Add "Security and Privacy Considerations" to all use cases (or requirements) #168

Open
mmccool opened this issue Apr 20, 2020 · 7 comments

mmccool commented Apr 20, 2020

In https://github.com/w3c/wot-architecture/tree/master/USE-CASES a number of use cases have been assembled. For each one we should consider the security and privacy requirements and document them. This could also go into "requirements", but then "Security and Privacy Considerations" should be added to the requirements template at https://github.com/w3c/wot-architecture/blob/master/REQUIREMENTS/requirements-template.md

mmccool commented Apr 27, 2020

The following may be relevant (note that it was updated in 2019): https://www.w3.org/TR/security-privacy-questionnaire/

mmccool commented Aug 10, 2020

We should update the HTML version now with "blank" security and privacy considerations sections... (McCool to make a PR)

mmccool self-assigned this Aug 10, 2020

mmccool commented Sep 7, 2020

Should just create issues for particular use cases over in the use case repo. Then we can track which use cases have considered privacy and security and which ones have not. For example:

mmccool commented May 4, 2021

We should start this by having a set of questions to be asked for each use case, such as "Does this handle PII?", "Is access control needed?", "Are there safety considerations for access?", "Are there different classes of users?", etc. See w3c/wot-usecases#84.
Some bullet points should be added to the template as well.

mmccool commented May 4, 2021

Note that when we did the CR last time we had to answer a long set of questions about security, and we can look back to the answers to those. Most of them were not actually relevant to IoT, but some were.

mmccool commented May 10, 2021

Brainstorm from security TF call May 10. We also looked at the Self-Review Questionnaire and tried to extract anything useful (there was surprisingly not much, since it is very browser-focused and spends a lot of time on same-origin constraints, etc.).

Security:

  1. What kinds of access controls are supported?
  2. How is access managed, distributed, and revoked?
  3. Will the hardware be protected from physical access?
  4. Does data being transmitted need to be protected?
  5. Does data at rest need to be protected?
  6. Is the system safety-critical?
  7. Will the device be accessible remotely/globally?
  8. Will the device/service run third-party (untrusted) code, or will all code be provided by the developer/maker?
  9. Does the use case allow the installation and running of executable content, e.g. scripts, rules, etc.?
  10. Does the user have the ability to install and manage keys, e.g. certificates?

Privacy:

  1. Does this use case handle personally identifiable information (PII)?
  2. Can PII be inferred from data or metadata?
  3. Can this use case's device report its geolocation?
  4. Can this use case's device report local sensor data that might be used to infer PII?
  5. Is ad-hoc discovery and use needed? Peer-to-peer or directory?
  6. Does this use case require the generation and use of unique global identifiers?
  7. Does this use case require the generation and use of temporary local identifiers?
  8. Does this use case provide for the tracking and erasure of any PII captured?

mmccool commented May 17, 2021

Probably should add:

  • Are there legal requirements you have to comply with: HIPAA, GDPR, NIST, etc.?
