Privacy Principles

A person's autonomy is their ability to make decisions of their own personal will, without undue influence from other actors. People have limited intellectual resources and time with which to weigh decisions, and they have to rely on shortcuts when making decisions. This makes it possible to manipulate their preferences, including their privacy preferences ([Privacy-Behavior], [Digital-Market-Manipulation]). A person's autonomy is improved by a system when that system offers a shortcut that is closer to what that person would have decided given unlimited time and intellectual ability. Autonomy is decreased when a similar shortcut goes against decisions made under these ideal conditions.

Affordances and interactions that decrease autonomy are known as deceptive patterns (or dark patterns). A deceptive pattern does not have to be intentional ([Dark-Patterns], [Dark-Pattern-Dark]). When building something that may impact people's autonomy, it is important that reviewers from multiple independent perspectives check that it does not introduce deceptive patterns.

Given the large volume of potential data-related decisions in today's data economy, it is impossible for people to have detailed control over how their data is processed. This fact does not imply that privacy is dead. Studies show that people remain concerned over how their data is processed, that they feel powerless, and sense that they have lost agency ([Privacy-Concerned]). If we design our technological infrastructure carefully, we can give people greater autonomy with respect to their own data. This is done by setting appropriate, privacy-protective defaults and designing user-friendly choice architectures.

Sometimes particular groups of people, such as children, or the elderly, are classified as vulnerable people. However, any person could be vulnerable in one or more contexts, sometimes without realizing it. A person may not realise when they disclose personal data that they are vulnerable or could become vulnerable, and an actor may have no way of knowing that a person is vulnerable. System designers should consider this in their system designs.

Some individuals may be more vulnerable to privacy risks or harm as a result of collection, misuse, loss, or theft of personal data because:

• of their attributes, interests, opinions, or behaviour;
• of the situation or setting (e.g. where there is information asymmetry or other power imbalances);
• they lack the capacity to fully assess the risks;
• choices are not presented in an easy-to-understand meaningful way (e.g. deceptive patterns);
• they have not been consulted about their privacy needs and expectations;
• they have not been considered in the decisions about the design of the product or service.

Additional privacy protections may be needed for personal data of vulnerable people or sensitive information which could cause someone to become vulnerable if their personal data is collected, used, or shared (e.g. blocking tracking elements, sensor data, or information about installed software or connected devices).

While sometimes others can help vulnerable people assess privacy risks and make decisions about privacy (such as parents, guardians, and peers), everyone has their own right to privacy.

Privacy principles are defined through social processes and, because of that, the applicable definition of privacy in a given context can be contested ([Privacy-Contested]). This makes privacy a problem of collective action ([GKC-Privacy]). Group-level data processing may impact populations or individuals, including in ways that people could not control even under the optimistic assumptions of consent. For instance, it's possible that the only thing that a person is willing to reveal to a particular actor is that they are part of a given group. However, other members of the same group may be interacting with the same actor and revealing a lot more information, which can enable effective statistical inferences about people who refrain from providing information about themselves.

What we consider is therefore not just the relation between the people who share data and the actors that invite that sharing ([Relational-Turn]), but also between the people who may find themselves categorised indirectly as part of a group even without sharing data. One key understanding here is that such relations may persist even when data is de-identified. What's more, such categorisation of people, voluntary or not, changes the way in which the world operates. This can produce self-reinforcing loops that can damage both individuals and groups ([Seeing-Like-A-State]).

In general, collective issues in data require collective solutions. Web standards help with data governance by defining structural controls in user agents, ensuring that researchers and regulators can discover group-level abuse, and establishing or delegating to institutions that can handle issues of privacy. Governance will often struggle to achieve its goals if it works primarily by increasing individual control instead of by collective action.

Collecting data at large scales can have significant pro-social outcomes. Problems tend to emerge when actors process data for collective benefit and for disloyal purposes at the same time. The disloyal purposes are often justified as bankrolling the pro-social outcomes but this requires collective oversight to be appropriate.

