W3C - Privacy Working Group

Threat Modeling with LEGO SERIOUS PLAY: Building your Digital Identity threat

Mon, 20 Oct 2025 18:38:00 +0000

At the World Wide Web Consortium (W3C), we know that security, privacy, and human rights are interconnected. This interconnection is especially true for digital identity technologies. As these technologies change, so must the way we understand and address threats.

In recent years, the W3C community has been exploring different ways to address technical threats and harm to individuals, to ensure that new standards, including those for digital identity, protect not only systems but also people, through Threat Modeling.

On October 14, 2025, this commitment took shape with a one-of-a-kind workshop, organized in collaboration with Threat Modeling Connect, entitled “Threat Modeling with LEGO© SERIOUS PLAY© - Build Your Digital Identity Threat”.

The workshop combined the threat modeling process with a creative and practical methodology developed by W3C to help participants visualize damage, transform it into threats, and build connections between different dimensions in the digital identity landscape.

From harms to threats

Traditional threat modeling frameworks rely on different threat categorization frameworks, such as STRIDE and LINDDUN, which W3C is already using in identifying security and privacy threats, respectively. However, the social and ethical implications of the web require a broader view. How to recognize threats to humanity or social impact?

W3C has begun to work on a new level of analysis of Digital Identities based on a mixed approach of Threat Modeling and Harms Modeling. Inspired by Microsoft's early work on responsible innovation and expanded through academic research, this approach focuses on identifying how different stakeholders (e.g., individuals or communities) might be negatively affected by a technology, and then tracing the technical causes of those impact - the threats - blending the harm modeling with threat modeling.

High-level threats are particularly important in the field of digital identity, where credentials issued by governments - such as national ID cards, passports, and education certificates - can become tools of inclusion or exclusion. As governments and organizations adopt verifiable credentials and digital wallets, the associated threats are no longer limited to technical failures but also extend to profiling, discrimination, and human rights violations.

Why LEGO© SERIOUS PLAY©?

To bridge this gap, the workshop used LEGO© SERIOUS PLAY© (LSP), a facilitation method originally developed by the LEGO Group in the 1990s for strategic thinking and problem solving. LSP is based on the concept of “manual knowledge”, the idea that building physical models helps unlock abstract understanding and encourages inclusive participation.

In the session, each participant received a set of LEGO bricks and was given a challenge: “Build a threat from harm”. The tactile and metaphorical process helped to transform complex and often abstract ethical and social considerations into tangible representations that participants could literally hold in their hands, modify, and connect.

As Simone explained during the session - as he’s a Certified facilitator of LEGO® SERIOUS PLAY® method and materials by The Association of Master Trainers - by externalizing thought through play, we allow everyone to see —and question— the invisible assumptions behind technological design.

Building threats

The workshop followed the classic four-phase rhythm of LSP - Listen, Build, Share, Reflect - with challenges that followed the structure of a threat modeling process, generating threats from the harms. As the Threat Modeling Community Group and Security Interest Group are categorizing the various categories of harms and threats, they found specific harms related to Digital Identities in Enhancing National Digital Identity Systems by Corti et al. (2025). These included issues such as discrimination based on personal characteristics, illegal use of data beyond consent, exposure to domestic abuse, persecution, and economic exclusion through increased transaction costs.

A model to illustrate ethnic and/or religious profiling

A model to illustrate discrimination based on individual characteristics

From individual models to landscapes: analyzing connections

In the second phase, participants were asked to arrange the models spatially so that the connections between damage and threats formed a coherent story, a “super-story” of the collective threat landscape.

This interconnected step showed how individual harms are rarely isolated. For example, misuse of data can lead to profiling, which in turn can lead to discriminatory denial of services. Similarly, exposure to domestic abuse was linked to inadequate wallet security controls, demonstrating that technical and social security measures are inseparable.

Models connected spatially

Lessons learned

In the final retrospective, the traditional LEGO® SERIOUS PLAY® “duck” exercise, participants rebuilt the symbolic duck they had created at the beginning of the session, now reflecting what they had learned.

Insights emerged from participants:

"Money lost/spent leading to decreased standards of living"
"I learned to connect ideas and concepts in different ways and forms"
"The most unexpected things are strongly connected"

These reflections helped to understand that threat modeling based on human experience expands our imagination. Transforming a security or privacy analysis from a checklist exercise to a collaborative exploration of possible futures, both positive and negative.

"Thinking about harm naturally leads to framing threats, and then creating stories about those threats, and thinking of how your project can be compromised"

Symbolic LEGO duck and lesson learned

Beyond the workshop

The workshop demonstrated that integrating LSP into W3C's security, privacy, and human rights work is not only feasible but also transformative.

