I’d focus more on how existing standards can be abused - there’s some cool work on creating a combined privacy and security review instrument

https://www.w3.org/TR/security-privacy-questionnaire/

That was done after issues with the Battery API

http://lukaszolejnik.com/battery.pdf

Back in 2016, my supervisor at the Center for Democracy & Technology used to physically block the door to his office and make statements such as that if I didn’t want to compromise on encryption, I’d have to agree that fingerprinting isn’t tracking.

(As well as claim his “friend in GCHQ” agreed.)

To this day I am shocked that a major NGO allowed a first-generation PhD student to be physically threatened by an agent of foreign power for trying to avoid privacy leaks in new web standards, and that paired with career obstruction when I tried to retreat to something less political is why I left civil society entirely and am currently interviewing around at coffee shops to save up for emigration, since there’s no point in further self-education if folks are just going to treat job interviews as chances to engage in further abuse or as free consulting sessions.

If you want to see an early version of the work I did, it’s live at https://lists.w3.org/Archives/Public/public-privacy/2015AprJun/0089.html

Merry Christmas, if you celebrate.