A user agent acts as an intermediary between a person (its user) and the web. User agents implement, to the extent possible, the principles that collective governance establishes in favour of individuals. They seek to prevent the creation of asymmetries of information, and serve their user by providing them with automation to rectify automation asymmetries. Where possible, they protect their user from receiving intrusive messages.

The user agent is expected to align fully with the person using it and to operate exclusively in that person's interest. It is not the first party. The user agent serves the person as a trustworthy agent: it always puts that person's interest first. In some occasions, this can mean protecting that person from themselves by preventing them from carrying out a dangerous decision, or by slowing down the person in their decision. For example, the user agent will make it difficult for someone to connect to a site if it can't verify that the site is authentic. It will check that that person really intends to expose a sensitive device to a page. It will prevent that person from consenting to the permanent monitoring of their behaviour. Its user agent duties include ([Taking-Trust-Seriously]):

Duty of Protection

Protection requires user agents to actively protect their user's data, beyond simple security measures. It is insufficient to just encrypt at rest and in transit. The user agent must also limit retention, help ensure that only strictly necessary data is collected, and require guarantees from any actor that the user agent can reasonably be aware that data is shared to.

Duty of Discretion

Discretion requires the user agent to make best efforts to enforce principles by taking care in the ways it discloses the personal data that it manages. Discretion is not confidentiality or secrecy: trust can be preserved even when the user agent shares some personal data, so long as it is done in an appropriately discreet manner.

Duty of Honesty

Honesty requires that the user agent give its user information of which the user agent can reasonably be aware, that is relevant to them and that will increase their autonomy, as long as they can understand it and there's an appropriate time to do so. This is almost never when the person is trying to do something else such as read a page or activate a feature. The duty of honesty goes well beyond that of transparency that is often included in older privacy regimes. Unlike transparency, honesty can't hide relevant information in complex legal notices and it can't rely on very short summaries provided in a consent dialog. If the person has provided consent to processing of their personal data, the user agent should inform the person of ongoing processing, with a level of obviousness that is proportional to the reasonably foreseeable impact of the processing.

Duty of Loyalty

Because the user agent is a trustworthy agent, it is held to be loyal to the person using it in all situations, including in preference to the user agent's implementer. When a user agent carries out processing that is detrimental to its user's interests and instead benefits another actor, this is disloyal. Often this would benefit the user agent itself, in which case it is known as "self-dealing". Behaviour can be disloyal even if it is done at the same time as processing that is in the person's interest, what matters is that it potentially conflicts with that person's interest. Additionally, it is important to keep in mind that additional processing almost always implies additional risk. Therefore processing that is not explicitly in a user's interest is likely to be disloyal. Disloyalty is always inappropriate.

These duties ensure the user agent will care for its user. In academic research, this relationship with a trustworthy agent is often described as "fiduciary" ([Fiduciary-Law], [Fiduciary-Model], [Taking-Trust-Seriously]; see [Fiduciary-UA] for a longer informal discussion). Some jurisdictions may have a distinct legal meaning for "fiduciary." ([Fiduciary-Law])

Many of the principles described in the rest of this document extend the user agent's duties and make them more precise.

While privacy principles are designed to work together and support each other, occasionally a proposal to improve how a system follows one privacy principle may reduce how well it follows another principle.

Once one is choosing between different designs at the Pareto frontier, the choice of which privacy principles to prefer is complex and depends heavily on the details of each particular situation. Note that people's privacy can also be in tension with non-privacy concerns. As discussed in the W3C TAG Ethical Web Principles, "it is important to consider the context in which a particular technology is being applied, the expected audience(s) for the technology, who the technology benefits and who it may disadvantage, and any power dynamics involved" ([Ethical-Web]). Despite this complexity, there is a basic ground rule to follow:

It is attractive to say that if someone violates the rules of a service they're using, then they sacrifice a proportionate amount of their privacy protections, but

1. Often the service can only prevent the rule violation by also collecting data from innocent users. This extra collection is not always appropriate, especially if it allows pervasive monitoring ([RFC7258], [RFC7687]).
2. If a service operator wants to collect some extra data, it can be tempting for them to define rules and proportionality that allow them to do so.

