Privacy Considerations: Addressing "unnecessary" usage of the API

Open johannhof opened this issue 5 months ago • 0 comments
This seems to be one of the key Privacy topics we need to address for this API - how can DC protect users against illegitimate and/or unnecessary usage of the API. The spec cites an obvious case of "requesting a driver's license to log into a movie rating website", but we will likely see more nuanced examples going forward.

From what I understand, the definition of illegitimate can often be subject to government regulation. Obviously, this is something that DC implementers should defer to and provide the capabilities to support, and we could bolster the spec to more clearly define this requirement.

Where legitimacy is not clearly regulated, things get more interesting - to what degree can and should a user agent enforce its own protections?

It looks like this has been discussed several times as part of the incubation process, e.g. in #30, #35, #44 and #136. I don't think we can come to an entirely satisfying conclusion in the short term, but we should make an effort to reflect the state of the discussion and make sensible recommendations and requirements that we can agree on.

CC @npdoty @martinthomson @samuelgoto @bvandersloot-mozilla

johannhof, May 22 '25 04:05