describe privacy considerations, if any about microdata HOT 4 CLOSED

The specification can make data, including high-value or PII data, more explicit, for improved harvesting. It doesn't distinguish first- or third-party or anonymous use: the data is ordinarily laid open to the Web. But it doesn't have special access to any data, and cannot expose anything not already available to the origin.

It is possible to use the explicit nature of microdata to adjust a DOM, serialise it, and record detailed information, however this does not open any new attack surface as far as I can tell.

from microdata.

There is a proposed privacy section

from microdata.

also, from https://www.w3.org/wiki/Privacy/Privacy_Considerations

• can the information be used (alone or in combination with other APIs / sources of information) to fingerprint a device or user? No more than already so.
• can a user access the information she created? Only by adding interactivity to create stuff.
• can a user record that information locally? Depends if the application allows that
• am I able to have actions on this personal record? Depends ditto
• can a user block partly or totally the record of the information? Other than automatically available info, yes
• can a user fake it? (think about fuzzy geolocation or voluntary fake location) Probably some, but not automatic info
• Is the data personally-derived, i.e. derived from the interaction of a single person, or their device or address? (If so, even if anonymous, it might be re-correlated) Probably, but depends on the application
• Does the data record contain elements that would help such re-correlation? (examples include an IP address, and so on) Depends on the application
• What other data could this record be correlated with? (e.g. the ISP) Any
• If you had large amounts of this data about one person, what conclusions would it enable you to draw? (e.g. maybe you could estimate location from many ambient light events by estimating latitude and longitude from the times of sunrise and sunset) Nothing special based on this spec.
• Is the user likely to know if information is being collected? Only from best practice applications
• How visible is its collection and or use? Depends on the application
• Does the user get feedback on the patterns that the information could reveal (at any instant, over time) so she can adjust her behaviours? No
• if a background event about the device is fired in all browsing contexts, does it allow correlation of a user across contexts? Not sure
• can code on a page send signals that can be received by device sensors on nearby devices? Nothin in the spec makes that easier

from microdata.

Help wanted:
If a background event about the device is fired in all browsing contexts, does it allow correlation of a user across contexts?

from microdata.