.: "Data portability increases challenges in content moderation and maintaining content policies. Bulk transfers of data are harder to apply some protective tools to, and services will need to create or use new protections. New avenues for phishing for personally-identifying or sensitive material are also likely, as data transfer is complex and involves permissions and scopes that need to offer what various users need, yet also be simple and clear."

torgo commented 5 months ago

Hi @lisad - After discussion on today's call, we're still minded to not include further text but instead cite something. It's a different tone from the rest of the section and we don't feel it's balanced with the other rights we discussed so in the interest of brevity we'd like to instead include a citation.

lisad commented 5 months ago

Okay! I'm working with our ED Chris on a couple documents that we can provide on dtinit.org as stable citations - one on the threat model, one that I think will be a short, great explainer on what is the right to data portability. It will be useful in other contexts as well - I'm constantly running into people, both technical and not, who question whether this should be a right and why it's not already solved with exporting support. I'll keep you posted when we have something available.

lisad commented 5 months ago

Our single-permanent-link threat model doc is now at: https://dtinit.org/assets/ThreatModel.pdf We are still working on a referenceable doc for "the right to data portability", after thinking about it we did agree that's a worthwhile effort. ( Some folks who are technical and informed ask why we bother, or why export/import doesn't solve this -so it's worth documenting at least a couple trends and use cases that make this matter, as well as the laws that support this right.)

torgo commented 4 months ago

Thank you, @lisad !