[wp-trac] [WordPress Trac] #51092: Create a JSON schema for Privacy and Other Related Disclosures
WordPress Trac
noreply at wordpress.org
Fri Aug 21 14:38:24 UTC 2020
#51092: Create a JSON schema for Privacy and Other Related Disclosures
----------------------------------+--------------------------------
Reporter: carike | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: 5.6
Component: Privacy | Version: trunk
Severity: normal | Resolution:
Keywords: needs-privacy-review | Focuses: rest-api, privacy
----------------------------------+--------------------------------
Description changed by carike:
Old description:
> **Background:**
>
> The Disclosures Tab is an initiative that is underway in the Core Privacy
> Team.
> The aim is to help site owners / admins better understand what
> information their site (plugins, themes and Core) collects, where the
> information is stored and where it is sent - and in particular, who it is
> shared with.
> We hope to help site owners / admins make more informed privacy choices
> (e.g. when choosing which plugin to install) and to better understand
> their risk profile when it comes to privacy.
> For the most part, the actual "controlling" is planned for a sibling
> plugin, the Permissions Tab, which is not currently intended to be merged
> into Core, as this will contain more advanced settings.
> You can read more about the various privacy initiatives here:
> https://make.wordpress.org/core/2020/08/19/minutes-core-privacy-
> meeting-19-august-2020/
>
> **The Challenge:**
>
> Free-form disclosures in the readme.txt would create a lot of additional
> work for the plugins review team.
> Moreover, it makes it near impossible to compare across plugins, or to
> use the information in any sort of automated process.
> The Disclosures Tab seeks to standardize the way that plugin, theme
> authors and Core can disclose privacy and other related concerns to site
> owners / admins, by creating quasi-"headers" and limiting the acceptable
> values for each.
>
> **The Solution:**
>
> Timothy suggested that each plugin could have a privacy.json file, which
> could then be read by Core (and Meta) using relatively simple REST API
> functionality.
> As all items are not strictly privacy related, the file will be called
> disclosures.json instead.
>
> This ticket proposes a JSON schema. Future tickets will deal with the
> validation and the display respectively.
> In its current form, the JSON schema does not set any fields as
> "required".
> As URLs are not one of the six data types accepted by JSON, these types
> have been set as "string"s. However, in the ticket to follow this one,
> the validation of the schema should include appropriate validation of the
> URLs.
>
> {{{#!php
> <?php
> {
> "$schema": "https://core.trac.wordpress.org/to.be.filled.in.later",
> "$id":
> "https://example.com/to.be.filled.in.later.disclosures.tab.json",
> "description": "The vision of the Disclosures Tab is for site
> administrators to understand their site's privacy risk profile and to
> make more informed privacy-related choices as a result. The mission of
> the Disclosures Tab is to help site administrators understand what
> information their site collects, where it is stored and where it is sent
> - and in particular, with whom it is shared.",
> "type": "object",
> "properties": {
> "identification": {
> "type": "object",
> "properties": {
> "component": {
> "description": "Please enter one of the following values:
> plugin, theme, Core",
> "type": "string"
> },
> "slug": {
> "description": "Please supply the slug, if the code
> relates to a plugin or a theme.",
> "type": "string"
> }
> }
> },
> "externalNetworkCalls": {
> "description": "Please enter a comma-separated list of URLs
> containing the links to the Privacy Policies of the sites to which the
> external calls are being made.",
> "type": "object",
> "properties": {
> "PHP": {
> "type": "string"
> },
> "JavaScript": {
> "type": "string"
> },
> "CSS": {
> "type": "string"
> }
> }
> },
> "ThirdPartyConditions": {
> "type": "object"
> "properties": {
> "SaaS": {
> "description": "Please provide a comma-separated list of
> URLs to the Terms of Service of any instances of Software as a Service.",
> "type": "string"
> },
> "ExternalAPICalls": {
> "description": "Please provide a comma-separated list of
> URLs to the Terms of Service of any external API being used.",
> "type": "string"
> },
> "RemoteAssets": {
> "description": "Please provide a comma-separated list of
> URLs to the license that applies to the use of each remote asset. This
> relates to the use of CDNs for images, fonts, etc.",
> "type": "string"
> }
> }
> },
> "APIEndpoints": {
> "description": "Please provide a comma-separated list of URLs
> for any internal API endpoints that are created by the code using
> example.com as the domain.",
> "type": "string"
> },
> "LocalAssetLicenses": {
> "description": "Please provide a comma-separated list of URLs to
> the license that applies to the use of each asset that has been included
> locally. This includes the license of the code, as well as the licenses
> of any images, fonts, etc.",
> "type": "string"
> },
> "clientSideStorage": {
