diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1c5437e..8b6ffb7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,6 +11,8 @@ jobs: name: Version Release runs-on: ubuntu-latest steps: + - name: checkout files + uses: actions/checkout@v2 - name: get version id: version run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//} diff --git a/evaluations/governance/3rd-party-requests-for-user-data.yaml b/evaluations/governance/3rd-party-requests-for-user-data.yaml deleted file mode 100644 index ac68dfb..0000000 --- a/evaluations/governance/3rd-party-requests-for-user-data.yaml +++ /dev/null @@ -1,37 +0,0 @@ -testName: 3rd party requests for user data -criterias: - - criteriaName: >- - The company complies only with legal and ethical third-party requests for - user information. - indicators: - - indicator: >- - The company explains its process for responding to non-judicial - government requests. - - - The company explains its process for responding to court orders. - - - The company explains its process for responding to requests from - foreign jurisdictions. - - - The company explains its process for responding to requests made by - private parties. - - - The company’s explanations include the legal basis under which it may - comply. - - - The company commits to carry out due diligence on requests before - deciding how to respond and to push back on unlawful requests. - - - The company provides guidance or examples of implementation of its - process. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. -readinessFlag: '1' diff --git a/evaluations/governance/business-model.yaml b/evaluations/governance/business-model.yaml deleted file mode 100644 index 4eb7041..0000000 --- a/evaluations/governance/business-model.yaml +++ /dev/null @@ -1,14 +0,0 @@ -testName: Business model -criterias: - - criteriaName: I understand how the company earns its revenue. - indicators: - - indicator: |+ - - - - procedures: - - |+ - - - -readinessFlag: '3' diff --git a/evaluations/governance/governance.yaml b/evaluations/governance/governance.yaml deleted file mode 100644 index c3f4adb..0000000 --- a/evaluations/governance/governance.yaml +++ /dev/null @@ -1,133 +0,0 @@ -testName: Governance -criterias: - - criteriaName: >- - The company or organization publicly commits to respect users' human - rights to freedom of expression and privacy. - - indicators: - - indicator: >- - Explicit and clearly articulated policy commitment to human rights, - including freedom of expression and privacy - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses - - - criteriaName: >- - The company or organization's senior leadership exercises oversight over - how its policies and practices affect freedom of expression and privacy. - - indicators: - - indicator: >- - The board of directors exercises formal oversight over how company - practices affect freedom of expression and privacy. - - An executive-level committee, team, program or officer oversees how - company practices affect freedom of expression and privacy. - - A management-level committee, team, program or officer oversees how - company practices affect freedom of expression and privacy. - - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses - - - criteriaName: >- - The company or organization should have mechanisms in place to implement - its commitments to freedom of expression and privacy internally. - - indicators: - - indicator: >- - - Provides employee, volunteers or other staff training on freedom of - expression and privacy issues - - Maintains a whistleblower program through which employees, volunteers - or other staff can report concerns related to how the company treats - its users’ freedom of expression and privacy rights - - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses - - - criteriaName: >- - The company or organization implements due diligence processes, such as - human rights impact assessments, to identify how all aspects of its - activities affect freedom of expression and privacy and to mitigate any - risks posed by those impacts. - - indicators: - - indicator: >- - As part of its decision-making, considers how laws affect freedom of - expression and privacy in jurisdictions where it operates - - Regularly assesses free expression and privacy risks associated with - existing products and services - - Assesses free expression and privacy risks associated with a new - activity, including the launch and/or acquisition of new products or - services or entry into new markets - - Assesses free expression and privacy risks associated with the - processes and mechanisms used to enforce its Terms of Service - - Conducts in-depth due diligence wherever the company’s risk - assessments identify concerns - - Senior executives and/or members of the company’s board of directors - review and consider the results of assessments and due diligence in - decision-making for the company - - Conducts assessments on a regular schedule - - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses - - - criteriaName: >- - The company or organization engages with a range of stakeholders on - freedom of expression and privacy issues. - - indicators: - - indicator: >- - The company initiates or participates in meetings with stakeholders - that represent, advocate on behalf of, or are people directly and - adversely impacted by the company’s business - - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses - - - - criteriaName: >- - The company or organization should have grievance and remedy mechanisms to - address user's freedom of expression and privacy concerns. - - indicators: - - indicator: >- - - The company initiates or participates in meetings with