Commit

initial principles related to accountability
npdoty committed Feb 27, 2024
1 parent 1b500fe commit b3b64c9
Showing 1 changed file with 24 additions and 0 deletions.
24 changes: 24 additions & 0 deletions principles/index.html
Expand Up @@ -110,6 +110,30 @@ <h4>Measurement should not significantly enable inferences about individual peop
<p>Population-level measurement can still be used for inference; this principle only indicates that participation (or non-participation) in the measurement cannot be used to enable an inference about that individual.</p>
</section>
</section>
<section>
<h3>Accountability</h3>
<section>
<h4>Users should be able to investigate how data about them is used and shared.</h4>

<p>Users should be able to learn what measurements they participate in.</p>
<p>Users should be able to learn what level of risk of re-identification or cross-context data-sharing is possible.
<br><i>See also: comprehensibility.</i></p>
</section>
<section>
<h4>Researchers, regulators and auditors should be able to investigate how a system is used and whether abuse is occurring.</h4>

<p>Researchers should be able to learn what measurements are taking place, in order to identify unexpected or potentially abusive behavior and to explain the implications of the system to users (whose individual data may not be satisfyingly explanatory).</p>

<p>Most users will not choose to investigate or be able to interpret individual data about measurements. Independent researchers can provide an important accountability function by identifying potentially significant or privacy-harmful outcomes.</p>

<p>Some privacy harms -- including to small groups or vulnerable people -- cannot reasonably be identified in the individual case, but only with some aggregate analysis.</p>

<p>Auditors, with internal access to at least one of the participating systems, should be able to investigate and document whether abuse has occurred (for example, collusion between non-colluding helper parties, or interfering with results). When evidence of abuse is discovered, affected parties must be notified.</p>
</section>
<section>
<h4>When abuse happens, there must be a mechanism to identify the abuse, limit further access and enable consequences.</h4>
</section>
</section>
</section>

<section class="appendix">
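Review bot: In the auditors paragraph of the added Accountability section, "collusion between non-colluding helper parties" contradicts itself as written; wording such as "collusion between helper parties that are assumed not to collude" would make the audited threat clear. In the same paragraph, "affected parties must be notified" does not say who is responsible for the notification or who counts as an affected party, which leaves the requirement hard to check. The final h4 ("When abuse happens, there must be a mechanism to identify the abuse, limit further access and enable consequences.") has no body paragraph, unlike the two sections above it, so a sentence or an explicit issue marker would show that the stub is intentional. "See also: comprehensibility." is plain italic text and could link to the section it refers to.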