07:50:03 RRSAgent has joined #privacy 07:50:03 logging to http://www.w3.org/2010/07/12-privacy-irc 07:50:07 Zakim has joined #privacy 07:50:13 Meeting: W3C Privacy Workshop 07:50:16 Chair: DKA, TLR 07:50:30 Agenda: http://www.w3.org/2010/api-privacy-ws/agenda.html 08:02:38 soonho has joined #privacy 08:03:27 karl has joined #privacy 08:06:23 Present+ Soonho_Lee 08:07:57 bblfish has joined #privacy 08:08:02 hi 08:08:36 dsinger has joined #privacy 08:08:44 jmorris has joined #privacy 08:09:57 Youn-Sung has joined #privacy 08:10:01 Dong-Young has joined #privacy 08:10:03 fjh has joined #privacy 08:11:49 good. good 08:12:07 hendry has joined #privacy 08:12:12 good morning 08:12:31 karl has changed the topic to: W3C Workshop API Privacy - London 12/13 July 2010 (karl) 08:13:20 alissa has joined #privacy 08:14:44 pkelley has joined #privacy 08:17:02 wonsuk has joined #privacy 08:18:34 rbarnes has joined #privacy 08:18:39 hello? 08:23:41 Kangchan has joined #privacy 08:27:24 MikeS has joined #privacy 08:27:32 RRSAgent, make minutes 08:27:32 I have made the request to generate http://www.w3.org/2010/07/12-privacy-minutes.html MikeS 08:29:49 are the slides being made available anywhere? 08:29:54 Zakim, code? 08:29:54 sorry, MikeS, I don't know what conference this is 08:29:58 ... for those of us in the back who can't really see 08:30:03 zakim, list 08:30:03 I see XML_(F2F)3:00AM active and no others scheduled to start in the next 15 minutes 08:30:26 we'll collect the slides and link them from the agenda 08:31:17 drogersuk has joined #privacy 08:31:33 what newspaper was the article for today in? Herald Tribune? 08:31:42 darobin has joined #privacy 08:32:10 tlr: thanks to Vodafone! 08:32:20 .. 
and Primelife 08:32:50 cullenfluffyjenni has joined #privacy 08:33:55 me Herald Tribune 08:34:09 tlr: walking through slides 08:35:47 ifette has joined #privacy 08:37:26 tlr: if you say the word "privacy" you must define what you mean 08:37:42 again, slides would be helpful for this in the back of the room 08:38:05 thanks! 08:38:33 Karl Dubost, Pheromone 08:39:17 eisinger has joined #privacy 08:39:32 Scribe: jmorris 08:40:11 karl: different identities in different contexts 08:40:44 .. marketing leads to interesting discussions about "privacy" 08:42:23 .. communications can be global, instantaneous 08:42:38 .. info is replicated on net -- much harder to lie 08:42:51 http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-3.html is Karl's pp btw 08:42:52 .. info is permanent 08:43:53 .. once you give access, you have no way to take it back -- to say "stop using my data" 08:43:59 umh 08:44:02 s/umh// 08:44:10 .. how do we make it possible to have a loss of memory 08:45:16 http://www.w3.org/2010/api-privacy-ws/slides/dubost.pdf 08:45:37 .. privacy is cultural 08:45:51 .. people's privacy views differ than businesses 08:46:08 tlr has changed the topic to: W3C Privacy Workshop | Agenda (with links to slides): http://www.w3.org/2010/api-privacy-ws/agenda.html 08:46:55 .. robots.txt is a bad protocol ... only works if you have access to root of site 08:47:06 .. it shows what you want to hide 08:47:25 .. can only do that with .htaccess 08:48:24 .. Tumblr and other sites give you the ability to keep search engines from indexing personal site 08:48:56 .. your site is public, but you give links to it (not reached through search engine) 08:49:18 .. need something better that robots.txt 08:51:03 .. browsers are my main communications tool 08:51:14 s#walking through slides#http://www.w3.org/2010/api-privacy-ws/slides/tlr-intro.pdf# 08:51:24 bryan_sullivan has joined #privacy 08:51:26 .. could their be a layer in browser to collect what you have share? 