The following examples illustrate some of the tensions:

A person's identity is the set of characteristics that define them. Their identity in a context is the set of characteristics they present under particular circumstances.

People can present different identities to different contexts, and can also share a single identity across several different contexts.

People may wish to present an ephemeral or anonymous identity. This is a set of characteristics that is too small or unstable to be useful for following them through time.

A person's identities may often be distinct from whatever legal identity or identities they hold.

In some circumstances, the best way for a user agent to uphold this principle is to prevent recognition (e.g. so that one site can't learn anything about its user's behavior on another site).

In other circumstances, the best way for a user agent to uphold this principle is to support recognition (e.g. to help its user prove to one site that they have a particular identity on another site).

Similarly, a user agent can help its user by preventing or supporting recognition across repeat visits to the same site.

User agents should do their best to distinguish contexts within a site and adjust their partitions to prevent or support recognition across those intra-site contexts according to their users' wishes.

Data minimization limits the risks of data being disclosed or misused. It also helps user agents and other actors more meaningfully explain the decisions their users need to make. For more information, see Data Minimization in Web APIs.

The principle of data minimization applies to all personal data, even if it is not known to be identifying, sensitive, or otherwise harmful. See: 2.4 Sensitive Information.

The many APIs available to websites expose lots of data that can be combined into information about people, web servers, and other things.

User-controlled settings or permissions can guard access to data on the web. When designing a web API, use access guards to ensure the API exposes information in appropriate ways.

New APIs which add new ways of getting information must be guarded at least as strongly as the existing ways.

Information that would be acceptable to expose under one set of access guards might be unacceptable under another set. When an API designer intends to explain that their new API is acceptable because an existing acceptable API already exposes the same information, they must be careful to ensure that their new API is only available under a set of guards that are at least as strict. Without those guards, they need to make the argument from scratch, without relying on the existing API.

If existing APIs provide access to some information, but there is a plan to change those APIs to prevent that access, new APIs must not be added that provide that same information, unless they include additional access guards that ensure access is appropriate.

For example, browsers are gradually removing the ability to join identities between different partitions. It is important that new APIs do not add features which re-enable cross-context recognition.

Many pieces of information about someone could cause privacy harms if disclosed. For example:

• Their location.
• Language preferences.
• Any identifiers associated with them.
• Video or audio from their camera or microphone.
• The content of certain files on their filesystem.
• Financial data.
• Contacts.
• Calendar entries.
• Whether they are using assistive technology.

A particular piece of information may have different sensitivity for different people. People can become vulnerable if sensitive information about them is, or is likely to be, exposed; see 1.2 Vulnerability.

While data rights alone are not sufficient to satisfy all privacy principles for the web, they do support self-determination and help improve accountability. Such rights include:

• The right to access data about oneself.

This right includes both being able to review what information has been collected or inferred about oneself and being able to discover what actors have collected information about oneself. As a result, databases containing information about people cannot be kept secret, and data collected about people needs to be meaningfully discoverable by those people.

• The right to erase data about oneself.

A person has a right to erase information about themselves whether or not they are terminating use of a service altogether, though what data can be erased may differ between those two cases. On the web, a person may wish to erase data on their device, on a server, or both, and the data's location may not always be clear to the person.

• The right to port data, including data one has stored with another actor, so it can easily be reused or transferred elsewhere.

Portability is needed to support a person's ability to make choices about services with different data practices. Standards for interoperability are essential for effective re-use. Porting user data involves security and privacy risks described in [Portability-Threat-Model].

• The right to correct data about oneself, to ensure that one's identity is properly reflected in a system.

• The right to be free from automated decision-making based on data about oneself.

