Update DPG privacy requirements

[gfanti]

We (@GeetikaGopi, @amad-person, @omkhar, @gfanti) are a team of researchers from Carnegie Mellon University and OpenSSF. In our recent study to appear at SOUPS 2024, we have found that a significant fraction of DPGs respond to question 9(a) on privacy with responses that are incomplete or misleading (more details in the paper). For example, we find that the level of detail that many DPGs provide in response to 9(a) is insufficient to understand much about their privacy posture. This can make it challenging to understand if PII is being handled properly. We would hence like to discuss the possibility of updating the privacy requirements for being classified as a DPG.

Starting point: A proposed solution
It may not be scalable or feasible for the DPGA to meaningfully evaluate the privacy posture of DPGs, given that many DPGs consist of large and complex codebases. In our paper (Section 6.2.1), we propose an alternative architecture for privacy evaluation of DPGs. Roughly, the proposed process would proceed as follows:

1. DPGs would complete and submit a standardized privacy assessment developed by an external body; for example, privacy impact assessments (PIAs) are widely used.
2. DPGs could either complete this assessment on their own (self-attestation) or submit a certified assessment from third parties approved by the DPGA (e.g., many consulting firms routinely conduct PIAs today).
3. DPGs would submit the documentation of their privacy assessment along with their DPG application.
4. The DPGA would not evaluate the quality of the privacy assessment, beyond ensuring a good-faith response—it would simply post the assessment information on the DPGA website, along with the remaining DPG standard responses.
5. Adopters would evaluate themselves whether a DPG meets their privacy requirements; the privacy assessment would give them a summary from which they can make an initial assessment.

We believe this process has a few desirable properties:

• It provides adopters with a more nuanced evaluation of DPGs’ privacy postures, compared to the current responses to 9(a).
• It does not require the DPGA to decide what privacy features are important.
• It does not require the DPGA to evaluate DPGs’ privacy postures.
• It makes use of existing, widely-adopted privacy evaluation tools and ecosystems.

This is of course not the only possible process, and as always, there are tradeoffs. We would be happy to discuss this issue (both the underlying problem and potential solutions) further.

[jstclair2019]

+1 @gfanti I wholeheartedly endorse this proposal. I agree with the proposed steps in the interim but ultimately harmonize the DPGA to specify common privacy controls.

[gfanti]

Thank you for your consideration! May we ask if there has been any further discussion on these points?

[AmreenTaneja]

Hi @GeetikaGopi, @amad-person, @omkhar @gfanti Reposting this here as the comment seems to be hidden due to some technical issues in the previous profile, Please refer to this report that has been recently published noting the latest Privacy related updates to the DPG Standard. In addition to this, the DPG Standard privacy expert group is also working on creating an annex to the DPG Standard with privacy best practices that DPGs will be highly encouraged to follow. : chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.digitalpublicgoods.net/dpg-privacy-report

[gfanti]

Thanks for letting us know, @AmreenTaneja ! Excited to see the updates. By the way, is there a typo in the question for Recommendation 4? The question seems to be the same as the one for Recommendation 5, is that intentional?

[AmreenTaneja]

Hi @gfanti Its not a typo, we have tried to address how the questions prepared for the DPG applicants meet the criteria for these recommendations, hence they have been repeated where they fulfil the particular requirement of the principle- for eg. "Is your solution designed with any mechanisms to delete the PII data?” addresses both recommendations 4 and 5- we have explained how it does so, under the 'purpose' section. Thanks