As privacy concerns become top-of-mind for web developers and systems engineers around the world, privacy standardization efforts become more important. The World Wide Web Consortium and the Institute of Electrical and Electronics Engineers are leaders in this domain, assisting privacy professionals by drafting standards and other reference material to ensure compliance with global privacy regulations and advocating for privacy best practices. Parts one and two of this article series explore other standardization bodies.
Privacy in web development
W3C was founded in 1994 — fittingly by Tim Berners-Lee, inventor of the World Wide Web — with a mission to "lead the World Wide Web to its full potential." The bulk of its privacy work is spearheaded by the Privacy Interest Group. Besides standardization efforts, the W3C’s privacy activity also includes hosting workshops and providing expert analysis on privacy by design as it relates to web development. Unlike many other standards organizations, the W3C provides all of its publications free of charge.
Every W3C publication goes through a well-documented public process before being officially adopted by the organization.
To develop a standard, which the W3C refers to as a "recommendation," a working group made up of a small panel of experts on a particular issue begins developing a technical report on the recommendation track. These technical reports have multiple levels of drafting and review before culminating in the publishing of the document as an official W3C recommendation.
Working groups, as well as other groups in the organization, can also develop documents on the note track. Notes are intended to provide cogent information about related W3C standards developments or implementations but are not formal W3C recommendations. As such, there are fewer formal requirements to publish notes, though they can go through similar review processes to become W3C statements, which is the highest maturity level of a note. According to its database, the W3C has published upwards of 1,300 documents since its inception. Of these, 12 are marked as relating to privacy and remain current.
A W3C note on Privacy Principles
By far the most comprehensive resource is a draft note on Privacy Principles. The document, while not an official W3C recommendation, lists privacy best practices for web developers to implement in their products, including data minimization practices, consent and opt-out procedures, and effective user agent integration. According to the W3C, since web applications collect so much data about users and easily process it to gain increasingly valuable insights, an inherent power imbalance exists between the user and the data processor. The note's prescription, therefore, is a strong, robust and widely adopted set of privacy principles.
Thank your user agent
Much of the discussion in the draft note on Privacy Principles regards the importance of a responsible user agent and the role of such an agent in maintaining the privacy of the user. According to the note, "the user agent acts as an intermediary between a person (its user) and the web (and seeks to) implement, to the extent possible, the principles that collective governance establishes in favour of individuals." Web browsers like Chrome, Microsoft Edge and Firefox, as well as email clients like Outlook and Thunderbird are all examples of user agents. A user agent should act as a fiduciary for its user by helping them ensure privacy principles are enacted when browsing the web.
The note sets out four duties of the user agent as it relates to privacy.
- Duty of protection: The user agent should actively protect their user’s data to the greatest extent possible by limiting the collection, retention and sharing of user data.
- Duty of discretion: The user agent should support best practice in privacy by securely and discreetly sharing the personal data that it manages.
- Duty of honesty: The user agent should be as honest to the user as it reasonably can be when user data is being processed in some way. This does not just rely on transparency buried in a privacy notice about processing, but also obviousness and foreseeable impact of the processing.
- Duty of loyalty: The user agent should be held loyal to the user and avoid processing that is not in the interest of the user.
You can thank your user agent the next time you are warned about visiting an unsafe website, for example.
Data rights and data minimization
The note views data rights as an extension of individual autonomy and enumerates six specific rights web developers should consider when designing web applications. Users should have the right to access, erase, port, correct and restrict the use of data about themselves, as well as to be free from automated decision-making based on it.
The principle on extra data collection echoes the data minimization and purpose limitation statements found in Article 5 of the EU General Data Protection Regulation and the "minimum necessary" standard of the U.S. Health Insurance Portability and Accountability Act. The principle on deidentified data parallels Recital 26 of the GDPR, under which data that can no longer be tied to a person falls outside the regulation entirely (pseudonymized data, by contrast, remains personal data under Recital 26), so processors should work with deidentified data whenever the purpose allows. Consent is also explicitly framed as a process that must be truthful about what it is asking the user to agree to, in the spirit of the "clear and plain language" directive of Recital 42 of the GDPR. The note defines data as deidentified when, “there exists a high level of confidence that no person described by the data can be identified, directly or indirectly.”
The note culminates in a set of principles, many of which align with existing privacy regulations. Several of the principles discuss responsible privacy implementations of application programming interfaces, user agents and consent controls. While not a standard in the typical sense, or by W3C terminology, this draft note is arguably one of the most helpful resources for web developers looking for privacy standardization documentation and guidance.
The W3C has two privacy recommendations. The first standardizes the syntax and data model of decentralized identifiers. Known commonly as DIDs, they give developers a way to maintain digital identities without relying on a central database, as federated identity systems do. The W3C also provides related notes that expand on the implementation of DIDs with support material.
The second recommendation is a standardized version of a Verifiable Credentials Data Model, which provides a way to express credentials, e.g., government-issued IDs and educational certificates, on the Web, "in a way that is cryptographically secure, privacy respecting, and machine-verifiable." The recommendation contains an entire section on privacy considerations for implementing the model into production, emphasizing the nature of privacy protective measures as a sliding scale depending on the use case.
Consider someone buying an age-restricted product online. The model allows an age-verification process without disclosing dates of birth in two ways, depending on the model implementation:
- Issuers could offer specific verifiable credentials that contain whether a subject meets a specific age requirement, i.e., offering age verifiable credentials instead of date of birth credentials.
- The online service could query the relevant verifiable credential, e.g., a government-issued ID, to determine if the subject meets age requirements. The query will only respond with a yes or no.
The recommendation notes the entire model relies on a high degree of trust in the entity that issues the credentials. In turn, issuers should ensure they use a combination of privacy protections — like zero-knowledge proofs, data minimization techniques and usage pattern obfuscation — in their implementation of the model. Version 2.0 of the model is currently in working draft status and contains minor editorial updates alongside technical updates to some of the implementation advice. The working group is also developing a recommendation for verifying the authenticity and integrity of credentials via cryptography.
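The age-verification flow described above turns on selective disclosure: the holder reveals one claim ("is over 18") while the issuer's signature still covers the whole credential. The following Python example, added here and not taken from the W3C recommendation or any of its implementations, shows the mechanics with salted claim digests: the issuer signs only a list of per-claim digests, the holder discloses the salt and value of the claims it chooses, and the verifier checks the signature and recomputes the digests. The HMAC "proof", the `did:example:issuer` identifier and the claim names are assumptions made for the demo; a real deployment would use one of the Data Integrity proof suites the working group is standardizing, with the verifier holding only the issuer's public key.

```python
import hashlib
import hmac
import json
import secrets

# Assumption for the demo: a shared secret stands in for the issuer's signing key.
# In a real Verifiable Credential the proof is a public-key signature the
# verifier checks with the issuer's published key.
ISSUER_KEY = b"constructed-issuer-key-for-demo"


def _canonical(obj):
    """Deterministic JSON serialization so issuer and verifier sign/verify identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(salt, name, value):
    """Salted commitment to one claim; the salt stops a verifier from guessing small values."""
    return hashlib.sha256(_canonical([salt, name, value])).hexdigest()


def issue_credential(subject_claims, issuer_key=ISSUER_KEY):
    """Issuer: commit to each claim with a salted digest and sign only the digest list.

    Returns the credential (safe to show to anyone) and the holder-only disclosures
    {claim name: (salt, value)} needed to open individual commitments later.
    """
    disclosures = {}
    digests = []
    for name, value in subject_claims.items():
        salt = secrets.token_hex(16)
        disclosures[name] = (salt, value)
        digests.append(_digest(salt, name, value))
    credential = {
        "@context": ["https://www.w3.org/ns/credentials/v2"],
        "type": ["VerifiableCredential", "AgeCredential"],  # hypothetical credential type
        "issuer": "did:example:issuer",                      # hypothetical issuer DID
        "credentialSubject": {"_sd": sorted(digests)},      # digests only, no plaintext claims
    }
    credential["proof"] = {
        "type": "HmacStandInProof",  # assumption: stand-in for a real Data Integrity suite
        "value": hmac.new(issuer_key, _canonical(credential), "sha256").hexdigest(),
    }
    return credential, disclosures


def present(credential, disclosures, reveal):
    """Holder: hand over the signed credential plus only the claims chosen for disclosure."""
    return {"credential": credential, "disclosed": {n: disclosures[n] for n in reveal}}


def verify_presentation(presentation, issuer_key=ISSUER_KEY):
    """Verifier: check the issuer's proof, then check each disclosed claim against its digest.

    Returns the dict of verified disclosed claims, or None if anything fails.
    """
    cred = dict(presentation["credential"])
    proof = cred.pop("proof", None)
    if proof is None:
        return None
    expected = hmac.new(issuer_key, _canonical(cred), "sha256").hexdigest()
    if not hmac.compare_digest(proof["value"], expected):
        return None
    committed = set(cred["credentialSubject"]["_sd"])
    claims = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in committed:
            return None  # disclosure does not open any commitment the issuer signed
        claims[name] = value
    return claims


def can_buy_age_restricted(presentation):
    """The online service's whole decision: a verified yes/no, never a date of birth."""
    claims = verify_presentation(presentation)
    return bool(claims) and claims.get("ageOver18") is True


if __name__ == "__main__":
    # Constructed sample subject; only ageOver18 ever leaves the holder's device.
    cred, disc = issue_credential({"birthDate": "1990-05-01", "ageOver18": True, "name": "Example Holder"})
    pres = present(cred, disc, ["ageOver18"])
    print(verify_presentation(pres), can_buy_age_restricted(pres))
```

The verifier never sees `birthDate` or `name`: the credential carries only their digests, and a disclosure that was not signed by the issuer (a wrong salt, a changed value, or a credential edited after signing) fails verification rather than being accepted.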
IEEE is a nonprofit formed in 1963 after the merger of two other professional associations, the Institute of Radio Engineers and the American Institute of Electrical Engineers. Today, it has one of the largest membership bases in the world. It provides nonbinding standards (though government entities can adopt IEEE standards as their national standards), conferences and other professional development activities for engineering, computing and technology, all with the aim of “advancing technology for the benefit of humanity.”
Standards — of which IEEE has developed almost 1,300 — go through a six-step process. First, spurred by an idea from a member of the technical community, responsibility for the project is assumed by the relevant IEEE standards committee. Interested members work to develop a project authorization request to gain the IEEE’s permission to move forward in developing the standard. Step two is the formation of the working group, which has a role similar to that of a W3C working group in that it is the body ultimately responsible for drafting the standard. IEEE working groups are open groups and can be joined by any individual. Step three marks the beginning of the drafting process, where the standard is written and edited by the various IEEE stakeholders. Fourth, the standard is balloted and passes if it is approved by at least 75% of a balloting committee composed of interested stakeholders selected by IEEE. Fifth, final approval is given through the IEEE Standards Review Committee. Sixth, the standard is maintained: once approved it is valid for 10 years, and minor changes can be made within that period in the form of amendments submitted to and approved by the IEEE Standards Association Standards Board. At the end of its 10-year lifecycle the standard must either be revised (in order to be renewed) or withdrawn.
IEEE Privacy Standards
Many of the IEEE standards that relate to privacy are for specific use-cases (e.g., motor vehicle event data recorders or encryption for shared storage media), but there are a few with broader appeal. The standard on Data Privacy Process, IEEE 7002-2022, is relevant for anyone who is "developing and deploying products, systems, processes, and applications that involve personal information." It differentiates itself from common privacy-focused International Organization for Standardization standards in this way, as IEEE 7002 is meant for development teams whereas ISO standards are commonly geared for privacy teams.
The standard also establishes guidelines for a risk control cycle and a systems development life cycle. Risks should be identified using privacy impact assessments or data protection impact assessments and responded to in one of four ways: implementing control or mitigation efforts, transferring accountability to another authority, avoiding or removing the risk from the system entirely, or accepting the risk without a response to it.
The systems development life cycle section details how data privacy should be considered in each step of a product’s development. The standard highlights six "phase gates" that help identify and manage privacy requirements and controls. Notably, these gates exist to integrate privacy by design: failure to meet the requirement at one gate can send the system back several gates, depending on the privacy issue.
Privacy pros may also take interest in the standard on biometric privacy, IEEE 2410-2021. Sponsored by the Edge, Fog, Cloud Communications with IoT and Big Data Standards Committee, IEEE 2410 lays out all the components necessary to build biometric authentication systems, as opposed to using a traditional password, while maintaining adherence to common privacy regulations. Implementation of the standard relies on the use of fully homomorphic encryption, a privacy-enhancing technology the IAPP covered previously. Conventional encryption hides the plaintext completely, so two ciphertexts cannot be compared for "closeness" without first decrypting them, which would expose the stored biometric template; that makes such schemes unusable for matching. Homomorphic encryption allows the distance between a freshly scanned face and the stored "correct" face to be computed on the ciphertexts themselves, so the template never has to be decrypted for a comparison.
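The following Python example, added here and not drawn from IEEE 2410 or any product implementing it, shows concretely why homomorphic encryption is what makes encrypted biometric matching possible. It uses the Paillier cryptosystem, which is only additively homomorphic rather than fully homomorphic; that is enough to compute the squared Euclidean distance between an encrypted enrolled template and a plaintext probe, via ||t − p||² = ||t||² − 2⟨t, p⟩ + ||p||², so the matcher works on ciphertexts only and the key holder decrypts nothing but the distance. Full FHE, as IEEE 2410 requires, removes the remaining simplifications here (the probe being in plaintext and the comparison needing a decryption step). The prime sizes, the feature vectors and the threshold are constructed assumptions for the demo.

```python
import math
import secrets

# Assumption for the demo: the 9,999th and 10,000th primes as a toy key.
# A real deployment would use primes of at least 1,024 bits each.
TOY_P, TOY_Q = 104723, 104729


def paillier_keygen(p=TOY_P, q=TOY_Q):
    """Paillier key pair with g = n + 1. Returns ((n, g), (lambda, mu))."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    g = n + 1
    # mu = L(g^lambda mod n^2)^-1 mod n, where L(x) = (x - 1) // n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Randomized encryption: c = g^m * r^n mod n^2. Same m encrypts differently each time."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    return ((pow(c, lam, n * n) - 1) // n) * mu % n


def add_enc(pub, c1, c2):
    """Homomorphic addition: Enc(a) * Enc(b) mod n^2 = Enc(a + b)."""
    return c1 * c2 % (pub[0] ** 2)


def scale_enc(pub, c, k):
    """Homomorphic scaling by a plaintext: Enc(a)^k mod n^2 = Enc(k * a). k may be negative."""
    return pow(c, k % pub[0], pub[0] ** 2)


def enroll(pub, template):
    """Key holder encrypts the reference template once; only ciphertexts are stored.

    template: constructed integer feature vector (e.g. quantized embedding values).
    """
    enc_features = [encrypt(pub, t) for t in template]
    enc_sq_norm = encrypt(pub, sum(t * t for t in template))
    return enc_features, enc_sq_norm


def encrypted_sq_distance(pub, enrolled, probe):
    """Matcher: compute Enc(||t - p||^2) from Enc(t_i), Enc(||t||^2) and plaintext p.

    ||t - p||^2 = ||t||^2 - 2 * sum(t_i * p_i) + ||p||^2; every term is either stored
    encrypted, obtained by scaling a ciphertext by a plaintext, or added in encrypted form.
    The matcher never decrypts anything and never learns the template.
    """
    enc_features, enc_sq_norm = enrolled
    acc = enc_sq_norm
    for c, p in zip(enc_features, probe):
        acc = add_enc(pub, acc, scale_enc(pub, c, -2 * p))
    return add_enc(pub, acc, encrypt(pub, sum(p * p for p in probe)))


def is_match(pub, priv, enrolled, probe, threshold=4):
    """Key holder decrypts only the distance and applies the decision threshold (constructed)."""
    return decrypt(pub, priv, encrypted_sq_distance(pub, enrolled, probe)) <= threshold


if __name__ == "__main__":
    pub, priv = paillier_keygen()
    template = [12, 3, 7, 9, 0, 15, 4, 8]            # constructed reference template
    enrolled = enroll(pub, template)
    print(is_match(pub, priv, enrolled, [12, 4, 7, 8, 0, 15, 4, 8]))   # True: distance 2
    print(is_match(pub, priv, enrolled, [0, 15, 0, 15, 15, 0, 15, 0]))  # False: distance 1008
```

Two properties carry the privacy argument: the stored ciphertexts are randomized, so the same template enrolled twice looks unrelated and cannot be matched by comparing ciphertexts directly, and the arithmetic in `encrypted_sq_distance` is performed entirely on ciphertexts, which is exactly what a non-homomorphic scheme (AES, RSA-OAEP) cannot offer.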
There is also an entire section dedicated to privacy considerations that aligns attributes of the standard with the GDPR, the California Consumer Privacy Act of 2018, the Biometric Information Privacy Act and HIPAA. According to the standard, its FHE payloads do not contain biometric data as defined under the GDPR, CCPA or BIPA and so are not subject to those regulations' obligations; the payloads instead qualify as anonymized data under the GDPR and deidentified data under the CCPA. As for HIPAA, the standard's position is that the payloads do not contain individually identifiable health information and therefore do not fall under the Privacy Rule or Security Rule. All of this is laid out in matrices that align each regulatory requirement with the corresponding system control.
Standards set forth by organizations like the W3C and IEEE may be increasingly invaluable and instructive. As more lawmakers and regulators – including in the U.S., the U.K., and the EU – consider privacy in specific contexts such as health data, AI, children's privacy and biometric privacy, the conception, design and delivery of tailored products becomes more important. The U.K. Information Commissioner’s Office Age Appropriate Design Code requires online services to follow specific data protection standards, many of which mirror the best practice principles found in the W3C's note on Privacy Principles. The European Health Data Space initiative promotes autonomy and control of one's health data, the implementation of which could be supported by following the recommendations in IEEE 7002, for example. Both the W3C and IEEE provide important points of reference for privacy pros, with their translations of privacy principles into actionable technical instructions and benchmarked best practices.
Privacy pros of all stripes should keep an eye on future standards development, such as IEEE’s work standardizing the metaverse and the W3C Technical Architecture Group’s critical review of Google’s proposed replacement for third-party-cookie ad targeting, the Topics API.