08:52:52 nickdoty has joined #privacy 08:54:06 henry: mistake that data can be infinitely copied 08:54:20 .. value of info depends on who is publishing 08:54:41 .. so there is info destruction happening 08:56:08 John Carr European NGO Coalition on Child Safety Online 08:56:25 paper: http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-9.pdf 08:56:32 John Carr: no slides 08:57:00 .. works with range of orgs across europe concerned about childrens use of Internet 08:57:24 .. in UK in March 2010 Ofcom did research in child use of social network space 08:57:55 .. of 8-12 year olds, 19% had profiles on three social networks 08:58:12 .. most had profiles private, but 11% did not 08:58:35 .. looking at all children - 25% of all children on sites they should not be on 08:59:05 .. not all parents monitor kids at all times 08:59:37 .. this is environment into which new geolocation services are being dropped 08:59:59 .. geolocation services specify 18 year old as minimum age 09:00:17 .. but geoloc services can be lined to 13 year old social network page 09:00:51 .. wants to enlist group's help to address problems 09:01:24 .. almost think that age limits should be dropped, because they are not being enforced 09:01:43 if, on the internet, no-one knows you're a dog, how do I 'know' you're a child? 09:02:35 and is there a Streisand effect here, saying 'if you're young, DO NOT LOOK HERE!'? what do the young immediately wonder? 09:02:48 Kangchan has joined #privacy 09:02:54 especially given that in the US we are forcefully against any sort of national ID card that could actually be used to prove identity/age online 09:03:00 .. sites purport to want to ban children, but they do not enforce 09:03:42 .. asks what would an 8 year old's judgment be on what privacy means 09:03:55 in germany, we're currently developing an id card that would allow you to prove (parts of your) identity to a website 09:03:58 +1 to ifette's point 09:03:58 such as the age 09:04:16 .. 
every country in world specifies 18 as minimum age to be adult 09:04:22 jochen - remind me not to move back to germany :) 09:04:32 also, as he said - the parents are actively encouraging the kids so they would just leave their card with the kid 09:04:46 ha, i'll remind you end of september that you didn't want to come here 09:05:23 .. hope that we can find a way in this technical space to find better technical tools to deliver broad social policy 09:06:08 .. we all want privacy rules over out data, but if a company is dealing with physical whereabouts, this is very highly sensitive 09:06:19 s/out/our/ 09:06:23 q? 09:06:50 .. in 2003 mobile services in UK started rolling out location, 09:07:03 RRSAgent, make minutes 09:07:03 I have made the request to generate http://www.w3.org/2010/07/12-privacy-minutes.html MikeS 09:07:07 on the child protection issue - most kids are abused by someone that is known to the family so they are likely to have given their location to that 'trusted' person 09:07:18 .. companies accepted validity of location concern 09:07:31 .. key thing they did is make location a paid-for service 09:07:54 .. if you paid for it, there was an audit trail 09:08:06 .. if you were trying to track a child, you had to do a further check 09:08:20 .. postal checking process 09:08:27 there are use cases getting mixed up here - for example preventing kids accessing over 18 content is entirely different to 'child protection' in the traditional sense 09:08:35 .. before you could commence tracking service on child 09:09:06 example, know where you are at 4pm every monday, can determine pattern 09:09:10 .. does not see evidence of these checks in the new location services 09:09:22 Peter has joined #privacy 09:09:25 .. the web based loc services just require the ticking of a box 09:09:57 anne has joined #privacy 09:10:02 hendry: depends a lot on the browser 09:10:03 @hendry - maybe we should ban the internet 09:10:07 .. 
experience with ticking box -- gambling sites just asked to tick a box to gamble 09:10:36 .. kids were developing gambling addiction 09:10:37 drogersuk: i think a child can survive without geolocation features 09:10:49 .. law changed to require age verification system 09:10:54 @hendry - or the internet ;-) 09:11:02 Payment doesn't seem like any guarantee. I can go to any store in the US and buy a "pre-paid" credit card, and provide whatever name and address I want that will get associated with the card. 09:11:17 .. since law has passed, children have not being able to invent identities 09:11:23 I remember this discussion about 0898 numbers in the early 1990's. Never stopped me 09:11:26 rbarnes: turning off geolocation needs to be really simple to do. simple enough for a parent/guardian 09:11:29 .. easy for 18 year olds, much harder to do for younger 09:11:48 hendry: ... and permanent enough that the kid can't turn it back on? 09:11:53 hendry - turning it off isn't the hard part. It's ensuring that the kid, who is probably more savvy than the parent, can't turn it back on 09:12:28 @dsinger - yes I missed that too 09:13:03 ifette: true, but i struggle to toggle geolocation and i'm smart I think 09:13:11 dan: what role do education, parents, etc. play in addressing this problem? 09:13:14 most of the people in this room started their technical careers getting round restrictions that were put on them as kids 09:13:31 john carr: agree that education is part of it, but technical is also part 09:13:33 ifette: in chrome the option to turn off geolocation is buried under a couple of menus! 
