w3ctag / security-questionnaire

A security/privacy review questionnaire for W3C specs
https://w3ctag.github.io/security-questionnaire/
Creative Commons Zero v1.0 Universal

Bias – needs to encompass a fuller set of considerations #85

Closed jwrosewell closed 4 years ago

jwrosewell commented 4 years ago

Privacy and security are important considerations. Competitive markets, freedom of expression, and innovation, among others, are also considerations.

The document is not concerned with these wider considerations.

Before being amended it should be expanded to encompass a full set of considerations. The IETF in their documents “The Internet is for End Users” and ESCAPE provide insight.

In the meantime it should only be used in situations where these wider considerations are given equal importance. I’m new to the W3C and find the number of committees, documents and processes somewhat hard to follow. Could members of TAG and PING explain how these wider considerations are incorporated into their work? If this is not the correct forum then perhaps they could direct me towards the correct one?

To consider only security and privacy is to ignore or downgrade the importance of society, people, publishers, advertisers (who fund much of the open web) and all technology businesses whose roles further the purpose of the W3C as defined in the membership agreement.

Such a document might start with the paragraph…

“Throughout the feature development process there are both foreseeable and unexpected security, privacy, competition, freedom and innovation risks. These risks may arise from the nature of the feature, some of its part(s), its implementation in practice, or unforeseen interactions with other features…”

pbannist commented 4 years ago

I agree with this. The draft document states, "This is why each Working Group needs to consider security and privacy by design and by default. This consideration is mandatory." This is a critical point - privacy and security are important and every working group and proposal should spend significant time ensuring that privacy/security are built-in by design.

However, the draft also states, "is the specification exposing the bare minimum necessary to achieve the desired use cases? If not, why not and why expose the additional information?" The document pushes developers to expose the least minimum information and think through why they would need to expose more - but neither this document, nor any other document of the W3C that I know of, presents any other considerations that a developer might need to weigh in making a decision.

This draft, by default, makes privacy/security not a "mandatory" consideration of projects but the de facto exclusive consideration. A proposal author would need to be an expert in the other considerations that @jwrosewell presents to be able to understand the balance between privacy/security and other important topics.

Using this document in a vacuum could easily lead to standards that stifle innovation, shut down freedom of expression or hobble competitive markets.

Other questionnaires should be developed so that working groups can be armed with all necessary facts to make informed decisions about how their work will impact all end users.

lknik commented 4 years ago

However, the draft also states, "is the specification exposing the bare minimum necessary to achieve the desired use cases? If not, why not and why expose the additional information?" The document pushes developers to expose the least minimum information and think through why they would need to expose more - but neither this document, nor any other document of the W3C that I know of, presents any other considerations that a developer might need to weigh in making a decision.

This document lists example strategies (the list is not exhaustive).

Other questionnaires should be developed so that working groups can be armed with all necessary facts to make informed decisions about how their work will impact all end users.

But in my humble opinion, "we need more documents also on other topics" is not an issue with this particular document, which is very well targeted for good reasons. However, nothing precludes you from setting up a separate repository with a proposed questionnaire and inviting the community to weigh in.

It seems to me that the discussion is not actually about the security & privacy self-check.

torgo commented 4 years ago

@jwrosewell - I'm afraid I don't really follow you regarding how enhanced privacy could diminish freedom of expression. Indeed, enhanced privacy can be an enabler of freedom of expression as surveillance (corporate or state) can have a chilling effect on free speech.

Regarding the data minimisation point that @pbannist mentioned, I worked on a draft TAG finding on this topic which explains some of the thinking there. Basically this is based on some pretty fundamental computer science.

I find the reference to the IETF document on end users perplexing. As that draft states:

"end users," means human users whose activities IETF standards as a whole are designed to support

…so I think what we have written in this document, and in the TAG Ethical Principles and Web Platform Design Principles, is consistent with this view and approach. @mnot may have thoughts here?

torgo commented 4 years ago

Just to close this off, we discussed in today's call and we agree that the security & privacy questionnaire does narrowly focus itself on two of the W3C areas of horizontal review, and that we should consider writing or collaborating on self-checks for the other areas. That said, we feel that the S&P questionnaire rightly focuses itself on its two areas.