stakeholders - that represent, advocate on behalf of, or are people directly and - adversely impacted by the company’s business - - Clear disclosure of processes for receiving complaints - - Process includes complaints related to freedom of expression and - privacy - - Clear disclosure of process for responding to complaints - - The company reports on the number of complaints received. - - The company provides evidence that it is responding to complaints. - - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses - -readinessFlag: '1' diff --git a/evaluations/governance/identity-policy.yaml b/evaluations/governance/identity-policy.yaml deleted file mode 100644 index fa8560f..0000000 --- a/evaluations/governance/identity-policy.yaml +++ /dev/null @@ -1,15 +0,0 @@ -testName: Identity policy -criterias: - - criteriaName: >- - I can register using any name and identifying characteristics I wish, or - keep my identity completely anonymous. - indicators: - - indicator: >- - The company does not require users to verify their identity with their - government-issued identification, or with other forms of - identification that could be connected to their offline identity. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. -readinessFlag: '1' diff --git a/evaluations/governance/open-innovation.yaml b/evaluations/governance/open-innovation.yaml deleted file mode 100644 index 6747833..0000000 --- a/evaluations/governance/open-innovation.yaml +++ /dev/null @@ -1,16 +0,0 @@ -testName: Open Innovation -criterias: - - criteriaName: >- - The company works to advance all technology and innovation, not just its - own interests. - indicators: - - indicator: |+ - - - - procedures: - - |+ - - - -readinessFlag: '3' diff --git a/evaluations/governance/open-source.yaml b/evaluations/governance/open-source.yaml deleted file mode 100644 index 9c47ccc..0000000 --- a/evaluations/governance/open-source.yaml +++ /dev/null @@ -1,11 +0,0 @@ -testName: Open Source -criterias: - - criteriaName: The product's source code is publicly available and reusable. - indicators: - - indicator: Software is open source, meaning published under a license approved and listed by the Open Source Initiative. (https://opensource.org/licenses/alphabetical) - procedures: - - |- - Determine if code is available. - - Determine type of open source license. -readinessFlag: '1' diff --git a/evaluations/governance/terms-of-service-and-privacy-policy-documents.yaml b/evaluations/governance/terms-of-service-and-privacy-policy-documents.yaml deleted file mode 100644 index 3927d70..0000000 --- a/evaluations/governance/terms-of-service-and-privacy-policy-documents.yaml +++ /dev/null @@ -1,37 +0,0 @@ -testName: Terms of Service and Privacy Policy documents -criterias: - - criteriaName: >- - I can easily find, read, and understand the privacy policy and/or terms of - service. - indicators: - - indicator: >- - The company clearly discloses which Terms of Service (ToS) apply to the product/service in question. - - The ToS are easy to find. - - - The ToS are available in the language(s) most commonly spoken by the - company's users. - - Privacy policies and ToS are accessible through the company's websites and are available for search engines to process. - - Privacy policies and ToS are accessible via a stable URL. - - Privacy policies and ToS for specific devices are available online. - - The ToS are presented in an understandable manner. - - The company clearly discloses which privacy policies apply to the product/service in question. - - The privacy policies are easy to find. - - The privacy policies are available in the languages(s) most commonly - spoken by the company's users. - - - The privacy policies are presented in an understandable manner. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. -readinessFlag: '1' diff --git a/evaluations/governance/threat-notification.yaml b/evaluations/governance/threat-notification.yaml deleted file mode 100644 index a61a7e6..0000000 --- a/evaluations/governance/threat-notification.yaml +++ /dev/null @@ -1,22 +0,0 @@ -testName: Threat Notification -criterias: - - criteriaName: >- - The company notifies appropriate authorities and those affected when a - data breach occurs. - indicators: - - indicator: >- - The company will notify the relevant authorities without undue delay - when a data breach occurs. - - - The company clearly discloses its process for notifying data subjects - who might be affected by a data breach. - - - The company clearly discloses what kinds of steps it will take to - address the impact of a data breach on its users. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. -readinessFlag: '1' diff --git a/evaluations/governance/tos-and-privacy-policy-change-notification.yaml b/evaluations/governance/tos-and-privacy-policy-change-notification.yaml deleted file mode 100644 index 33ddbed..0000000 --- a/evaluations/governance/tos-and-privacy-policy-change-notification.yaml +++ /dev/null @@ -1,38 +0,0 @@ -testName: ToS & Privacy Policy change notification -criterias: - - criteriaName: >- - The company provides clear notification when it changes its privacy policy - and/or terms of service. - indicators: - - indicator: >- - Commitment to notify users about changes to the terms of service - - - Disclosure of how users will be directly notified of changes to the - terms of service - - - Disclosure of timeframe for notification prior to changes to the terms - of service coming into effect - - - Maintains a public archive or change log of the terms of service - - - Commitment to notify users about change to the privacy policy - - - Disclosure of how users will be directly notified of changes to the - privacy policy - - - Disclosure of timeframe for notification prior to changes to the - privacy policy coming into effect - - - Maintains a public archive or change log of the privacy policy - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. -readinessFlag: '1' diff --git a/evaluations/governance/transparency-reporting.yaml b/evaluations/governance/transparency-reporting.yaml deleted file mode 100644 index ba2284f..0000000 --- a/evaluations/governance/transparency-reporting.yaml +++ /dev/null @@ -1,50 +0,0 @@ -testName: Transparency reporting -criterias: - - criteriaName: >- - The company is transparent about its practices for sharing user data with - the government and other third parties. - indicators: - - indicator: >- - The company lists the number of requests it receives by country. - - - The company lists the number of requests it receives for stored user - information and for real-time communications access. - - - The company lists the number of accounts affected. - - - The company lists whether a demand sought communications content or - non-content or both. - - - The company identifies the specific legal authority or type of legal - process through which law enforcement and national security demands - are made. - - - The company includes requests that come from court orders. - - The company list the number of requests it receives from private - parties. - - - The company lists the number of requests it complied with, broken down - by category of demand. - - - The company lists what types of government requests it is prohibited - by law from disclosing. - - - The company reports this data at least once per year. - - - The data reported by the company can be exported as a structured data - file. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. -readinessFlag: '1' diff --git a/evaluations/governance/user-notification-about-third-party-requests-for-user-information.yaml b/evaluations/governance/user-notification-about-third-party-requests-for-user-information.yaml deleted file mode 100644 index 17c4679..0000000 --- a/evaluations/governance/user-notification-about-third-party-requests-for-user-information.yaml +++ /dev/null @@ -1,21 +0,0 @@ -testName: User notification about third-party requests for user information -criterias: - - criteriaName: >- - The company tells me if the government or other third parties ask for my - information. - indicators: - - indicator: >- - The company notifies users when government entities (including courts - or other judicial bodies) request their user information. - - The company notifies users when private parties request their user - information. - - The company clearly discloses situations when it might not notify - users, including a description of the types of government requests it - is prohibited by law from disclosing to users. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. -readinessFlag: '1' diff --git a/evaluations/ownership/functionality-over-time.yaml b/evaluations/ownership/functionality-over-time.yaml deleted file mode 100644 index 030e978..0000000 --- a/evaluations/ownership/functionality-over-time.yaml +++ /dev/null @@ -1,32 +0,0 @@ -testName: Functionality Over Time -criterias: - - criteriaName: >- - The company commits to maintain the intended functionality of the product for a clearly defined and communicated period of time (i.e., the product life cycle). - indicators: - - indicator: >- - The product life cycle is communicated to the potential owner before purchase. - - - Every feature of the product will continue to work the stated product life cycle; that is, the manufacturer will not 'brick' - certain parts of the product during that time frame. - - - The manufacturer will not cease to support the functionality I come to - expect during the product life cycle. - - - Replacement services will exist if the manufacturer ceases to support - the functionality during the product life cycle. - - - The company commits that, in the event the company is sold or acquired, the - new owner will maintain the intended functionality for the full product life cycle. - - The company has a mechanism (e.g. email address, bug tracker, etc.) through - which users, researchers, etc. can tell the company about bugs/problems they discover. - procedures: - - >- - Investigation and analysis of publicly available documentation, services, - and web presence to determine what the company clearly discloses and supports. - -readinessFlag: '3' diff --git a/evaluations/ownership/interoperability.yaml b/evaluations/ownership/interoperability.yaml deleted file mode 100644 index 892666f..0000000 --- a/evaluations/ownership/interoperability.yaml +++ /dev/null @@ -1,17 +0,0 @@ -testName: Interoperability -criterias: - - criteriaName: >- - The company does not prohibit use of the product with other, - complementary, products. - indicators: - - indicator: >- - The manufacturer does not use software, copyright, or other devices to - restrict the use of products and services that would otherwise be - possible to use with your existing products (e.g., set-top boxes, - third-party applications, etc.). - procedures: - - |+ - - - -readinessFlag: '3' diff --git a/evaluations/ownership/ownership.yaml b/evaluations/ownership/ownership.yaml deleted file mode 100644 index fe4b39a..0000000 --- a/evaluations/ownership/ownership.yaml +++ /dev/null @@ -1,14 +0,0 @@ -testName: Ownership -criterias: - - criteriaName: 'When I buy a product, I own every part of it.' - indicators: - - indicator: >- - The company does not retain any control or ownership over the - operation, use, inputs, or outputs of the product after it has been - purchased by the consumer. - procedures: - - |+ - - - -readinessFlag: '3' diff --git a/evaluations/ownership/process-for-terms-of-service-enforcement.yaml b/evaluations/ownership/process-for-terms-of-service-enforcement.yaml deleted file mode 100644 index 84ac73c..0000000 --- a/evaluations/ownership/process-for-terms-of-service-enforcement.yaml +++ /dev/null @@ -1,36 +0,0 @@ -testName: Process for terms of service enforcement -criterias: - - criteriaName: >- - I know how, when, and why the company or organization unilaterally closes - user accounts and/or restricts access to services. - indicators: - - indicator: >- - The company or organization clearly explains what types of activities - it does not permit. - - - The company or organization clearly explains why it may restrict a - user’s account. - - - The company or organization clearly discloses the mechanisms it uses - to identify accounts that violate the rules. - - - The company or organization clearly discloses whether any - non-government and non-judicial entities receive priority - consideration when identifying accounts to be restricted for violating - the company’s rules, and if so, how that priority status is conferred. - - - The company or organization clearly explains its process for enforcing - its rules. - - - The company or organization provides clear examples to help the user - understand what the rules are and how they are enforced. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. -readinessFlag: '1' diff --git a/evaluations/ownership/repair-accessibility.yaml b/evaluations/ownership/repair-accessibility.yaml deleted file mode 100644 index f6bc58d..0000000 --- a/evaluations/ownership/repair-accessibility.yaml +++ /dev/null @@ -1,20 +0,0 @@ -testName: Repair Accessibility -criterias: - - criteriaName: The product can be fixed by parties other than the manufacturer. - indicators: - - indicator: >- - The company does not use technical, feature-level, or legal means to - block a consumer's ability to get a device repaired. - - There is a competitive market of repair shops. - - Repair shops, other than the manufacturer's, are supported by the - original manufacturer. - procedures: - - >- - Manufacturer makes blueprints and bill of materials available to end users. - - The device is easy to open using commercially available tools and can be - repaired using commercially available parts. - -readinessFlag: '3' diff --git a/evaluations/ownership/repair-penalty.yaml b/evaluations/ownership/repair-penalty.yaml deleted file mode 100644 index 8796634..0000000 --- a/evaluations/ownership/repair-penalty.yaml +++ /dev/null @@ -1,16 +0,0 @@ -testName: Repair Penalty -criterias: - - criteriaName: >- - I am not penalized for getting the product properly repaired by a third - party or for repairing it myself. - indicators: - - indicator: >- - The company does not penalize consumers (voided warranty, etc.) if - they get the product repaired by someone other than the original - manufacturer or their authorized representatives. - procedures: - - |+ - - - -readinessFlag: '3' diff --git a/evaluations/ownership/resale.yaml b/evaluations/ownership/resale.yaml deleted file mode 100644 index a78ba5c..0000000 --- a/evaluations/ownership/resale.yaml +++ /dev/null @@ -1,17 +0,0 @@ -testName: Resale -criterias: - - criteriaName: I can resell the product to someone and it will still work. - indicators: - - indicator: >- - If a consumer sells the product on the private market, the new owner - has access to the full functionality of the original product.? Or does - the company restrict the transfer of ownership - - - The company does not restrict the transfer of ownership. - procedures: - - |+ - - - -readinessFlag: '3' diff --git a/evaluations/ownership/transparency-about-terms-of-service-enforcement.yaml b/evaluations/ownership/transparency-about-terms-of-service-enforcement.yaml deleted file mode 100644 index 973909a..0000000 --- a/evaluations/ownership/transparency-about-terms-of-service-enforcement.yaml +++ /dev/null @@ -1,27 +0,0 @@ -testName: Transparency about Terms of Service enforcement -criterias: - - criteriaName: >- - I know how often the company or organization unilaterally closes user - accounts - indicators: - - indicator: >- - The company or organization publishes data about the number of - accounts it restricts or closes on its own initiative. - - - The company or organization publishes data about the number of - accounts it restricts or closes as a result of a government request. - - - The company or organization publishes data about the number of - accounts it restricts or closes as a result of a request from private - third parties. - - - The company or organization clearly discloses that it notifies users - when it restricts or closes user accounts. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. -readinessFlag: '2' diff --git a/evaluations/privacy/data-benefits.yaml b/evaluations/privacy/data-benefits.yaml deleted file mode 100644 index d9e07d4..0000000 --- a/evaluations/privacy/data-benefits.yaml +++ /dev/null @@ -1,16 +0,0 @@ -testName: Data benefits -criterias: - - criteriaName: >- - Every piece of data I share brings me a benefit; it doesn't just help the company. - indicators: - - indicator: |+ - The company clearly discloses its purpose for collecting each type of user information. - - procedures: - - |+ - Investigation and analysis of publicly available documentation to determine what the company clearly discloses. - - Compare app documentation, app features, requested permissions, and observed network data to see if they align. - - -readinessFlag: 3 diff --git a/evaluations/privacy/data-collection.yaml b/evaluations/privacy/data-collection.yaml deleted file mode 100644 index 93a6235..0000000 --- a/evaluations/privacy/data-collection.yaml +++ /dev/null @@ -1,15 +0,0 @@ -testName: Data collection -criterias: - - criteriaName: I know what user information this company is collecting and when. - indicators: - - indicator: |- - Disclosure of the type of user information collected - - Disclosure of how user information is collected - - Test the product's sensors to determine whether they give clear indication when they become activated. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. -readinessFlag: '1' diff --git a/evaluations/privacy/data-control.yaml b/evaluations/privacy/data-control.yaml deleted file mode 100644 index 29b84cf..0000000 --- a/evaluations/privacy/data-control.yaml +++ /dev/null @@ -1,45 +0,0 @@ -testName: Data control -criterias: - - criteriaName: I can see and control everything the company knows about me. - indicators: - - indicator: >- - The definition of 'user information' includes information collected from third parties. - - - Users can control the collection of their information. - - - Users can control how their information is used to target advertising. - - - Clear explanation of how users can control whether their information - is used for targeted advertising. - - - Users can obtain a copy of their information simply and at no cost. - - - Disclosure of what user information users can obtain - - - Users can obtain their information in a structured data format. - - - Users can obtain all public-facing and private user information the - company hold about them. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. - - indicator: Privacy controls exist in the user interface. - procedures: - - >- - Look in the product's user interface to see what privacy controls - exist and what the options are. - - indicator: Privacy controls in the user interface are effective. - procedures: - - >- - Look in the product's user interface to see what privacy controls - exist and what the options are. If relevant, analyze network traffic - to see if they are effective. -readinessFlag: '1' diff --git a/evaluations/privacy/data-retention-and-deletion.yaml b/evaluations/privacy/data-retention-and-deletion.yaml deleted file mode 100644 index b40a158..0000000 --- a/evaluations/privacy/data-retention-and-deletion.yaml +++ /dev/null @@ -1,43 +0,0 @@ -testName: Data retention and deletion -criterias: - - criteriaName: The company retains data only as long as relevant and reasonably - necessary to provide service to me. - indicators: - - indicator: >- - The company on its own deletes outdated and unnecessary personal - information, or renders that data to be reasonably de-identified. - - The company provides specific retention periods for different types of - information that are reasonably scoped to get rid of outdated and - unnecessary personal information. - - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. - - criteriaName: I can delete the data the company has about me that is not - needed to provide the serivce. - indicators: - - indicator: >- - The company offers easy-to-find and -use controls that allow users to - delete data not necessary to render service. - - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. - - Investigation of deletion tools offered by the company. - - criteriaName: My account and information are deleted when I leave the service. - indicators: - - indicator: >- - All user information is deleted when the user's service is terminated, or - the service no longer operates - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. - - >- - Terminate a test account, remove service from a device, or perform a - factory reset on the device. -readinessFlag: '1' diff --git a/evaluations/privacy/data-sharing.yaml b/evaluations/privacy/data-sharing.yaml deleted file mode 100644 index 3353ff8..0000000 --- a/evaluations/privacy/data-sharing.yaml +++ /dev/null @@ -1,26 +0,0 @@ -testName: Data sharing -criterias: - - criteriaName: Data sharing is reasonably scoped and transparent. - indicators: - - indicator: |- - The company only shares information with third parties as is reasonably necessary to deliver service to consumers. - - The company clearly discloses what user information it shares with whom. - - The company clearly discloses the types of third parties with which it shares user information. - - The company clearly discloses the names of third parties with which it shares user information. - - The company clearly discloses whether it shares user information with government or legal authorities. - - Third-party domains contacted by the product are named in the privacy policy. - - procedures: - - |- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. - - Analyze network traffic to see what third-party domains are - contacted by the product. - -readinessFlag: '1' diff --git a/evaluations/privacy/data-use.yaml b/evaluations/privacy/data-use.yaml deleted file mode 100644 index ce25209..0000000 --- a/evaluations/privacy/data-use.yaml +++ /dev/null @@ -1,17 +0,0 @@ -testName: Data use #Need to update section name from "Third Party Tracking-Data Sharing" to "Data Use and Sharing" -criterias: - - criteriaName: Data usage is consistent with the context of the relationship with the user and is transparent. - indicators: - - indicator: |- - The company puts limits on the use of my data that are consistent with the purpose for which the data is collected. - - The company explicitly discloses every way in which it uses my data. - - procedures: - - |- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. - - Interact with the service to evaluate how personal information is being used. - -readinessFlag: '1' diff --git a/evaluations/privacy/minimal-data-collection.yaml b/evaluations/privacy/minimal-data-collection.yaml deleted file mode 100644 index 5519757..0000000 --- a/evaluations/privacy/minimal-data-collection.yaml +++ /dev/null @@ -1,30 +0,0 @@ -testName: Minimal data collection -criterias: - - criteriaName: >- - The only information the company collects about me is what's needed to make - the product or service work correctly. - indicators: - - indicator: >- - The user information collected is only that which is directly relevant - and necessary for the service. