index.html

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <script src="https://www.w3.org/Tools/respec/respec-w3c" defer class="remove"></script>
  <title>Privacy Principles</title>
  <script class="remove">
    // All config options at https://respec.org/docs/
    var respecConfig = {
      specStatus: 'ED',
      group: 'tag',
      format: 'markdown',
      editors: [{
        name: 'Robin Berjon',
        company: 'Protocol Labs',
        companyURL: 'https://protocol.ai/',
        url: 'https://berjon.com/',
        note: 'The New York Times until Sep 2022',
        w3cid: 34327,
      }, {
        name: 'Jeffrey Yasskin',
        company: 'Google',
        companyURL: 'https://google.com/',
        w3cid: 75192,
      }],
      github: 'w3ctag/privacy-principles',
      latestVersion: 'https://www.w3.org/TR/privacy-principles/',
      shortName: 'privacy-principles',
      lint: {
        'required-sections': false,
      },
      postProcess: [
        () => {
          // relabel each principle, and lose the numbering, delabel principle summary
          for (let label of document.querySelectorAll('div.practice > a.marker > bdi, #bp-summary > ul > li > a.marker > bdi')) {
            label.textContent = 'Principle';
          }
          // I hate markdown
          for (let p of document.querySelectorAll('div.practice > p')) {
            if (/^\s*$/.test(p.textContent)) p.remove();
          }
          for (let prac of document.querySelectorAll('div.practice.advisement')) {
            prac.classList.remove('advisement');
            prac.classList.add('principle');
          }
          let h2 = document.querySelector('#bp-summary h2');
          h2.innerHTML = h2.innerHTML.replace('Best Practices Summary', 'Principles Summary');
        }
      ],
      localBiblio: {
        'Addressing-Cyber-Harassment': {
          title: 'Addressing cyber harassment: An overview of hate crimes in cyberspace',
          authors: ['Danielle Keats Citron'],
          publisher: 'Case Western Reserve Journal of Law, Technology & the Internet',
          date: '2015',
          href: 'https://scholarship.law.bu.edu/cgi/viewcontent.cgi?article=1634&context=faculty_scholarship'
        },
        'Anti-Tracking-Policy': {
          title: 'Anti-Tracking Policy',
          href: 'https://wiki.mozilla.org/Security/Anti_tracking_policy#Tracking_Definition',
          publisher: 'Mozilla',
        },
        'Automating-Inequality': {
          title: 'Automating Inequality: How High-Tech Tools Profile, Police, and Punish the Poor',
          href: 'https://us.macmillan.com/books/9781250074317/automatinginequality',
          authors: ['Virginia Eubanks'],
          publisher: 'Macmillan',
        },
        'Beyond-Individual': {
          title: 'Privacy Beyond the Individual Level (in Modern Socio-Technical Perspectives on Privacy)',
          href: 'https://doi.org/10.1007/978-3-030-82786-1_6',
          authors: ['J.J. Suh', 'M.J. Metzger'],
          publisher: 'Springer',
        },
        'Big-Data-Competition': {
          title: 'Big Data and Competition Policy',
          href: 'https://global.oup.com/academic/product/big-data-and-competition-policy-9780198788140?lang=en&cc=us',
          authors: ['Maurice E. Stucke', 'Allen P. Grunes'],
          publisher: 'Oxford University Press',
        },
        'Bit-By-Bit': {
          title: 'Bit By Bit: Social Research in the Digital Age',
          href: 'https://www.bitbybitbook.com/',
          authors: ['Matt Salganik'],
          publisher: 'Princeton University Press',
          status: 'You can read this book free of charge, but Matt is an outstanding author and I encourage you to support him by buying his book!',
        },
        'Browser-Parties': {
          title: 'Parties and browsers',
          href: 'https://tess.oconnor.cx/2020/10/parties',
          authors: ["Tess O'Connor"],
        },
        'CAT': {
          title: 'Content Aggregation Technology (CAT)',
          authors: ['Robin Berjon', 'Justin Heideman'],
          href: 'https://nytimes.github.io/std-cat/',
        },
        'Contextual-Integrity': {
          title: 'Privacy As Contextual Integrity',
          authors: ['Helen Nissenbaum'],
          href: 'https://digitalcommons.law.uw.edu/wlr/vol79/iss1/10/',
          publisher: 'Washington Law Review',
        },
        'Confiding': {
          title: 'Confiding in Con Men: U.S. Privacy Law, the GDPR, and Information Fiduciaries',
          authors: ['Lindsey Barrett'],
          href: 'https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3354129',
        },
        'Consent-Lackeys': {
          title: 'Publishers tell Google: We\'re not your consent lackeys',
          authors: ['Rebecca Hill'],
          href: 'https://www.theregister.com/2018/05/01/publishers_slam_google_ad_policy_gdpr_consent/',
          publisher: 'The Register',
        },
        'Convention-108': {
          title: 'Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data',
          href: 'https://rm.coe.int/1680078b37',
          publisher: 'Council of Europe',
        },
        'Dark-Patterns': {
          title: 'Dark patterns: past, present, and future',
          authors: ['Arvind Narayanan', 'Arunesh Mathur', 'Marshini Chetty', 'Mihir Kshirsagar'],
          href: 'https://dl.acm.org/doi/10.1145/3397884',
          publisher: 'ACM',
        },
        'Dark-Pattern-Dark': {
          title: 'What Makes a Dark Pattern… Dark? Design Attributes, Normative Considerations, and Measurement Methods',
          authors: ['Arunesh Mathur', 'Jonathan Mayer', 'Mihir Kshirsagar'],
          href: 'https://arxiv.org/abs/2101.04843v1',
        },
        'Data-Futures-Glossary': {
          title: 'Data Futures Lab Glossary',
          authors: ['Mozilla Insights'],
          href: 'https://foundation.mozilla.org/en/data-futures-lab/data-for-empowerment/data-futures-lab-glossary/',
          publisher: 'Mozilla Foundation',
        },
        'Data-Minimization': {
          title: 'Data Minimization in Web APIs',
          authors: ['Daniel Appelquist'],
          href: 'https://www.w3.org/2001/tag/doc/APIMinimization-20100605.html',
          publisher: 'W3C TAG',
          status: 'Draft Finding',
        },
        'De-identification-Privacy-Act': {
          title: 'De-identification and the Privacy Act',
          authors: ['Office of the Australian Information Commissioner'],
          href: 'https://www.oaic.gov.au/privacy/guidance-and-advice/de-identification-and-the-privacy-act',
          publisher: 'Australian Government',
        },
        'Digital-Assistant-Trust': {
          title: "Facebook's new digital assistant 'M' will need to earn your trust",
          authors: ['Neil Richards', 'Woodrow Hartzog'],
          href: 'https://www.theguardian.com/technology/2015/sep/09/what-should-we-demand-of-facebooks-new-digital-assistant',
          publisher: 'The Guardian',
        },
        'Digital-Market-Manipulation': {
          title: 'Digital Market Manipulation',
          authors: ['Ryan Calo'],
          href: 'https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2309703',
          publisher: 'George Washington Law Review',
        },
        'Eurobarometer-443': {
          title: 'Eurobarometer 443: e-Privacy',
          authors: ['European Commission'],
          href: 'https://ec.europa.eu/COMMFrontOffice/publicopinion/index.cfm/Survey/getSurveyDetail/instruments/FLASH/surveyKy/2124',
        },
        'Fiduciary-UA': {
          title: 'The Fiduciary Duties of User Agents',
          href: 'https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3827421',
          authors: ['Robin Berjon'],
        },
        'FIP': {
          title: 'Fair Information Practices: A Basic History',
          href: 'http://bobgellman.com/rg-docs/rg-FIPShistory.pdf',
          authors: ['Bob Gellman'],
          status: '(PDF)',
        },
        'For-Everyone': {
          title: 'This Is For Everyone',
          href: 'https://twitter.com/timberners_lee/status/228960085672599552',
          authors: ['Tim Berners-Lee'],
          status: 'Statement made to the London 2012 Olympics opening ceremony',
        },
        'GDPR': {
          title: 'General Data Protection Regulations (GDPR) / Regulation (EU) 2016/679',
          href: 'https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN',
          authors: ['European Parliament and Council of European Union'],
        },
        'GKC-Privacy': {
          title: 'Governing Privacy in Knowledge Commons',
          authors: ['Madelyn Rose Sanfilippo', 'Brett M. Frischmann', 'Katherine J. Strandburg'],
          href: 'https://www.cambridge.org/core/books/governing-privacy-in-knowledge-commons/FA569455669E2CECA25DF0244C62C1A1',
          publisher: 'Cambridge University Press',
        },
        'GPC': {
          title: 'Global Privacy Control (GPC)',
          authors: ['Robin Berjon', 'Sebastian Zimmeck', 'Ashkan Soltani', 'David Harbage', 'Peter Snyder'],
          href: 'https://globalprivacycontrol.github.io/gpc-spec/',
          publisher: 'W3C',
        },
        'IAD': {
          title: 'Understanding Institutional Diversity',
          authors: ['Elinor Ostrom'],
          href: 'https://press.princeton.edu/books/paperback/9780691122380/understanding-institutional-diversity',
          publisher: 'Princeton University Press',
        },
        'Individual-Group-Privacy': {
          title: 'From Individual to Group Privacy in Big Data Analytics',
          authors: ['Brent Mittelstadt'],
          href: 'https://link.springer.com/article/10.1007/s13347-017-0253-7',
          publisher: 'Philosophy & Technology',
        },
        'Industry-Unbound': {
          title: 'Industry Unbound: the inside story of privacy, data, and corporate power',
          authors: ['Ari Ezra Waldman'],
          href: 'https://www.cambridge.org/core/books/industry-unbound/787989F90DBFC08E47546178A7AB04F7',
          publisher: 'Cambridge University Press',
        },
        'Internet-of-Garbage': {
          title: 'The Internet of Garbage',
          authors: ['Sarah Jeong'],
          publisher: 'The Verge',
          date: '2018',
          href: 'https://www.theverge.com/2018/8/28/17777330/internet-of-garbage-book-sarah-jeong-online-harassment'
        },
        'Lost-In-Crowd': {
          title: 'Why You Can No Longer Get Lost in the Crowd',
          authors: ['Woodrow Hartzog', 'Evan Selinger'],
          href: 'https://www.nytimes.com/2019/04/17/opinion/data-privacy.html',
          publisher: 'The New York Times',
        },
        'Nav-Tracking': {
          title: 'Navigational-Tracking Mitigations',
          authors: ['Pete Snyder', 'Jeffrey Yasskin'],
          href: 'https://privacycg.github.io/nav-tracking-mitigations/',
          publisher: 'W3C',
        },
        'NIST-800-63A': {
          title: 'Digital Identity Guidelines: Enrollment and Identity Proofing Requirements',
          href: 'https://pages.nist.gov/800-63-3/sp800-63a.html',
          publisher: 'NIST',
          authors: ['Paul A. Grassi', 'James L. Fenton', 'Naomi B. Lefkovitz', 'Jamie M. Danker', 'Yee-Yin Choong', 'Kristen K. Greene', 'Mary F. Theofanos'],
          date: 'March 2020'
        },
        'NYT-Privacy': {
          title: 'How The New York Times Thinks About Your Privacy',
          author: ['Robin Berjon'],
          href: 'https://open.nytimes.com/how-the-new-york-times-thinks-about-your-privacy-bc07d2171531',
          publisher: 'NYT Open',
        },
        'Obfuscation': {
          title: 'Obfuscation: A User\'s Guide for Privacy and Protest',
          authors: ['Finn Brunton', 'Helen Nissenbaum'],
          href: 'https://www.penguinrandomhouse.com/books/657301/obfuscation-by-finn-brunton-and-helen-nissenbaum/',
          publisher: 'Penguin Random House',
        },
        'Obscurity-By-Design': {
          title: 'Obscurity by Design',
          authors: ['Woodrow Hartzog', 'Frederic Stutzman'],
          href: 'https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2284583',
        },
        'OECD-Guidelines': {
          title: 'OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data',
          href: 'https://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm',
          publisher: 'OECD',
        },
        'PEN-Harassment': {
          href: 'https://onlineharassmentfieldmanual.pen.org/defining-online-harassment-a-glossary-of-terms/',
          title: 'Online Harassment Field Manual',
          publisher: 'PEN America',
        },
        'PEW-Harassment': {
          title: 'The State of Online Harassment',
          publisher: 'Pew Research Center',
          date: 'January 2021',
          href: 'https://www.pewresearch.org/internet/2021/01/13/the-state-of-online-harassment/'
        },
        'Phone-On-Feminism': {
          title: 'This is your phone on feminism',
          href: 'https://conversationalist.org/2019/09/13/feminism-explains-our-toxic-relationships-with-our-smartphones/',
          authors: ['Maria Farrell'],
          publisher: 'The Conversationalist',
          rawDate: '2019-09-13',
        },
        'Privacy-Behavior': {
          title: 'Privacy and Human Behavior in the Age of Information',
          authors: ['Alessandro Acquisti', 'Laura Brandimarte', 'George Loewenstein'],
          href: 'https://www.heinz.cmu.edu/~acquisti/papers/AcquistiBrandimarteLoewenstein-S-2015.pdf',
          publisher: 'Science',
        },
        'Privacy-Concerned': {
          title: 'Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information',
          authors: ['Brooke Auxier', 'Lee Rainie', 'Monica Anderson', 'Andrew Perrin', 'Madhu Kumar', 'Erica Turner'],
          href: 'https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/',
          publisher: 'Pew Research Center',
        },
        'Privacy-Contested': {
          title: 'Privacy is an essentially contested concept: a multi-dimensional analytic for mapping privacy',
          authors: ['Deirdre K. Mulligan', 'Colin Koopman', 'Nick Doty'],
          href: 'https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5124066/',
          publisher: 'Philosophical Transacions A',
        },
        'Privacy-Harms': {
          title: 'Privacy Harms',
          authors: ['Danielle Keats Citron', 'Daniel Solove'],
          href: 'https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3782222',
        },
        'Privacy-In-Context': {
          title: 'Privacy in Context',
          authors: ['Helen Nissenbaum'],
          href: 'https://www.sup.org/books/title/?id=8862',
          publisher: 'SUP',
        },
        'Privacy-Is-Power': {
          title: 'Privacy Is Power',
          authors: ['Carissa Véliz'],
          href: 'https://www.penguin.com.au/books/privacy-is-power-9781787634046',
          publisher: 'Bantam Press',
        },
        'Privacy-Threat': {
          title: 'Target Privacy Threat Model',
          href: 'https://w3cping.github.io/privacy-threat-model/',
          authors: ['Jeffrey Yasskin', 'Tom Lowenthal'],
          publisher: 'W3C PING',
        },
        'PSL-Problems': {
          authors: ['Ryan Sleevi'],
          href: 'https://github.com/sleevi/psl-problems',
          title: 'Public Suffix List Problems'
        },
        'Relational-Turn': {
          title: 'A Relational Turn for Data Protection?',
          href: 'https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3745973&s=09',
          authors: ['Neil Richards', 'Woodrow Hartzog'],
        },
        'Seeing-Like-A-State': {
          title: 'Seeing Like a State: How Certain Schemes to Improve the Human Condition Have Failed',
          href: 'https://bookshop.org/books/seeing-like-a-state-how-certain-schemes-to-improve-the-human-condition-have-failed/9780300246759',
          authors: ['James C. Scott'],
        },
        'SILVERPUSH': {
          title: 'How TV ads silently ping commands to phones: Sneaky SilverPush code reverse-engineered',
          href: 'https://www.theregister.com/2015/11/20/silverpush_soundwave_ad_tracker/',
          publisher: 'The Register',
          authors: ['Iain Thomson']
        },
        'Strava-Debacle': {
          title: 'The Latest Data Privacy Debacle',
          authors: ['Zeynep Tufekci'],
          href: 'https://www.nytimes.com/2018/01/30/opinion/strava-privacy.html',
          publisher: 'The New York Times',
        },
        'Strava-Reveal-Military': {
          title: 'Strava Fitness App Can Reveal Military Sites, Analysts Say',
          authors: ['Richard Pérez-Peña', 'Matthew Rosenberg'],
          href: 'https://www.nytimes.com/2018/01/29/world/middleeast/strava-heat-map.html',
          publisher: 'The New York Times',
        },
        'Surveillance-Capitalism': {
          title: 'The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power',
          authors: ['Shoshana Zuboff'],
          href: 'https://www.publicaffairsbooks.com/titles/shoshana-zuboff/the-age-of-surveillance-capitalism/9781610395694/',
          publisher: 'Hachette Public Affairs',
        },
        'Taking-Trust-Seriously': {
          title: 'Taking Trust Seriously in Privacy Law',
          href: 'https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2655719',
          authors: ['Neil Richards', 'Woodrow Hartzog'],
        },
        'Twitter-Developer-Policy': {
          title: 'Developer Policy - Twitter Developers',
          href: 'https://developer.twitter.com/en/developer-terms/policy',
          publisher: 'Twitter'
        },
        'Tracking-Prevention-Policy': {
          title: 'Tracking Prevention Policy',
          href: 'https://webkit.org/tracking-prevention-policy/',
          publisher: 'Apple',
        },
        'Understanding-Privacy': {
          title: 'Understanding Privacy',
          authors: ['Daniel Solove'],
          href: 'https://www.hup.harvard.edu/catalog.php?isbn=9780674035072',
          publisher: 'Harvard University Press',
        },
        'Why-Privacy': {
          title: 'Why Privacy Matter',
          authors: ['Neil Richards'],
          href: 'https://global.oup.com/academic/product/why-privacy-matters-9780190939045?cc=us&lang=en&',
          publisher: 'Oxford University Press',
        },
        'Records-Computers-Rights': {
          title: 'Records, Computers and the Rights of Citizens',
          publisher: 'U.S. Department of Health, Education & Welfare',
          href: 'https://archive.epic.org/privacy/hew1973report/'
        },
        'Relational-Governance': {
          title: 'A Relational Theory of Data Governance',
          authors: ['Salomé Viljoen'],
          href: 'https://www.yalelawjournal.org/feature/a-relational-theory-of-data-governance',
          publisher: 'Yale Law Journal',
        }
      },
    };
  </script>
  <style>
    .principle {
      border: .5em;
      border-color: cornflowerblue;
      border-style: none none none double;
      background: transparent;
      padding: .5em;
      page-break-inside: avoid;
      margin: 1em auto;
    }
    .principle > .marker {
      color: cornflowerblue;
      font-weight: bold;
    }
    q {
      font-style: italic;
    }
  </style>
</head>
<body data-cite="html indexedDB service-workers fingerprinting-guidance url">

