From 1113a14d591bc28377f890e6063d898b28ff86c4 Mon Sep 17 00:00:00 2001 From: Nick Doty Date: Tue, 2 Jul 2024 09:13:10 -0400 Subject: [PATCH 1/2] comprehensibility principles: for the interested user and the reviewer --- principles/index.html | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/principles/index.html b/principles/index.html index 98cef09..d1ec96d 100644 --- a/principles/index.html +++ b/principles/index.html @@ -110,14 +110,14 @@

Measurement should not significantly enable inferences about individual peop

Population-level measurement can still be used for inference; this principle only indicates that participation (or non-participation) in the measurement cannot be used to enable an inference about that individual.

-
+

Accountability

Users should be able to investigate how data about them is used and shared.

Users should be able to learn what measurements they may participate in.

Users should be able to learn what level of risk of re-identification or cross-context data-sharing is possible. -
See also: comprehensibility.

+
See also: comprehensibility.

Researchers, regulators and auditors should be able to investigate how a system is used and whether abuse is occurring.
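
Review bot: The "See also: comprehensibility." reference under "Users should be able to learn what level of risk of re-identification or cross-context data-sharing is possible" points at a section that only exists once the next hunk is applied, so the link target should be checked against the new Comprehensibility heading before merging. This item says "re-identification" while the new section's risk list says "identification"; if the same risk is meant, use one term in both places.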

@@ -134,6 +134,25 @@

Researchers, regulators and auditors should be able to investigate how a sys

When abuse happens, there must be a mechanism to identify the abuse, limit further access and enable consequences.

+
+

Comprehensibility

+
+

Users should be able to understand the implications of their participation in advertising systems.

+

Users won't typically understand the mathematical guarantees of differential privacy or related concepts, but should still be able to see the implications of participation, including:

+
    +
  • the capabilities and what different advertising participants may learn about them;
  • +
  • the likely, and unlikely, risks, including identification, disclosure and manipulation;
  • +
  • whom they are trusting to protect their privacy.
  • +
+

Comprehensibility doesn't require that every user understands or has a correct mental model, but that an interested user can reasonably learn and can make informed decisions about participation.

+
+
+

Reviewers, researchers and policymakers should be able to understand the implications of advertising systems on users, websites and advertisers.

+

Unlike even the interested user, reviewers should be able to understand the implications for different users and for the ecosystem generally. This requires explainability of the implications to non-expert but professionally engaged interested observers. +
See also: accountability.

+

+
+
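
Review bot: The "See also: accountability." back-reference is attached only to the reviewers principle at the end of the new section, while the forward reference in Accountability hangs off a user-facing item ("Users should be able to learn what level of risk ..."). Consider adding the back-reference to the user principle as well, or moving it to the section level, so the two cross-references line up. In the list, "the capabilities and what different advertising participants may learn about them" does not say whose capabilities are meant; naming the subject would help the "interested user" this principle is written for.
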
From 4c51a4dfb4188cbb2f09293e8a543b8f8590168d Mon Sep 17 00:00:00 2001 From: Nick Doty Date: Mon, 15 Jul 2024 14:33:57 -0400 Subject: [PATCH 2/2] Apply editorial suggestions from code review Martin's suggestions, with a couple small additional edits Co-authored-by: Martin Thomson --- principles/index.html | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/principles/index.html b/principles/index.html index ed0da4e..2749284 100644 --- a/principles/index.html +++ b/principles/index.html @@ -137,17 +137,17 @@

When abuse happens, there must be a mechanism to identify the abuse, limit f

Comprehensibility

Users should be able to understand the implications of their participation in advertising systems.

-

Users won't typically understand the mathematical guarantees of differential privacy or related concepts, but should still be able to see the implications of participation, including:

+

Users cannot be expected to understand the details of the process by which their privacy is protected, the mathematical guarantees of differential privacy, or similar concepts. However, users should still be able to see the implications of participation, including:

  • the capabilities and what different advertising participants may learn about them;
  • -
  • the likely, and unlikely, risks, including identification, disclosure and manipulation;
  • +
  • the likely, and unlikely, risks, including identification, disclosure and manipulation; and,
  • whom they are trusting to protect their privacy.
-

Comprehensibility doesn't require that every user understands or has a correct mental model, but that an interested user can reasonably learn and can make informed decisions about participation.

+

Comprehensibility doesn't require that every user understands or has a correct mental model. An interested user should be able to learn enough to predict the implications such that they can make informed decisions about participation.

-

Reviewers, researchers and policymakers should be able to understand the implications of advertising systems on users, websites and advertisers.

-

Unlike even the interested user, reviewers should be able to understand the implications for different users and for the ecosystem generally. This requires explainability of the implications to non-expert but professionally engaged interested observers. +

Reviewers, researchers, and policymakers should be able to understand the implications of advertising systems on users, websites, and advertisers.

+

Unlike even the interested user, reviewers should be able to understand the full spectrum of potential implications for different users and for the ecosystem as a whole. This requires explainability of the implications to non-expert but professionally engaged interested observers.
See also: accountability.
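
Review bot: Serial comma usage is inconsistent after this editorial pass. The reviewers principle now reads "Reviewers, researchers, and policymakers" and "users, websites, and advertisers", but the list item still reads "identification, disclosure and manipulation; and,". Suggest "identification, disclosure, and manipulation; and" with no comma after "and". The phrase "non-expert but professionally engaged interested observers" is carried over unchanged and still stacks three modifiers; "professionally engaged observers who are not experts" would read more clearly.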