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. - - indicator: >- - Product still works when all permissions not relevant to product's - functionality are declined. - procedures: - - >- - Decline permissions not relevant to the product's functionality, - verify that product is still functional. - - indicator: >- - Manufacturer does not discriminate or otherwise provide a lower level of - service if a consumer exercises privacy rights or does not consent - to unnecessary secondary data collection or use. - procedures: - - >- - Decline permissions not relevant to the product's functionality, - verify no differential treatment. - -readinessFlag: '1' diff --git a/evaluations/privacy/privacy-by-default.yaml b/evaluations/privacy/privacy-by-default.yaml deleted file mode 100644 index 6939c4c..0000000 --- a/evaluations/privacy/privacy-by-default.yaml +++ /dev/null @@ -1,23 +0,0 @@ -testName: Privacy by default -criterias: - - criteriaName: >- - The default settings in this product prioritize my privacy; to give up - privacy, I actually need to change the settings. - indicators: - - indicator: |- - Targeted advertising is off by default. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. - - indicator: >- - User interface settings which are optimal for privacy are set by - default. - procedures: - - >- - Review settings available from the user interface, and determine - which options would be optimal for privacy considerations. - - - Determine whether those options are selected by default. -readinessFlag: '2' diff --git a/evaluations/security/authentication.yaml b/evaluations/security/authentication.yaml deleted file mode 100644 index a189cae..0000000 --- a/evaluations/security/authentication.yaml +++ /dev/null @@ -1,74 +0,0 @@ -testName: Authentication -criterias: - - criteriaName: A product has an authentication system that corresponds to the sensitivity of the user data it manages - indicators: - - indicator: If a product supports user accounts, it has an authentication system for accessing those accounts - procedures: - - Start product and note whether users are prompted to authenticate to access account data - - - indicator: If a product is packaged with an account with default credentials, those credentials are unique to the instance of the product - procedures: - - If the product has default credentials, make note their uniqueness, and watch out for credentials like, "default", "admin", or "12345678". - - - indicator: If a product has an authentication system, the user must authenticate each time they want to use the product - procedures: - - Start & stop the product multiple times, and make note of when user is prompted to authenticate. - - - indicator: If a product has an authentication system, it requires at least two pieces of information to authenticate users - procedures: - - Create an account and make note of information needed to do so *for authentication*. e.g. username + password - - - indicator: For products that handle sufficiently sensitive data, users can choose to use multi-factor authentication. - procedures: - - Create an account and look for settings to enable MFA. - - - indicator: For products that handle sufficiently sensitive data, users can choose to use multi-factor authentication whenever product is activated, or when a device is unrecognized. - procedures: - - Create an account, enable MFA, and try using product multiple times on one device to see if MFA is required each time. - - Create an account, enable MFA, and try using product multiple times on different devices to see if MFA is required each time. - - - indicator: If the product uses a password/passphrase for authentication, it requires that passwords are at least 8 characters long - procedures: - - Create an account and make note minimum password lengths. Try passwords such as "a" and "a1b2c3". - - - indicator: If the product uses a password/passphrase for authentication, the password/passphrase may be at least 20 characters long - procedures: - - Create an account and make note maximum password lengths. Try passphrases such as "i love sufficiently long passwords". - - - indicator: If the product uses a password/passphrase for authentication, it requires that passwords are reasonably complex - procedures: - - Create an account and make note complexity limitations. Try passwords such as "aaaaaaaa" and "12345678". - - - indicator: If the product uses a password/passphrase for authentication, it allows all reasonable characters as input - procedures: - - Create an account and make note character restrictions. Try passwords such as ")a!aaaaa$a%" and "p 4 5 5 w 0 R d !". - - - indicator: If the product uses a password/passphrase for authentication, it is compatible with popular password managers. - procedures: - - With a password manager installed, create an account. See if password manager can be used as expected. - - - criteriaName: A product that has an authentication system resists attempts to break it - indicators: - - indicator: The product allows users to be notified via an out-of-band medium when account security settings are changed. - procedures: - - Create