<section id="abstract">

Privacy is an essential part of the Web ([[?ETHICAL-WEB]]). This document provides definitions
for privacy and related concepts that are applicable worldwide. It also provides a set of privacy
principles that should guide the development of the Web as a trustworthy platform. People using
the Web would benefit from a stronger relationship between technology and policy, and this
document is written to work with both.

</section>

<section id="sotd">

This document is a Draft Finding of the [Technical Architecture Group (TAG)](https://www.w3.org/2001/tag/)
which we are releasing as a Draft Note. The intent is for this document to become a W3C Statement.
It was prepared by the [Web Privacy Principles Task Force](https://github.com/w3ctag/privacy-principles),
which was convened by the TAG. Publication as a Draft Finding or Draft Note does not imply
endorsement by the TAG or by the W3C Membership.

This draft <strong>does not yet</strong> reflect the consensus of the TAG or the task force and may
be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to cite this
document as anything other than a work in progress.

It will continue to evolve and the task force will issue updates as often as needed. At the
conclusion of the task force, the TAG intends to adopt this document as a Finding.

</section>

<section class="introductory">

## How This Document Fits In

This document elaborates on the [privacy principle](https://www.w3.org/2001/tag/doc/ethical-web-principles/#privacy) in the [[[Ethical-Web]]]. It doesn't
address how to balance the different principles in that document if they come into
conflict.

Privacy is covered by legal frameworks and this document recognises that existing data
protection laws take precedence for legal matters. However, because the Web is global, we
benefit from having shared concepts to guide its evolution as a system built for the people using it
([[?RFC8890]]). A clear and well-defined view of privacy on the Web, informed by research,
can hopefully help all the Web's participants in different legal regimes. Our shared
understanding is that the law is a floor, not a ceiling.

</section>

<section class="introductory">

## Audience for this Document

The primary audiences for this document are

 * browser developers,
 * authors of web specifications,
 * reviewers of web specifications, and
 * web developers

Other audiences include:

 * policy makers, and
 * operators of privacy-related services.

This document is intended to help its audiences address privacy concerns as early as possible in the life
cycle of a new Web standard or feature, or in the development of Web products.  Beginning with privacy in mind will help avoid the need to
add special cases to comply with specific requirements one law or one jurisdiction at a time, later, or
to build systems that turn out to be unacceptable to users.

Because this document guides privacy reviews of new standards, designers should consult it early in the design to make sure their feature passes the review smoothly.

</section>


# An Introduction to Privacy on the Web {#intro}

The Web is for everyone ([[?For-Everyone]]). It is "<i>a platform that helps people and provides a
net positive social benefit</i>" ([[?ETHICAL-WEB]], [[?design-principles]]). One of the ways in which the
Web serves people is by protecting them in the face of asymmetries of power, and this includes
establishing and enforcing rules to govern the power of data.

The Web is a social and technical system made up of [=information flows=]. Because this document
is specifically about [=privacy=] as it applies to the Web, it focuses on privacy with respect to
information flows. Our goal is not to cover all privacy issues, but rather to provide enough
background to support the Web community in making informed decisions about privacy and to weave
privacy into the architecture of the Web. Few architectural principles are absolute, and privacy is
no exception: privacy can come into tension with other desirable properties of an ethical
architecture, and when that happens the Web community will have to work together to strike the right
balance.

Information is power. It can be used to predict and to influence people, as well as to design online
spaces that control people's behaviour. The collection and [=processing=] of information in greater
volume, with greater precision and reliability, with increasing interoperability across a growing
variety of data types, and at intensifying speed is leading to an unprecedented concentration of power
that threatens private and public liberties.

What's more, automation and the increasing computerisation of all aspects of our lives
both increase the power of information and decrease the cost of a number of intrusive
behaviours that would be more easily kept in check if the perpetrator had to be in the same room as
the victim.

These asymmetries of information and of automation create commanding asymmetries of power.

<dfn data-lt="governance">Data governance</dfn> is the system of [=principles=] that regulate [=information flows=]. When
[=people=] are involved in [=information flows=], [=data governance=] determines how
these [=principles=] constrain and distribute the power of information between different [=actors=].
The <dfn>principles</dfn> describe the way in which different [=actors=] may, must,
or must not produce or [=process=] flows of information from, to, or about other [=actors=]
([[?GKC-Privacy]], [[?IAD]]).

Typically, <dfn>actors</dfn> are [=people=] but they can also be collective endeavours such as
companies, associations, or political parties (eg. in the case of espionage), which are known as
[=parties=]. It is important to keep in mind that not all people are equal in how they can resist
the imposition of unfair [=principles=]: some [=people=] are more [=vulnerable=] and therefore in greater
need of protection. The focus of this document is on the impact that this power differential can
have against people, but it can also impact other [=actors=], such as companies or governments.

[=Principles=] vary from [=context=] to [=context=] ([[?Understanding-Privacy]], [[?Contextual-Integrity]]): people
have different expectations of [=privacy=] at work, at a café, or at home for instance. Understanding and
evaluating a privacy situation is best done by clearly identifying:

* Its [=actors=], which include the subject of the information as well as the sender and the recipient
  of the [=information flow=]. (Note that recipients might not always want to be recipients.)
* The specific type of data in the [=information flow=].
* The [=principles=] that are in use in this specific context.

It is important to keep in mind that there are <em>always</em> privacy [=principles=] and that all
of them imply different power dynamics. Some [=principles=] may be more permissive, but that does
not render them neutral — it merely indicates that they are supportive of the power dynamic that
emerges from permissive [=processing=]. We must therefore determine which [=principles=]
best align with ethical Web values in Web [=contexts=] ([[?ETHICAL-WEB]], [[?Why-Privacy]]).

<dfn data-lt='information'>Information flows</dfn> as understood in this document are information
exchanged or processed by [=actors=]. The information itself need not necessarily be
[=personal data=]. Disruptive or interruptive information flowing <em>to</em> a
person is in scope, as is [=de-identified=] [=data=] that can be used to manipulate people or that
was extracted by observing people's behaviour on someone else's website.

[=Information flows=] need to be understood from more than one perspective: there is the flow of information
<em>about</em> a person (the subject) being processed or transmitted to any other party, and there is
the flow of information <em>towards</em> a person (the recipient). Recipients can have their privacy violated in multiple ways such as
unexpected shocking images, loud noises while one intends to sleep, manipulative information,
interruptive messages when a person's focus is on something else, or harassment when they seek
social interactions.

On the Web, [=information flows=] may involve a wide variety of [=parties=] that are not always
recognizable or obvious to a user within a particular interaction. Visiting a website may involve
the parties that operate that site and its functionality, but also parties with network access,
which may include: Internet service providers; other network operators; local institutions providing
a network connection including schools, libraries or universities; government intelligence services;
malicious hackers who have gained access to the network or the systems of any of the other parties.
High-level threats including [=surveillance=] may be pursued by these parties. Pervasive monitoring,
a form of large-scale, indiscriminate surveillance, is a known attack on the privacy of users of the
Internet and the Web [[RFC7258]].