For some kinds of decision-making with substantial consequences, there is a privacy interest in being able to exclude oneself from automated profiling. For example, some services may alter the price of products (price discrimination) or offers for credit or insurance based on data collected about a person. Those alterations may be consequential (financially, say) and objectionable to people who believe those decisions based on data about them are inaccurate or unjust. As another example, some services may draw inferences about a user's identity, humanity, or presence based on facial recognition algorithms run on camera data. Because facial recognition algorithms and training sets are fallible and may exhibit certain biases, people may not wish to submit to decisions based on that kind of automated recognition.

• The right to object, withdraw consent, and restrict use of data about oneself.

People may change their decisions about consent or may object to subsequent uses of data about themselves. Data rights mean that a person needs to have ongoing control, not just a choice at the time of collection.

The OECD Privacy Principles [OECD-Guidelines], [Records-Computers-Rights], and the [GDPR], among other places, describe many of the rights people have as data subjects. These participatory rights by people over data about themselves are inherent to autonomy.

Data is de-identified when there exists a high level of confidence that no person described by the data can be identified, directly or indirectly (e.g. via association with an identifier, user agent, or device), by that data alone or in combination with other available information. Note that further considerations relating to groups are covered in the Collective Issues in Privacy section.

We talk of controlled de-identified data when:

1. The state of the data is such that the information that could be used to re-identify an individual has been removed or altered, and
2. there is a process in place to prevent attempts to re-identify people and the inadvertent release of the de-identified data. ([De-identification-Privacy-Act])

Different situations involving controlled de-identified data will require different controls. For instance, if the controlled de-identified data is only being processed by one actor, typical controls include making sure that the identifiers used in the data are unique to that dataset, that any person (e.g. an employee of the actor) with access to the data is barred (e.g. based on legal terms) from sharing the data further, and that technical measures exist to prevent re-identification or the joining of different data sets involving this data.

In general, the goal is to ensure that controlled de-identified data is used in a manner that provides a viable degree of oversight and accountability such that technical and procedural means to guarantee the maintenance of pseudonymity are preserved.

This is more difficult when the controlled de-identified data is shared between several actors. In such cases, good examples of typical controls that are representative of best practices would include making sure that:

• the identifiers used in the data are under the direct and exclusive control of the first party (the actor a person is directly interacting with) who is prevented by strict controls from matching the identifiers with the data;

• when these identifiers are shared with a third party, they are made unique to that third party such that if they are shared with more than one third party these cannot then match them up with one another;

• there is a strong level of confidence that no third party can match the data with any data other than that obtained through interactions with the first party;

• any third party receiving such data is barred (e.g. based on legal terms) from sharing it further;

• technical measures exist to prevent re-identification or the joining of different data sets involving this data; and

• there exist contractual terms between the first party and third party describing the limited purpose for which the data is being shared.

Note that controlled de-identified data, on its own, is not sufficient to make data processing appropriate.

Privacy principles are often defined in terms of extending rights to individuals. However, there are cases in which deciding which principles apply is best done collectively, on behalf of a group. Collective decision-making should be considered:

• When information is about membership in a group or about a group's behaviour. As Brent Mittelstadt explains, “Algorithmically grouped individuals have a collective interest in the creation of information about the group, and actions taken on its behalf.” ([Individual-Group-Privacy]) As 1.3.1 Group Privacy discusses, an individual's permission isn't enough to support the autonomy of other members of the group.
• When individuals can't realistically be expected to make informed decisions. This can happen when data processing is complex or requests to process data happen very frequently.
• When individuals have systematically less power than the organizations asking them to agree to data processing ([Relational-Turn]).
• When the data processing is unjust at a societal level even if an individual remains anonymous ([Relational-Governance]).

Different forms of collective decision-making are legitimate depending on what data is being processed. These forms might be governmental bodies at various administrative levels, standards organisations, worker bargaining units, or civil society fora. Even though collective decision-making can be better than offloading privacy labour to individuals, it is not a panacea. Decision-making bodies need to be designed carefully, for example using the Institutional Analysis and Development framework.

