From 38e11b156f973247e7be78075e808c2f042329a4 Mon Sep 17 00:00:00 2001 From: stephtngu-CR <68969226+stephtngu-CR@users.noreply.github.com> Date: Tue, 1 Dec 2020 13:38:06 -0500 Subject: [PATCH 01/14] Delete Dark-Patterns.md --- Dark-Patterns.md | 45 --------------------------------------------- 1 file changed, 45 deletions(-) delete mode 100644 Dark-Patterns.md diff --git a/Dark-Patterns.md b/Dark-Patterns.md deleted file mode 100644 index ba0c54c..0000000 --- a/Dark-Patterns.md +++ /dev/null @@ -1,45 +0,0 @@ -# Dark Patterns Privacy Testing Research -**Goal of this document** - * Develop something that can be used along side the Digital Standard - * Develop the pieces that need to exist directly inside the Digital Standard to fully asssess user experience - * Figure out what should be and can be tested with respect to good/bad user design - -**References** - * NCC’s Deception by Design and Every Step You Take reports - * darkpatterns.org - * https://twitter.com/spotthepattern - -### Things we want to measure (re: Privacy) -**What is the default flow for any path-of-least-resistance user?** - * Get people to do it on usertesting.com to see what the norms are - * Explore the space of possibility - * What are the settings and features in question? - * What are the defaults for those settings? - * Which settings explicitly define what they control? - * Which settings give sufficient fidelity on control? - -**How easy is it to choose the privacy friendly option (including account deletion)?** - * Hidden defaults? - * How many clicks does it take to enable? - * Are there even settings to do so? - * Are the buttons the same size, position, color, font? - * Does the UX use buttons too tiny, blocked, or inactive to select, etc.? - * Does the UI fool users into interacting with it? - * Boxes that suddenly appear under your finger - * Are there false notifications or distractions? - -**How easy is it to change defaults before finalizing account creation?** - * Does the user have the ability to tailor their experience based on privacy? - * Is the user interface designed to push the user to prefered use of service rather than explore settings (FB example from over the summer where a notification bubble distracted users from exploring settings) - -**Is the user repeatedly nagged or pressured to make decisions contrary to their privacy?** - * Are there dialogs or prompts that appear repeatedly to ask for contacts, location, etc.? - * Especially onerous when the user has already set a setting to not allow access - * Does the interface imply a sense of timing that is designed to pressure the user into making a quick decision? (aka forced timing) - * Does the user have access to nuanced notification controls? - * Does the site use forced timing or crafted/artificial urgency mechanisms? (i.e., ticket sites) - -**Are there elements of the user interface designed to distract users when they are about to make a choice about their privacy?** - -**Are users clearly notified and able to clearly read instructions and policies that impact their privacy?** - * Are privacy policies presented in a reasonable fashion that you can access later? From db80a9f6bd42262bc4e65e4f7dd08ece22b0d6c9 Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Tue, 1 Dec 2020 13:57:22 -0500 Subject: [PATCH 02/14] Misspelling of "unrecognized" I also see many sentences that have the period at the end and many that don't. Not sure if that needs to be changed to all having periods? --- evaluations/security/authentication.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evaluations/security/authentication.yaml b/evaluations/security/authentication.yaml index 09f639c..a189cae 100644 --- a/evaluations/security/authentication.yaml +++ b/evaluations/security/authentication.yaml @@ -22,7 +22,7 @@ criterias: procedures: - Create an account and look for settings to enable MFA. - - indicator: For products that handle sufficiently sensitive data, users can choose to use multi-factor authentication whenever product is activated, or when a device is unreckognized. + - indicator: For products that handle sufficiently sensitive data, users can choose to use multi-factor authentication whenever product is activated, or when a device is unrecognized. procedures: - Create an account, enable MFA, and try using product multiple times on one device to see if MFA is required each time. - Create an account, enable MFA, and try using product multiple times on different devices to see if MFA is required each time. From 96082026eab040f804519e2999ac47342ea9a80f Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Tue, 1 Dec 2020 14:02:37 -0500 Subject: [PATCH 03/14] Extra double quote. --- evaluations/security/known-exploit-resistance.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evaluations/security/known-exploit-resistance.yaml b/evaluations/security/known-exploit-resistance.yaml index 66e70a0..d36954f 100644 --- a/evaluations/security/known-exploit-resistance.yaml +++ b/evaluations/security/known-exploit-resistance.yaml @@ -62,6 +62,6 @@ criterias: Examine file system, database, and logs to determine if sensitive information is stored in a way that could lead to compromise of user - data." + data. readinessFlag: '2' From dd27a3da79508475c053c7aeab67fd46e09b8001 Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Tue, 1 Dec 2020 14:14:59 -0500 Subject: [PATCH 04/14] Extra line break It looks fine in github but on the website the sentence is broken up into two bullet points. There might be other ways to fix this other than the one I suggest here. --- evaluations/privacy/data-sharing.