patcg / patwg-charter

A repo to discuss the Private Advertising Technology Working Group's charter.

Require Data Section in Success Criteria

bmayd opened this issue · comments

The Success Criteria in the working group charter says that:

Each normative specification should contain separate sections detailing all known security and privacy implications for implementers, Web authors, and end users.

I'd like to suggest that we add a data section.

The notion of privacy can’t be separated from data, which suggests there can be no meaningful assessment of privacy without identification of the data in question. While I agree that defining privacy is not something we should pursue further, I do think the question of identifying the data inputs and outputs of features is something we haven't focused on and which we ought to give thought to.

More specifically, I think we should consider requiring that specifications include a separate section detailing what data inputs a feature requires and what outputs it provides, potentially along with associated attributes, like a notion of how identifying the data is, whether its use should be consented and user controls offered and what the consequences of users exercising controls are for the feature.

This seems reasonable, but I think a minimal alteration can cover it.

@bmayd what do you think of:

Each normative specification should contain separate sections that: detail anticipated data inputs and outputs along with the shape of both; detail security concerns; and make clear the privacy implications for implementers, Web authors, and end users.

I don't think our specifications can always detail questions of consent as--depending on the specification--that might be up to the user agent, device or the website and I think the question of how identifying the data is would be covered in the privacy section. As for the question of controls, those are very rarely established in standards of these types and instead left up to user agents. I hesitate to make specifying controls part of the charter for that reason and I think it is reasonable to address that as-needed in each standard.

@AramZS Thanks for the response; I take your points in the latter part of your post and agree:

It is sufficient for the charter to indicate that specifications include a data section and appropriate to leave decisions about what additional information and detail are necessary for a given proposal to its developers and reviewers.

I also agree that controls and other similar aspects of the relationship between users and user-agents are properly left to implementers and are best addressed in the context of specific proposals.

Can you clarify what you mean by "the shape of both" in:

... detail anticipated data inputs and outputs along with the shape of both;

That might be unnecessary language for what would presumably already be done, but by shape, I meant data format (type, object properties, anticipated size, etc). In retrospect I think I can probably remove that clause.

Thanks for clarifying and I agree with leaving it out; I think "...detail anticipated data..." captures it.

Hey @bmayd - my hope is that this is resolved by #59 and we can discuss the above changes as a separate PR only if that PR is objected to.

What is stated in #59 addresses my concerns and is sufficient for the WG charter.

I think we've got this addressed in the latest set of changes now. Closing this issue.