
PING self review #61

Closed
bduga opened this issue Sep 16, 2019 · 1 comment
Labels
privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response. security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response.

Comments

@bduga

bduga commented Sep 16, 2019

PING Questionnaire for Publication Manifest

The answers below often reference potential to expose information about a user based on the metadata contained in the publication manifest. It should be noted that the same or similar information could be gathered from a user simply reading a publication online using existing web technologies, so it is not clear that this format introduces any new surfaces for gathering PI, PII, or tracking. In addition to the information contained in this spec, there are other technologies it builds upon which are not covered here, including JSON-LD, HTML, CSS, HTTP, and HTTPS.

2.1. What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?
As a data format, this specification does not call for any additional data to be exposed to a web site. While a web site could infer information about a user based on the content of the manifest (for example, an author they may be interested in), that would be true of the content of any web page (for example, a fan page in HTML about that author). WebIDL is used to describe the processing model for the content, but it is not intended to be used to expose information via an API.
2.2. Is this specification exposing the minimum amount of information necessary to power the feature?
There are multiple use cases for the content of this manifest. For instance, it could be delivered directly to a consumer, it could be sent to a digital storefront, or it could be used to archive the content. As such, not all data that could be encapsulated by the format will always be required. However, significant effort was put into determining the least amount of information required to make a publication useful, and only that limited set is required. Only information entered by the author is contained in the format, and authors have full control over what information will be added.
2.3. How does this specification deal with personal information or personally-identifiable information or information derived thereof?
Neither PI nor PII is included in the format. Information about the author(s), content, etc. may be included; however, no mechanism is provided by the specification to include identifiable information automatically.

2.4. How does this specification deal with sensitive information?
This specification does not address how sensitive information should be handled. As a data format, no API is proposed to expose data to the web and therefore no mechanism is proposed to protect such distribution. Information about a personal library, reading habits, or other information gleaned from a publication or group of publications should be considered sensitive information. Since this specification does not address transmission of that data, it is up to existing web standards to provide adequate protections (for example, using https instead of http).
2.5. Does this specification introduce new state for an origin that persists across browsing sessions?
This specification does not directly allow browsers to persist state across sessions. While downloaded content could contain state about a user, no mechanism is provided by the specification for a website to access that downloaded content.
2.6. What information from the underlying platform, e.g. configuration data, is exposed by this specification to an origin?
This specification does not expose any data to an origin. But, see 2.8, below.
2.7. Does this specification allow an origin access to sensors on a user’s device
No.
2.8. What data does this specification expose to an origin? Please also document what data is identical to data exposed by other features, in the same or different contexts.
This specification does not expose any additional information to an origin. Note that it may reference other documents (for example, HTML) that could expose data. Since this specification does not alter the processing model for those other formats, it does not introduce any new data exposure.

2.9. Does this specification enable new script execution/loading mechanisms?
No. It does reference documents (via the manifest) which in turn might enable script loading mechanisms, but this is no different than clicking on a link.
2.10. Does this specification allow an origin to access other devices?
No.
2.11. Does this specification allow an origin some measure of control over a user agent’s native UI?
The specification itself does not provide a mechanism for overriding native UI. It is expected that implementations of this specification could allow such control, but such implementations would simply be web apps, which are not defined by this spec.
2.12. What temporary identifiers might this specification create or expose to the web?
No temporary identifiers are created. A web publication itself has a permanent identifier (see https://www.w3.org/TR/pub-manifest/#canonical-identifier), but no mechanism is provided to expose that to external sites.
2.13. How does this specification distinguish between behavior in first-party and third-party contexts?
This specification does not change the processing model of the resources it references, therefore it does not distinguish between first and third parties. It is possible to create a manifest that references third party resources, but the standard processing models for the relevant formats and protocols handle such context switches. For example, a third-party font could be loaded via first party CSS, or the last item in the reading order could be hosted on another site, which will be handled as any other third party resource or page load by a UA.
2.14. How does this specification work in the context of a user agent’s Private Browsing or "incognito" mode?
Since this specification does not alter the UA processing model for documents, it has no impact on private mode.
2.15. Does this specification have a "Security Considerations" and "Privacy Considerations" section?
Yes.
2.16. Does this specification allow downgrading default security characteristics?
Yes.

PING Questionnaire for the Audiobook Profile of Publication Manifest
Please refer to the Publication Manifest questionnaire for a review of that specification. The answers for this specification are largely the same as this profile is intended to refine the manifest requirements of that specification. It does add a non-normative reference to the Lightweight Packaging Format, but does not define that format. It also adds placeholder sections for privacy and security. Otherwise the answers are the same as for the publication manifest.
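The answers to 2.4 and 2.13 above note that a manifest can reference resources on other origins and that transport protection is left to the underlying web stack (HTTPS rather than HTTP). The script below is an added example, not code from this issue or from the W3C Publication Manifest project, that audits a manifest's readingOrder, resources and links entries for cross-origin and plaintext-HTTP references relative to the publication's base URL. The manifest it runs on is constructed for the example, and the hostnames in it are placeholders.

```python
"""Audit the URLs in a Publication Manifest for cross-origin and
plaintext-HTTP references (the concerns raised in answers 2.4 and 2.13).

Added example; the manifest below is constructed for illustration."""
import json
from urllib.parse import urljoin, urlsplit

# Constructed sample manifest. Its shape follows Publication Manifest
# conventions: readingOrder/resources/links entries are either a bare URL
# string or an object carrying a "url" member. All hosts are placeholders.
SAMPLE_MANIFEST = json.dumps({
    "@context": ["https://schema.org", "https://www.w3.org/ns/pub-context"],
    "type": "Book",
    "id": "urn:isbn:0000000000000",          # placeholder canonical identifier
    "url": "https://publisher.example/books/demo/",
    "name": "Demo Publication",
    "readingOrder": [
        "chapter1.html",
        {"url": "chapter2.html", "encodingFormat": "text/html"},
        {"url": "https://mirror.example.net/demo/chapter3.html"},
    ],
    "resources": [
        "styles/main.css",
        "http://cdn.example.org/fonts/serif.woff2",
    ],
})


def _origin(url):
    """Return (scheme, host, port) for a URL. An explicit default port
    (e.g. https://host:443) is treated as a different origin from the
    implicit one; that is acceptable for an audit that errs on reporting."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def collect_urls(manifest):
    """Yield (section, url) for every URL-bearing entry in the manifest."""
    for section in ("readingOrder", "resources", "links"):
        for entry in manifest.get(section) or []:
            url = entry if isinstance(entry, str) else entry.get("url")
            if url:
                yield section, url


def audit_manifest(manifest_json, base_url=None):
    """Resolve each referenced URL against the publication base and tag it
    with the issues found: "plaintext-http" and/or "cross-origin".

    base_url overrides the manifest's own "url" member; the spec falls back
    to the document URL when "url" is absent, so a caller supplies it then."""
    manifest = json.loads(manifest_json)
    base = base_url or manifest.get("url")
    if not base:
        raise ValueError("no base URL: supply base_url or a manifest 'url'")
    base_origin = _origin(base)

    findings = []
    for section, url in collect_urls(manifest):
        absolute = urljoin(base, url)
        origin = _origin(absolute)
        issues = []
        if origin[0] == "http":
            issues.append("plaintext-http")       # answer 2.4: prefer https
        if origin != base_origin:
            issues.append("cross-origin")         # answer 2.13: third party
        findings.append({"section": section, "url": absolute, "issues": issues})
    return findings


def flagged(findings):
    """Only the entries that carry at least one issue."""
    return [f for f in findings if f["issues"]]


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        tag = ", ".join(f["issues"]) or "ok"
        print(f"{f['section']:12} {f['url']}  [{tag}]")
```

Relative references resolve under the manifest's own origin and are reported clean; the mirrored chapter is reported as cross-origin, and the font loaded over plain HTTP is reported for both issues. Running such a check at publishing time is the point where a publisher can still choose same-origin or HTTPS hosting before readers' UAs fetch the resources.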

@iherman added the privacy-tracker and security-tracker labels Sep 23, 2019
@iherman
Member

iherman commented Sep 4, 2020

Closing the issue, review closed

@iherman iherman closed this as completed Sep 4, 2020