Information flows may also involve other people &mdash; for example, other users of a site &mdash;
which could include friends, family members, teachers, strangers, or government officials. Some
threats to privacy, including both [=disclosure=] and harassment, may be particular to the other
people involved in the information flow.

## Individual Autonomy {#autonomy}

A [=person=]'s <dfn data-lt="autonomous">autonomy</dfn> is their ability to make decisions of their own volition,
without undue influence from other [=parties=]. People have limited intellectual resources and
time with which to weigh decisions, and by necessity rely on shortcuts when making
decisions. This makes their preferences, including privacy preferences, malleable and susceptible to
manipulation ([[?Privacy-Behavior]], [[?Digital-Market-Manipulation]]). A [=person=]'s [=autonomy=] is enhanced by a
system or device when that system offers a shortcut that aligns more with what that [=person=] would
have decided given arbitrary amounts of time and relatively unlimited intellectual ability;
and [=autonomy=] is decreased when a similar shortcut goes against decisions made under such
ideal conditions.

Affordances and interactions that decrease [=autonomy=] are known as <dfn>dark patterns</dfn>.
A [=dark pattern=] does not have to be intentional ([[?Dark-Patterns]], [[?Dark-Pattern-Dark]]).

Because we are all subject to motivated reasoning, the design of defaults and affordances
that may impact [=autonomy=] should be the subject of independent scrutiny.

Given the large volume of potential [=data=]-related decisions in today's data economy,
complete informational self-determination is impossible. This fact, however, should not be
confused with the idea that privacy is dead. Studies show that [=people=] remain concerned over how
their [=data=] is [=processed=], feeling powerless and like they have lost agency
([[?Privacy-Concerned]]). Careful design of our technological infrastructure can ensure that
people's [=autonomy=] with respect to their own [=data=] is enhanced through [=appropriate=]
defaults and choice architectures.

### Opt-in, Consent, Opt-out, Global Controls {#opt-in-out}

<aside class="issue">Broaden this from [=processing=] to general interactions with systems.</aside>

Different procedural mechanisms exist to enable [=people=] to control how they interact
with systems in the world. Mechanisms that increase the number of [=purposes=] for which
their [=data=] is being [=processed=] are referred to as [=opt-in=] or
<dfn data-lt="opt in|opt-in">consent</dfn>; mechanisms that decrease this number of [=purposes=] are known as
<dfn data-lt="opt out">opt-out</dfn>.

When deployed thoughtfully, these mechanisms can enhance [=people=]'s [=autonomy=]. Often,
however, they are used as a way to avoid putting in the difficult work of deciding which
types of [=processing=] are [=appropriate=] and which are not, offloading [=privacy labour=]
to the people using a system.

In specific cases, [=people=] should be able to [=consent=] to more
sensitive [=purposes=], such as having their [=identity=] recognised across contexts or
their reading history shared with a company. The burden of proof on ensuring that informed
[=consent=] has been obtained needs to be very high in this case.
[=Consent=] is comparable to the
general problem of permissions on the Web platform. In the same way that it should be clear when a
given device capability is in use (eg. you are providing geolocation or camera access), sharing
data should be set up in such a way that it requires deliberate, specific action from the [=person=]
(eg. triggering a form control that is not on a modal dialog) and if that [=consent=] is persistent,
there should be a vivid indicator that data is being transmitted shown at all times, in such a way
that the person can easily switch it off. In general, providing [=consent=] should be rare,
difficult, highly intentional, and temporary.

When an [=opt-out=] mechanism exists, it should preferably be complemented by a
<dfn>global opt-out</dfn> mechanism. The function of a [=global opt-out=] mechanism is to
rectify the <dfn class="export">automation asymmetry</dfn> whereby service providers can automate
[=data processing=] but [=people=] have to take manual action to prevent it. A good example of a
[=global opt-out=] mechanism is the <em>Global Privacy Control</em> [[?GPC]].

Conceptually, a [=global opt-out=] mechanism is an automaton operating as part of the
[=user agent=], which is to say that it is equivalent to a robot that would carry out a
[=person=]'s bidding by pressing an [=opt-out=] button with every interaction that the
[=person=] has with a site, or more generally conveys an expression of the [=person=]'s
rights in a relevant jurisdiction. (For instance, under [[?GDPR]], the [=person=] may be
conveying objections to [=processing=] based on legitimate interest or the withdrawal of
[=consent=] to specific [=purposes=].) It should be noted that, since a [=global opt-out=]
signal is reaffirmed automatically with every interaction, it will take precedence
in terms of specificity over any general obtention of [=consent=] by a site,
and only superseded by specific [=consent=] obtained through a deliberate action taken by
the user with the intent of overriding their global opt-out.

### Privacy Labour {#privacy-labour}

<dfn data-lt="privacy labor|labour|labor">Privacy labour</dfn> is the practice of having a [=person=] carry out
the work of ensuring [=data processing=] of which they are the subject or recipient is
[=appropriate=], instead of having the [=parties=] be responsible for that work.
Data systems that are based on asking [=people=] for their [=consent=] tend to increase
[=privacy labour=].

More generally, implementations of [=privacy=] are often dominated by self-governing approaches that
offload [=labour=] to [=people=]. This is notably true of the regimes descended from the
<dfn data-lt="FIPs">Fair Information Practices</dfn> ([=FIPs=]), a loose set of principles initially
elaborated in the 1970s in support of individual [=autonomy=] in the face of growing concerns with databases. The
[=FIPs=] generally assume that there is sufficiently little [=data processing=] taking place that any
[=person=] will be able to carry out sufficient diligence to enable [=autonomy=] in their
decision-making. Since they entirely offload the [=privacy labour=]
to people and assume perfect, unlimited [=autonomy=], the [=FIPs=] do not forbid specific
types of [=data processing=] but only place them under different procedural requirements.
Such an approach is [=appropriate=] for [=parties=] that are processing data in the 1970s.

One notable issue with procedural, self-governing approaches to privacy is that they tend to have the same
requirements in situations where people find themselves in a significant asymmetry of
power with a [=party=] — for instance a [=person=] using an essential service provided by a
monopolistic platform — and those where people and [=parties=] are very much on equal
footing, or even where the [=person=] may have greater power, as is the case with small
businesses operating in a competitive environment. It further does not consider cases in
which one [=party=] may coerce other [=parties=] into facilitating its [=inappropriate=]
practices, as is often the case with dominant players in advertising or
in content aggregation ([[?Consent-Lackeys]], [[?CAT]]).

Reference to the [=FIPs=] survives to this day. They are often referenced as "<i>transparency
and choice</i>", which, in today's digital environment, is often an indication that
[=inappropriate=] [=processing=] is being described.


## Collective Governance {#collective}

Privacy [=principles=] are socially negotiated and the definition of [=privacy=] is essentially
contested ([[?Privacy-Contested]]). This makes privacy a problem of collective action ([[?GKC-Privacy]]).
Group-level [=data processing=] may impact populations or individuals, including in
ways that [=people=] could not control even under the optimistic assumptions of [=consent=].
For example, based on group-level analysis, a company may know that <var>site.example</var>
is predominantly visited by [=people=] of a given race or gender, and decide not to run its
job ads there. Visitors to that page are implicitly having their [=data=] processed in
[=inappropriate=] ways, with no way to discover the discrimination or seek relief
([[?Relational-Governance]]).

What we consider is therefore not just the relation between the [=people=] who share data
and the [=parties=] that invite that disclosure ([[?Relational-Turn]]), but also between the [=people=]
who may find themselves categorised indirectly as part of a group even without sharing data. One key
understanding here is that such relations may persist even when data is [=de-identified=]. What's
more, such categorisation of people, voluntary or not, changes the way in which the world operates.
This can produce self-reinforcing loops that can damage both individuals and
groups ([[?Seeing-Like-A-State]]).

In general, collective issues in [=data=] require collective solutions. Web standards help with
[=data governance=] by defining structural controls
in [=user agents=] and establishing or delegating to institutions that can handle issues of [=privacy=].
[=Governance=] will often struggle to achieve its goals if it works primarily by
increasing <em>individual</em> control instead of acting collectively.

Collecting data at large scales can have significant pro-social outcomes. Problems tend to
emerge when [=actors=] [=process=] [=data=]
for collective benefit and for [=self-dealing=] [=purposes=] at the same time.
The [=self-dealing=] [=purposes=] are often justified as bankrolling the pro-social outcomes
but this requires collective oversight to be [=appropriate=].

### Group Privacy {#group-privacy}

There are different ways for [=people=] to become members of a group. Either they can join it
deliberately, making it a self-constituted group such as when joining a club, or they can be
classified into it by an external party, typically a bureaucracy or its computerised equivalent
([[?Beyond-Individual]]). In the latter case, [=people=] may not be aware that they are being
grouped together, and the definition of the group may not be intelligible (for instance if it is
created from opaque machine learning techniques).

Protecting group privacy can take place at two different levels. The existence of a group or at
least its activities may need to be protected even in cases in which its members are guaranteed to
remain anonymous. We refer to this as "group privacy." Conversely, [=People=] may wish to protect
knowledge that they are members of the group even though the existence of the group and its actions
may be well known (eg. membership in a dissidents movement under authoritarian rule), which we call
"membership privacy". An example [=privacy violation=] for the former case
is the fitness app Strava that did not reveal individual behaviour or identity but published heat
maps of popular running routes. In doing so, it revealed secret US bases around which military
personnel took frequent runs ([[?Strava-Debacle]], [[?Strava-Reveal-Military]]).

When [=people=] do not know that they are members of a group, when they cannot easily find other
members of the group so as to advocate for their rights together, or when they cannot easily
understand why they are being categorised into a given group, their ability to protect themselves
through self-governing approaches to privacy is largely eliminated.

One common problem in group privacy is when the actions of one member of a group reveals information
that other members would prefer were not shared in this way (or at all). For instance, one person
may publish a picture of an event in which they are featured alongside others while the other people
captured in the same picture would prefer their participation not to be disclosed. Another example
of such issues are sites that enable people to upload their contacts: the person performing the
upload might be more open to disclosing their social networks than the people they are connected to
are. Such issues do not necessarily admit simple, straightforward solutions but they need to be
carefully considered by people building websites.

### Transparency and Research {#transparency}

While transparency rarely helps enough to inform the individual choices that [=people=] may
make or in increasing their [=autonomy=], it plays a critical role in letting
researchers and reporters inform our
collective decision-making about privacy [=principles=]. This consideration extends the
TAG's resolution on a [Strong and Secure Web Platform](https://www.w3.org/blog/2015/11/strong-web-platform-statement/)
to ensure that "<i>broad testing and audit continues to be possible</i>" where
[=information flows=] and automated decisions are involved.

Such transparency can only function if there are strong rights
of access to data (including data
derived from one's personal data) as well as mechanisms to explain the outcomes of automated
decisions.

## People's Agents {#user-agents}

The <dfn>user agent</dfn> acts as an intermediary between a [=person=] (its [=user=]) and the web.
[=User agents=] implement, to the extent possible, the [=principles=] that collective governance
establishes in favour of individuals. They seek to prevent the creation of asymmetries of
information, and serve their [=user=] by providing them with automation to rectify
[=automation asymmetries=]. Where possible, they protect their [=user=] from receiving
intrusive messages.

