Merge pull request #59 from npdoty/reorg

editorial reorganization: move principle groups to top-level sections

principles/index.html

@@ -55,7 +55,7 @@ <h2>How This Document Fits In</h2>
   </section>
 
   <section>
-    <h2>Private Advertising Principles</h2>
+    <h2>Topics</h2>
 
     <p>Advertising-specific privacy principles may address the following issues:</p>
 
@@ -77,62 +77,61 @@ <h2>Private Advertising Principles</h2>
     </ul>
 
     <p>Principles are organized in sections below regarding particular use cases or common concepts that apply across different use cases.</p>
+  </section>
+  <section>
+    <h3>Measurement</h3>
 
     <section>
-      <h3>Measurement</h3>
-
-      <section>
-        <h4>Measurement should be private for safe, widespread usage, but always be under user control</h4>
-      </section>
+      <h4>Measurement should be private for safe, widespread usage, but always be under user control</h4>
+    </section>
 
-      <section>
-        <h4>Opting-out should not be visible</h4>
-        <p>Users may wish to opt-out of participation in measurement, but do so in such a way that is not visible to the sites they visit. Visible opt-out could lead to retaliation against, or coercion of, users who do not wish to participate in measurement.</p>
-      </section>
+    <section>
+      <h4>Opting-out should not be visible</h4>
+      <p>Users may wish to opt-out of participation in measurement, but do so in such a way that is not visible to the sites they visit. Visible opt-out could lead to retaliation against, or coercion of, users who do not wish to participate in measurement.</p>
+    </section>
 
-      <section>
-        <h4>Measurement should not significantly enable cross-context recognition</h4>
-        
-        <p>Protections of differential privacy take the form of guarantees that aggregation or noise make participation in a particular measurement mostly indistinguishable, but also recognize that some information (as often quantified by parameters including epsilon) is released and could be combined with other known information to learn something with some (presumably very small) probability. "significantly" here is not yet detailed. The aggregated or noised measurement should not reasonably be usable to identify a particular user or to link an user's activity to another context.</p>
+    <section>
+      <h4>Measurement should not significantly enable cross-context recognition</h4>
+
+      <p>Protections of differential privacy take the form of guarantees that aggregation or noise make participation in a particular measurement mostly indistinguishable, but also recognize that some information (as often quantified by parameters including epsilon) is released and could be combined with other known information to learn something with some (presumably very small) probability. "significantly" here is not yet detailed. The aggregated or noised measurement should not reasonably be usable to identify a particular user or to link an user's activity to another context.</p>
 
-        <p class="note">
-          Metrics to define significance are being evaluated by a separate task force.
-        </p>
+      <p class="note">
+        Metrics to define significance are being evaluated by a separate task force.
+      </p>
 
-        <p>Because measurement and attribution involve all kinds of viewing advertisements and a variety of other actions, in a wide range of different contexts, relying on understanding of, expectations about and consent over cross-context recognition as a result of ad measurement would be inappropriate.</p>
-      </section>
+      <p>Because measurement and attribution involve all kinds of viewing advertisements and a variety of other actions, in a wide range of different contexts, relying on understanding of, expectations about and consent over cross-context recognition as a result of ad measurement would be inappropriate.</p>
+    </section>
 
-      <section>
-        <h4>Measurement should not significantly enable inferences about individual people from their participation in the measurement</h4>
+    <section>
+      <h4>Measurement should not significantly enable inferences about individual people from their participation in the measurement</h4>
 
-        <p>Related to cross-context recognition, measurement mechanisms should not reasonably be able to be used to learn or infer information about a particular user, for example, that a user visited a site (or class of site) or took an online or offline action.</p>
+      <p>Related to cross-context recognition, measurement mechanisms should not reasonably be able to be used to learn or infer information about a particular user, for example, that a user visited a site (or class of site) or took an online or offline action.</p>
 
-        <p>Population-level measurement can still be used for inference; this principle only indicates that participation (or non-participation) in the measurement cannot be used to enable an inference about that individual.</p>
-      </section>
+      <p>Population-level measurement can still be used for inference; this principle only indicates that participation (or non-participation) in the measurement cannot be used to enable an inference about that individual.</p>
     </section>
+  </section>
+  <section>
+    <h3>Accountability</h3>
     <section>
-      <h3>Accountability</h3>
-      <section>
-        <h4>Users should be able to investigate how data about them is used and shared.</h4>
+      <h4>Users should be able to investigate how data about them is used and shared.</h4>
 
-        <p>Users should be able to learn what measurements they may participate in.</p>
-        <p>Users should be able to learn what level of risk of re-identification or cross-context data-sharing is possible. 
-          <br><i>See also: comprehensibility.</i></p>
-      </section>
-      <section>
-        <h4>Researchers, regulators and auditors should be able to investigate how a system is used and whether abuse is occurring.</h4>
+      <p>Users should be able to learn what measurements they may participate in.</p>
+      <p>Users should be able to learn what level of risk of re-identification or cross-context data-sharing is possible. 
+        <br><i>See also: comprehensibility.</i></p>
+    </section>
+    <section>
+      <h4>Researchers, regulators and auditors should be able to investigate how a system is used and whether abuse is occurring.</h4>
 
-        <p>Researchers should be able to learn what measurements are taking place, in order to identify unexpected or potentially abusive behavior and to explain the implications of the system to users (whose individual data may not be satisfyingly explanatory).</p>
+      <p>Researchers should be able to learn what measurements are taking place, in order to identify unexpected or potentially abusive behavior and to explain the implications of the system to users (whose individual data may not be satisfyingly explanatory).</p>
 
-        <p>Most users will not choose to investigate or be able to interpret individual data about measurements. Independent researchers can provide an important accountability function by identifying potentially significant or privacy-harmful outcomes.</p>
+      <p>Most users will not choose to investigate or be able to interpret individual data about measurements. Independent researchers can provide an important accountability function by identifying potentially significant or privacy-harmful outcomes.</p>
 
-        <p>Some privacy harms -- including to small groups or vulnerable people -- cannot reasonably be identified in the individual case, but only with some aggregate analysis.</p>
+      <p>Some privacy harms -- including to small groups or vulnerable people -- cannot reasonably be identified in the individual case, but only with some aggregate analysis.</p>
 
-        <p>Auditors, with internal access to at least one of the participating systems, should be able to investigate and document whether abuse has occurred (for example, collusion between non-colluding helper parties, or interfering with results). When evidence of abuse is discovered, affected parties must be notified.</p>
-      </section>
-      <section>
-        <h4>When abuse happens, there must be a mechanism to identify the abuse, limit further access and enable consequences.</h4>
-      </section>
+      <p>Auditors, with internal access to at least one of the participating systems, should be able to investigate and document whether abuse has occurred (for example, collusion between non-colluding helper parties, or interfering with results). When evidence of abuse is discovered, affected parties must be notified.</p>
+    </section>
+    <section>
+      <h4>When abuse happens, there must be a mechanism to identify the abuse, limit further access and enable consequences.</h4>
     </section>
   </section>