SC Shortname: User Information

SC text

User Information: Use known techniques to keep sensitive user information safe that can be used to identify the user or identify that user may have a disability.Warn users of any known risk.

Priority Level

A

Suggestion for Priority Level (A/AA/AAA)

A

Related Glossary additions or changes

harm: Loss of or damage to a person's right, property, or physical or mental well-being. Where it is unclear if something is a damage we consider a test to be that over 80% of random people asked would consider it to be a damage as defined above.

identify the user: Personally identifiable user information is information that may by itself or in conjunction with other information be used to discover the identity of, locate, or contact a specific person

What Principle and Guideline the SC falls within.

Suggested priciple is 2,

and we suggest changing guideline 2.3 from

• Do not design content in a way that is known to cause seizures.

to

• Do not design content in a way that is known to harm users.

Description and Benefits

Don’t store personal information that could be used to harm a user without being very careful to minimise any risk to the user.

Examples: storing information, which suggests a user user has Dementia, may make a target for scams; or storing information, which suggests a user has an intellectual disability, may make a target for predators.

A predatory company could send requests for money, saying “you haven’t made your donation” despite the user having made one.

It is vital that users stay safe.

Another consideration is that many users have weak executive functioning, and are thus less likely to identify risks correctly.

Related Resources (optional)

Issue papers: Online

Also see

• Gap analysis
• User needs table 1
• Background research document

Testability

• Step 1. Identify if user information is being stored. (If no, then pass. If yes, then continue.)
• Step 2. Identify if one of the known techniques are used.
• Step 3. Identify that the risks are available to users in clear language.

Acceptable  outcomes:

No to Step 1
OR
Yes to all three steps.

Techniques

1. For personalization information: Use functional requirements for personalization that do not suggest  users have disablities.
2. Use approved security techniques, in your jurisdiction, for sensitive data.
3. Obtain approval by the Helsinki Committee for Human Rights, which is a an ethics committee used by the European Union.
4. Failure technique to be added: associating a user to a code that is used mainly for people with cognitive disabilities.

Advisory techniques

• Chat options prevent any exchange of personal information.
• Users are regularly warned to avoid scams.
• Getting help, and/or reporting something worrying, is easy-to-do, and includes a statement that users will never be penalized for reporting something.
• An easy-to-use feature is provided for users to report to cyber crime fighters in their jurisdictions.
• Easy-to-use videos and tips with explanations provided about cyber criminals, how to stay safe, and how to report anything found odd.
• Server-side solutions, such as analytics, are employed to find cyber-criminals.
• Advertisements and paid articles are clearly marked, as external content, in an easy-to-understand way.
• Sites offering sexual content, or intended for chats of a sexual nature, state that clearly.

See also

https://www.owasp.org/index.php/Client_Side_Testing

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)