[wp-trac] [WordPress Trac] #51092: Create a JSON schema for Privacy and Other Related Disclosures

WordPress Trac noreply at wordpress.org
Fri Aug 21 14:38:24 UTC 2020


#51092: Create a JSON schema for Privacy and Other Related Disclosures
----------------------------------+--------------------------------
 Reporter:  carike                |       Owner:  (none)
     Type:  enhancement           |      Status:  new
 Priority:  normal                |   Milestone:  5.6
Component:  Privacy               |     Version:  trunk
 Severity:  normal                |  Resolution:
 Keywords:  needs-privacy-review  |     Focuses:  rest-api, privacy
----------------------------------+--------------------------------
Description changed by carike:

Old description:

> **Background:**
>
> The Disclosures Tab is an initiative that is underway in the Core Privacy
> Team.
> The aim is to help site owners / admins better understand what
> information their site (plugins, themes and Core) collects, where the
> information is stored and where it is sent - and in particular, who it is
> shared with.
> We hope to help site owners / admins make more informed privacy choices
> (e.g. when choosing which plugin to install) and to better understand
> their risk profile when it comes to privacy.
> For the most part, the actual "controlling" is planned for a sibling
> plugin, the Permissions Tab, which is not currently intended to be merged
> into Core, as this will contain more advanced settings.
> You can read more about the various privacy initiatives here:
> https://make.wordpress.org/core/2020/08/19/minutes-core-privacy-
> meeting-19-august-2020/
>
> **The Challenge:**
>
> Free-form disclosures in the readme.txt would create a lot of additional
> work for the plugins review team.
> Moreover, it makes it near impossible to compare across plugins, or to
> use the information in any sort of automated process.
> The Disclosures Tab seeks to standardize the way that plugin, theme
> authors and Core can disclose privacy and other related concerns to site
> owners / admins, by creating quasi-"headers" and limiting the acceptable
> values for each.
>
> **The Solution:**
>
> Timothy suggested that each plugin could have a privacy.json file, which
> could then be read by Core (and Meta) using relatively simple REST API
> functionality.
> As all items are not strictly privacy related, the file will be called
> disclosures.json instead.
>
> This ticket proposes a JSON schema. Future tickets will deal with the
> validation and the display respectively.
> In its current form, the JSON schema does not set any fields as
> "required".
> As URLs are not one of the six data types accepted by JSON, these types
> have been set as "string"s. However, in the ticket to follow this one,
> the validation of the schema should include appropriate validation of the
> URLs.
>
> {{{#!php
> <?php
> {
>    "$schema": "https://core.trac.wordpress.org/to.be.filled.in.later",
>    "$id":
> "https://example.com/to.be.filled.in.later.disclosures.tab.json",
>    "description": "The vision of the Disclosures Tab is for site
> administrators to understand their site's privacy risk profile and to
> make more informed privacy-related choices as a result. The mission of
> the Disclosures Tab is to help site administrators understand what
> information their site collects, where it is stored and where it is sent
> - and in particular, with whom it is shared.",
>    "type": "object",
>    "properties": {
>       "identification": {
>          "type": "object",
>          "properties": {
>             "component": {
>                "description": "Please enter one of the following values:
> plugin, theme, Core",
>                "type": "string"
>             },
>             "slug": {
>                "description": "Please supply the slug, if the code
> relates to a plugin or a theme.",
>                "type": "string"
>             }
>          }
>       },
>       "externalNetworkCalls": {
>          "description": "Please enter a comma-separated list of URLs
> containing the links to the Privacy Policies of the sites to which the
> external calls are being made.",
>          "type": "object",
>          "properties": {
>             "PHP": {
>                "type": "string"
>             },
>             "JavaScript": {
>                "type": "string"
>             },
>             "CSS": {
>                "type": "string"
>             }
>          }
>       },
>       "ThirdPartyConditions": {
>          "type": "object"
>          "properties": {
>             "SaaS": {
>                "description": "Please provide a comma-separated list of
> URLs to the Terms of Service of any instances of Software as a Service.",
>                "type": "string"
>             },
>             "ExternalAPICalls": {
>                "description": "Please provide a comma-separated list of
> URLs to the Terms of Service of any external API being used.",