The [=user agent=] is expected to align fully with the [=person=] using it and operate exclusively
in that [=person=]'s interest. It is <em>not</em> the [=first party=]. The [=user agent=] serves the
[=person=] as a <dfn>trustworthy agent</dfn>:
it always puts that [=person=]'s interest first. In some occasions, this can mean protecting
that [=person=] from themselves by preventing them from carrying out a dangerous decision,
or by slowing down the person in their decision. For example, the
[=user agent=] will make it difficult for that [=person=] to connect to a site if it can't verify
that the site is authentic. It will check that that [=person=] really intends to expose a
sensitive device to a page. It will prevent that [=person=] from consenting to the permanent
monitoring of their behaviour. Its <dfn class="export">user agent duties</dfn> include
([[?Taking-Trust-Seriously]]):

<dl>
  <dt><dfn class="export">Duty of Protection</dfn></dt>
  <dd>
    Protection requires [=user agents=] to actively protect their [=user=]'s data, beyond
    simple security measures. It is insufficient to just encrypt at rest and in transit,
    but the [=user agent=] must also limit retention, help ensure that only strictly
    necessary data is collected, and require guarantees from any [=party=] that the user agent can
    reasonably be aware that it is shared to.
  </dd>
  <dt><dfn class="export">Duty of Discretion</dfn></dt>
  <dd>
    Discretion requires the [=user agent=] to make best efforts to enforce
    [=principles=] by taking care in the ways it discloses the [=personal data=]
    that it manages. Discretion is not
    confidentiality or secrecy: trust
    can be preserved even when the [=user agent=] shares some [=personal data=], so long as
    it is done in an [=appropriately=] discreet manner.
  </dd>
  <dt><dfn class="export">Duty of Honesty</dfn></dt>
  <dd>
    Honesty requires that the [=user agent=] try to give its [=user=]
    information of which the [=user agent=] can reasonably be aware, that is relevant to
    them and that will increase their
    autonomy, as long as they can understand it and there's an appropriate
    time. This is almost never when the [=person=] is trying to do something else such as
    read a page or activate a feature. The duty of honesty goes well beyond that of
    transparency that is often included in older privacy regimes. Unlike transparency, honesty
    can't hide relevant information in complex legal notices and it can't rely on
    very short summaries provided in a consent dialog.
    If the person has provided [=consent=] to [=processing=] of their [=personal data=],
    the [=user agent=] should inform the [=person=] of ongoing [=processing=], with a
    level of obviousness that is proportional to the reasonably foreseeable impact of the processing.
  </dd>
  <dt><dfn class="export">Duty of Loyalty</dfn></dt>
  <dd>
    Because the [=user agent=] is a [=trustworthy agent=], it is held to be loyal to the
    [=person=] using it in all situations, including in preference to the [=user agent=]'s implementer.
    When a [=user agent=] carries out [=processing=] that is not in the [=person=]'s
    interest but instead benefits another [=actor=] (such as the user agent's implementer) that behaviour is
    known as <dfn>self-dealing</dfn>. Behaviour can be [=self-dealing=] even if it is done at the
    same time as [=processing=] that is in the [=person=]'s interest, what matters is that it
    potentially conflicts with that [=person=]'s interest. [=Self-dealing=] is always
    [=inappropriate=]. Loyalty is the avoidance of [=self-dealing=].
  </dd>
</dl>

These duties ensure the [=user agent=] will <em>care</em> for its [=user=]. In academic
research, this relationship with a [=trustworthy agent=] is often described as "fiduciary"
[[?Fiduciary-UA]]. Some jurisdictions may have a distinct legal meaning for "fiduciary."

Many of the [=principles=] described in the rest of this document extend the [=user agent=]'s duties and
make them more precise.

## Incorporating Different Privacy Principles {#balancing}

While privacy principles are designed to work together and support each other,
occasionally a proposal to improve how a system follows one privacy principle may reduce
how well it follows another principle.

<div class="practice">

<p><span class="practicelab" id="principle-pareto-frontier">When confronted with an
apparent tradeoff, first look for ways to improve all principles at once.</span></p>

Given any initial design that doesn't perfectly satisfy all principles, there are usually
some other designs that improve the situation for some principles without sacrificing
anything about the other principles. Work to find those designs.

Another way to say this is to look for [Pareto
improvements](https://en.wikipedia.org/wiki/Pareto_efficiency) before starting to trade
off between principles.

</div>

Once one is choosing between different designs at the Pareto frontier, the choice of which
privacy principles to prefer is complex and depends heavily on the details of each
particular situation. <span class="note">Note that people's privacy can also be in tension
with non-privacy concerns. As discussed in the [[[Ethical-Web]]], "it is important to
consider the context in which a particular technology is being applied, the expected
audience(s) for the technology, who the technology benefits and who it may disadvantage,
and any power dynamics involved".</span> Despite this complexity, there is a basic ground
rule to follow:

<div class="practice">

<p><span class="practicelab" id="principle-limited-collection-for-safety">If a service
needs to collect extra data from its users in order to protect those or other users, it
must take extra technical and legal measures to ensure that this data can't be then used
for other purposes, like to grow the service.</span></p>

This is a special case of the more general principle that data should not be used for more
[=purposes=] than the data's subjects understood it was being collected for.

A service should explain how it uses people's data to protect them and other people, and
how it might additionally use someone's data if it believes that person has broken the
rules.

</div>

<aside class="example" id="example-technical-legal-measures" title="Technical and Legal Measures">

A site might segregate the data it collects for safety reasons from its business data by:

1. Specifying in its privacy statement that these types of data are kept separate and
   implementing policies and procedures to ensure the data is stored separately. (legal
   and procedural/compliance measures)
1. Using multi-party computation to ensure that its business side can't learn the
   sensitive safety data unless both its safety side and a trusted independent third party
   collude. (A technical measure)
1. Hiring a trusted auditor to publicly check that the data is effectively segregated. (a
   compliance measure)

</aside>

It is attractive to say that if someone violates the norms of a service they're using,
then they sacrifice a proportionate amount of their privacy protections, but

1. Often the service can only prevent the norm violation by also collecting data from
   innocent users. This extra collection is not always [=appropriate=], especially if it
   allows pervasive monitoring ([[RFC7258]], [[RFC7687]]).
1. If a service operator wants to collect some extra data, it can be tempting for them to
   define norms and proportionality that allow them to do so.

The following examples illustrate some of the tensions:

<aside class="example" id="example-sockpuppets" title="Sockpuppets">

A person might want to sign up many accounts ("sockpuppets") or disguise the affiliation
of individual-owned accounts
("[astroturfing](https://en.wikipedia.org/wiki/Astroturfing)") on a service in order to
trick other people into thinking a belief has more support than it really has. This
violates the other people's rights to be free from manipulation.

On the other hand, identifying everyone with enough detail to detect these cases tends to
violate their rights to be free from [=surveillance=] and [=correlation=].

</aside>

<aside class="example" id="example-children" title="Children's Services">

Children using a service (or their guardians) may want to ensure their interaction with
that service is only visible to other children. To accomplish this, the service would need
to check all of its users' ages.

While a service can ask its users to self-assert that they are under the specified age
(without verifying those assertions), or it might rely on trusted institutions (like
schools) to verify people's ages, to verify people's ages directly can be
privacy-invasive. It can require automated facial recognition, collection of live images,
or strongly identifying the children (e.g. via [[NIST-800-63A]]).

</aside>

<aside class="example" id="example-account-security" title="Account Security">

Accounts with a service need to be protected more strongly than just with a username and
password. Since a compromised account reveals all the private information stored in the
account, this is a privacy issue and not just a security issue. Services often store the
historical locations and machine characteristics that have accessed an account, in order
to make it harder to log in from an unusual place or type of machine. They might also
store other personal data, like a phone number or address, in order to check that a
suspicious login actually comes from the real account owner.

</aside>

# Principles for Privacy on the Web

As indicated above, different [=contexts=] require different [=principles=]. This section describes a set
of [=principles=] designed to apply to the Web [=context=] in general. The Web is a big place, and we
fully expect more specific [=contexts=] of the Web to add their own [=principles=] to further constrain
[=information flows=].

To the extent possible, [=user agents=] are expected to enforce these [=principles=]. However, this is not
always possible and additional enforcement mechanisms are needed. One particularly salient issue
is that a [=context=] is not defined in terms of who owns or controls it (it is not a [=party=]). Sharing
[=data=] between different [=contexts=] of a single company is just as much a [=privacy violation=] as
if the same data were shared between unrelated [=parties=].

<aside class="issue">
  Please note that the initial focus of this draft was on <a href="#intro"></a>. This section is
  incomplete and has uneven maturity. The absence of a specific principle should not be seen as an
  indication that the Task Force considers it to be of lesser importance.
</aside>


## Identity on the Web {#identity}

<div class="practice">

<span class="practicelab" id="principle-identity-per-context">A [=user agent=]
should help its user present the [=identity=] they want in each [=context=]
they are in.</span>

</div>

A [=person=]'s <dfn>identity</dfn> is the set of characteristics that define
them. Their identity *in a [=context=]* is the set of characteristics they
present in that context. People frequently present different identities to
different contexts, and also frequently share an identity among several
contexts. People may also wish to present an ephemeral or anonymous identity,
which is just a set of characteristics that is too small or unstable to be useful
for following them through time.

<dfn data-lt="recognize|recognized">Recognition</dfn> is the act of realising that a given [=identity=]
corresponds to the same [=person=] as another [=identity=] which may have been
observed either in another [=context=] or in the same [=context=] but at a
different time.

In order to uphold this principle, sometimes a [=user agent=] needs to *prevent*
[=recognition=], for instance so that a [=site=] can't learn anything about its
[=user=]'s behavior on *another* site, and sometimes the [=user agent=] needs to *support* [=recognition=],
for instance to help its [=user=] *prove* to one [=site=] that they have a
particular identity on another [=site=]. Similarly, a [=user agent=] can help its
[=user=] to separate or communicate [=identity=] across *repeat* visits to the *same*
[=site=].

### Recognition Types {#recognition-types}

There are several types of [=recognition=] that may take place. These rely on
different methods and present different challenges.

<dfn>Cross-context recognition</dfn> is [=recognition=] between different
[=contexts=]. It contributes to [=surveillance=], [=correlation=],
and [=identification=].

[=Cross-context recognition=] is only [=appropriate=] when the person being [=recognized=]
can reasonably expect that recognition to happen and can control whether it does.
Systems which [=recognize=] people across [=contexts=] need
to be careful not to apply the [=principles=] of one [=context=] in ways that
violate the [=principles=] around use of information acquired in a different
[=context=]. This is particularly true for [=vulnerable=] people, as
recognising them in different [=contexts=] may force traits into the open
that reveal their vulnerability. For example, if you meet your therapist at a
party, you expect them to have different discussion topics with you than they
usually would, and possibly even to pretend they don't know you.

Note that a UA may not always be powerful enough to prevent [=cross-context
recognition=]. For example, if two or more services [=inappropriately=]
require an identifying piece of information (eg. an email address) in order
to use the services.

<dfn>Cross-site recognition</dfn> is when a site determines with high
probability that a visit to the site comes from the same person as another
visit to a *different* site. In the usual case that the sites are different [=contexts=],
[=cross-site recognition=] is a privacy harm in the same cases as [=cross-context recognition=].

<dfn>Same-site recognition</dfn> is when a single [=site=] discovers and uses the
fact that two or more visits probably came from the same [=person=].

A privacy harm occurs if a [=person=] reasonably expects that they'll be using
a different [=identity=] for different visits to a single site, but the site
[=recognizes=] them anyway. This harm can be accomplished through a
variety of means detailed in [[[#recognition-methods]]].

Note that these categories overlap: [=cross-site recognition=] is usually
[=cross-context recognition=] (and always [=recognizes=] across [=partitions=]); and
[=same-site recognition=] is sometimes [=cross-context recognition=] (and may or may not
involve multiple [=partitions=]).

### User agent awareness of recognition {#user-agent-recognition}

[=User agents=] can't, in general, determine exactly where [=context=]
boundaries are within a site, or know how a site allows a [=person=] to
express that they intend to change [=identities=], so the UA can't enforce
that sites actually separate [=identities=] at these boundaries.

Instead, [=user agents=] may have to make some assumptions about the borders
between [=contexts=]. By default, [=user agents=] define a
<dfn>machine-enforceable context</dfn> or <dfn>partition</dfn> as:

* A set of [=environments=] (roughly [^iframe^]s (including cross-site [^iframe^]s),
workers, and top-level pages)
* whose [=environment/top-level origins=] are in the [=same site=] (but see
[[PSL-Problems]])
* being visited within the same user agent installation (and browser profile,
container, or container tab for user agents that support those features)
* between points in time that the person or user agent clears that [=site=]'s
cookies and other storage (which is sometimes automatic at the end of each
session).

Even though this is the default, [=user agents=] can further restrict their
definition of [=machine-enforceable context=] to better aid their users for
instance by partitioning identities per subdomain or site path when the
structure of a given site is known.

Where possible, [=user agents=] should prevent people from being
[=cross-context recognition|recognized=] across [=partitions=] unless they
intend to be recognized.

If a [=person=] visits two or more web pages from different [=partitions=],
and does not explicitly express the same identity on each visit, the UA should
take steps to prevent [=same-site recognition=]. Note that sites can do harm
even if they can't be *completely* certain that visits come from the same
person. Further, note that sites must not assume that a person intends to be
recognised across different sites simply because they are using the same
identifier (such as an email address) with both or are relying on the same
single sign-on identity.

[=User agents=] and identity-related web features can do the following to help
people present the [=identity=] that they want to present to a given website:

* Do not reveal someone's profile information without their consent.
* Do not leak someone's profiles, including which types of profiles they have,
without their consent.
* Make it clear to the user which identity is being presented on a given
website.
* Disclose the least amount of identifying information, e.g.:
  * Only share the parts of someone's profile information that is needed by
  the website.
  * Minimize the shared data; for example if a website requires age for
  verification, then share that the
  user is older than the minimum age, as opposed to specific age or date of
  birth.
* Support the user's intent to present a directed identity or a site-specific
identity. E.g., if the website requires an email, then the user may choose a
directed identifier without disclosing their real email.

