diff --git a/principles/index.html b/principles/index.html index 708ebb5..2a0e364 100644 --- a/principles/index.html +++ b/principles/index.html @@ -110,6 +110,30 @@
Population-level measurement can still be used for inference; this principle only indicates that participation (or non-participation) in the measurement cannot be used to enable an inference about that individual.
+Users should be able to learn what measurements they participate in.
+Users should be able to learn what level of risk of re-identification or cross-context data-sharing is possible.
+
See also: comprehensibility.
Researchers should be able to learn what measurements are taking place, in order to identify unexpected or potentially abusive behavior and to explain the implications of the system to users (whose individual data may not be satisfyingly explanatory).
+ +Most users will not choose to investigate or be able to interpret individual data about measurements. Independent researchers can provide an important accountability function by identifying potentially significant or privacy-harmful outcomes.
+ +Some privacy harms -- including to small groups or vulnerable people -- cannot reasonably be identified in the individual case, but only with some aggregate analysis.
+ +Auditors, with internal access to at least one of the participating systems, should be able to investigate and document whether abuse has occurred (for example, collusion between non-colluding helper parties, or interfering with results). When evidence of abuse is discovered, affected parties must be notified.
+
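Review bot: the last added paragraph of this hunk (the auditor principle) is the only place in the hunk that uses "must" ("When evidence of abuse is discovered, affected parties must be notified"), while every other new sentence uses "should", and the "must" names no actor; state who is responsible for the notification (the auditor, or the operator of the system the auditor has internal access to) and how it reaches affected parties, or soften it to "should" to match the surrounding principles. The same paragraph introduces "non-colluding helper parties" without a definition in the visible text; add a cross-reference to where that term is defined, as the existing "See also: comprehensibility." line does for comprehensibility. Finally, the two user-facing lines ("Users should be able to learn what measurements they participate in." and "...what level of risk of re-identification or cross-context data-sharing is possible.") would read more consistently with the following researcher paragraph if they said in what form that information is made available (since the researcher text already notes that individual data "may not be satisfyingly explanatory" to users).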