Privacy and security changes #2297

Merged: 8 commits, Jun 7, 2022
15 changes: 8 additions & 7 deletions epub33/a11y/index.html
Expand Up @@ -1640,7 +1640,7 @@ <h2>Distribution</h2>
accessibility by activating a feature that would normally not be active.</p>
</div>
</section>
<section id="privacy" class="informative">
<section id="privacy">
<h2>Privacy and security</h2>

<p>The authoring of accessible content does not introduce any new privacy or security considerations for
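Review bot: dropping class="informative" from the #privacy section makes every paragraph in it normative, including the opening one shown here ("The authoring of accessible content does not introduce any new privacy or security considerations"), which is a statement of fact rather than a requirement. Consider marking the descriptive paragraphs as a note, or follow the pattern used in core/index.html and rs/index.html in this same PR, where only the Recommendations subsection is normative and the Overview and Threat model subsections keep class="informative".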
Expand All @@ -1656,16 +1656,16 @@ <h2>Privacy and security</h2>
>reading systems</a>, bookstores and any other interface that can build a profile of the user, on
the other hand, has the potential to violate individual privacy laws. While it might seem helpful to
store and anticipate the type of content a user is most likely to consume, for example, or how best to
initiate its playback, developers should not engage in such profiling unless explicit permission is
initiate its playback, developers SHOULD NOT engage in such profiling unless explicit permission is
obtained from the user and a means of easily removing the profile is available.</p>

<p>Even in the case where a user assents to the application maintaining information about their
accessibility needs, developers must ensure that this information is kept private (e.g., it must not be
shared with third party advertisers or even with the original publisher).</p>
accessibility needs, developers SHOULD ensure that this information is kept private (e.g., not share the
information with third party advertisers or even with the original publisher).</p>

<p>Developers should also be mindful about storing or mining information about the types of searches a user
performs when searching for content based on its accessibility characteristics. This information can be
used to indirectly profile the abilities of users.</p>
<p>Developers SHOULD NOT store or mine information about the types of searches a user performs when
searching for content based on its accessibility characteristics. This information can be used to
indirectly profile the abilities of users.</p>
</section>
<section id="app-a11y-vocab" class="appendix vocab">
<h2>EPUB accessibility vocabulary</h2>
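Review bot: the second paragraph goes from "developers must ensure that this information is kept private" to "developers SHOULD ensure", which is a relaxation, not just a keyword swap: SHOULD permits sharing a user's accessibility profile with advertisers or the publisher whenever the developer judges there is a valid reason. If MUST is not usable because the document has no conformance class for these developers, record that in the change log; otherwise keep MUST. Also, the rewritten parenthetical "e.g., not share the information with third party advertisers" no longer parses after "kept private"; "i.e., not shared with third-party advertisers or even with the original publisher" reads better. The first paragraph's "SHOULD NOT engage in such profiling unless explicit permission is obtained ... and a means of easily removing the profile is available" is fine, since the conditions stay attached to the requirement.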
Expand Down Expand Up @@ -1853,6 +1853,7 @@ <h2>Change log</h2>
>working group's issue tracker</a>.</p>

<ul>
<li>18-May-2022: Updated privacy and security recommendations to use normative language.</li>
<li>17-May-2022: Added an index of terms. See <a href="https://github.com/w3c/epub-specs/issues/2260"
>issue 2260</a>.</li>
<li>12-Apr-2022: Restored recommendation to include links to all reproduced pages in the page list and
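Review bot: the new entry only says "use normative language", but the hunk above also removed class="informative" from the section and relaxed a "must" to a SHOULD. Both affect conformance and should be stated here so implementers diffing the spec know the section's status changed. The same applies to the identical 18-May-2022 entries added to core/index.html and rs/index.html in this PR.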
33 changes: 17 additions & 16 deletions epub33/core/index.html
Expand Up @@ -9232,10 +9232,10 @@ <h2>Accessibility</h2>
reference the latest accessibility requirements).</p>
</div>
</section>
<section id="sec-security-privacy" class="informative">
<section id="sec-security-privacy">
<h2>Security and privacy</h2>

<section id="security-privacy-overview">
<section id="security-privacy-overview" class="informative">
<h3>Overview</h3>

<p>The particularity of an [=EPUB publication=] is its structure. The EPUB format provides a means of
Expand All @@ -9257,7 +9257,7 @@ <h3>Overview</h3>
</div>
</section>

<section id="epub-threat-model">
<section id="epub-threat-model" class="informative">
<h3>Threat model</h3>

<p>EPUB publications pose a variety of privacy and security threats to unsuspecting users. Many of these
Expand Down Expand Up @@ -9392,7 +9392,7 @@ <h4>EPUB-specific features</h4>
<h3>Recommendations</h3>

<p>Although EPUB creators cannot prevent every method of exploiting users, they are ultimately
responsible for the secure construction of their content. That means that they should take
responsible for the secure construction of their content. That means that they need to take
precautions to limit the exposure of their EPUB publications to the types of <a
href="#epub-threat-model">malicious exploits</a> described in the previous section.</p>

Expand All @@ -9414,27 +9414,27 @@ <h3>Recommendations</h3>
</ul>

<p>EPUB creators also need to consider the privacy rights of users and avoid situations where they are
intentionally collecting data. Ideally, EPUB creators should not track their users, but this is not
intentionally collecting data. Ideally, EPUB creators SHOULD NOT track their users, but this is not
realistic for all types of publishing.</p>

<p>When tracking must occur, EPUB creators should obtain the approval of the user to collect information
prior to opening the EPUB publication (e.g., in educational course work). If this is not possible,
they should obtain permission when users access the EPUB publication for the first time. EPUB
creators should also allow users to opt out of tracking, when feasible, and provide users the
ability to manage and delete any data that is collected about them.</p>
<p>When EPUB creators have to track users, they SHOULD obtain the approval of the user to collect
information prior to opening the EPUB publication (e.g., in educational course work). If this is not
possible, they SHOULD obtain permission when users access the EPUB publication for the first time.
EPUB creators SHOULD also allow users to opt out of tracking, and provide users the ability to
manage and delete any data that is collected about them.</p>

<p>Content authors also need to consider the inadvertent collection of information about users. Linking
to content on a publisher's web site, or remotely hosting resources on their servers, can lead to
<p>Content authors also SHOULD avoid inadvertent collection of information about users. Linking to
content on a publisher's web site, or remotely hosting resources on their servers, can lead to
profiling users, especially if unique tracking identifiers are added to the URLs.</p>

<p>When publishers and vendors must use digital rights management schemes, they should prefer schemes
<p>When publishers and vendors have to use digital rights management schemes, they SHOULD prefer schemes
that do not utilize or transmit information about the user or their content to external parties to
perform encryption or decryption.</p>

<p>EPUB creators who want to maximally limit the privacy and security issues in their EPUB publications
should work to make the content as self-contained as possible. An EPUB publication that comes with
all its needed resources and has no dependencies on network access or links to external content not
only benefits users but reduces future maintenance and improves archivability.</p>
SHOULD make the content as self-contained as possible. An EPUB publication that comes with all its
needed resources and has no dependencies on network access or links to external content not only
benefits users but reduces future maintenance and improves archivability.</p>
</section>
</section>
<section id="app-overview-unsupported" class="appendix">
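Review bot: "Ideally, EPUB creators SHOULD NOT track their users, but this is not realistic for all types of publishing" hedges a SHOULD NOT twice. RFC 2119 SHOULD NOT already allows exceptions when the implications are understood, so "Ideally" and the trailing clause weaken the requirement without adding meaning. Suggest "EPUB creators SHOULD NOT track their users." followed by the existing "When EPUB creators have to track users, they SHOULD obtain ..." paragraph, which already covers the exception. Removing "when feasible" from the opt-out sentence is right for the same reason. Minor: "Content authors also SHOULD avoid" should read "EPUB creators SHOULD also avoid", both for keyword placement and to use the defined term the rest of the section uses.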
Expand Down Expand Up @@ -11503,6 +11503,7 @@ <h2>Change log</h2>
>Working Group's issue tracker</a>.</p>

<ul>
<li>18-May-2022: Updated privacy and security recommendations to use normative language.</li>
<li>17-May-2022: Added an index of terms. See <a href="https://github.com/w3c/epub-specs/issues/2260"
>issue 2260</a>.</li>
<li>12-Apr-2022: Added note about complexities of escaping from nested escapable structures and updated
44 changes: 28 additions & 16 deletions epub33/rs/index.html
Expand Up @@ -1152,8 +1152,8 @@ <h3>Cascading Style Sheets (CSS)</h3>
</li>
<li>
<p id="confreq-css-rs-fonts" data-tests="#cnt-css-fonts">MUST support [[truetype]],
[[opentype]], [[woff]], and [[woff2]] font resources referenced from
<a data-cite="css-fonts-4#font-face-rule"><code>@font-face</code> rules</a>
[[opentype]], [[woff]], and [[woff2]] font resources referenced from <a
data-cite="css-fonts-4#font-face-rule"><code>@font-face</code> rules</a>
[[css-fonts-4]].</p>
</li>
<li>
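Review bot: this hunk is a whitespace-only reflow of the font-format conformance requirement (#confreq-css-rs-fonts) with no content change, and it is unrelated to the privacy and security edits; it will show up in blame for that requirement. Consider dropping it from this PR or moving it to a formatting-only commit.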
Expand Down Expand Up @@ -2183,10 +2183,10 @@ <h2>Accessibility</h2>
<p>The DAISY Consortium maintains an <a href="https://epubtest.org/test-books">accessibility test suite</a>
to aid in evaluating these issues and more.</p>
</section>
<section id="sec-security-privacy" class="informative">
<section id="sec-security-privacy">
<h2>Security and privacy</h2>

<section id="security-privacy-overview">
<section id="security-privacy-overview" class="informative">
<h3>Overview</h3>

<p>The particularity of an [=EPUB publication=] is its structure. The EPUB format provides a means of
Expand All @@ -2208,13 +2208,14 @@ <h3>Overview</h3>
</div>
</section>

<section id="epub-threat-model">
<section id="epub-threat-model" class="informative">
<h3>Threat model</h3>

<p>The greatest threats to users come from the <a data-cite="epub-33#epub-threat-model">content they
read</a> [[epub-33]], and the first line of defense against these attacks is the reading systems
they use. Users expect that reading systems act as safeguards against malicious content and are
often unaware that EPUB publications are susceptible to the same security risks as web sites.</p>
often unaware that [=EPUB publications=] are susceptible to the same security risks as web
sites.</p>

<p>But although reading systems are relied on to provide security and privacy, they can also pose
unintended threats to users depending on how information is handled. Tracking user information to
Expand All @@ -2238,6 +2239,9 @@ <h3>Threat model</h3>
<dd>
<p>EPUB publications may contain resources designed to exploit security flaws in reading systems
or the operating systems they run on.</p>
<p>The lack of a standard method of signing EPUB publications means that reading systems cannot
always verify whether the content has been tampered with between authoring and loading in
the device.</p>
</dd>

<dt>Remote resources</dt>
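Review bot: "The lack of a standard method of signing EPUB publications" will surprise readers who know EPUB 3.2's OCF, which defined XML Signatures in META-INF/signatures.xml; if the 3.3 draft no longer specifies that mechanism, say so explicitly so the sentence is not read as an oversight. Also keep the claim scoped to integrity: a signature lets a reading system detect modification after signing, it does not make the content safe, since a malicious author can sign their own publication. As written, the new sentence sits in the same <dd> as the "exploit security flaws" threat and reads as if signing would address it.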
Expand Down Expand Up @@ -2300,28 +2304,32 @@ <h3>Recommendations</h3>

<p>The strongest measure that reading system developers can take for privacy is to specify the data they
intend to collect and use about the user and/or their reading behavior and seek the consent of users
to obtain it. They should also allow personalization and control over this information.</p>
to obtain it. They SHOULD also allow personalization and control over this information.</p>

<p>If a reading system allows users to store persistent data, especially personally identifiable
information, it must treat that data as sensitive.</p>
information, it SHOULD treat that data as sensitive and not allow access to it by third parties.</p>

<p>It is understood that the collection of some user data may be required for the sale, delivery, and
operation of an EPUB publication, particularly on platforms where the sale of an EPUB publication
and the method of reading it are connected. In these cases, it is recommended that the reading
system or retailer be clear about the data being collected, how it is used, and allow for user
opt-outs where possible. Anonymization of data is strongly recommended for the privacy and the
security of the user and reading system.</p>
and the method of reading it are connected. In these cases, the reading system SHOULD identify the
data being collected, how it is used, and allow for user opt-outs (retailers may choose to inform
users by other means, however, such as when a user creates an account on their web site).
Anonymization of any collected data is strongly RECOMMENDED for the privacy and the security of the
user and reading system.</p>

<p>It is also understood that user data may be required or helpful for some reading system affordances.
In these cases, anonymization is strongly recommended. It is also recommended that reading systems
inform users of what data is needed, what it is to be used for, and to provide methods to
opt-out.</p>
In these cases, anonymization is also strongly RECOMMENDED. Reading systems also SHOULD inform users
of what data is needed, what it is to be used for, and to provide methods to opt-out.</p>

<p>Content processors &#8212; defined as entities that handle the ingestion of EPUB content for
distribution, display, or sale &#8212; should also be aware of the potential risks in ingestion. It
distribution, display, or sale &#8212; also need to be aware of the potential risks in ingestion. It
is advised that content processors check content for malicious content on ingestion, in addition to
the validation steps that usually occur. This could include running virus scans, validating external
links and remote resources, and other precautions.</p>

<p>Reading systems that allow users to load untrustworthy EPUB publications (e.g., unsigned EPUB
publications through the process of "sideloading") SHOULD treat such content as insecure (e.g.,
prompt users to allow scripting and network access).</p>
</section>
</section>
<section id="app-epubReadingSystem">
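Review bot: the new sideloading paragraph equates "unsigned" with "untrustworthy" ("e.g., unsigned EPUB publications through the process of 'sideloading'"), but a signature is only evidence of trust if it chains to a signer the reading system already trusts; a self-signed malicious publication is still signed. Suggest making the recommendation about provenance rather than signatures: sideloaded publications SHOULD be treated as untrusted unless the reading system can verify them against a source it trusts, and the prompt for scripting and network access should apply whether or not a signature is present. That also keeps it consistent with the threat-model hunk above, which says there is no standard signing method. Two more points in this hunk: "it must treat that data as sensitive" became "it SHOULD treat that data as sensitive and not allow access to it by third parties", a relaxation for persistent personally identifiable data that the change log does not mention; and "strongly RECOMMENDED" (used twice) is not an RFC 2119 strength, since RECOMMENDED already equals SHOULD, so drop "strongly". "It is advised that content processors check content" in a now-normative section probably wants a SHOULD as well.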
Expand Down Expand Up @@ -2552,6 +2560,10 @@ <h2>Change log</h2>
>Working Group's issue tracker</a>.</p>

<ul>
<li>18-May-2022: Noted that unsigned EPUB publications represent a security risk and added
recommendation to treat sideloaded unsigned publications as untrusted. See <a
href="https://github.com/w3c/epub-specs/issues/2265">issue 2265</a>.</li>
<li>18-May-2022: Updated privacy and security recommendations to use normative language.</li>
<li>17-May-2022: Added an index of terms. See <a href="https://github.com/w3c/epub-specs/issues/2260"
>issue 2260</a>.</li>
<li>31-Mar-2022: Moved custom attribute authoring requirements to the authoring specification. Added