This principle is limited in cases where preventing
[=cross-context recognition|recognition=] would break fundamental aspects of
the web. In many cases it's possible to change the design in a way that avoids
the violation without breaking valid use cases, but for cases where that's not
possible we refer you to [[[Privacy-Threat]]] which discusses tradeoffs in
detail.

### Recognition Methods {#recognition-methods}

The web platform offers many ways for a website to recognize that a [=person=]
is using the same [=identity=] over time, including [[RFC6265|cookies]],
{{WindowLocalStorage/localStorage}}, {{WindowOrWorkerGlobalScope/indexedDB}},
{{CacheStorage}}, and other forms of storage. This allows sites to save the
[=person=]'s preferences, shopping carts, etc., and people have come to expect
this behavior in some contexts.

People are unlikely to expect the recognition and will find it difficult to
mitigate when it is automated, which can happen in different ways:

* through the use of <a data-cite="Browser-Parties#environment-cross-site">cross-site</a> cookies,
* by having someone navigate to a link that has been decorated with an identifier
  ([[?Nav-Tracking]]),
* collecting the same piece of identifying information on both sites, or
* by correlating the timestamps of an event that occurs nearly-simultaneously
on both sites (this is an example of a <a
href="https://github.com/asankah/ephemeral-fingerprinting/blob/2395a35aac260d4d2f880eeb05c2617b0fd642ea/README.md">timing
attack</a>).

In addition to recognition methods that can operate automatically across
contexts, recognition can also be made *persistent* such that it will
defeat potential mitigations like [=partitions=] or clearing one's cookies.
This constitutes unsanctioned tracking ([[?UNSANCTIONED-TRACKING]]) and can
take multiple forms.

<dfn data-lt="fingerprint">Fingerprinting</dfn> consists of using attributes of the [=person=]'s
browser and platform that are consistent between two or more visits and
probably unique to the person.

The attributes can be exposed as information about the [=person=]'s device
that is otherwise benign (as opposed to [[[#hl-sensitive-information]]]).
For example:

* language and time zone;
* window size;
* system preferences (such as dark mode, serif font, etc.).

Preventing [=fingerprinting=] can be particularly challenging in cases that
only affect a small group of people who use the web. For example, people who
configure their systems in unique ways, such as by using a browser with a very
small number of users. As long as a tracker can't track a significant number
of people, it's likely to be unviable to maintain the tracker. However, this
doesn't excuse making small groups of people trackable when those people
didn't choose to be in the group.

See [[fingerprinting-guidance]] for how to mitigate threats that result from
[=fingerprinting=].

Supercookies occur when a UA stores data for a site but makes that data more
difficult to clear than other cookies or storage, typically because of a bug, of features
relating to cache storage and network state (eg. ETag, HSTS), or
because the browser restores the browser vendor's cookies when local state is cleared.
<a data-cite="fingerprinting-guidance#clearing-all-local-state">Fingerprinting
Guidance § Clearing all local state</a> discusses how specifications can help
UAs avoid this mistake.

<dfn>Header enrichment</dfn> happens when a network operator adds HTTP request headers
to identify their customers to sites that they visit. It is unfortunately
difficult for a [=user agent=] to mitigate against [=header enrichment=].

<dfn>Cross-device communication</dfn> is communication
between code on one device and code running on another device. For example, sounds or
light emitted from one device could be detected by a microphone or light sensor on
another device [[?SILVERPUSH]]. [=Cross-device communication=] enables cross-device
tracking, a form of [=cross-context recognition=], but it can also be used for other
inappropriate information flows.

## Data minimization {#data-minimization}

<div class="practice">
<span class="practicelab">Sites, user agents and other parties should minimize the amount of
<a>personal data</a> they transfer between parties on the Web.</span>
</div>

Data minimization limits the risks of data being disclosed or misused and also makes it possible to
more meaningfully provide people with understandable decisions about data about them.

<div class="practice">
<span class="practicelab">Web APIs should be designed to minimize the amount of data that sites need
to request to carry out their users' goals and provide granularity and user controls over <a>personal
data</a> that is communicated to sites.</span>
</div>

<aside class="note">
This principle was further explored in an earlier TAG draft on [[[Data-Minimization]]].
</aside>

Because <a>personal data</a> may be sensitive in unexpected ways, or have risks of future uses that could be
unexpected or harmful, minimization as a principle applies to personal data that is not currently
known to be identifying, sensitive or otherwise potentially harmful.

### Ancillary uses

<aside class="issue">
  See <a href="https://github.com/w3ctag/privacy-principles/issues/150">the issue on ancillary
  uses</a> for ongoing discussion and iteration on this principle.
</aside>

In maintaining duties of <a href="#dfn-duty-of-protection">protection</a>, <a
href="#dfn-duty-of-discretion">discretion</a> and <a href="#dfn-duty-of-loyalty">loyalty</a>, user
agents should be conservative when sharing data not necessary to satisfy a user's immediate goals.

On the Web, user agents and sites often communicate data even outside the need to load and display a
page for <dfn>ancillary uses</dfn> including:

* browser telemetry, including:
  * performance measurements,
  * measuring feature usage,
  * debugging site, browser and networking issues, and,
  * detecting security problems or attacks;
* site telemetry, including:
  * performance measurements,
  * analytics about usage and visitors,
  * debugging site issues, and,
  * detecting security problems or attacks;
* advertising and social media sharing, including:
  * measurement, targeting, ad auctions, personalization, fraud prevention;
* performance, including caching and prefetching content;
* software updates.

<dfn>Telemetry and analytics</dfn>, including browser telemetry and site telemetry, are a common
cluster of ancillary uses.

In some cases, mechanisms for sharing data are provided in order to minimize some other data
collection mechanism identified as more intrusive or costly.

Different users will want to share different kinds and amounts of data with websites. For some uses,
some people would reasonably anticipate sharing such data or identify that use as a
commonly-accepted contextual norm and some people would be willing to participate (for example,
might have explicitly decided to contribute if they had the time and understanding to consider
details about such a use) and some people would identify those uses as supporting their own goals.

Aggregated or <a href="#dfn-de-identified">de-identified</a> data is often more likely to be
acceptable in these senses and often still contributes to the collective benefit while minimizing
privacy threats to a particular individual (see <a href="#principle-collective-privacy">collective
privacy</a>). But some people might also object, in particular instances or in general.

<aside class="example">
  Privacy-preserving measurement techniques may be used for aggregate calculations while minimizing
  the parties that have access to personal data about many individual people. Encryption and
  privacy-preserving proxies may be used to minimize the parties that have access to personal data or
  to hide the contents of personal data used for telemetry or other kinds of measurement. But even
  with those protections, some people may prefer not to participate in some kinds of measurement.

  Ongoing work on privacy-preserving technologies in the <abbr title="Internet Engineering Task
  Force">IETF</abbr> <a href="https://datatracker.ietf.org/wg/ppm/about/"><abbr
  title="privacy-preserving measurement">ppm</abbr></a>, <abbr title="Internet Research Task
  Force">IRTF</abbr> <a href="https://datatracker.ietf.org/rg/pearg/about/"><abbr title="Privacy
  Enhancements and Assessments Research Group">pearg</abbr></a> and W3C <a
  href="https://patcg.github.io/"><abbr title="Private Advertising Technology Community
  Group">PATCG</abbr></a> groups may be relevant.
</aside>

<div class="practice">
  <span class="practicelab">Sites and user agents should seek to understand and respect people's
  goals and preferences about use of data about them.</span>
</div>

Agents should both be careful, cautious and conservative in applying data minimization to any <a
href="#dfn-ancillary-uses">ancillary use</a> and also not burden the user with additional [=privacy
labor=]. To that end, user agents may employ user research, solicitation of general preferences, and
heuristics about sensitivity of data or trust in a particular context. To facilitate site
understanding of user preferences, user agents can provide browser-configurable signals to directly
communicate common user preferences.

<div class="practice">
  <span class="practicelab">Specifications that define functionality for telemetry and analytics
  should explicitly note the <a href="#dfn-telemetry-and-analytics">analytics</a> use to facilitate modal or general user
  choices.</span>
</div>

<aside class="example">
  Sites and browsers wish to collect telemetry data to determine how frequently features are used or
  to debug breakages, but the user agent does not want to burden the user with frequent consent
  requests. A browser could use a first-run dialog to ask the user whether they generally support
  sharing data to find bugs and improve the Web software they use, and then enable or disable
  telemetry and reporting APIs based on the user's choice.
</aside>

<aside class="example">
  A user visits a mapping website that they regularly visit and clicks a locator icon; although
  precise geolocation can be very sensitive, the user agent can readily determine the user's intent.
</aside>

Data exposed for ancillary uses including <a href="#dfn-telemetry-and-analytics">telemetry</a> may
often reveal characteristics of user configuration, device, environment or behavior that could be
used as part of <a>browser fingerprinting</a> to identify users across sites. Revealing user
preferences or other heuristics in providing or disabling functionality could also contribute to a
browser fingerprint.

## Information access {#information}

The many APIs available to websites expose lots of data that can be combined into
information about people, web servers, and other things. We can divide that
information into three categories:

1. Information that's fine to expose, for example because a person or group with
    sufficient authority intended to expose that information or to do something that
    necessarily exposes the information, or because it's not about people at all. For
    example:

    * The geolocation and camera APIs ask whether a person wants to expose their data.
    * The URL a person is visiting must be sent to a server in order to navigate to that
       URL, and known private-information-retrieval methods are too expensive to avoid that
       exposure.
    * The distribution of [[[largest-contentful-paint]]] timings for a website is about a website
       rather than about the people browsing it, even if the data that informs that
       measure can also reveal information about people.

1. Information that we don't want to expose and have a plausible plan for removing access
    to. For example, browsers are gradually removing the ability to join identities
    between different [=partitions=].

1. Information that we'd rather not expose, but that we don't have a plausible plan for
    removing access to. For example:

    * Some users are disappointed that the page they're visiting can discover which link
        they clicked to leave that page. We can't block that information that information
        because the page can use <a data-cite="RFC9110#status.3xx">HTTP redirects</a> to
        learn it, and redirection is a core feature of the web.
    * Some users are disappointed that a page with permission to run Javascript can record
        their pattern of interaction with that page. However, the page does this by using
        the same events it would use to make the page interactive, so we can't block this
        information access either.

    These principles don't describe exactly how to distinguish acceptable
    information from information we'd rather not expose. API designers instead
    need to balance the harm to users from exposing information against the harm
    to users from blocking that exposure. When in doubt, designers should ensure
    that different user agents can help their users balance the costs in
    different ways.

The following subsections discuss how to review an API proposal that exposes data that
provides a new way to infer each of the above categories of information. They explain how
to <a data-cite="design-principles#leave-the-web-better">leave the web better than you
found it</a>.

### Handling acceptable information {#acceptable-information}

<div class="practice">
  <span class="practicelab">New APIs can add additional ways of getting acceptable
  information that are guarded at least as strongly as the old ways.</span>
</div>

Acceptable information exposure is always qualified by the (possibly empty) set of
user-controlled settings or permissions that <dfn data-lt="access guard">guard</dfn> access to it.
For example, the URLs of resources, the timing of link clicks, and the referrer chain within a
single origin are not guarded by anything; the scroll position is guarded by the setting to turn off
javascript; and access to the camera or geolocation are guarded by permission prompts.

Information that would be acceptable to expose under one set of [=access guards=] might be
unacceptable under another set, so when an API designer intends to explain that their new
API is acceptable because an existing acceptable API already exposes the same information,
they must be careful to ensure that their new API is only available under a set of guards
that's at least as strict. Without those guards, they need to make the argument from
scratch, without relying on the existing API.

### Handling information that's being removed {#unacceptable-information}

<div class="practice">
  <span class="practicelab">If existing APIs provide access to some information, but
  we have a plan to change those APIs to prevent that access, new APIs must not be added
  that provide that same information without extra [=access guards=] that make the access to the
  information acceptable.</span>
</div>

### Handling information we can't completely block {#sketchy-information}

<div class="practice">
  <span class="practicelab">New APIs that provide access to undesirable information should
  not make that information easier to access, unless they add [=access guards=] that make the
  information acceptable.</span>
</div>


1. If future web platform changes make it possible to remove other access to the
   undesirable information, it should be clear how to extend those changes to the proposed
   API.

1. If an existing browser does block access to the undesirable information, perhaps by
   breaking some experiences on the Web that other browsers don't wish to break, it should
   be clear how the more-private browser can also prevent the new API from exposing that
   information without breaking additional sites or user experiences.

1. When a developer is trying to access the undesirable information, a new API should be at least as
   difficult to use as the existing APIs. For example, it shouldn't require less code, less
   maintenance, or less runtime cost.