>                "type": "string"
>             },
>             "RemoteAssets": {
>                "description": "Please provide a comma-separated list of
> URLs to the license that applies to the use of each remote asset. This
> relates to the use of CDNs for images, fonts, etc.",
>                "type": "string"
>             }
>          }
>       },
>       "APIEndpoints": {
>          "description": "Please provide a comma-separated list of URLs
> for any internal API endpoints that are created by the code using
> example.com as the domain.",
>          "type": "string"
>       },
>       "LocalAssetLicenses": {
>          "description": "Please provide a comma-separated list of URLs to
> the license that applies to the use of each asset that has been included
> locally. This includes the license of the code, as well as the licenses
> of any images, fonts, etc.",
>          "type": "string"
>       },
>       "clientSideStorage": {
>          "type": "object",
>          "properties": {
>             "setsCookiesInPHP": {
>                "description": "Please provide the names of any cookies
> that have been set using PHP.",
>                "type": "string"
>             },
>             "setsCookiesUsingJavaScript": {
>                "description": "Please provide the names of any cookies
> that have been set using JavaScript.",
>                "type": "string"
>             },
>             "usesLocalStorage": {
>                "description": "Please indicate whether the code makes use
> of local storage.",
>                "type": "string"
>             }
>          }
>       },
>       "DatabaseManagement": {
>          "type": "object",
>          "properties": {
>             "WritesToDB": {
>                "description": "Please indicate TRUE / FALSE to whether
> the code writes any data to the database.",
>                "type": "boolean"
>             },
>             "CreatesCustomPostTypes": {
>                "description": "Please indicate TRUE / FALSE as to whether
> the code creates any Custom Post Types",
>                "type": "boolean"
>             },
>             "CreatesCustomTables": {
>                "description": "Please indicate TRUE / FALSE as to whether
> the code creates any custom tables in the database.",
>                "type": "boolean"
>             }
>          }
>       },
>       "StoresPPI": {
>          "description": "Please indicate TRUE / FALSE as to whether the
> code stores any Protected Personal Information.",
>          "type": "boolean"
>       },
>       "CompatibilityWithPrivacyTools": {
>          "type": "object",
>          "properties": {
>             "PPIExport": {
>                "description": "Do you as a developer consider the code to
> be compatible with the PPI Export Tool in WordPress?",
>                "type": "boolean"
>             },
>             "PPIErasure": {
>                "description": "Do you as a developer consider the code to
> be compatible with the PPI Erasure Tool in WordPress?",
>                "type": "boolean"
>             },
>             "ConsentAPI": {
>                "description": "Do you as a developer consider the code to
> be compatible with the WordPress Consent API?",
>                "type": "boolean"
>             },
>             "DisclosuresTab": {
>                "description": "Do you as a developer consider the code to
> be compatible with the Disclosure Tab?",
>                "type": "boolean"
>             },
>             "PermissionsTab": {
>                "description": "Do you as a developer consider the code to
> be compatible with the Permissions Tab?",
>                "type": "boolean"
>             }
>          }
>       },
>       "MonetizationPractices": {
>          "type": "object",
>          "properties": {
>             "UpsellingInWPAdmin": {
>                "description": "Does this code promote a paid version, or
> extensions, or other products or services from the same author(s)?",
>                "type": "boolean"
>             },
>             "AsksForBackLinks": {
>                "description": "Does this code contain or generate, or ask
> the site owner / admin for permission to generate, backlinks?",
>                "type": "boolean"
>             },
>             "AffiliateLinks": {
>                "description": "Does this code contain, or generate
> affiliate links - i.e. links from which the author may receive
> conditional compensation, whether in money, or in kind?",
>                "type": "boolean"
>             },
>             "PaidPromotion": {
>                "description": "Does the code contain, or generate
> promotions or recommendations for any products or services not directly
> under the control of the author(s), for which the author(s) receive any
> compensation, whether in money, or in kind?",
>                "type": "boolean"
>             }
>          }
>       }