Computing devices have administrators, who have privileged access to the devices in order to install and configure the programs that run on them. The owner of a device can authorize an administrator to administer the whole device. Some user agent implementations can also assign an administrator to manage a particular user agent based on the account that's logged into it.

Sometimes the person using a device doesn't own the device or have administrator access to it (e.g. an employer providing a device to an employee; a friend loaning a device to their guest; or a parent providing a device to their young child). Other times, the owner and primary user of a device might not be the only person with administrator access.

These relationships can involve power imbalances. A child may have difficulty accessing any computing devices other than the ones their parent provides. A victim of abuse might not be able to prevent their partner from having administrator access to their devices. An employee might have to agree to use their employer's devices in order to keep their job.

While a device owner has an interest and sometimes a responsibility to make sure their device is used in the ways they intended, the person using the device still has a right to privacy while using it. This principle enforces this right to privacy in two ways:

1. User agent developers need to consider whether requests from device owners and administrators are reasonable, and refuse to implement unreasonable requests, even if that means fewer sales. Owner/administrator needs do not supersede user needs in the priority of constituencies.
2. Even when information disclosure is reasonable, the person whose data is being disclosed needs to know about it so that they can avoid doing things that would lead to unwanted consequences.

Some administrator requests might be reasonable for some sorts of users, like employees or children, but not be reasonable for other sorts, like friends or intimate partners. The user agent should explain what the administrator is going to learn in a way that helps different users to react appropriately.

Digital abuse is the mistreatment of a person through digital means. Online harassment is the "pervasive or severe targeting of an individual or group online through harmful behavior" [PEN-Harassment] and constitutes a form of abuse. Harassment is a prevalent problem on the web, particularly via social media. While harassment may affect any person using the web, it may be more severe and its consequences more impactful for LGBTQ people, women, people in racial or ethnic minorities, people with disabilities, vulnerable people and other marginalized groups.

Harassment is both a violation of privacy itself and can be enabled or exacerbated by other violations of privacy.

Harassment may include: sending unwanted information; directing others to contact or bother a person ("dogpiling"); disclosing sensitive information about a person; posting false information about a person; impersonating a person; insults; threats; and hateful or demeaning speech.

Disclosure of identifying or contact information (including "doxxing") can often be used to cause additional attackers to send persistent unwanted information that amounts to harassment. Disclosure of location information can be used to intrude on a person's physical safety or space.

Reporting mechanisms are mitigations, but may not prevent harassment, particularly in cases where hosts, moderators, or other intermediaries are supportive of or complicit in the abuse.

Effective reporting is likely to require:

• standardized mechanisms to identify abuse reporting contacts;
• sites and user agents to provide visible and usable ways to report abuse;
• identifiers to refer to senders and content;
• the ability to provide context and explanation of harms;
• people responsible for promptly responding to reports;
• tools for pooling mitigation information (see Example 13).

Unwanted information covers a broad range of unsolicited communication, from messages that are typically harmless individually but that become a nuisance in aggregate (spam) to the sending of explicit, graphic, or violent images.

System designers should take steps to make the sending of unwanted information more difficult or more costly, and to make the senders more accountable.

Features that are designed-for-purpose facilitate these principles by providing functionality that is only or primarily useful for a particular purpose. Designed-for-purpose features make it easier to explain the purpose to people, and may also limit the feasible secondary uses of data. When building a designed-for-purpose feature, consider tradeoffs between high and low-level APIs.

Controlled de-identified data may be used for additional purposes in ways that are compatible with the specified purpose.

Transparency is a necessary, but insufficient, condition for consent. Relevant explanatory information includes who is accessing data, what data is accessed (including the potential inferences or combinations of such data) and how data is used. For transparency to be meaningful to people, explanatory information must be provided in the relevant context.

Machine-readable presentation of privacy-relevant practices is necessary for user agents to be able to help people make general decisions, rather than relying falsely on the idea that people can or want to read documentation before every visit to a web site. Machine-readable presentation also facilitates collective governance by making it more feasible for researchers and regulators to discover, document, and analyze data collection and processing to identify cases in which it may be harmful.