The third consideration can be surprising. In many other cases, we can think in terms of a
threat model, using designs familiar from security to make information either available or
unavailable. In this third case, however, we have to think more economically, about the
cost to a website of inferring the relevant information from whatever data the web's APIs
expose. If the cost of inferring the undesirable information is high, fewer websites will
gather it, and privacy will be generally better. If a new API makes the cost go down, more
websites will start inferring the information, and overall privacy will worsen.

Usually, acceptable APIs in this category will be designed to expose data that makes some
acceptable information easier to discover. For example, they might reveal a performance
metric for a website directly instead of requiring it to be computed from the timing of
{{GlobalEventHandlers/onload}} events. The challenge for the new API's designer is to
ensure that the data it exposes doesn't make it cheaper to compute information about
people than it would have been through other methods.

## Sensitive Information {#hl-sensitive-information}

Contributes to [=correlation=], [=identification=], [=secondary use=], and
[=disclosure=].

Many pieces of information about someone could cause privacy harms if disclosed.
For example:

* Their location.
* Video or audio from the their camera or microphone.
* The content of certain files on their filesystem.
* Financial data.
* Contacts.
* Calendar entries.
* [Whether they are using assistive technology.](https://w3ctag.github.io/design-principles/#do-not-expose-use-of-assistive-tech)
* ...

A particular piece of information may have different sensitivity for different
people. Language preferences, for example, might typically seem innocent, but
also can be an indicator of belonging to an ethnic minority. Precise location
information can be extremely sensitive (because it's identifying, because it
allows for in-person intrusions, because it can reveal detailed information
about a person's life) but it might also be public and not sensitive at all, or
it might be low-enough granularity that it is much less sensitive for many
people.

When considering whether a class of information is likely to be sensitive to
a person, consider at least these factors:

* whether it serves as a persistent [=identifier=] (see severity in Mitigating
    browser fingerprinting);
* whether it discloses substantial (including intimate details or inferences)
    information about the the person using the system or other people;
* whether it can be revoked (as in determining whether a permission is
    necessary);
* whether it enables other threats, like intrusion.

Issue(16): This description of what makes information sensitive still needs to
be refined.

## Data Rights {#data-rights}

<p>
  <span class="practicelab" id="respect-data-rights">
    [=People=] have certain rights over [=data=] that is about themselves, and these rights should
    be facilitated by their [=user agent=] and the [=parties=] that are [=processing=] their
    [=data=].
  </span>
</p>

While data rights alone are not sufficient to satisfy all [=privacy=] principles for the Web, they
do support self-determination and help improve accountability. Such rights include:

* The <dfn data-export="">right to access</dfn> [=data=] about oneself.

This right includes being able to discover data about oneself (implying no databases are kept
secret) and to review
what information has been collected or inferred.

* The <dfn data-export="" data-lt="right to erase">right to erase</dfn> [=data=] about oneself.

The right to erase applies whether or not terminating use of a service altogether, though what
[=data=] can be erased may differ between those two cases. On the Web, [=people=] may wish to erase
data on their device, on a server, or both, and the distinctions may not always be clear.

* The <dfn data-export="" data-lt="right to portability" data-local-lt="portability">right to
port</dfn> [=data=], including data one has stored with a [=party=], so it can easily be reused or
transferred elsewhere.

Portability is needed to realize the ability for [=people=] to make choices about services with
different data practices. Standards for interoperability are essential for effective re-use.

* The <dfn data-export="">right to correct</dfn> [=data=] about oneself, to ensure that one's
[=identity=] is properly reflected in a system.

* The <dfn data-export="">right to be free from automated decision-making</dfn> based on [=data=]
about oneself.

For some kinds of decision-making with substantial consequences, there is a privacy interest in
being able to exclude oneself from automated profiling. For example, some services may alter the
price of products (price discrimination) or offers for credit or insurance based on [=data=]
collected about a person. Those alterations may be consequential (financially, say) and
objectionable to people who believe those decisions based on data about them are inaccurate or
unjust. As another example, some services may draw inferences about a user's identity, humanity or
presence based on facial recognition algorithms run on camera data. Because facial recognition
algorithms and training sets are fallible and may exhibit certain biases, people may not wish to
submit to decisions based on that kind of automated recognition.

* The <dfn data-export=""
  data-lt="right to object|right to withdraw consent|right to restrict use">right to object,
withdraw consent, and restrict use</dfn> of data about oneself.

[=People=] may change their decisions about consent or may object to subsequent uses of data about
themselves. Retaining rights requires ongoing control, not just at the time of collection.

The OECD Privacy Principles [[OECD-Guidelines]], [[Records-Computers-Rights]], and the [[GDPR]],
among other places, include many of the rights [=people=] have as data subjects. These participatory
rights by people over data about themselves are inherent to [=autonomy=].

## De-identified Data {#deidentified-data}

<div class="practice">

<p>
  <span class="practicelab" id="de-identify-data">
    Whenever possible, processors should work with [=data=] that has been [=de-identified=].
  </span>
</p>

</div>

Data is <dfn>de-identified</dfn> when there exists a high level of confidence
that no [=person=] described by the data can be identified, directly or indirectly
(e.g. via association with an [=identifier=], user agent, or device), by that data alone or in
combination with other available information. Note
that further considerations relating to groups are covered in the
<a href="#collective">Collective Issues in Privacy</a> section.

We talk of <dfn>controlled de-identified data</dfn> when:
1. The _state_ of the data is such that the information that could be used to re-identify an
   individual has been removed or altered, and
2. the there is a _process_ in place to prevent attempts to re-identify [=people=] and the inadvertent
   release of the de-identified data. [[?De-identification-Privacy-Act]]

Different situations involving [=controlled de-identified data=] will require different controls.
For instance, if the [=controlled de-identified data=] is <em>only</em> being processed by one
[=party=], typical controls include making sure that the [=identifiers=] used in the data are unique
to that dataset, that any person (e.g. an employee of the [=party=]) with access to the [=data=] is
barred (e.g. based on legal terms) from sharing the [=data=] further, and that technical measures
exist to prevent re-identification or the joining of different data sets involving this [=data=],
notably against timing or k-anonymity attacks.

In general, the goal is to ensure that [=controlled de-identified data=] is used in a manner that
provides a viable degree of oversight and accountability such that technical and procedural means to
guarantee the maintenance of pseudonymity are preserved.

This is more difficult when the [=controlled de-identified data=] is shared between several
[=parties=]. In such cases, good examples of typical controls that are representative of best
practices would include making sure that:

* the [=identifiers=] used in the [=data=] are under the direct and exclusive control of
  the [=first party=] who is prevented by strict controls from matching the identifiers with the
  data;

* when these [=identifiers=] are shared with a [=third party=], they are made unique
  to that [=third party=] such that if they are shared with more than one
  [=third party=] these cannot then match them up with one another;

* there is a strong level of confidence that no [=third party=] can match the [=data=]
  with any data other than that obtained through interactions with the [=first
  party=];

* any [=third party=] receiving such [=data=] is barred (eg. based on legal terms)
  from sharing it further;

* technical measures exist to prevent re-identification or the joining of
  different data sets involving this [=data=], notably against timing or
  k-anonymity attacks; and

* there exist contractual terms between the [=first party=] and [=third party=]
  describing the limited [=purpose=] for which the data is being shared.

Note that [=controlled de-identified data=], on its own, is not sufficient to render
[=data processing=] [=appropriate=].

## Collective Privacy {#collective-privacy}

<div class="practice">

<p>
  <span class="practicelab" id="principle-collective-privacy">
    Groups and various forms of institutions should best protect and support autonomy by making
    decisions collectively rather than individually to either prevent or enable data
    sharing, and to set defaults for data processing rules.
  </span>
</p>

</div>

Privacy principles are often defined in terms of extending rights to individuals. However, there are
cases in which deciding which principles apply is best done collectively, on behalf of a group.

One such case, which has become increasingly common with widespread profiling, is that of information
relating to membership of a group or to a group's behaviour, as detailed in
<a href="#group-privacy"></a>. As Brent Mittelstadt explains, “<em>Algorithmically grouped
individuals have a collective interest in the creation of information about the group, and actions
taken on its behalf.</em>” ([[?Individual-Group-Privacy]]) This justifies ensuring that grouped
people can benefit from both individual and collective means to support their [=autonomy=] with respect
to [=data=] [=processing=]. It should be noted that [=processing=] can be unjust even if individuals
remain anonymous, not from the violation of individual [=autonomy=] but because it violates ideals
of social equality ([[?Relational-Governance]]).

Another case in which collective decision-making is preferable is for [=processing=] for which
informed individual decision-making is unrealistic (due to the complexity of the processing, the
volume or frequency of processing, or both). Expecting laypeople (or even experts) to make informed
decisions relating to complex [=data=] [=processing=] or to make decisions on a very frequent basis
even if the [=processing=] is relatively simple, is unrealistic if we also want them to have
reasonable levels of [=autonomy=] in making these decisions.

The purpose of this principle is to require that [=data governance=] provide ways to distinguish
[=appropriate=] [=data=] [=processing=] without relying on individual decisions whenever the latter
are impossible, which is often ([[?Relational-Governance]], [[?Relational-Turn]]).

Which forms of collective governance are recognised as legitimate will depend on domains. These may
take many forms, such as governmental bodies at various administrative levels, standards
organisations, worker bargaining units, or civil society fora.

It must be noted that, even though collective decision-making can be better than offloading
[=privacy labour=] to [=individuals=], it is not necessarily a panacea. When considering such
collective arrangements it is important to keep in mind the principles that are likely to support
viable and effective institutions at any level of complexity ([[?IAD]]).

A good example of a failure in collective privacy decisions was the standardisation of the
[^a/ping^] attribute. Search engines, social sites, and other algorithmic media in the same vein
have an interest in knowing which sites that they link to [=people=] choose to visit (which in turn
could improve the service for everyone). But [=people=] may have an interest in keeping that
information private from algorithmic media companies (as do the sites being linked to, as that
facilitates timing attacks to recognise [=people=] there). A [=person=]'s exit through a specific
link can either be tracked with JavaScript tricks or through bounce tracking, both of which are slow
and difficult for user agents to defend against. The value proposition of the [^a/ping^] attribute
in this context is therefore straightforward: by providing declarative support for this
functionality it can be made fast (the browser sends an asynchronous notification to a ping
endpoint after the [=person=] exits through a link) and the user agent can provide its [=user=] with
the option to opt out of such tracking — or disable it by default.

Unfortunately, this arrangement proved to be unworkable on the privacy side (the performance gains,
however, are real). What prevents a site from using [^a/ping^] for [=people=] who have it activated
and bounce tracking for others? What prevents a browsers from opting everyone out because it wishes
to offer better protection by default? Given the contested nature of the [^a/ping^] attribute and
the absence of a forcing function to support collective enforcement, the scheme failed to deliver
improved privacy.

## Device Owners and Administrators {#device-administrators}

<div class="practice">
<span class="practicelab" id="principle-owned-devices-disclose-surveillance">
[=User agents=] must not help a device [=administrator=] surveil the people using the devices they
administrate without those people's knowledge.
</span>
</div>

<div class="practice">
<span class="practicelab" id="principle-reasonable-disclosure-on-owned-devices">
[=User agents=] should only tell a device [=administrator=] about user behavior when that disclosure
is necessary to enforce reasonable constraints on use of the device.
</span>
</div>


Computing devices have <dfn data-lt="device owner">owners</dfn>, and those owners have
<dfn>administrator</dfn> access to the devices in order to install and configure the programs,
including [=user agents=], that run on them. Sometimes, as in the cases of an employer providing a
device to an employee, a friend loaning a device to their visitor, or a parent providing a device to
their small child, the [=person=] using a device doesn't own the device or have [=administrator=]
access to it. Other times, as in the cases of intimate partners or one relative helping another
relative with their device, the owner and primary user of a device might not be the only person with
[=administrator=] access. As a program running on a device, a [=user agent=] generally can't tell
whether the [=administrator=] who has installed and configured it was authorized by the device's
actual owner.

These relationships can involve power imbalances. A child may have difficulty accessing any
computing devices other than the ones their parent provides. A victim of abuse might not be able to
prevent their partner from having [=administrator=] access to their devices. An employee might have
to agree to use their employer's devices in order to keep their job.

While a [=device owner=] has an interest and sometimes a responsibility to make sure their device is
used in the ways they intended, the [=person=] _using_ the device still has a right to privacy while
using it. The above principles enforce this right to privacy in two ways:

1. [=User agent=] developers need to consider whether requests from [=device owners=] and
   [=administrators=] are reasonable, and refuse to implement unreasonable requests, even if that
   means fewer sales. Owner/administrator needs must not simply trump user needs in the <a
   data-cite="design-principles#priority-of-constituencies">priority of constituencies</a>.
1. Even when information disclosure is reasonable, the [=person=] whose data is being disclosed
   needs to know about it so that they can avoid doing things that would lead to unwanted
   consequences.

