To address the evolving threats to users’ security and privacy online, the W3C Technical Architecture Group and the Privacy Interest Group have updated the Security and Privacy Questionnaire so that developers of web features consider and mitigate modern threats to users as they design their features.
The goal of the document is to provide a framework for authors to think about security and privacy at all points throughout the feature design and specification process — ideation, initial review, iteration, and wide review. Security and design decisions should be documented and updated throughout the development of a specific feature.
There were three significant revisions to the document:
- When and how the document is to be used was clarified.
- The questions themselves have been updated and revised.
- The threat model has been updated throughout.
The security and privacy questionnaire has been utilized in a variety of ways — from using it as a starting point to consider these issues in a feature, to the basis of the security and privacy considerations of a standard. The questionnaire now makes it clear that feature developers should consider security and privacy early in the feature’s lifecycle, that the TAG will be carefully considering the security and privacy of a feature in their design reviews, and that a security and privacy considerations section of a specification is more than answers to the questionnaire.
To make it easier for feature developers, spec reviewers, implementers, and other interested parties to better understand the potential impact of a feature, questions have been updated. Broadly speaking, the updates take two forms: (1) focusing on how — rather than if — the specification handles data in general, and (2) providing context as to why that question is being asked with real world examples of where there has been security and privacy impact.
The threat model and specific threats that a specification author should consider have also been updated. The questionnaire contains a new high-level type of threat — legitimate misuse. Including this threat in the Security and Privacy Questionnaire is meant to highlight that just because a feature is possible does not mean that the feature should necessarily be developed, particularly if the benefiting audience is outnumbered by the adversely impacted audience, especially in the long term. As a result, one mitigation for the privacy impact of a feature is for a user agent to drop the feature (or not implement it). Features should be secure and private by default, with issues mitigated in their design; user agents should not be afraid of undermining their users’ privacy by implementing new web standards, nor need to resort to breaking specifications in implementation to preserve user privacy. Web technology developers should consider that features may not be implemented if risks are found impossible to mitigate or are mitigated unsatisfactorily. Moreover, in the questions and the mitigation sections, we highlight that not all parties on the web are equivalent in how they are handled: specification authors may want to consider first and third parties separately in their feature to protect user security and privacy.
We hope the updated Security and Privacy Questionnaire helps authors ensure the security and privacy of their web features and of the web platform overall. Focusing on security and privacy at the early stages of review should be the standard, in line with Privacy by Design. While we don’t plan a significant review before 2024, we will keep monitoring its performance, as well as the external environment: new risks, threats, and expectations.
Finally, we would like to thank Mike West for his significant work on the previous version of the questionnaire.
Jason Novak manages the User Privacy Compliance, Verification, and Standards team at Apple Inc; on behalf of the Privacy Interest Group.
Lukasz Olejnik is an independent security and privacy researcher; on behalf of the Technical Architecture Group.