Having reviewed the responses to the security & privacy questionnaire, we would appreciate some stronger language and a more proactive stance around mitigating potential harms. We appreciate that implementation details of reading systems may be out of scope, but the Security and Privacy Considerations sections of the specifications can nonetheless be used to encourage good behaviour, and raise awareness of things that implementors might not otherwise have considered.

For example, the response mentions:

Some reading systems track every user reading session, including the time of day, the duration, how many pages were read, what book, the user’s IP address if a web-based reader, etc.

But then says:

The EPUB specifications do not mention personal information.

and

the fact that you are reading a particular book can itself be sensitive information. The specification offers no guidance to reading systems on this matter.

This is an opportunity for the specs to mention PII and sensitive information, with regard to discouraging collection and/or transmission over the network in the first place, or to notify readers of what data is being collected and why (and, ideally, offer them a chance to opt out).