Some [=administrator=] requests might be reasonable for some sorts of users, like employees or
especially children, but not be reasonable for other sorts, like friends or intimate partners. In
those cases, the [=user agent=] can explain what the administrator is going to learn in a way that
also says what sort of user is expected to agree. Users in other classes can then react
appropriately.

<aside class="issue">
Link this to [[[#guardians]]].
</aside>

## Harassment

Online <dfn>harassment</dfn> is the "pervasive or severe targeting of an individual or group online
through harmful behavior" [[PEN-Harassment]]. Harassment is a prevalent problem on the Web,
particularly via social media. While harassment may affect any person using the Web, it may be more
severe and its consequences more impactful for LGBTQ people, women, people in racial or ethnic
minorities, people with disabilities, [=vulnerable people=] and other marginalized groups.

<aside class="note">
  Some useful research overviews of online harassment include: [[?PEW-Harassment]],
  [[?Addressing-Cyber-Harassment]] and [[?Internet-of-Garbage]].
</aside>

[=Harassment=] is both a violation of privacy itself and can be magnified or facilitated by other
violations of privacy.

Abusive online behavior may include: sending [=unwanted information=]; directing others to contact
or bother a person ("dogpiling"); disclosing sensitive information about a person; posting false
information about a person; impersonating a person; insults; threats; and hateful or demeaning
speech.

Disclosure of identifying or contact information (including "doxxing") can be used, including by
additional attackers, to send often persistent unwanted information that amounts to harassment.
Disclosure of location information can be used, including by additional attackers, to intrude on a
person's physical safety or space.

Mitigations for harassment include but extend beyond mitigations for unwanted information and other
privacy principles. Harassment can include harmful activity with a wider distribution than just the
target of harassment.

<div class="practice">
  <p>
    <span class="practicelab" id="abuse-reporting">
      Systems that allow for communicating on the Web must provide an effective capability to report
      abuse.
    </span>
  </p>
</div>

Reporting mechanisms are mitigations, but may not prevent harassment, particularly in cases where
hosts or intermediaries are supportive of or complicit in the abuse.

<div class="note">
  Effective reporting is likely to require:

  * standardized mechanisms to identify abuse reporting contacts
  * visible, usable ways provided by sites and user agents to report abuse
  * identifiers to refer to senders and content
  * the ability to provide context and explanation of harms
  * people responsible for promptly responding to reports
  * tools for pooling mitigation information (see Unwanted information, below)
</div>

## Unwanted Information {#unwanted-information}

Receiving unsolicited information that either may cause distress or waste the recipient's
time or resources is a violation of privacy.

<div class="practice">

<p>
  <span class="practicelab" id="principle-protect-unwanted-information">
    [=User agents=] and other [=actors=] should take
    steps to ensure that their [=user=] is not exposed to unwanted information. Technical standards
    must consider the delivery of unwanted information as part of their architecture and must
    mitigate it accordingly.
  </span>
</p>
</div>

<dfn>Unwanted information</dfn> covers a broad range of unsolicited communication, from messages
that are typically harmless individually but that become a nuisance in aggregate (spam) to the
sending of images that will cause shock or disgust due to their graphic, violent, or explicit nature
(eg. pictures of one's genitals). While it is impossible, in a communication system involving many
[=people=], to offer perfect protection against all kinds of unwanted information, steps can be
taken to make the sending of such messages more difficult or more costly, and to render the senders
more accountable. Examples of mitigations include:

* Restricting what new users of a service can post, notably limiting links and media until they have
  interacted a sufficient number of times over a given period with a larger group. This helps to
  raise the cost of producing sockpuppet accounts and gives new users the occasion to understand
  local norms before posting.
* Only accepting communication between [=people=] who have an established relationship of some kind,
  such as being part of a shared group. Protocols should consider requiring a handshake between
  [=people=] prior to enabling communication.
* Requiring a deliberate action from the recipient before rendering media coming from an
  untrusted source.
* Supporting the ability for [=people=] to block a [=party=] such that they cannot send information
  again.
* Pooling mitigation information, for instance shared block lists, shared spam-detection
  information, or public information about misbehaving [=actors=]. As always, the collection and
  sharing of [=information=] for safety purposes should be limited and placed under collective
  governance.


## Vulnerability {#vulnerability}

<div class="issue">This section is still being refined. We expect additional principles to be added.</div>

An individual may not realise when they disclose personal data that
they are vulnerable or could become vulnerable. Some individuals
may be more vulnerable to privacy risks or harm as a result of
collection, misuse, loss or theft of personal data because of
their attributes, interests, opinions or behaviour. Others may be
vulnerable because of the situation or setting (e.g., where there
is information asymmetry or other power imbalances), or they lack
the capacity to fully assess the risks, or because choices are
not presented in an easy-to-understand meaningful way (e.g., dark
patterns). Yet others may be vulnerable because they have not been
consulted about their privacy needs and expectations, or considered
in the decisions about the design of the product of service.

Sometimes communities of individuals are classed as “vulnerable”,
typically children and the elderly, but anyone could become privacy
vulnerable in a given context. Additional privacy protections may
be needed for personal data of vulnerable individuals or sensitive
information which could cause someone to become vulnerable if their
personal data is collected, used or shared.

Even in populations of individuals classed as “vulnerable” (such
as children), each individual is unique with their own desires and
expectations for privacy. While sometimes others can help vulnerable
individuals assess privacy risks and make decisions about privacy
(such as parents, guardians and peers), everyone has their own
right to privacy.

<div class="practice">
<p>
  <span class="practicelab" id="principle-vulnerability">
[=User agents=] and [=sites=] should allow for gracefully degraded
user experience where some features or functionality may not be
available because users have chosen stronger privacy protections
(e.g., blocking tracking elements, sensor data or information about
installed software or connected devices).
  </span>
</p>
</div>

### Guardians {#guardians}

<div class="practice">
<span class="practicelab" id="principle-guardians-have-responsibilities">
A [=user agent=] may only provide information about a [=ward=] to a [=guardian=] for the purpose of
helping that [=guardian=] uphold their responsibilities to their [=ward=]. This system must include
measures to help [=wards=] who realize that their [=guardian=] isn't acting in the [=ward=]'s
interest.</span>
</div>


Some classes of vulnerable people tend to be unable to make good decisions about their own web use,
and need a <dfn>guardian</dfn> to help them. Children are a widely recognized example of this class,
with their parents often acting as their [=guardians=]. A person with a [=guardian=] is known as
a <dfn>ward</dfn>.

Many legal systems treat these guardianship relationships as a set of rights that the [=guardian=]
possesses. We prefer to instead think of the [=ward=] having a right to make informed decisions and
exercise their autonomy. Their [=guardian=] then has an _obligation_ to help their [=ward=] do so
when the [=ward=]'s abilities aren't sufficient, even if that conflicts with the [=guardian=]'s
desires. In practice, many [=wards=] discover that their [=guardian=] is not making decisions in the
[=ward=]'s best interest, and it's critical that such [=wards=] have a way to escape their
misbehaving guardian.

Historically, the Web has provided exactly this escape route, and [=user agents=] should preserve
that feature by correctly balancing a benevolent [=guardian=]'s need to protect their [=ward=] from
dangers against other [=wards=]' need to protect themselves from their misbehaving [=guardians=].

<aside class="example" id="example-protective-parent" title="Protective parents">

A parent might configure a small child's [=user agent=] to block access to violent content until the
child is old enough to make their own decisions about it.

</aside>

<aside class="example" id="example-lgbt-kid" title="An LGBT child">

A child may discover that they're LGBT and need to find supportive resources online. If they have a
homophobic or transphobic parent, that parent might have configured their [=user agent=] to either
block or inform the parent when the child visits web pages about LGBT-related subjects. The [=user
agent=] needs to warn the child about how it's configured so that the child can know to ask a better
[=guardian=] for access to the help they need.

</aside>

<aside class="issue">

Add crosslinks to [[[#device-administrators]]].

</aside>

## Consent, Withdrawal of Consent, Opt-Outs, and Objections {#consent-principles}

<div class="practice">
<p>
  <span class="practicelab" id="principle-consent-user-preference">
    When any [=actor=] obtains [=consent=] for processing from a [=person=], the
    actor should design the consent request so as to learn the person's true
    intent to consent or not, and not to maximize the processing consented to.
  </span>
</p>
</div>

Attempts to obtain consent to [=processing=] that is not in accordance with the person's
true preferences result in imposing unwanted [=privacy labour=] on the person, and may
result in people erroneously giving consent that they regret later.

<div class="practice">
<p>
  <span class="practicelab" id="principle-minimize-consent-requests">
    An [=actor=] should avoid interrupting a [=person=]'s use of a site for
	consent requests when an alternative is available.
  </span>
</p>
</div>

Examples of alternatives to interrupting users with consent requests include:

 * Considering the information sharing norms in the site's audience
   and category, and requesting only consent that is appropriate
   to the purpose of the site. (For example, a photo sharing site's
   users might expect to be prompted for consent to share their
   uploaded work.)  Sites should consider conducting user research on
   people's expectations for how data is processed.

 * Relying on a [=global opt-out=] signal from the [=user agent=].

 * Delaying a prompt for consent until a [=user=] does something that puts the request in context,
    which will also help them give an informed response.

<div class="practice">
<p>
  <span class="practicelab" id="principle-consent-withdraw">
    It should be as easy for a user to check what consent they have given,
	to withdraw consent, or to opt out or object,
	as to give consent.
  </span>
</p>
</div>


## Notifications and Interruptions {#interruptions}

<aside class="issue">This is related to [=autonomy=].</aside>

Notifications and other interruptive UI can be a powerful way to capture attention.
Depending on the operating system in use, a notification can appear outside of the
browser context (for example, in a general notifications tray) or even cause a device to
buzz or play an alert tone.
Like all powerful features, notifications can be misused and can become an annoyance
or even used to manipulate behaviour and thus reduce [=autonomy=].

<div class="practice">

  <span class="practicelab" id="principle-notifications-control">A [=user agent=] should help
    users control notifications and other interruptive UI that can be used to manipulate behavior.</span>

  [=User agents=] should provide UI that allows their users to audit which web [=sites=] have been granted
  permission to display alerts and to revoke these permissions.
  [=User agents=] should also apply some quality metric to the initial request for permissions to receive
  notifications (for example, disallowing sites from requesting permission on first visit).

</div>
<div class="practice">

  <span class="practicelab" id="principle-notifications-context">Web [=sites=] should use notifications
    only for information that their users have specifically requested.
  </span>

  Web [=sites=] should tell their users what specific kind of information people can expect to
  receive, and how notifications can be turned off,  when requesting permission to send interruptive
  notifications.  Web [=sites=] should not request permission to send notifications when
  the user is unlikely to have sufficient knowledge (e.g. information about what kinds of
  notifications they are signing up for) to make an informed response. If it's unlikely
  that such information could have been provided then the [=user agent=] should apply
  mitigations (for example, warning about potential malicious use of the notifications
  API).
  Permissions should be requested in context.

</div>

## Non-Retaliation {#non-retaliation}

<div class="practice">
  <span class="practicelab" id="principle-do-not-retaliate">
    [=Parties=] must not retaliate against [=people=] who protect their [=data=] against
    non-essential [=processing=] or exercise rights over their [=data=].
  </span>
</div>

Whenever people have the ability to cause a [=party=] to process less of their [=data=] or to stop
carrying out some given set of data processing that is not essential to the service, they must be
allowed to do so without the [=party=] retaliating, for instance by artificially removing an
unrelated feature, by decreasing the quality of the service, or by trying to cajole, badger, or
trick the [=person=] into opting back into the [=processing=].

<aside class="issue">Some services have the user pay for their use in data. These services aren't necessarily retaliating by denying their services to users who refuse to pay with data, but the details are more complex than we've had time to write.</aside>

## Support Choosing Which Information to Present {#support-choosing-info}

<div class="practice">
  <span class="practicelab" id="principle-support-choosing-info">
    [=User agents=] should support [=people=] in choosing which information they provide to [=parties=] that
    request it, up to and including allowing users to provide arbitrary information.
  </span>
</div>

[=Parties=] can invest time and energy into automating ways of gathering [=data=] from [=people=] and can
design their products in ways that make it a lot easier for [=people=] to disclose information than not, whereas
[=people=] typically have to manually wade through options, repeated prompts, and deceptive patterns. In many
cases, the absence of data — when a [=person=] refuses to provide some information — can also be identifying
or revealing. Additionally, APIs can be defined or implemented in rigid ways that can prevent people from
accessing useful functionality. For example, I might want to look for restaurants in a city I will be visiting
this weekend, but if my geolocation is forcefully set to match my GPS, a restaurant-finding
site might only allow searches in my current location. In other cases, sites do not abide by data
minimisation principles and request more information than they require. This principle supports
[=people=] in minimising their own data.

