WordPress.org

Make WordPress Core

Opened 14 months ago

Last modified 13 months ago

#51092 new feature request

Create a JSON schema for Privacy and Other Related Disclosures — at Version 15

Reported by: carike Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Privacy Keywords: needs-privacy-review 2nd-opinion
Focuses: rest-api Cc:

Description (last modified by carike)

Background:

The Disclosures Tab is an initiative that is underway in the Core Privacy Team.
The aim is to help site owners / admins better understand what information their site (plugins, themes and Core) collects, where the information is stored and where it is sent - and in particular, who it is shared with.
We hope to help site owners / admins make more informed privacy choices (e.g. when choosing which plugin to install) and to better understand their risk profile when it comes to privacy.
For the most part, the actual "controlling" is planned for a sibling plugin, the Permissions Tab, which is not currently intended to be merged into Core, as this will contain more advanced settings.
You can read more about the various privacy initiatives here: https://make.wordpress.org/core/2020/08/19/minutes-core-privacy-meeting-19-august-2020/

The Challenge:

Free-form disclosures in the readme.txt would create a lot of additional work for the plugins review team.
Moreover, it makes it near impossible to compare across plugins, or to use the information in any sort of automated process.
The Disclosures Tab seeks to standardize the way that plugin, theme authors and Core can disclose privacy and other related concerns to site owners / admins, by creating quasi-"headers" and limiting the acceptable values for each.

The Solution:

Timothy suggested that each plugin could have a privacy.json file, which could then be read by Core (and Meta) using relatively simple REST API functionality.
As all items are not strictly privacy related, the file will be called disclosures.json instead.

In its current form, the JSON schema does not set any fields as "required".
As URLs are not one of the six data types accepted by JSON, these types have been set as "string"s. The format has been set to "uri-reference" to allow for relative URLs.

Scope:

This ticket proposes a JSON schema. Future tickets will deal with the validation and the display respectively.
In the ticket to follow this one, the validation of the schema should include appropriate validation of the URLs in PHP.
Further tickets should include ones to update WP-CLI and WordPress.org to make the strings translatable. Thanks to Swissspidy for the comment below!

