w3cping/privacy-threat-model

Sensitive information disclosure and vulnerable communities

Opened this issue · 1 comment

hober commented

I'd like to see §3.3 Sensitive information disclosure be more explicit about how broad a category sensitive information can be, especially where vulnerable communities are concerned.

In the W3C TAG Ethical Web Principles, under "The web should not cause harm to society," we say (emphasis mine):

When we are adding a feature or technology to the web, we will consider what harm it could do to society or groups, especially vulnerable people.

So, concretely:

  1. Sensitive information disclosure contributes to surveillance too—e.g. the use of AT reveals to attackers, to a high degree of certainty, that the user has one or more disabilities. See also the "Do not reveal that assistive technologies are being used" design principle.
  2. Information which can be used to categorize the user into cohorts may not seem like sensitive information itself, but membership in certain cohorts (e.g. based on race, sexual orientation, trans status, etc.) is itself very sensitive information. The document provides at least one example in this category (language preferences indicating ethnic minority status), but other examples covering other cohorts would really help.
  3. The second bulleted list should recognize that information that itself doesn't disclose substantial information about the user may substantially contribute to algorithms which attempt to categorize users into cohorts, membership of which may be very sensitive information.
  4. Additional entries for the first bulleted list:
    • Medical information
    • that a user has an account on a particular service (e.g., having an account on a dating service which is primarily used by people in a particular sexual minority)
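As an added illustration of item 3 above (not code from this issue, from the w3cping repository, or from the threat-model document it discusses): a naive-Bayes combination of a few signals that a page can read without any permission prompt, showing that each signal alone barely moves the estimate of cohort membership while the three together make it confident. The cohort ("uses assistive technology"), the prior, and every likelihood in the table are constructed assumptions for illustration only; prefers-reduced-motion and forced-colors are real CSS media features, but the numbers attached to them are not measurements, and "font-scale" is an assumed signal with no specific API behind it.

```python
"""How individually weak signals combine into a confident inference about
membership in a sensitive cohort.

Added example, not part of the w3cping/privacy-threat-model issue or the
document it discusses. The cohort, the signals and every probability below
are constructed for illustration; none of them are measurements.
"""
from math import log2

# Hypothetical cohort: "uses assistive technology". The prior is constructed.
PRIOR_COHORT = 0.02

# Constructed likelihoods (P(value | in cohort), P(value | not in cohort)).
# The first two names are real CSS media features; "font-scale" is an assumed
# signal. All numbers are assumptions, not data.
SIGNALS = {
    "prefers-reduced-motion": {
        "reduce":        (0.60, 0.08),
        "no-preference": (0.40, 0.92),
    },
    "forced-colors": {
        "active": (0.35, 0.02),
        "none":   (0.65, 0.98),
    },
    "font-scale": {
        "large":   (0.50, 0.10),
        "default": (0.50, 0.90),
    },
}


def likelihood_ratio(signal, value):
    """How much more likely this value is inside the cohort than outside it."""
    in_cohort, outside = SIGNALS[signal][value]
    return in_cohort / outside


def posterior(observed, prior=PRIOR_COHORT):
    """Naive-Bayes posterior P(cohort | observed), assuming the signals are
    conditionally independent given cohort membership.

    observed: mapping of signal name -> observed value (may be empty).
    """
    odds = prior / (1.0 - prior)
    for signal, value in observed.items():
        odds *= likelihood_ratio(signal, value)
    return odds / (1.0 + odds)


def bits_revealed(observed):
    """log2 of the combined likelihood ratio: bits of evidence about cohort
    membership that the observed signals contribute together."""
    return sum(log2(likelihood_ratio(s, v)) for s, v in observed.items())


if __name__ == "__main__":
    # A constructed set of observations that a page could collect silently.
    observed = {
        "prefers-reduced-motion": "reduce",
        "forced-colors": "active",
        "font-scale": "large",
    }
    print(f"prior P(cohort) = {PRIOR_COHORT:.3f}")
    for signal, value in observed.items():
        print(f"{signal}={value} alone -> P(cohort) = "
              f"{posterior({signal: value}):.3f}")
    print(f"all three together -> P(cohort) = {posterior(observed):.3f}, "
          f"{bits_revealed(observed):.1f} bits of evidence")
```

With the constructed numbers, prefers-reduced-motion alone takes the estimate from 2% to about 13%, which is the kind of value a reviewer might wave through as "not sensitive"; the three signals together push it above 90%. The threat-model point is that the sensitivity of a signal cannot be judged in isolation from the other signals an attacker can combine it with.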
hober commented

This is related to #16.