Add privacy considerations related to legal processes and coercion #1504

Merged
merged 4 commits into from
Jun 26, 2024
31 changes: 27 additions & 4 deletions index.html
Expand Up @@ -5424,7 +5424,11 @@ <h3>The Principle of Data Minimization</h3>
<p>
Implementers of software used by [=holders=] are urged to disclose what
information is being requested by a [=verifier=], such that a [=holder=] can
push back on the over-collection of information that is unnecessary for the
decline to share specific requested information that is unnecessary for the
transaction. Additionally, logs of information shared with [=verifiers=] are
strongly encouraged to be available to [=holders=] such that the information
might be shared with authorities if a [=holder=] believes that they are a
victim of overreach or coercion to share more than necessary for a particular
transaction.
</p>
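Review bot: The added sentence on logs ("logs of information shared with [=verifiers=] are strongly encouraged to be available to [=holders=]") does not say where those logs are kept or who else can read them, and a record of everything a holder has shared is itself private information. Suggest stating that the logs stay under the holder's control and are protected accordingly, so the advice does not work against the data minimization principle this section describes. "authorities" is also left open; a short qualifier would help implementers.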

Expand Down Expand Up @@ -5764,6 +5768,23 @@ <h3>Usage Patterns</h3>
</p>
</section>

<section class="informative">
<h3>Legal Processes</h3>

<p>
It is possible, through legal processes, for [=issuers=], [=holders=], and/or
[=verifiers=] to be compelled to disclose private information to authorities,
such as law enforcement. It is also possible for the same private
information to be accidentally disclosed to an unauthorized party through a
software bug or security failure. Authors of legal processes and compliance
regimes are advised to draft guidelines that notify the [=subjects=] involved
when their private information is purposefully or accidentally disclosed to a
third party. Providers of software services are advised to be transparent about
known circumstances that might cause such private information to be shared with
a third party, and about the identity of any such third party.
</p>
</section>

<section class="informative">
<h3>Sharing Information with the Wrong Party</h3>
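Review bot: The second sentence of the new "Legal Processes" section covers accidental disclosure "through a software bug or security failure", which is not a legal process, so the heading undersells what the section addresses. Suggest either widening the heading or moving that sentence into its own section. In the third sentence, "draft guidelines that notify the [=subjects=]" reads as if the guidelines do the notifying; "guidelines that require notification of the [=subjects=]" would be clearer.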

Expand Down Expand Up @@ -5920,12 +5941,14 @@ <h3>Private Browsing</h3>
In an ideal private browsing scenario, no PII will be revealed. Because many
[=credentials=] include PII, organizations providing software to
[=holders=] should warn them about the possibility of revealing this
information if they wish to use [=credentials=] and [=presentations=]
information if they use [=credentials=] and [=presentations=]
while in private browsing mode. As each browser vendor handles private browsing
differently, and some browsers might not have this feature at all, it is
important for implementers to be aware of these differences and implement
solutions accordingly.
important for implementers to not depend on private browsing mode to provide
any privacy protections. Instead, implementers are advised to depend on
tooling that is directly usable by their software to provide privacy guarantees.
</p>

</section>

<section class="informative">
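Review bot: The new closing sentence, "implementers are advised to depend on tooling that is directly usable by their software to provide privacy guarantees", gives no indication of what tooling is meant, so it is hard to act on. Suggest naming the kind of mechanism intended or pointing to the part of this specification that describes it, and consider "protections" rather than "guarantees" to match the wording of the sentence before it. The hunk also adds a blank line between the closing p and section tags that the neighbouring sections do not have.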