<?php
{
   "$schema": "https://core.trac.wordpress.org/ticket/51092",
   "$id": "https://example.com/to.be.filled.in.later.disclosures.json",
   "description": "The vision of the Disclosures Tab is for site administrators to understand their site's privacy risk profile and to make more informed privacy-related choices as a result. The mission of the Disclosures Tab is to help site administrators understand what information their site collects, where it is stored and where it is sent - and in particular, with whom it is shared.",
   "type": "object",
   "properties": {
      "info": {
         "description": "This section provides information to help identify the code.",
         "type": "object",
         "properties": {
            "component": {
               "description": "One of the following values: plugin, theme, or the specific Core component (e.g. avatar).",
               "type": "string"
            },
            "slug": {
               "description": "The slug, if the code relates to a plugin or a theme.",
               "type": "string"
            },
            "version": {
               "description": "Which version of disclosures.json this represents for the individual component.",
               "type": "string"
            },
            "since": {
               "description": "The plugin or theme's version number, or the Core version, if the component is a Core component, which introduced the current version of this disclosures.json file. I.e. this should represent the since value.",
               "type": "string"
            }
         }
      },
<?php
      "licenses": {
         "description": "This section contains more information about licensing."
         "type": "object",
         "properties": {
            "code": {
               "description": "A URL to the license that applies to this component (plugin, theme, or Core component)'s use.",
               "type": "string",
               "format": "uri"
            },
            "localAssets": {
               "description": "A comma-separated list of URLs to the license that applies to the use of each asset that has been included locally. This should include the license of any bundled libraries, as well as the licenses of any images, fonts, etc.",
               "type": "array",
               "items": {
                  "type": "string",
                  "format": "uri"
               },
               "uniqueItems": true
            },
            "remoteAssets": {
               "description": "A comma-separated list of URLs to the licenses that applies to the use of each asset that is accessed remotely. This should the licenses of any external libraries, as well as the licenses of any images, fonts, etc.",
               "type": "array",
               "items": {
                  "type": "string",
                  "format": "uri"
               },
               "uniqueItems": true
            }
         }
      },
<?php
      "external": {
         "description": "This section provides more information relating to the Privacy Policies of the external network sites being called.",
         "type": "object",
         "properties": {
            "PHP": {
               "description": "A comma-separated list of URLs of links to the respective Privacy Policies of the sites to which the external network calls are being made in PHP.",
               "type": "array",
               "items": {
                  "type": "string",
                  "format": "uri"
               },
               "uniqueItems": true
            },
            "JavaScript": {
               "description": "A comma-separated list of URLs linking to the respective Privacy Policies of the sites to which the external network calls are being made in JavaScript.",
               "type": "array",
               "items": {
                  "type": "string",
                  "format": "uri"
               },
               "uniqueItems": true
            },
            "CSS": {
               "description": "A comma-separated list of URLs linking to the respective Privacy Policies of the sites to which the external network calls are being made in CSS.",
               "type": "array",
               "items": {
                  "type": "string",
                  "format": "uri"
               },
               "uniqueItems": true
            }
         }
      },
<?php
      "terms": {
         "description": "This section contains more information about third party terms and conditions that may apply to use of the software.",
         "type": "object"
         "properties": {
            "SaaS": {
               "description": "A comma-separated list of URLs linking to the Terms of Service of any instances of Software as a Service.",
               "type": "array",
               "items": {
                  "type": "string",
                  "format": "uri"
               },
               "uniqueItems": true
            },
            "externalAPIs": {
               "description": "A comma-separated list of URLs linking to the Terms of Service of any external API being used.",
               "type": "array",
               "items": {
                  "type": "string",
                  "format": "uri"
               },
               "uniqueItems": true
            },
            "remoteAssets": {
               "description": "A comma-separated list of URLs linking to the Terms of Service that applies to the use of each remote asset. This relates to the use of CDNs for images, fonts, etc.",
               "type": "array",
               "items": {
                  "type": "string",
                  "format": "uri"
               },
               "uniqueItems": true
            },
            "registration": {
               "description": "A comma-separated list of URLs linking to the Terms of Service that apply to any accounts that need to be registered in order to be able to make use of this component's code.",
               "type": "array",
               "items": {
                  "type": "string",
                  "format": "uri"
               },
               "uniqueItems": true
            }
         }
      },
<?php
      "openWeb": {
         "description": "Details about mechanisms that allow others to obtain information from the site without browsing the website's front end.",
         "type": "object",
         "properties": {
            "apiEndpoints": {