New description:

 **Background:**

 The Disclosures Tab is an initiative that is underway in the Core Privacy
 Team.
 The aim is to help site owners / admins better understand what information
 their site (plugins, themes and Core) collects, where the information is
 stored and where it is sent - and in particular, who it is shared with.
 We hope to help site owners / admins make more informed privacy choices
 (e.g. when choosing which plugin to install) and to better understand
 their risk profile when it comes to privacy.
 For the most part, the actual "controlling" is planned for a sibling
 plugin, the Permissions Tab, which is not currently intended to be merged
 into Core, as this will contain more advanced settings.
 You can read more about the various privacy initiatives here:
 https://make.wordpress.org/core/2020/08/19/minutes-core-privacy-
 meeting-19-august-2020/

 **The Challenge:**

 Free-form disclosures in the readme.txt would create a lot of additional
 work for the plugins review team.
 Moreover, it makes it near impossible to compare across plugins, or to use
 the information in any sort of automated process.
 The Disclosures Tab seeks to standardize the way that plugin, theme
 authors and Core can disclose privacy and other related concerns to site
 owners / admins, by creating quasi-"headers" and limiting the acceptable
 values for each.

 **The Solution:**

 Timothy suggested that each plugin could have a privacy.json file, which
 could then be read by Core (and Meta) using relatively simple REST API
 functionality.
 As all items are not strictly privacy related, the file will be called
 disclosures.json instead.

 This ticket proposes a JSON schema. Future tickets will deal with the
 validation and the display respectively.
 In its current form, the JSON schema does not set any fields as
 "required".
 As URLs are not one of the six data types accepted by JSON, these types
 have been set as "string"s. However, in the ticket to follow this one, the
 validation of the schema should include appropriate validation of the
 URLs.
 Further tickets should include ones to update WP-CLI and WordPress.org to
 make the strings translatable. Thanks to Swissspidy for the comment below!