> "type": "object",
> "properties": {
> "setsCookiesInPHP": {
> "description": "Please provide the names of any cookies
> that have been set using PHP.",
> "type": "string"
> },
> "setsCookiesUsingJavaScript": {
> "description": "Please provide the names of any cookies
> that have been set using JavaScript.",
> "type": "string"
> },
> "usesLocalStorage": {
> "description": "Please indicate whether the code makes use
> of local storage.",
> "type": "string"
> }
> }
> },
> "DatabaseManagement": {
> "type": "object",
> "properties": {
> "WritesToDB": {
> "description": "Please indicate TRUE / FALSE to whether
> the code writes any data to the database.",
> "type": "boolean"
> },
> "CreatesCustomPostTypes": {
> "description": "Please indicate TRUE / FALSE as to whether
> the code creates any Custom Post Types",
> "type": "boolean"
> },
> "CreatesCustomTables": {
> "description": "Please indicate TRUE / FALSE as to whether
> the code creates any custom tables in the database.",
> "type": "boolean"
> }
> }
> },
> "StoresPPI": {
> "description": "Please indicate TRUE / FALSE as to whether the
> code stores any Protected Personal Information.",
> "type": "boolean"
> },
> "CompatibilityWithPrivacyTools": {
> "type": "object",
> "properties": {
> "PPIExport": {
> "description": "Do you as a developer consider the code to
> be compatible with the PPI Export Tool in WordPress?",
> "type": "boolean"
> },
> "PPIErasure": {
> "description": "Do you as a developer consider the code to
> be compatible with the PPI Erasure Tool in WordPress?",
> "type": "boolean"
> },
> "ConsentAPI": {
> "description": "Do you as a developer consider the code to
> be compatible with the WordPress Consent API?",
> "type": "boolean"
> },
> "DisclosuresTab": {
> "description": "Do you as a developer consider the code to
> be compatible with the Disclosure Tab?",
> "type": "boolean"
> },
> "PermissionsTab": {
> "description": "Do you as a developer consider the code to
> be compatible with the Permissions Tab?",
> "type": "boolean"
> }
> }
> },
> "MonetizationPractices": {
> "type": "object",
> "properties": {
> "UpsellingInWPAdmin": {
> "description": "Does this code promote a paid version, or
> extensions, or other products or services from the same author(s)?",
> "type": "boolean"
> },
> "AsksForBackLinks": {
> "description": "Does this code contain or generate, or ask
> the site owner / admin for permission to generate, backlinks?",
> "type": "boolean"
> },
> "AffiliateLinks": {
> "description": "Does this code contain, or generate
> affiliate links - i.e. links from which the author may receive
> conditional compensation, whether in money, or in kind?",
> "type": "boolean"
> },
> "PaidPromotion": {
> "description": "Does the code contain, or generate
> promotions or recommendations for any products or services not directly
> under the control of the author(s), for which the author(s) receive any
> compensation, whether in money, or in kind?",
> "type": "boolean"
> }
> }
> }
New description:
**Background:**
The Disclosures Tab is an initiative that is underway in the Core Privacy
Team.
The aim is to help site owners / admins better understand what information
their site (plugins, themes and Core) collects, where the information is
stored and where it is sent - and in particular, who it is shared with.
We hope to help site owners / admins make more informed privacy choices
(e.g. when choosing which plugin to install) and to better understand
their risk profile when it comes to privacy.
For the most part, the actual "controlling" is planned for a sibling
plugin, the Permissions Tab, which is not currently intended to be merged
into Core, as this will contain more advanced settings.
You can read more about the various privacy initiatives here:
https://make.wordpress.org/core/2020/08/19/minutes-core-privacy-
meeting-19-august-2020/
**The Challenge:**
Free-form disclosures in the readme.txt would create a lot of additional
work for the plugins review team.
Moreover, it makes it near impossible to compare across plugins, or to use
the information in any sort of automated process.
The Disclosures Tab seeks to standardize the way that plugin, theme
authors and Core can disclose privacy and other related concerns to site
owners / admins, by creating quasi-"headers" and limiting the acceptable
values for each.
**The Solution:**
Timothy suggested that each plugin could have a privacy.json file, which
could then be read by Core (and Meta) using relatively simple REST API
functionality.
As all items are not strictly privacy related, the file will be called
disclosures.json instead.
This ticket proposes a JSON schema. Future tickets will deal with the
validation and the display respectively.
In its current form, the JSON schema does not set any fields as
"required".
As URLs are not one of the six data types accepted by JSON, these types
have been set as "string"s. However, in the ticket to follow this one, the
validation of the schema should include appropriate validation of the
URLs.
Further tickets should include ones to update WP-CLI and WordPress.org to
make the strings translatable. Thanks to Swissspidy for the comment below!
