Update DPG privacy requirements #183
Comments
+1 @gfanti I wholeheartedly endorse this proposal. I agree with the proposed steps in the interim but ultimately harmonize the DPGA to specify common privacy controls.
We (@GeetikaGopi, @amad-person, @omkhar, @gfanti) are a team of researchers from Carnegie Mellon University and OpenSSF. In our recent study to appear at SOUPS 2024, we have found that a significant fraction of DPGs respond to question 9(a) on privacy with responses that are incomplete or misleading (more details in the paper). For example, we find that the level of detail that many DPGs provide in response to 9(a) is insufficient to understand much about their privacy posture. This can make it challenging to understand if PII is being handled properly. We would hence like to discuss the possibility of updating the privacy requirements for being classified as a DPG.
Starting point: A proposed solution
It may not be scalable or feasible for the DPGA to meaningfully evaluate the privacy posture of DPGs, given that many DPGs consist of large and complex codebases. In our paper (Section 6.2.1), we propose an alternative architecture for privacy evaluation of DPGs. Roughly, the proposed process would proceed as follows:
We believe this process has a few desirable properties:
This is of course not the only possible process, and as always, there are tradeoffs. We would be happy to discuss this issue (both the underlying problem and potential solutions) further.