 {{{#!php
 <?php
 {
    "$schema": "https://core.trac.wordpress.org/ticket/51092",
    "$id": "https://example.com/to.be.filled.in.later.disclosures.json",
    "description": "The vision of the Disclosures Tab is for site
 administrators to understand their site's privacy risk profile and to make
 more informed privacy-related choices as a result. The mission of the
 Disclosures Tab is to help site administrators understand what information
 their site collects, where it is stored and where it is sent - and in
 particular, with whom it is shared.",
    "type": "object",
    "properties": {
       "identification": {
          "type": "object",
          "properties": {
             "component": {
                "description": "Please enter one of the following values:
 plugin, theme, Core",
                "type": "string"
             },
             "slug": {
                "description": "Please supply the slug, if the code relates
 to a plugin or a theme.",
                "type": "string"
             }
          }
       },
       "Licensing": {
          "type": "object",
          "properties": {
             "componentCode": {
                "description": "Please provide a URL to the license that
 applies to the use of this component (plugin, theme, or Core component)'s
 use.",
                "type": "string"
             },
             "localAssets": {
                "description": "Please provide a comma-separated list of
 URLs to the license that applies to the use of each asset that has been
 included locally. This includes the license of any bundled libraries, as
 well as the licenses of any images, fonts, etc.",
                "type": "string"
             },
             "remoteAssets": {
                "description": "Please provide a comma-separated list of
 URLs to the license that applies to the use of each asset that is accessed
 remotely. This includes the licenses of any external libraries, as well as
 the licenses of any images, fonts, etc.",
                "type": "string"
             }
          }
       },
       "externalNetworkCalls": {
          "description": "Please enter a comma-separated list of URLs
 containing the links to the Privacy Policies of the sites to which the
 external calls are being made.",
          "type": "object",
          "properties": {
             "PHP": {
                "type": "string"
             },
             "JavaScript": {
                "type": "string"
             },
             "CSS": {
                "type": "string"
             }
          }
       },
       "ThirdPartyTerms": {
          "type": "object"
          "properties": {
             "SaaS": {
                "description": "Please provide a comma-separated list of
 URLs to the Terms of Service of any instances of Software as a Service.",
                "type": "string"
             },
             "ExternalAPICalls": {
                "description": "Please provide a comma-separated list of
 URLs to the Terms of Service of any external API being used.",
                "type": "string"
             },
             "RemoteAssets": {
                "description": "Please provide a comma-separated list of
 URLs to the Terms of Service that applies to the use of each remote asset.
 This relates to the use of CDNs for images, fonts, etc.",
                "type": "string"
             },
             "requiresRegistration": {
                "description": "Please provide a comma-separated list of
 URLs to the Terms of Service that apply to any accounts that need to be
 registered in order to be able to make use of this component's code.",
                "type": "string"
             }
          }
       },
       "APIEndpoints": {
          "description": "Please provide a comma-separated list of URLs for
 any internal API endpoints that are created by the code using example.com
 as the domain.",
          "type": "string"
       },
       "clientSideStorage": {
          "type": "object",
          "properties": {
             "setsCookiesInPHP": {
                "description": "Please provide the names of any cookies
 that have been set using PHP.",
                "type": "string"
             },
             "setsCookiesUsingJavaScript": {
                "description": "Please provide the names of any cookies
 that have been set using JavaScript.",
                "type": "string"
             },
             "usesLocalStorage": {
                "description": "Please indicate whether the code makes use
 of local storage.",
                "type": "string"
             }
          }
       },
       "DatabaseManagement": {
          "type": "object",
          "properties": {
             "WritesToDB": {
                "description": "Please indicate TRUE / FALSE to whether the
 code writes any data to the database.",
                "type": "boolean"
             },
             "CreatesCustomPostTypes": {
                "description": "Please indicate TRUE / FALSE as to whether
 the code creates any Custom Post Types",
                "type": "boolean"
             },
             "CreatesCustomTables": {
                "description": "Please indicate TRUE / FALSE as to whether
 the code creates any custom tables in the database.",
                "type": "boolean"
             }
          }
       },
       "StoresPPI": {
          "description": "Please indicate TRUE / FALSE as to whether the
 code stores any Protected Personal Information.",
          "type": "boolean"
       },
       "CompatibilityWithPrivacyTools": {
          "type": "object",
          "properties": {
             "PPIExport": {
                "description": "Do you as a developer consider the code to
 be compatible with the PPI Export Tool in WordPress?",
                "type": "boolean"
             },
             "PPIErasure": {
                "description": "Do you as a developer consider the code to
 be compatible with the PPI Erasure Tool in WordPress?",
                "type": "boolean"
             },
             "ConsentAPI": {
                "description": "Do you as a developer consider the code to
 be compatible with the WordPress Consent API?",
                "type": "boolean"
             },
             "DisclosuresTab": {
                "description": "Do you as a developer consider the code to
 be compatible with the Disclosure Tab?",
                "type": "boolean"
             },
             "PermissionsTab": {
                "description": "Do you as a developer consider the code to
 be compatible with the Permissions Tab?",
                "type": "boolean"
             }
          }
       },
       "MonetizationPractices": {
          "type": "object",
          "properties": {
             "UpsellingInWPAdmin": {
                "description": "Does this code promote a paid version, or
 extensions, or other products or services from the same author(s)?",
                "type": "boolean"
             },
             "AsksForBackLinks": {
                "description": "Does this code contain or generate, or ask
 the site owner / admin for permission to generate, backlinks?",
                "type": "boolean"
             },
             "AffiliateLinks": {
                "description": "Does this code contain, or generate
 affiliate links - i.e. links from which the author may receive conditional
 compensation, whether in money, or in kind?",
                "type": "boolean"
             },
             "PaidPromotion": {
                "description": "Does the code contain, or generate
 promotions or recommendations for any products or services not directly
 under the control of the author(s), for which the author(s) receive any
 compensation, whether in money, or in kind?",
                "type": "boolean"
             }
          }
       }

--

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/51092#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list