[=User agents=] should make it simple for [=people=] to [present the identity they wish
to](#principle-identity-per-context) and to provide information about themselves or their devices in
ways that they control. This helps [=people=] to live in obscurity ([[?Lost-In-Crowd]],
[[?Obscurity-By-Design]]), including by obfuscating information about themselves ([[?Obfuscation]]).

<div class="practice">
  <span class="practicelab" id="principle-no-facts-or-promises">
    APIs should be designed such that data returned through an API does not assert a fact or make a
    promise on the user's behalf about the user or their environment.
  </span>
</div>

Instead, the API could indicate a [=person=]'s preference, a [=person=]'s chosen identity, a
[=person=]'s query or interest, or a [=person=]'s selected communication style.

<div class="example">
For example, a [=user agent=] might support this principle by:

* Generating domain-specific email addresses or other directed identifiers so that [=people=] can
  log into the site without becoming recognisable across contexts.
* Offering the option to generate geolocation and accelerometry data with parameters specified by
  the [=user=].
* Uploading a stored video stream in response to a camera prompt.
* Automatically granting or denying permission prompts based on user configuration.

</div>

Sites should include deception in their threat modeling and not assume that Web platform APIs
provide any guarantees of consistency, currency, or correctness about the user. People often have
control of the devices and software they use to interact with web sites. In response to site
requests, people may people may arbitrarily modify or select the information they provide for a
variety of reasons, including both malice and self-protection.

In any rare instances when an API must be defined as returning true current values, users may still
configure their agents to respond with other information, for reasons including testing, auditing or
mitigating forms of data collection, including <a>browser fingerprinting</a>.

<!--
# EVERYTHING BELOW THIS LINE IS MATERIAL

See Privacy as Rules

ABOUT REASONING
A data system designed for people is one in which people remain effectively able to reason about
what is known about them. This means working to prevent hidden parties from acquiring such
information, preventing any party from acquiring too much information about a person particularly in
cross-referencing from multiple sources, restricting applications of this data that are hostile to
people. [this needs all kinds of better phrasing]

RULES ABOUT PARTIES
Privacy regulatory regimes are often anchored at extremes: either they default to allowing
only very few strictly essential [=purposes=] such that many [=parties=] will have to
resort to [=consent=], habituating [=people=] to ignore legal prompts and incentivising
[=dark patterns=], or, conversely, they default to forbidding only very few, particularly
egregious [=purposes=], such that [=people=] will have to perform the [=privacy labour=] to
[=opt out=] in every [=context=] in order to produce [=appropriate=] [=processing=].

-->

<section class="appendix">

# Common Concepts {#boring-terminology}

## People {#people}

A <dfn data-lt="individual|people|user|data subject">person</dfn> (also [=user=] or
[=data subject=]) is any natural person. Throughout this document, we primarily use [=person=] or
[=people=] to refer to human beings, as a reminder of their humanity. When we use the term [=user=],
it is to talk about the specific [=person=] who happens to be using a given system at that time.

A <dfn data-lt="vulnerable">vulnerable person</dfn> is a [=person=] who may be unable to
exercise sufficient self-determination in a [=context=]. Amongst other things, they should
be treated with greater default privacy protections and may be considered unable to
[=consent=] to various interactions with a system.
People can be vulnerable for different reasons, for example because they are children,
are employees with respect to their employers, are facing a steep asymmetry of power,
are people in some situations of intellectual or psychological impairment, are
refugees, etc.

A <dfn>context</dfn> is a physical or digital environment that a [=person=] interacts with
for a set of [=purposes=] (that they typically share with other [=people=] who interact with the
same environment).

## Server-Side Parties {#parties}

A <dfn>party</dfn> is an entity that a [=person=] can reasonably understand as a single "thing"
they're interacting with. Uses of this document in a particular domain are expected to describe how
the core concepts of that domain combine into a [=user=]-comprehensible [=party=], and those refined
definitions are likely to differ between domains.

[=User agents=] tend to explain to [=people=] which [=origin=] or [=site=] provided the
web page they're looking at. The [=party=] that controls this [=origin=] or [=site=] is
known as the web page's <dfn data-dfn-for="page">first party</dfn>. When a [=person=]
interacts with a UI element on a web page, the <dfn>first party</dfn> of that interaction
is usually the web page's [=page/first party=]. However, if a different [=party=] controls
how data collected with
the UI element is used, and a reasonable person with a realistic cognitive budget would realize
that this other [=party=] has this control, this other
[=party=] is the [=first party=] for the interaction instead.

<aside class="issue">
  The group believes that the definition of [=first party=] provided above needs further refinement.
  Please see <a href="https://github.com/w3ctag/privacy-principles/issues/152">this issue</a>
  for more details.
</aside>

The [=first party=] to an interaction is accountable for the processing of data produced
by that interaction, even if another party does the processing.

A <dfn data-lt="third parties">third party</dfn> is any [=party=] other than the
[=person=] visiting the website or the [=first parties=] they expect to be interacting
with.

The <dfn>Vegas Rule</dfn> is a simple implementation of privacy in which "<i>what happens with the
[=first party=] stays with the [=first party=]</i>." Put differently, the [=Vegas Rule=] is followed
when the [=first party=] is the only [=data controller=]. While the [=Vegas Rule=] is a good
guideline, it's neither necessary nor sufficient for [=appropriate=] [=data processing=]. A [=first
party=] that maintains exclusive access to a person's data can still [=process=] it
[=inappropriately=], and there are cases where a third party can learn information about a person
but still treat it [=appropriately=].

## Acting on Data {#acting-on-data}

We define <dfn data-lt="data">personal data</dfn> as any information that is directly or
indirectly related to an identified or identifiable [=person=], such as by reference to an
[=identifier=] ([[GDPR]], [[OECD-Guidelines]], [[Convention-108]]).

On the web, an <dfn>identifier</dfn> of some type is typically assigned for an
[=identity=] as seen by a website, which makes it easier for an automated
system to store data about that [=person=].

Examples of [=identifiers=] for a [=person=] can be:

* their name,
* an identification number including those mapping to a device that this
[=person=] may be using,
* their phone number,
* their location data,
* an online identifier such as email or IP addresses,
* browser [=fingerprints=] (based on a combination of
configuration characteristics), or
* factors specific to their physical, physiological, genetic, mental,
economic,
cultural, social, or behavioral [=identity=],
* strings derived from other [=identifiers=], for instance through hashing.

If a [=person=] could reasonably be identified or re-identified through the combination of [=data=] with other
[=data=], then that [=data=] is [=personal data=].

<dfn>Privacy</dfn> is achieved in a given [=context=] that either involves [=personal data=] or
involves information being presented to [=people=] when the [=principles=] of that [=context=] are
followed appropriately. When the [=principles=] for that [=context=] are not followed, there is a
<dfn>privacy violation</dfn>. Similarly, we say that a particular interaction is
<dfn data-lt="appropriately">appropriate</dfn> when the [=principles=] are adhered
to) or <dfn data-lt="inappropriately">inappropriate</dfn> otherwise.

A [=party=] <dfn data-lt="process|processing|processed|data processing">processes</dfn> data if it
carries out operations on [=personal data=], whether or not by automated means, such as
collection, recording, organisation, structuring, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, [=sharing=], dissemination or
otherwise making available, [=selling=], alignment or combination, restriction, erasure or
destruction.

A [=party=] <dfn data-lt="share|sharing">shares</dfn> data if it provides it to any other
[=party=]. Note that, under this definition, a [=party=] that provides data to its own
[=service providers=] is not [=sharing=] it.

A [=party=] <dfn data-lt="sell|selling">sells</dfn> data when it [=shares=] it in exchange
for consideration, monetary or otherwise.

The <dfn>purpose</dfn> of a given [=processing=] of data is an anticipated, intended, or
planned outcome of this [=processing=] which is achieved or aimed for within a given
[=context=]. A [=purpose=], when described, should be specific enough to be actionable by
someone familiar with the relevant [=context=] (ie. they could independently determine
[=means=] that reasonably correspond to an implementation of the [=purpose=]).

<!--
XXX given that contexts are defined from *user* purpose we might wish to have purpose in
general and processing purpose for the above.
-->

The <dfn>means</dfn> are the general method of [=data processing=] through which a given
[=purpose=] is implemented, in a given [=context=], considered at a relatively abstract
level and not necessarily all the way down to implementation details. Example:
<em>a person will have their preferences restored (purpose) by looking up their identifier
in a preferences store (means)</em>.

A <dfn>data controller</dfn> is a [=party=] that determines the [=means=] and [=purposes=]
of data processing. Any [=party=] that is not a [=service provider=] is a [=data controller=].

A <dfn data-lt="data processor">service provider</dfn> or [=data processor=] is considered to be the
same [=party=] as the [=actor=] contracting it to perform the relevant [=processing=] if it:

* is processing the data on behalf of that [=party=];
* ensures that the data is only retained, accessed, and used as directed by that
  [=party=] and solely for the list of explicitly-specified [=purposes=]
  detailed by the directing [=party=] or [=data controller=];
* may determine implementation details of the data processing in question but
  does not determine the [=purpose=] for which the data is being [=processed=]
  nor the overarching [=means=] through which the [=purpose=] is carried out;
* has no independent right to use the data other than in a [=de-identified=] form (e.g., for
  monitoring service integrity, load balancing, capacity planning, or billing); and,
* has a contract in place with the [=party=] which is consistent with the above limitations.

</section>

<section class="appendix">

# High-Level Threats {#threats}

User agents should attempt to defend the people using them from a variety of high-level
threats or attacker goals, described in this section.

These threats are an extension of the ones discussed by [[RFC6973]].

<dl>
<dt><dfn>Correlation</dfn>

<dd> Correlation is the combination of various pieces of information related to an
    individual or that obtain that characteristic when combined. See
    <a
data-cite="RFC6973#section-5.2.1">RFC6973§5.2.1</a>.

<dt>Data Compromise

<dd> End systems that do not take adequate measures to secure data from
    unauthorized or inappropriate access. See <a
    data-cite="RFC6973#section-5.1.2">RFC6973§5.1.2</a>.

<dt><dfn>Disclosure</dfn>

<dd>Disclosure is the revelation of information about an individual that affects
    the way others judge the individual. See <a
data-cite="RFC6973#section-5.2.4">RFC6973§5.2.4</a>.

<dt>Exclusion

<dd>Exclusion is the failure to allow individuals to know about the data that
    others have about them and to participate in its handling and use. See
    <a
data-cite="RFC6973#section-5.2.5">RFC6973§5.2.5</a>.

<dt><dfn>Identification</dfn>

<dd>Identification is the linking of information to a particular individual, even if the information
isn't linked to that individual's real-world identity (e.g. their legal name, address, government ID
number, etc.). Identifying someone allows a system to treat them differently from others, which can
be [=inappropriate=] depending on the [=context=]. See
<a data-cite="RFC6973#section-5.2.2">RFC6973§5.2.2</a>.

<dt><dfn>Intrusion</dfn>

<dd> [=Intrusion=] consists of invasive acts that disturb or interrupt one’s life or
    activities. See <a
    data-cite="RFC6973#section-5.1.3">RFC6973§5.1.3</a>.

<dt>Misattribution

<dd> Misattribution occurs when data or communications related to one individual
    are attributed to another. See <a
data-cite="RFC6973#section-5.1.4">RFC6973§5.1.4</a>.

<dt>Profiling</dt>

<dd>The inference, evaluation, or prediction of an individual's attributes, interests, or
behaviours.</dd>

<dt><dfn>Secondary Use</dfn>

<dd> Secondary use is the use of collected information about an individual without
    the individual’s consent for a purpose different from that for which the
    information was collected. See <a
data-cite="RFC6973#section-5.2.3">RFC6973§5.2.3</a>.

<dt><dfn>Surveillance</dfn>

<dd> Surveillance is the observation or monitoring of an individual’s
communications or activities. See <a
data-cite="RFC6973#section-5.1.1">RFC6973§5.1.1</a>.
</dl>

These threats combine into the particular concrete threats we want web
specifications to defend against, described in the sections that follow.

</section>

<section class="appendix" id="bp-summary"></section>

<section class="appendix">

# Acknowledgements {#acknowledgements}

Some of the definitions in this document build on top of the work in
[[[tracking-dnt]]].

The following people, in alphabetical order of their first name, were instrumental
in producing this document:
Amy Guy,
Christine Runnegar,
Dan Appelquist,
Don Marti,
Jonathan Kingston,
Nick Doty,
Peter Snyder,
Sam Weiler,
Tess O'Connor, and
Wendy Seltzer.

</section>

<section class="appendix" id="issue-summary"></section>

</body>
</html>