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/evaluations/privacy/data-sharing.yaml b/evaluations/privacy/data-sharing.yaml index 544c3d6..f99ea69 100644 --- a/evaluations/privacy/data-sharing.yaml +++ b/evaluations/privacy/data-sharing.yaml @@ -3,8 +3,7 @@ criterias: - criteriaName: Data sharing is reasonably scoped and transparent. indicators: - indicator: |- - The company only shares information with third parties as is reasonably necessary to deliver service to - consumers. + The company only shares information with third parties as is reasonably necessary to deliver service to consumers. The company clearly discloses what user information it shares with whom. @@ -24,4 +23,4 @@ criterias: Analyze network traffic to see what third party domains are contacted by the product. -readinessFlag: '1' \ No newline at end of file +readinessFlag: '1' From 0495f4468a23b07b7c350c6ba2fc9c65128ca535 Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Tue, 1 Dec 2020 14:16:38 -0500 Subject: [PATCH 05/14] Extra line break It looks fine in github but on the website the sentence is broken up into two bullet points. There might be other ways to fix this other than the one I suggest here. --- evaluations/privacy/data-use.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/evaluations/privacy/data-use.yaml b/evaluations/privacy/data-use.yaml index 9e823f2..ce25209 100644 --- a/evaluations/privacy/data-use.yaml +++ b/evaluations/privacy/data-use.yaml @@ -3,8 +3,7 @@ criterias: - criteriaName: Data usage is consistent with the context of the relationship with the user and is transparent. indicators: - indicator: |- - The company puts limits on the use of my data that are consistent with the purpose for which the data is - collected. + The company puts limits on the use of my data that are consistent with the purpose for which the data is collected. The company explicitly discloses every way in which it uses my data. From 4e588ba1057c8bf99492ab37281cb627f6fa60ad Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Tue, 1 Dec 2020 14:20:47 -0500 Subject: [PATCH 06/14] deidentified to de-identified Minor change - adding a dash --- evaluations/privacy/data-retention-and-deletion.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evaluations/privacy/data-retention-and-deletion.yaml b/evaluations/privacy/data-retention-and-deletion.yaml index 39a2744..b40a158 100644 --- a/evaluations/privacy/data-retention-and-deletion.yaml +++ b/evaluations/privacy/data-retention-and-deletion.yaml @@ -5,7 +5,7 @@ criterias: indicators: - indicator: >- The company on its own deletes outdated and unnecessary personal - information, or renders that data to be reasonably deidentified. + information, or renders that data to be reasonably de-identified. The company provides specific retention periods for different types of information that are reasonably scoped to get rid of outdated and From 2a4107adcc98863b857368a7a72e477a18cc34d9 Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Tue, 1 Dec 2020 14:26:34 -0500 Subject: [PATCH 07/14] Changed 'other' to 'otherwise'? Does that read better? --- evaluations/privacy/minimal-data-collection.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evaluations/privacy/minimal-data-collection.yaml b/evaluations/privacy/minimal-data-collection.yaml index 05282a7..5519757 100644 --- a/evaluations/privacy/minimal-data-collection.yaml +++ b/evaluations/privacy/minimal-data-collection.yaml @@ -19,7 +19,7 @@ criterias: Decline permissions not relevant to the product's functionality, verify that product is still functional. - indicator: >- - Manufacturer does not discriminate or other provide a lower level of + Manufacturer does not discriminate or otherwise provide a lower level of service if a consumer exercises privacy rights or does not consent to unnecessary secondary data collection or use. procedures: From d220ff03f3bc26835478194938978eec0b00e7a3 Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Tue, 1 Dec 2020 14:41:38 -0500 Subject: [PATCH 08/14] 'third-parties' to 'third parties' No dash when "third party" is used as a noun (I googled it to be sure). --- evaluations/privacy/data-control.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evaluations/privacy/data-control.yaml b/evaluations/privacy/data-control.yaml index 4e71c45..29b84cf 100644 --- a/evaluations/privacy/data-control.yaml +++ b/evaluations/privacy/data-control.yaml @@ -3,7 +3,7 @@ criterias: - criteriaName: I can see and control everything the company knows about me. indicators: - indicator: >- - The definition of 'user information' includes information collected from third-parties. + The definition of 'user information' includes information collected from third parties. Users can control the collection of their information. From e9a8583d0104e2abd69e4f8f38652616959ea8a3 Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Wed, 2 Dec 2020 10:24:39 -0500 Subject: [PATCH 09/14] period after etc Just adding a period after "etc" to keep it consistent with the other instances of etc in the Digital Standard. --- evaluations/security/best-build-practices.