an account and make note of whether or not users are able to use email, SMS, or push notifications to be notified when changes occur or account credentials need to be reset. - - - indicator: To change a password/passphrase/pin, a user must enter the previous password/passphrase/pin, or have access to a secondary system that is used to reset it. - procedures: - - Create an account and attempt to change the password/passphrase/pin associated with it. Make note of whether or not users are required to enter old credentials, or look toward their email/phone/etc. to reset them. - - - indicator: The product notifies users when account security settings have changed. - procedures: - - Create an account and attempt to change various security settings, such as MFA or password, and make note of whether or not the user is notified. - - - indicator: If the product has an authentication system, it also has a system to prevent brute-force/dictionary attacks - procedures: - - Try to login to product using various incorrect credentials and note whether you have limited attempts to do so, or if it would take far too long to test every combination of allowed or common characters/strings/phrases. - - indicator: If the product has an authentication system, it only sends password hashes to the server for storage - procedures: - - MITM communication between application and service and inspect the traffic while tester is creating a new account and changing a new password. - - indicator: If the product has an authentication system and sends password hashes to the server for storage, the hash algorithm should be secure. - procedures: - - MITM communication between application and service and inspect the traffic while tester is creating a new account and changing a new password. - -readinessFlag: '2' diff --git a/evaluations/security/best-build-practices.yaml b/evaluations/security/best-build-practices.yaml deleted file mode 100644 index dd1e20a..0000000 --- a/evaluations/security/best-build-practices.yaml +++ /dev/null @@ -1,67 +0,0 @@ -testName: |+ - - Best Build Practices - -criterias: - - criteriaName: >+ - The software was built and developed according to the industry's best - practices for security. - - indicators: - - indicator: The product was built with effectively implemented safety features. - procedures: - - > - Run CheckSec or other tool to determine what application armoring - features are present. - - - Are there Stack Guards, and if so, are they effectively implemented? - - - Are all safety features available in the pertinent OS enabled? - (e.g., ASLR, CFI, RELRO, DEP, etc.) - - - Are those safety features well implemented and/or enabled with - optimal settings? (E.g., High Entropy ASLR, rather than just Dynamic - Base on Windows 10) - - - Are the binaries 32 or 64 bit? - - indicator: The software does not make use of unsafe functions or libraries. - procedures: - - >- - Pull out data from the binary that speaks to developer hygiene. - - - Do they use strcpy and other historically unsafe functions? - - - Did the developers use older, less historically safe functions, or - newer, safer replacements for those functions? - - - What risks are introduced via the libraries that the binary links - to, either directly or indirectly? - - indicator: |+ - The software is not overly complex. - - procedures: - - |+ - Pull out data from the binary that speaks to code complexity. - - What is the branch density? - - How many stack adjusts, function calls, etc. are there? - - How complex is the code? - - - indicator: |+ - The software was built reproducibly. - - procedures: - - |+ - If the project is freeware or open source, build the project and verify the output. - - -readinessFlag: '1' diff --git a/evaluations/security/encryption.yaml b/evaluations/security/encryption.yaml deleted file mode 100644 index 92a8eb4..0000000 --- a/evaluations/security/encryption.yaml +++ /dev/null @@ -1,29 +0,0 @@ -testName: |+ - Encryption - -criterias: - - criteriaName: >+ - Information I provide is encrypted so that it can't be easily read or used - by attackers. - - indicators: - - indicator: |+ - Transmission of user communications or information is encrypted by default. - - Transmission of user communications or information is encrypted using unique keys. - - Users can secure their content using end-to-end encryption. - - End-to-end encryption is enabled by default. - - User information and communications are encrypted by default when at rest. - - procedures: - - >+ - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. - - - Inspect traffic to determine if SSL encryption is used. - -readinessFlag: '2' diff --git a/evaluations/security/known-exploit-resistance.yaml b/evaluations/security/known-exploit-resistance.yaml deleted file mode 100644 index d36954f..0000000 --- a/evaluations/security/known-exploit-resistance.yaml +++ /dev/null @@ -1,67 +0,0 @@ -testName: Known Exploit Resistance -criterias: - - criteriaName: >- - The product is protected from known software vulnerabilities that present - a danger from attackers. - indicators: - - indicator: The software is secure against known bugs and types of attacks. - procedures: - - >- - Browsers: - - - Identify publicly known vulnerabilities for each browser. - - - Use the original proof of concept code (if known) or devise custom - code where necessary, to test the browser for the issue identified - in the vulnerability notice. - - - Check if the browser is now protected from the identified - vulnerabilities. - - >- - Apps: - - - Root/jailbreak the device, configure web proxy and network traffic - monitor. - - - Launch target app, create accounts, sign-in, launch any activities - available