               "description": "A comma-separated list of relative URLs for any internal API endpoints that are created by the code.",
               "type": "array",
               "items": {
                  "type": "string",
                  "format": "uri-reference"
               },
               "uniqueItems": true
            },
            "feeds": {
               "description": "A comma-separated list of relative URLs for any internal feeds that are created by the code.",
               "type": "array",
               "items": {
                  "type": "string",
                  "format": "uri-reference"
               },
               "uniqueItems": true
            }
         }
      },
<?php
      "clientSide": {
         "type": "object",
         "properties": {
            "setsCookiesPHP": {
               "description": "The names of any cookies that have been set using PHP.",
               "type": "array",
               "items": {
                  "type": "string",
               },
               "uniqueItems": true
            },
            "setsCookiesJavaScript": {
               "description": "The names of any cookies that have been set using JavaScript.",
               "type": "array",
               "items": {
                  "type": "string",
               },
               "uniqueItems": true
            },
            "usesLocalStorage": {
               "description": "Whether or not the code makes use of local storage.",
               "type": "boolean"
            }
         }
      },
<?php
      "communication": {
         "description": "This section provides more information about how the software communicates with external parties.",
         "type": "object",
         "properties": {
            "email": {
               "type": "object",
               "properties": {
                  "sends": {
                     "description": "Whether or not the code sends e-mails.",
                     "type": "boolean"
                  },
                  "subscribed": {
                     "description": "Whether e-mails are only sent to users that have subscribed for that particular e-mail (e.g. a newsletter).",
                     "type": "boolean"
                  }
               }
            }
         }
      },
<?php
      "database": {
         "description": "This section contains information about how the software interacts with the site's database (MySQL or MariaDB).",
         "type": "object",
         "properties": {
            "writesToDB": {
               "description": "Whether or not the code writes to the database.",
               "type": "object",
               "properties": {
                  "auto": {
                     "description": "Whether or not the code writes to the database in relation to information that is not explicitly input by a user.",
                     "type": "boolean"
                  },
                  "manual": {
                     "description": "Whether or not the code writes to the database that is not explicitly input by a user.",
                     "type": "boolean"
                  }
               }
            },
            "CPT": {
               "description": "Whether the component creates any Custom Post Types.",
               "type": "object",
               "properties": {
                  "auto": {
                     "description": "The number of Custom Post Types that are automatically created by the code without user intervention.",
                     "type": "integer",
                     "minimum": 0
                  },
                  "manual": {
                     "description": "Whether or not the code allows for users to generate Custom Post Types.",
                     "type": "boolean"
                  }
               }
            },
            "customTables": {
               "description": "Whether or not the code creates any custom tables in the database.",
               "type": "object",
               "properties": {
                  "auto": {
                     "description": "The number of custom tables that are automatically created by the code without user intervention.",
                     "type": "integer",
                     "minimum": 0
                  },
                  "manual": {
                     "description": "Whether or not the code allows the user to create any custom tables.",
                     "type": "boolean"
                  }
               }
            }
         }
      },
<?php
      "otherStorage": {
         "description": "Provides more information about where information may be stored, other than the database.",
         "type": "object",
         "properties": {
            "writesToFiles": {
               "description": "A comma-separated list of file types the code writes to (e.g. .txt).",
               "type": "array",
               "items": {
                  "type": "string",
               }
            },
            "fileStructure": {
               "description": "Whether or not the code makes changes to the website's file structure.",
               "type": "object",
               "properties": {
                  "auto": {
                     "description": "Whether or not the code makes changes, or is capable of making changes, to the website's file structure that are not explicitly initiated by a user. This should not include files that are added directly from the repository, or in the original .zip file.",
                     "type": "boolean"
                  },
                  "manual": {
                     "description": "Whether or not the code makes changes, or is capable of making changes, to the website's file structure that are explicitly initiated by the user. This should not include files that are added directly from the repository, or in the original .zip file.",
                  }
               }
            }
         }
      },
<?php
      "automation": {
         "description": "Provides more information with regards to action taken by the code without user input.",
         "type": "object",
         "properties": {
            "cron": {
               "description": "Whether the code makes use of scheduled tasks that do not require user input.",
               "type": "boolean"
            }
         }
      },
<?php
      "ppi": {
         "description": "Whether or not the code stores any Protected Personal Information.",
