From W3C Wiki
Privacy Considerations for Web Standards, Group Note
Process for conducting privacy reviews of a Web specification
Here is a list of questions (a checklist) that can be used as a first step for reviewing Web Specifications and APIs.
- Can the information be used (alone or in combination with other APIs / sources of information) to fingerprint a device or user?
- May I access the information I created?
- May I record it myself (locally)?
- Am I able to take actions on this personal record?
- May I block, partly or totally, the recording of the information?
- May I fake it? (Think about fuzzy geolocation or a voluntary fake location.)
- Is the data personally-derived, i.e. derived from the interaction of a single person, or their device or address? (If so, even if anonymous, it might be re-correlated)
- Does the data record contain elements that would enable such re-correlation? (examples include an IP address, and so on)
- What other data could this record be correlated with? (e.g. the ISP)
- If you had large amounts of this data about one person, what conclusions would it enable you to draw? (e.g. maybe you could estimate location from many ambient light events by estimating latitude and longitude from the times of sunrise and sunset)
- Am I likely to know if information is being collected?
- How visible is its collection and/or use?
- Do I get feedback on the patterns that the information could reveal (at any instant, over time) so I can adjust behaviors?
- If a background event about the device is fired in all browsing contexts, does it allow correlation of a user across contexts?
- Can code on a page send signals that can be received by device sensors on nearby devices?
Privacy Recommendations for Web Standards, Group Note
Substantive recommendations regarding common privacy issues across Web standards
- Fingerprinting guidance (email) | TPAC session: Is browser fingerprinting a lost cause?
Related resources from other groups internal and external to W3C:
- SPA - Specification Privacy Assessment
- IAB Privacy Considerations and Terminology documents