from user interface. - - - Monitor communication between the application on the device and any - backend services. - - - Examine file system, database, and logs on the mobile device to - determine if sensitive information is stored in a way that could - lead to compromise of user data. - - >+ - Connected Devices: - - - Check if using latest version of software. - - - Configure web proxy and network traffic monitor. - - - Create account and sign-in to the installed "out of the box" - applications. - - - Launch any activities available from the user interface. - - - Monitor communication between the applications on the device, the - device itself, and any backend services. - - - Examine file system, database, and logs to determine if sensitive - information is stored in a way that could lead to compromise of user - data. - -readinessFlag: '2' diff --git a/evaluations/security/personal-safety.yaml b/evaluations/security/personal-safety.yaml deleted file mode 100644 index 0114fd0..0000000 --- a/evaluations/security/personal-safety.yaml +++ /dev/null @@ -1,14 +0,0 @@ -testName: Personal safety -criterias: - - criteriaName: 'The company helps me protect myself from grief, abuse, and harassment.' - indicators: - - indicator: |+ - - - - procedures: - - |+ - - - -readinessFlag: '3' diff --git a/evaluations/security/product-stability.yaml b/evaluations/security/product-stability.yaml deleted file mode 100644 index 8ca05bd..0000000 --- a/evaluations/security/product-stability.yaml +++ /dev/null @@ -1,29 +0,0 @@ -testName: |+ - - Product stability - -criterias: - - criteriaName: |+ - The software is reliable. - - indicators: - - indicator: > - The software is not susceptible to crashes. - - - If the program is forced to unexpectedly terminate, it shuts down in a - safe and responsible fashion. - procedures: - - > - Fuzz software to see if and how it crashes. - - - Under appropriate fuzz testing, what was the code coverage, number - of crashes, and type(s) of crashes. - - - Are crashes exploitable, or do they simply allow a disruption of - service? - - -readinessFlag: '2' diff --git a/evaluations/security/security-over-time.yaml b/evaluations/security/security-over-time.yaml deleted file mode 100644 index d6c445c..0000000 --- a/evaluations/security/security-over-time.yaml +++ /dev/null @@ -1,38 +0,0 @@ -testName: Security over time -criterias: - - criteriaName: The product is kept protected with software updates for a clearly defined and communicated period of time (i.e., the product life cycle). - indicators: - - indicator: The product life cycle is communicated to the potential owner before purchase. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. - - indicator: Software updates are authenticated. - procedures: - - >- - TBD - - indicator: Automatic software updates - procedures: - - >- - Examine software settings and product documentation to determine if - automatic software updates are enabled by default or can be enabled - by the user. - - indicator: Notification of software updates - procedures: - - >- - If updates are not automatic, examine software settings and product - documentation to determine if the product notifies the user if a - software update is available, and if that notification is - persistent, or if the user can easily determine if a software update - is available. - - indicator: Ease of installation of software updates - procedures: - - >- - Execute the procedure to install a software update and evaluate the - ease of installation by comparing against established references. - - indicator: Software can be kept up-to-date for security issues. - procedures: - - >- - Check if a later version of software exists but the product cannot - be updated to it (e.g. Android devices with pre-KitKat versions). -readinessFlag: '2' diff --git a/evaluations/security/security-oversight.yaml b/evaluations/security/security-oversight.yaml deleted file mode 100644 index 924f38e..0000000 --- a/evaluations/security/security-oversight.yaml +++ /dev/null @@ -1,23 +0,0 @@ -testName: Security Oversight -criterias: - - criteriaName: The company is a responsible caretaker of my data. - indicators: - - indicator: >- - The company has systems in place to limit and monitor employee access - to user information. - - - The company has an internal security team that conducts security - audits on the company's products and services. - - - The company commissions third-party security audits on its products - and services. - - The company ensures that third parties who process data on behalf of the company - implement the required technical and organizational measures to protect user data. - procedures: - - >- - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. -readinessFlag: '1' diff --git a/evaluations/security/vulnerability-disclosure-program.yaml b/evaluations/security/vulnerability-disclosure-program.yaml deleted file mode 100644 index c673e90..0000000 --- a/evaluations/security/vulnerability-disclosure-program.yaml +++ /dev/null @@ -1,24 +0,0 @@ -testName: |+ - Vulnerability disclosure program - -criterias: - - criteriaName: |+ - The company is willing and able to address reports of vulnerabilities. - - indicators: - - indicator: >+ - The company has a mechanism (ex: a bug bounty program) through which security researchers can - submit vulnerabilities they discover. - - The company discloses the timeframe in which it will review reports of - vulnerabilities. - - The company commits not to pursue legal action against security - researchers. - - procedures: - - >+ - Investigation and analysis of publicly available documentation to - determine what the company clearly discloses. - -readinessFlag: '1'