From cd483e4621386323071af668607445b065cf944a Mon Sep 17 00:00:00 2001 From: Jeffrey Yasskin Date: Wed, 8 Nov 2023 14:25:33 -0800 Subject: [PATCH 1/4] Copy-edit the Common Concepts section, except for the Recognition sub-section. --- index.html | 105 ++++++++++++++++++++++++----------------------------- 1 file changed, 47 insertions(+), 58 deletions(-) diff --git a/index.html b/index.html index 92ca83c3..7c33b51a 100644 --- a/index.html +++ b/index.html @@ -2092,14 +2092,15 @@ [=people=] to refer to human beings, as a reminder of their humanity. When we use the term [=user=], it is to talk about the specific [=person=] who happens to be using a given system at that time. -A vulnerable person is a [=person=] who may be unable to -exercise sufficient self-determination in a [=context=]. Amongst other things, they should +A vulnerable person in a particular [=context=] +is a [=person=] whose ability to make their own choices can be taken away more +easily than usual. Among other things, they should be treated with greater default privacy protections and may be considered unable to [=consent=] to various interactions with a system. People can be vulnerable for different reasons, for example because they are children, are employees with respect to their employers, are facing a steep asymmetry of power, are people in some situations of intellectual or psychological impairment, are -refugees, etc. +refugees, etc. See [[[#vulnerability]]]. ## Contexts {#context} 
@@ -2107,58 +2108,46 @@ [=actors=], and which the [=people=] understand as distinct from other [=contexts=]. A [=context=] is not defined in terms of who owns or controls it. Sharing -[=data=] between different [=contexts=] of a single company is +[=data=] between different [=contexts=] of a single company can be a [=privacy violation=], just as if the same data were shared between unrelated [=actors=]. ## Server-Side Actors {#parties} An actor is an entity that a [=person=] can reasonably understand as a single "thing" they're interacting with. [=Actors=] can be [=people=] or collective entities like companies, -associations, or governmental bodies. Uses of this document in a particular domain are expected to -describe how the core concepts of that domain combine into a [=user=]-comprehensible [=actor=], and -those refined definitions are likely to differ between domains. +associations, or governmental bodies. [=User agents=] tend to explain to [=people=] which [=origin=] or [=site=] provided the -web page they're looking at. The [=actor=] that controls this [=origin=] or [=site=] is +web page they're looking at. The [=actor=] that makes or delegates decisions +about the content and [=data processing=] on this [=origin=] or [=site=] is known as the web page's first party. When a [=person=] -interacts with a UI element on a web page, the first party of that interaction -is usually the web page's [=page/first party=]. However, if a different [=actor=] controls -how data collected with -the UI element is used, and a reasonable person with a realistic cognitive budget would realize +interacts with a part of a web page, the first party of that interaction +is usually the web page's [=page/first party=]. 
+However, if a different [=actor=] makes the decisions about how that part of the +page works, and a reasonable person with a realistic cognitive budget would realize that this other [=actor=] has this control, this other [=actor=] is the [=first party=] for the interaction instead. - - -The [=first party=] to an interaction is accountable for the processing of data produced -by that interaction, even if another actor does the processing. +If someone captures data about an interaction with a web page, +the [=first party=] of that interaction is accountable for the way that data is [=processed=], +even if another [=actor=] does the processing. A third party is any [=actor=] other than the [=person=] visiting the website or the [=first parties=] they expect to be interacting with. -The Vegas Rule is a simple implementation of privacy in which "what happens with the -[=first party=] stays with the [=first party=]." Put differently, the [=Vegas Rule=] is followed -when the [=first party=] is the only [=data controller=]. While the [=Vegas Rule=] is a good -guideline, it's neither necessary nor sufficient for [=appropriate=] [=data processing=]. A [=first -party=] that maintains exclusive access to a person's data can still [=process=] it -[=inappropriately=], and there are cases where a third party can learn information about a person -but still treat it [=appropriately=]. - ## Acting on Data {#acting-on-data} We define personal data as any information that is directly or indirectly related to an identified or identifiable [=person=], such as by reference to an -[=identifier=] ([[GDPR]], [[OECD-Guidelines]], [[Convention-108]]). +[=identifier=]. (This matches the [[[GDPR]]], the [[[OECD-Guidelines]]], and the [[[Convention-108]]].) On the web, an identifier of some type is typically assigned for an [=identity=] as seen by a website, which makes it easier for an automated system to store data about that [=person=]. 
+ + If a [=person=] could reasonably be identified or re-identified through the combination of [=data=] with other [=data=], then that [=data=] is [=personal data=]. -Privacy is achieved in a given [=context=] that either involves [=personal data=] or -involves information being presented to [=people=] when the principles of that [=context=] are -followed appropriately. When the principles for that [=context=] are not followed, there is a -privacy violation. Similarly, we say that a particular interaction is -appropriate when the principles are adhered -to) or inappropriate otherwise. +[=People=] have privacy in a given [=context=] when [=actors=] in +that [=context=] follow that [=context=]'s principles when presenting +information and using [=personal data=]. +When the principles for that [=context=] are not followed, there is a +privacy violation. We say that a particular interaction is +appropriate when the principles are followed +or inappropriate otherwise. An [=actor=] processes data if it carries out operations on [=personal data=], whether or not by automated means, such as 
@@ -2192,41 +2183,39 @@ destruction. An [=actor=] shares data if it provides it to any other -[=actor=]. Note that, under this definition, an [=actor=] that provides data to its own +[=data controller=]. Note that, under this definition, an [=actor=] that provides data to its own [=service providers=] is not [=sharing=] it. -An [=actor=] sells data when it [=shares=] it in exchange -for consideration, monetary or otherwise. +An [=actor=] sells data when it [=shares=] the data in exchange +for something of value, even if that value isn't monetary. The purpose of a given [=processing=] of data is an anticipated, intended, or planned outcome of this [=processing=] which is achieved or aimed for within a given -[=context=]. A [=purpose=], when described, should be specific enough to be actionable by -someone familiar with the relevant [=context=] (ie. they could independently determine -[=means=] that reasonably correspond to an implementation of the [=purpose=]). +[=context=]. A [=purpose=], when described, should be specific enough that +someone familiar with the relevant [=context=] could pick some +[=means=] that would achieve the [=purpose=]. -The means are the general method of [=data processing=] through which a given -[=purpose=] is implemented, in a given [=context=], considered at a relatively abstract -level and not necessarily all the way down to implementation details. Example: -a person will have their preferences restored (purpose) by looking up their identifier -in a preferences store (means). +The means is the general way that data is [=processed=] to achieve a particular +[=purpose=], in a given [=context=]. [=Means=] are relatively abstract +and don't specify all the way down to implementation details. For example, for +the [=purpose=] of restoring a person's preferences, the [=means=] could be to +look up their identifier in a preferences store. A data controller is an [=actor=] that determines the [=means=] and [=purposes=] of data processing. 
Any [=actor=] that is not a [=service provider=] is a [=data controller=]. -A service provider or [=data processor=] is considered to be in -the same category of [=first party=] or [=third party=] as the [=actor=] contracting it to -perform the relevant [=processing=] if it: +A service provider or [=data processor=]: -* is processing the data on behalf of that [=actor=]; +* [=processes=] data on behalf of a [=data controller=]; * ensures that the data is only retained, accessed, and used as directed by that - [=actor=] and solely for the list of explicitly-specified [=purposes=] - detailed by the directing [=actor=] or [=data controller=]; + [=data controller=] and solely for the list of explicitly-specified [=purposes=] + detailed by the directing [=data controller=]; * may determine implementation details of the data processing in question but does not determine the [=purpose=] for which the data is being [=processed=] nor the overarching [=means=] through which the [=purpose=] is carried out; * has no independent right to use the data other than in a [=de-identified=] form (e.g., for monitoring service integrity, load balancing, capacity planning, or billing); and, -* has a contract in place with the [=actor=] which is consistent with the above limitations. +* has a contract in place with the [=data controller=] which is consistent with the above limitations. ## Recognition {#recognition} @@ -2270,7 +2259,7 @@ Cross-site recognition is [=recognition=] when the identities are observed on different [=sites=]. In the usual case that the sites are different [=contexts=], -[=cross-site recognition=] is a privacy harm in the same cases as [=cross-context recognition=]. +[=cross-site recognition=] is [=inappropriate=] in the same cases as [=cross-context recognition=]. Same-site recognition is when a single [=site=] [=recognizes=] a [=person=] across two or more visits. From 7d70cefb333cb4c0693b249a717596bdb9a8ddd3 Mon Sep 17 00:00:00 2001 
From: Jeffrey Yasskin Date: Wed, 29 Nov 2023 09:13:55 -0800 Subject: [PATCH 2/4] Take Wendy's suggestion to replace "cognitive budget" Co-authored-by: Wendy Seltzer --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 7c33b51a..7bac7898 100644 --- a/index.html +++ b/index.html @@ -2124,7 +2124,7 @@ interacts with a part of a web page, the first party of that interaction is usually the web page's [=page/first party=]. However, if a different [=actor=] makes the decisions about how that part of the -page works, and a reasonable person with a realistic cognitive budget would realize +page works, and a reasonable person with a realistic amount of time and energy would realize that this other [=actor=] has this control, this other [=actor=] is the [=first party=] for the interaction instead. From 46475a750d2856745065553f178f667a9831790d Mon Sep 17 00:00:00 2001 From: Jeffrey Yasskin Date: Wed, 29 Nov 2023 10:25:39 -0800 Subject: [PATCH 3/4] Undo citation change for personal data. --- index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.html b/index.html index 7bac7898..554056e2 100644 --- a/index.html +++ b/index.html @@ -2140,7 +2140,7 @@ We define personal data as any information that is directly or indirectly related to an identified or identifiable [=person=], such as by reference to an -[=identifier=]. (This matches the [[[GDPR]]], the [[[OECD-Guidelines]]], and the [[[Convention-108]]].) +[=identifier=] ([[GDPR]], [[OECD-Guidelines]], [[Convention-108]]). On the web, an identifier of some type is typically assigned for an [=identity=] as seen by a website, which makes it easier for an automated From 950bcf8453fa883cbc2223d4b231f602dcf45455 Mon Sep 17 00:00:00 2001 From: Jeffrey Yasskin Date: Wed, 29 Nov 2023 10:29:32 -0800 Subject: [PATCH 4/4] Service providers can work for other service providers. --- index.html | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/index.html b/index.html index 554056e2..1eb9db6b 100644 --- a/index.html +++ b/index.html @@ -2206,16 +2206,16 @@ A service provider or [=data processor=]: -* [=processes=] data on behalf of a [=data controller=]; +* [=processes=] data on behalf of another [=actor=]; * ensures that the data is only retained, accessed, and used as directed by that - [=data controller=] and solely for the list of explicitly-specified [=purposes=] - detailed by the directing [=data controller=]; + [=actor=] and solely for the list of explicitly-specified [=purposes=] + detailed by the directing [=actor=]; * may determine implementation details of the data processing in question but does not determine the [=purpose=] for which the data is being [=processed=] nor the overarching [=means=] through which the [=purpose=] is carried out; * has no independent right to use the data other than in a [=de-identified=] form (e.g., for monitoring service integrity, load balancing, capacity planning, or billing); and, -* has a contract in place with the [=data controller=] which is consistent with the above limitations. +* has a contract in place with the [=actor=] which is consistent with the above limitations. ## Recognition {#recognition}
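Review bot: In the first hunk of PATCH 1 (@@ -2092), the new cross-reference `See [[[#vulnerability]]].` depends on a section with `id="vulnerability"` that this diff does not show; confirm the anchor exists so the Bikeshed autolink resolves, otherwise the build will flag a dangling reference. The reworded definition ("ability to make their own choices can be taken away more easily than usual") is fine, but since the list of example reasons now defers to that section, that section should carry the children/employee/power-asymmetry examples so nothing is lost.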
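Review bot: The second hunk of PATCH 1 (@@ -2107) deletes the `Vegas Rule` paragraph, and with it the `<dfn>` that `[=Vegas Rule=]` autolinks elsewhere in index.html point to; the hunk does not touch any of those references, so search the rest of the document for them before merging. The same hunk also drops "Uses of this document in a particular domain are expected to describe how the core concepts of that domain combine into a [=user=]-comprehensible [=actor=]" without a replacement, which is a substantive change rather than a copy-edit; either keep that sentence or say in the commit message why the guidance is no longer wanted.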
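Review bot: In the third hunk of PATCH 1 (@@ -2192), removing "is considered to be in the same category of [=first party=] or [=third party=] as the [=actor=] contracting it" means a service provider now falls under the plain definition of a third party ("any [=actor=] other than the [=person=] ... or the [=first parties=] they expect to be interacting with"); if the intent is still that a service provider inherits its controller's first/third-party status, that sentence needs to stay or be restated. Minor: "The means is the general way ..." is followed by "[=Means=] are relatively abstract", so pick singular or plural for the term and use it consistently.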
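Review bot: PATCH 3 undoes the citation rewording that PATCH 1 introduced in the @@ -2140 region ("(This matches the [[[GDPR]]], ...)" back to "([[GDPR]], [[OECD-Guidelines]], [[Convention-108]])"); squash it into PATCH 1 before merging so the history does not carry a change and its reversal.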
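Review bot: In PATCH 4, the second bullet still reads "solely for the list of explicitly-specified [=purposes=] detailed by the directing [=actor=]", but once the directing actor may itself be a service provider, the third bullet says that actor "does not determine the [=purpose=]", so it cannot be the origin of those purposes. Suggest tying the purposes to the controller at the top of the chain, for example "the [=purposes=] specified by the [=data controller=] on whose behalf the data is being [=processed=]" (suggested wording, not from the patch). It is also worth a sentence making explicit what now only follows from PATCH 1's definition of [=sharing=] (providing data to another [=data controller=]): a service provider passing data to its own sub-processor is not [=sharing=] it.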