I missed this due to all the HTML in the email...
How about this?
OLD:
"Implementers need to consider the policy and privacy implications of
returning information that was not explicitly requested."
NEW:
"Implementers need to consider the policy and privacy implications of
returning information that was not explicitly requested. Clients should
only receive information that they are explicitly authorized to receive."
AlmostŠ²Servers should only send information that clients are explicitly
authorized to receive.²
The way it is worded is impossible to "enforce."
How does this work with anonymous access to public information, which is
how this information is served today? How do I ³explicitly" authorize an
anonymous user? I think the old text above is good enough and find the
next text (both versions) to be confusing.
-andy