Easily accessible, plain language presentation of privacy-relevant practices is necessary for people to be able to make informed decisions in specific cases when they choose to do so. Sites, user agents, and other actors all may need to present privacy-relevant practices to people in accessible forms.

Non-transparent methods of recognition are harmful in part because they are not visible to the user, which undermines user control [UNSANCTIONED-TRACKING]. Designing features that minimize data and make requests for data explicit can enable detectability, a kind of transparency that is an important mitigation for browser fingerprinting.

Attempts to obtain consent to processing that is not in accordance with the person's true preferences result in imposing unwanted privacy labour on the person, and may result in people erroneously giving consent that they regret later.

An actor should not prompt a person for consent if the person is unlikely to have sufficient information to make an informed decision to consent or not. In considering whether or not a person is sufficiently informed to be asked for consent, actors should be realistic in assessing how much time and effort would be required to understand the processing for which they are asking for consent. Simply providing a link to a complex policy is unlikely to mean that the person is informed.

Examples of alternatives to interrupting users with consent requests include:

• Considering the information sharing norms in the site's audience and category, and requesting only consent that is appropriate to the purpose of the site. (For example, a photo sharing site's users might expect to be prompted for consent to share their uploaded work.) Sites should consider conducting user research on people's expectations for how data is processed.

• Relying on a global opt-out signal from the user agent.

• Delaying a prompt for consent until a user does something that puts the request in context, which will also help them give an informed response.

A person may share data about other people (e.g. a picture with both that person and others). If that person consents to the processing of that data, this does not imply that those other people have consented as well.

Notifications and other interruptive UI can be a powerful way to capture attention. Depending on the operating system in use, a notification can appear outside of the browser context (for example, in a general notifications tray) or even cause a device to buzz or play an alert tone. Like all powerful features, notifications can be misused and can become an annoyance or even used to manipulate behaviour and thus reduce autonomy.

Whenever people have the ability to cause an actor to process less of their data or to stop carrying out some given set of data processing that is not essential to the service, they must be allowed to do so without the actor retaliating, for instance by artificially removing an unrelated feature, by decreasing the quality of the service, or by trying to cajole, badger, or trick the person into opting back into the processing.

Note that because data is valuable, some sites offer an informed, free, and fair exchange of appropriate user information for original content that the site created or paid for the creation of. If a user chooses not to participate in such an exchange, denying them access to the site is not retaliation.

Actors can invest time and energy into automating ways of gathering data from people and can design their products in ways that make it a lot easier for people to disclose information than not, whereas people typically have to manually wade through options, repeated prompts, and deceptive patterns. In many cases, the absence of data — when a person refuses to provide some information — can also be identifying or revealing. Additionally, APIs can be defined or implemented in rigid ways that can prevent people from accessing useful functionality. For example, I might want to look for restaurants in a city I will be visiting this weekend, but if my geolocation is forcefully set to match my GPS, a restaurant-finding site might only allow searches in my current location. In other cases, sites do not abide by data minimisation principles and request more information than they require. This principle supports people in minimising their own data.

User agents should make it simple for people to present the identity they wish to and to provide information about themselves or their devices in ways that they control. This helps people to live in obscurity ([Lost-In-Crowd], [Obscurity-By-Design]), including by obfuscating information about themselves ([Obfuscation]).

Instead, the API could indicate a person's preference, a person's chosen identity, a person's query or interest, or a person's selected communication style.

Sites should include deception in their threat modeling and not assume that web platform APIs provide any guarantees of consistency, currency, or correctness about the user. People often have control of the devices and software they use to interact with web sites. In response to site requests, people may arbitrarily modify or select the information they provide for a variety of reasons, including both malice and self-protection.

In any rare instances when an API must be defined as returning true current values, users may still configure their agents to respond with other information, for reasons including testing, auditing or mitigating forms of data collection, including browser fingerprinting.