Web feature developers are being urged to pay more attention to privacy and security when designing contributions.
Writing in a blog post on the "evolving threats" to the privacy and security of Internet users, the W3C's Technical Architecture Group (TAG) and Privacy Interest Group (PING) have developed a series of revisions to the W3C Security and Privacy Questionnaire for web feature developers.
The questionnaire itself is not new. However, the recent updates focus more on the need for contributors to assess and mitigate privacy impacts, with developers warned that "features may not be implemented if risks are impossible or unsatisfactorily mitigated."
In the blog post, independent researcher Lukasz Olejnik, who currently serves as an invited expert at the W3C TAG, and Apple's Jason Novak, representing PING, write that the intention of the update is to make it "clear that feature developers should consider security and privacy early in the feature lifecycle" [emphasis theirs].
"The TAG will carefully study the security and privacy of a feature in their design reviews," they further warn, adding: "The security and privacy considerations section of a specification is more than just the answers to the questionnaire."
The revisions to the questionnaire include updates to the threat model and to the specific threats that specification authors should consider – including a new high-level threat called "legitimate misuse", where the document states: "When designing specifications taking into account safety and privacy, all use and misuse cases must be within their scope."
"Including this threat in the Security and Privacy Questionnaire aims to highlight that having a potential advantage does not necessarily mean developing the feature, especially if the number of beneficiaries outweighs the negative target audience, especially in the long run," they write. "As a result, a mitigation of the privacy effect of a feature is that the user agent drops the feature (or does not implement it)."
"Features should be secure and private by default and design issues should be mitigated," they add. "User agents should not be afraid to undermine users' privacy by applying new web standards or have to resort to urgent specifications during implementation to maintain user privacy."
The pair also urge specification authors to avoid blanket treatment of first and third parties, explaining: "Authors of specifications may wish to consider first and third parties separately in their advantage to protect user safety and privacy."
The revisions to the questionnaire come at a time when browsers are stepping up their response to privacy threats – encouraged by increased public awareness of the risks posed by data leakage, as well as increased regulatory action on data protection.
Last month the open source WebKit browser engine (which underpins Apple's Safari browser) announced a new tracking prevention policy that takes the most stringent line so far on background and cross-site tracking, saying it will treat attempts to circumvent the policy as akin to hacking – essentially putting privacy protection on a par with security.
Earlier this month Mozilla also pushed an update to the Firefox browser that enables its anti-tracking cookie protection across the board, for existing users as well – demoting such cookies to unwanted by default.
Even Google's Chrome has taken some initial steps toward improving privacy – announcing changes to how it handles cookies earlier this year. However, the adtech giant has notably avoided switching on privacy by default in Chrome when it comes to third-party tracking cookies, leading to accusations that this step is mostly privacy-washing.
More recently Google announced a long-term plan to involve its Chromium browser engine in the development of a new open standard for privacy – raising concerns that it is trying to kick the can on privacy protection and muddy the waters by shaping and pushing self-interested definitions that align with its core data-mining business.
There's more activity to consider, too. Earlier this year another data-mining giant, Facebook, made its first major API contribution to Google's Chrome – which it also brought to the W3C Performance Working Group.
Facebook, the social networking site, doesn't have its own browser, of course. This means that authoring contributions to web technologies provides the company with an alternative channel for trying to influence the architecture of the Internet to its advantage.
The W3C TAG's latest step to focus minds on privacy and security by default is timely.
It fits into a broader industry shift towards proactively defending user data, and should exclude any contributions from technology giants to Internet architecture, which is clearly good. Screening remains the best defense against self-interest.