Participants were able to visualize complex and abstract harms and threats, and the method helps uncover assumptions that traditional textual analysis often overlooks.

For the W3C community, this experiment is in line with ongoing initiatives by the Security Interest Group, the Privacy Working Group, and the Threat Modeling Community Group.

The exercise also reinforced W3C's broader commitment to open and participatory processes. Just as web standards are born of collaboration and transparency, so too should our understanding of the threats be.

Conclusion

The Threat Modeling with LEGO® SERIOUS PLAY® workshop, which focused on digital identity, was a step toward the integration of human-centered thinking in the technical standardization process. Participants didn't just analyze threats; they built, connected, and understood them together.

As the W3C community continues to define standards for the next generation of identity technologies, this exercise reminds us that technology has an important social impact.

W3C will continue to refine this approach - focusing on the user and humans - within its Threat Modeling Community Group to invite others to join the conversation and, perhaps, build their own threats.

Privacy on the web: creating a more trustworthy web

Seth Dobbs, W3C CEO and President — Wed, 28 May 2025 08:26:00 +0000

Photo by Annie Spratt on Unsplash

Continuing the series that puts the emphasis on the key areas that help ensure that the Web works, for everyone, this month I am diving into Web security. It is one of the key areas that we call “horizontals” and that shape every W3C work package because they involve approaches that are common to all work groups. Our horizontals are Web accessibility, internationalization, security and privacy.

The imperative

Creating a more trustworthy web and protecting user privacy is fundamental to creating a web that works, for everyone.

Privacy, along with Security, are integral to human rights and civil liberties, and are essential to the success of the web platform. Today, so many of the features of the web and its usage involve information about people and their communications that privacy must be considered consistently across the design of the entire platform. The human factors and the sociotechnical aspects add additional complexity.

To affirmatively realize the privacy of people using the web and address privacy threats that have already arisen requires us to operate in an interdisciplinary and global space, and to develop dedicated privacy features.

How W3C approaches privacy on the web

Following the mid-2000s W3C work on Platform for Privacy Preferences (P3P), the W3C Team in 2011 identified the need to strengthen the foundations of trust on the web for communities large and small to access and share data, and made it an area of focus in 2011. The evolution then trended toward significantly more intense collection, processing, and publication of personal data.

We follow a recipe that is simple but which details are of importance:

Review the privacy of web standards
Advise W3C groups developing standards to mitigate privacy issues
Develop some private technology standards

Horizontal reviews are conducted for privacy of proposals and specifications under development by other W3C Working Groups and Community Groups, and of charters for other W3C groups. Related to that is advising groups developing standards on how to avoid and mitigate privacy issues with web technologies.

The other main component is the standardization of new technical mechanisms that improve privacy on the web, including work moving from incubation when there is a basic technical design, significant implementer interest and activity.

The W3C Privacy Working Group undertakes the former and a lot of the latter. The rest of the privacy-focused features specific to technical work covered by another Working Group are typically best developed in those Working Groups, alongside related technical features.

In focus: Global Privacy Control, Private Advertising

Global Privacy Control (GPC) defines a signal, transmitted over HTTP and through the DOM, that conveys a person's request to websites and services to not sell or share their personal information with third parties. This standard is intended to work with existing and upcoming legal frameworks that render such requests enforceable.

W3C launched the Private Advertising Working Group

In late 2024, motivated by the Ethical Web Principles W3C Statement, to specify web features and APIs that support advertising while acting in the interests of users, in particular providing strong privacy assurances using predominantly technical means.

If you wish to know more about ongoing work, I suggest you take 8 minutes to watch the Privacy talk my colleague Tara Whalen, W3C Privacy Lead, gave early April 2025.

W3C Statement: Privacy Principles

The Privacy Principles were elevated in May 2025 to W3C Statement, which means that although the document is informative and not a formal standard in nature, it creates a stable reference that has received formal review and endorsement from W3C Members.

The document provides definitions for privacy that are applicable worldwide as well as a set of privacy principles that aim to guide the development of the web as a trustworthy platform.

You can read more in Tara Whalen’s blog post on the W3C Statement: New Privacy Principles for a more trustworthy web.

First Public Working Draft: Global Privacy Control (GPC)

Thu, 21 Nov 2024 07:38:00 +0000

The Privacy Working Group has published the First Public Working Draft of Global Privacy Control (GPC). This document defines a signal, transmitted over HTTP and through the DOM, that conveys a person's request to websites and services to not sell or share their personal information with third parties. This standard is intended to work with existing and upcoming legal frameworks that render such requests enforceable.