         "type": "boolean"
      },
      "compatibility": {
         "description": "Indicates whether or not the code is compatible with Privacy Tools.",
         "type": "object",
         "properties": {
            "ppiExport": {
               "description": "Does the developer, in good faith, consider the code to be compatible with the PPI Export Tool in WordPress?",
               "type": "boolean"
            },
            "ppiErasure": {
               "description": "Does the developer, in good faith, consider the code to be compatible with the PPI Erasure Tool in WordPress?",
               "type": "boolean"
            },
            "consentAPI": {
               "description": "Does the developer, in good faith, consider the code to be compatible with the WordPress Consent API?",
               "type": "boolean"
            },
            "disclosuresTab": {
               "description": "Do the developer, in good faith, consider the code to be compatible with the Disclosure Tab?",
               "type": "boolean"
            },
            "permissionsTab": {
               "description": "Do the developer, in good faith, consider the code to be compatible with the Permissions Tab?",
               "type": "boolean"
            }
         }
      },
<?php
      "monetization": {
         "type": "object",
         "description": "This section provides more information about monetization practices. It is included to help facilitate transparency and fair business dealings. Please note that disclosure here does not relieve a developer from any specific obligations that they may have under applicable statutes.",
         "properties": {
            "upsells": {
               "description": "More information about upselling in the code.",
               "type": "array",
               "items": [ 
                  {
                     "description": "Does this code promote a paid version, or extensions, or other products or services from the same author(s)?",
                     "type": "boolean"
                  } 
               ],
               "additionalItems": {
                  "description": "A comma-separate list of URLs linking to the Terms of Service that apply to any paid version, or extension, or other products or services from the same author(s).",
                  "type": "string"
               }
            },
            "donations": {
               "description": "More information about donations that are facilitated by the code.",
               "type": "array",
               "items": [
                  {
                     "description": "Does this code contain any request, or information in order to, donate to the plugin or its developer(s)?",
                     "type": "boolean"
                  }
               ],
               "additionalItems": {
                  "description": "A comma-separated list of URLs linking to the Terms of Service that apply to the platform being used to facilitate donations.",
                  "type": "string"
               }
            },
            "backLinks": {
               "description": "More information about the code requesting credit.",
               "type": "array",
               "items": [
                  {
                     "description": "Does this code contain or generate, or ask the site owner / admin for permission to generate, backlinks?",
                     "type": "boolean"
                  }
               ],
               "additionalItems": {
                  "type": "string"
               }
            },
            "affiliates": {
               "description": "More information about affiliate networks that are promoted by the code.",
               "type": "array",
               "items": [
                  {
                     "description": "Does this code contain, or generate affiliate links - i.e. links from which the author may receive conditional compensation, whether in money, or in kind?",
                     "type": "boolean"
                  }
               ],
               "additionalItems": {
                  "description": "A comma-separated list of URLs linking to the Terms of Service that apply to affiliate networks being promoted by the code.",
                  "type": "string"
               }
            },
            "advertising": {
               "description": "More information about advertising that is facilitated by the code.",
               "type": "array",
               "items": [ 
                  {
                     "description": "Does the code contain, or generate promotions or recommendations for any products or services not directly under the control of the author(s), for which the author(s) receive any compensation, whether in money, or in kind?",
                     "type": "boolean"
                  }
               ],
               "additionalItems": {
                  "description": "A comma-separated list of URLs linking to the Terms of Service that apply to any products or services that are being advertised by the code.",
                  "type": "string"
               }
            }
         }
      }
   }
}

Thanks to Apedog for suggesting improved phrasing for the "external" property's description.

Change History (15)

#1 @carike
14 months ago

  • Description modified (diff)

#2 @carike
14 months ago

  • Description modified (diff)

#3 @swissspidy
14 months ago

If any of these values (e.g. URLs) would need to be translatable, which they probably do, the tooling in WP-CLI and WordPress.org needs to be updated accordingly.

#4 @carike
14 months ago

  • Description modified (diff)

#5 @carike
14 months ago

  • Description modified (diff)

#6 @SergeyBiryukov
14 months ago

#49272 was marked as a duplicate.

#7 @carike
14 months ago

  • Description modified (diff)

#8 @carike
14 months ago

  • Description modified (diff)

#9 @carike
14 months ago

  • Description modified (diff)

#10 @carike
14 months ago

  • Description modified (diff)

#11 @carike
14 months ago

  • Description modified (diff)

#12 @carike
14 months ago

  • Description modified (diff)

This ticket was mentioned in Slack in #core by carike. View the logs.


14 months ago

#14 @carike
14 months ago

  • Description modified (diff)

#15 @carike
14 months ago

  • Description modified (diff)
Note: See TracTickets for help on using tickets.