{{{#!php
<?php
{
"$schema": "https://core.trac.wordpress.org/ticket/51092",
"$id": "https://example.com/to.be.filled.in.later.disclosures.json",
"description": "The vision of the Disclosures Tab is for site
administrators to understand their site's privacy risk profile and to make
more informed privacy-related choices as a result. The mission of the
Disclosures Tab is to help site administrators understand what information
their site collects, where it is stored and where it is sent - and in
particular, with whom it is shared.",
"type": "object",
"properties": {
"identification": {
"type": "object",
"properties": {
"component": {
"description": "Please enter one of the following values:
plugin, theme, Core",
"type": "string"
},
"slug": {
"description": "Please supply the slug, if the code relates
to a plugin or a theme.",
"type": "string"
}
}
},
"Licensing": {
"type": "object",
"properties": {
"componentCode": {
"description": "Please provide a URL to the license that
applies to the use of this component (plugin, theme, or Core component)'s
use.",
"type": "string"
},
"localAssets": {
"description": "Please provide a comma-separated list of
URLs to the license that applies to the use of each asset that has been
included locally. This includes the license of any bundled libraries, as
well as the licenses of any images, fonts, etc.",
"type": "string"
},
"remoteAssets": {
"description": "Please provide a comma-separated list of
URLs to the license that applies to the use of each asset that is accessed
remotely. This includes the licenses of any external libraries, as well as
the licenses of any images, fonts, etc.",
"type": "string"
}
}
},
"externalNetworkCalls": {
"description": "Please enter a comma-separated list of URLs
containing the links to the Privacy Policies of the sites to which the
external calls are being made.",
"type": "object",
"properties": {
"PHP": {
"type": "string"
},
"JavaScript": {
"type": "string"
},
"CSS": {
"type": "string"
}
}
},
"ThirdPartyTerms": {
"type": "object"
"properties": {
"SaaS": {
"description": "Please provide a comma-separated list of
URLs to the Terms of Service of any instances of Software as a Service.",
"type": "string"
},
"ExternalAPICalls": {
"description": "Please provide a comma-separated list of
URLs to the Terms of Service of any external API being used.",
"type": "string"
},
"RemoteAssets": {
"description": "Please provide a comma-separated list of
URLs to the Terms of Service that applies to the use of each remote asset.
This relates to the use of CDNs for images, fonts, etc.",
"type": "string"
},
"requiresRegistration": {
"description": "Please provide a comma-separated list of
URLs to the Terms of Service that apply to any accounts that need to be
registered in order to be able to make use of this component's code.",
"type": "string"
}
}
},
"APIEndpoints": {
"description": "Please provide a comma-separated list of URLs for
any internal API endpoints that are created by the code using example.com
as the domain.",
"type": "string"
},
"clientSideStorage": {
"type": "object",
"properties": {
"setsCookiesInPHP": {
"description": "Please provide the names of any cookies
that have been set using PHP.",
"type": "string"
},
"setsCookiesUsingJavaScript": {
"description": "Please provide the names of any cookies
that have been set using JavaScript.",
"type": "string"
},
"usesLocalStorage": {
"description": "Please indicate whether the code makes use
of local storage.",
"type": "string"
}
}
},
"DatabaseManagement": {
"type": "object",
"properties": {
"WritesToDB": {
"description": "Please indicate TRUE / FALSE to whether the
code writes any data to the database.",
"type": "boolean"
},
"CreatesCustomPostTypes": {
"description": "Please indicate TRUE / FALSE as to whether
the code creates any Custom Post Types",
"type": "boolean"
},
"CreatesCustomTables": {
"description": "Please indicate TRUE / FALSE as to whether
the code creates any custom tables in the database.",
"type": "boolean"
}
}
},
"StoresPPI": {
"description": "Please indicate TRUE / FALSE as to whether the
code stores any Protected Personal Information.",
"type": "boolean"
},
"CompatibilityWithPrivacyTools": {
"type": "object",
"properties": {
"PPIExport": {
"description": "Do you as a developer consider the code to
be compatible with the PPI Export Tool in WordPress?",
"type": "boolean"
},
"PPIErasure": {
"description": "Do you as a developer consider the code to
be compatible with the PPI Erasure Tool in WordPress?",
"type": "boolean"
},
"ConsentAPI": {
"description": "Do you as a developer consider the code to
be compatible with the WordPress Consent API?",
"type": "boolean"
},
"DisclosuresTab": {
"description": "Do you as a developer consider the code to
be compatible with the Disclosure Tab?",
"type": "boolean"
},
"PermissionsTab": {
"description": "Do you as a developer consider the code to
be compatible with the Permissions Tab?",
"type": "boolean"
}
}
},
"MonetizationPractices": {
"type": "object",
"properties": {
"UpsellingInWPAdmin": {
"description": "Does this code promote a paid version, or
extensions, or other products or services from the same author(s)?",
"type": "boolean"
},
"AsksForBackLinks": {
"description": "Does this code contain or generate, or ask
the site owner / admin for permission to generate, backlinks?",
"type": "boolean"
},
"AffiliateLinks": {
"description": "Does this code contain, or generate
affiliate links - i.e. links from which the author may receive conditional
compensation, whether in money, or in kind?",
"type": "boolean"
},
"PaidPromotion": {
"description": "Does the code contain, or generate
promotions or recommendations for any products or services not directly
under the control of the author(s), for which the author(s) receive any
compensation, whether in money, or in kind?",
"type": "boolean"
}
}
}
--
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51092#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list