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evaluations/security/best-build-practices.yaml b/evaluations/security/best-build-practices.yaml index 92de2a8..dd1e20a 100644 --- a/evaluations/security/best-build-practices.yaml +++ b/evaluations/security/best-build-practices.yaml @@ -52,7 +52,7 @@ criterias: What is the branch density? - How many stack adjusts, function calls, etc are there? + How many stack adjusts, function calls, etc. are there? How complex is the code? From 21803817d243d4e2e16a41d38cf5549fe2da5cf4 Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Wed, 2 Dec 2020 10:29:18 -0500 Subject: [PATCH 10/14] third parties with no dash --- evaluations/security/security-oversight.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evaluations/security/security-oversight.yaml b/evaluations/security/security-oversight.yaml index 6c91120..924f38e 100644 --- a/evaluations/security/security-oversight.yaml +++ b/evaluations/security/security-oversight.yaml @@ -14,7 +14,7 @@ criterias: The company commissions third-party security audits on its products and services. - The company ensures that third-parties who process data on behalf of the company + The company ensures that third parties who process data on behalf of the company implement the required technical and organizational measures to protect user data. procedures: - >- From 156a3ec6399bf3e613bb6a80c3818b62525d5b06 Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Wed, 2 Dec 2020 10:38:24 -0500 Subject: [PATCH 11/14] adding dash to "third party" (adjective) --- evaluations/privacy/data-sharing.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/evaluations/privacy/data-sharing.yaml b/evaluations/privacy/data-sharing.yaml index 544c3d6..61d39d6 100644 --- a/evaluations/privacy/data-sharing.yaml +++ b/evaluations/privacy/data-sharing.yaml @@ -14,14 +14,14 @@ criterias: The company clearly discloses whether it shares user information with government or legal authorities. - Third party domains contacted by the product are named in the privacy policy. + Third-party domains contacted by the product are named in the privacy policy. procedures: - |- Investigation and analysis of publicly available documentation to determine what the company clearly discloses. - Analyze network traffic to see what third party domains are + Analyze network traffic to see what third-party domains are contacted by the product. -readinessFlag: '1' \ No newline at end of file +readinessFlag: '1' From c79650923b6c867d1628c0f1c4071e3f62e8c06b Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Wed, 2 Dec 2020 10:42:45 -0500 Subject: [PATCH 12/14] dash in between "third party" (adjective) --- evaluations/ownership/interoperability.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evaluations/ownership/interoperability.yaml b/evaluations/ownership/interoperability.yaml index ac3c68c..892666f 100644 --- a/evaluations/ownership/interoperability.yaml +++ b/evaluations/ownership/interoperability.yaml @@ -8,7 +8,7 @@ criterias: The manufacturer does not use software, copyright, or other devices to restrict the use of products and services that would otherwise be possible to use with your existing products (e.g., set-top boxes, - third party applications, etc.). + third-party applications, etc.). procedures: - |+ From 272f42a22da9cf5256a2041a714b5f15d954f3ab Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Wed, 2 Dec 2020 10:45:20 -0500 Subject: [PATCH 13/14] space --- .../ownership/process-for-terms-of-service-enforcement.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evaluations/ownership/process-for-terms-of-service-enforcement.yaml b/evaluations/ownership/process-for-terms-of-service-enforcement.yaml index b182dab..84ac73c 100644 --- a/evaluations/ownership/process-for-terms-of-service-enforcement.yaml +++ b/evaluations/ownership/process-for-terms-of-service-enforcement.yaml @@ -2,7 +2,7 @@ testName: Process for terms of service enforcement criterias: - criteriaName: >- I know how, when, and why the company or organization unilaterally closes - user account sand/or restricts access to services. + user accounts and/or restricts access to services. indicators: - indicator: >- The company or organization clearly explains what types of activities From 9e6886419aedb3489baba501b541ae85ca9e3bae Mon Sep 17 00:00:00 2001 From: fgarcia-cr <75324794+fgarcia-cr@users.noreply.github.com> Date: Wed, 2 Dec 2020 10:46:35 -0500 Subject: [PATCH 14/14] no dash between "third parties" (noun) --- .../transparency-about-terms-of-service-enforcement.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evaluations/ownership/transparency-about-terms-of-service-enforcement.yaml b/evaluations/ownership/transparency-about-terms-of-service-enforcement.yaml index 894e9f7..973909a 100644 --- a/evaluations/ownership/transparency-about-terms-of-service-enforcement.yaml +++ b/evaluations/ownership/transparency-about-terms-of-service-enforcement.yaml @@ -15,7 +15,7 @@ criterias: The company or organization publishes data about the number of accounts it restricts or closes as a result of a request from private - third-parties. + third parties. The company or organization clearly discloses that it notifies users