Web feature developers told to dial up attention on privacy and security

Web feature developers are being warned to step up attention to privacy and security as they design contributions.

Writing in a blog post about “evolving threats” to Internet users’ privacy and security, the W3C standards body’s technical architecture group (TAG) and Privacy Interest Group (PING) set out a series of revisions to the W3C’s Security and Privacy Questionnaire for web feature developers.

The questionnaire itself is not new. But the latest updates place greater emphasis on the need for contributors to assess and mitigate privacy impacts, with developers warned that “features may not be implemented if risks are found impossible or unsatisfactorily mitigated”.

In the blog post, independent researcher Lukasz Olejnik, currently serving as an invited expert at the W3C TAG, and Apple’s Jason Novak, representing the PING, write that the intent with the update is to make it “clear that feature developers should consider security and privacy early in the feature’s lifecycle” [emphasis theirs].

“The TAG will be carefully considering the security and privacy of a feature in their design reviews,” they further warn, adding: “A security and privacy considerations section of a specification is more than answers to the questionnaire.”

The revisions to the questionnaire include updates to the threat model and specific threats a specification author should consider — including a new high-level type of threat dubbed “legitimate misuse”, where the document stipulates that: “When designing a specification with security and privacy in mind, both use and misuse cases should be in scope.”

“Including this threat into the Security and Privacy Questionnaire is meant to highlight that just because a feature is possible does not mean that the feature should necessarily be developed, particularly if the benefitting audience is outnumbered by the adversely impacted audience, especially in the long term,” they write. “As a result, one mitigation for the privacy impact of a feature is for a user agent to drop the feature (or not implement it).”

“Features should be secure and private by default and issues mitigated in their design,” they further emphasize. “User agents should not be afraid of undermining their users’ privacy by implementing new web standards or need to resort to breaking specifications in implementation to preserve user privacy.”

The pair also urge specification authors to avoid blanket treatment of first and third parties, suggesting: “Specification authors may want to consider first and third parties separately in their feature to protect user security and privacy.”

The revisions to the questionnaire come at a time when browser makers are dialling up their response to privacy threats — encouraged by rising public awareness of the risks posed by data leaks, as well as increased regulatory action on data protection.

Last month the open source WebKit browser engine (which underpins Apple’s Safari browser) announced a new tracking prevention policy that takes the strictest line yet on background and cross-site tracking, saying it would treat attempts to circumvent the policy as akin to hacking — essentially putting privacy protection on a par with security.

Earlier this month Mozilla also pushed out an update to its Firefox browser that enables an anti-tracking cookie feature across the board, for existing users too — demoting third-party cookies to default junk.

Even Google’s Chrome browser has made some tentative steps towards enhancing privacy — announcing changes to how it handles cookies earlier this year. Though the adtech giant has studiously avoided flipping on privacy by default in Chrome where third-party tracking cookies are concerned, leading to accusations that the move is mostly privacy-washing.

More recently Google announced a long-term plan to involve its Chromium browser engine in developing a new open standard for privacy — sparking concerns it’s trying to both kick the can on privacy protection and muddy the waters by shaping and pushing self-interested definitions which align with its core data-mining business interests.

There’s more activity to consider too. Earlier this year another data-mining adtech giant, Facebook, made its first major API contribution to Google’s Chrome browser — which it also brought to the W3C Performance Working Group.

Facebook does not have its own browser, of course. Which means that authoring contributions to web technologies offers the company an alternative conduit to try to influence Internet architecture in its favor.

The W3C TAG’s latest move to focus minds on privacy and security by default is timely.

It chimes with a wider industry shift towards pro-actively defending user data, and should rule out any rubberstamping of tech giants’ contributions to Internet architecture, which is of course a good thing. Scrutiny remains the best defence against self-interest.