09:13:54 hendry, everything in chrome is buried under multiple menus because for most users there is no desire to turn this off permanently 09:14:04 hendry: i can't find the toggle in firefox; ironically, it's not under the "privacy" tab 09:14:18 wonsuk has left #privacy 09:14:32 pat: to clarify re 2004 code of practice - it was successful because mobile operators were in highly regulated environment 09:14:37 hendry, chrome will also ask you on each site 09:14:45 (as will any browser afaik) 09:14:49 i have taken a few screenshots battling to turn off geolocation (on already authed sites) http://www.flickr.com/photos/hendry/sets/72157624456158938/ 09:14:51 john: 2004 included extra layers for children 09:15:42 ifette: i think the desire is there. i need to turn it off from time to time. ;) 09:16:01 robert?: use cases mixed up - gambling , predators, different use cases 09:16:12 hendry, please do not use ifette: as then the minutes will have me reflected as saying that. 09:16:20 hendry, in chrome you could have done it much more simply 09:16:24 click on the little target in the url bar 09:16:26 npd-test has joined #privacy 09:16:30 and you can change settings for the site you're on 09:16:39 cullen: how did gambling work 09:16:45 do any of the browsers make it easy to create a user-specific button to turn geoloc on/off? 09:16:47 also the website can already locate you pretty good with only your ip 09:16:53 in one click 09:16:56 .. gambling restrictions on kids 09:17:18 is that for all open tabs btw? 09:17:19 john carr: when you apply to gambling site, you allow credit, other checks 09:17:33 hendry if you clear it, future requests will fail 09:17:36 on all tabs/windows 09:17:47 the setting is stored for the origin, not tied to a window/tab 09:17:58 .. 5% cannot verify with databases, they must use other papers 09:18:17 dsinger: is there error the other way- children in databases? 
09:18:25 i mean for all running apps (different origins) 09:18:33 the setting is per origin 09:18:43 http://www.w3.org/2010/api-privacy-ws/slides/chappelle.pdf 09:18:46 Kasey Chappelle, Vodafone 09:18:58 i find it rather unlikely someone suddenly decides they want to turn off geolocation for all sites 09:19:06 .. paper is at http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-15.pdf 09:19:10 we have these theoretical discussions, in practice it doesn't seem to happen 09:19:22 ok,we'll debate this later :) 09:19:35 Kasey: privacy is the right to decide - informational self-determination 09:20:13 .. lots of words on slides .. 09:20:26 Jens has joined #privacy 09:20:26 RRSAgent, make minutes 09:20:26 I have made the request to generate http://www.w3.org/2010/07/12-privacy-minutes.html MikeS 09:21:04 .. web 2.0 mashup ability means I am more empowered to talk 09:21:35 .. economic changes .. 09:21:43 .. regulation becomes a barrier to entry 09:21:53 .. need to walk fine line 09:22:16 .. disruptive innovation is happening all the time, do not want to stop that 09:22:34 .. regulatory environment in flux 09:23:04 http://slidesha.re/cNmZGw - my slide From Privacy to Opacity - Digital Me Management 09:23:07 .. EU is relooking at data protection directive, US is proposing privacy laws, 09:23:45 .. old distinctions between controller, processor, subject are blurring 09:24:18 .. some consistent principles around the world 09:24:50 .. if you meet these principles, companies will avoid privacy fiascos 09:25:25 .. key principles : transparent notice, informed choice, access/correct/delete, minimize/delete 09:25:49 .. privacy policies ... 4000 words... not read 09:26:01 tlr: kasey is pretty well audible in the back 09:26:12 .. users do not know what choices are.... 
info not available in helpful manner 09:26:22 Present+ Frederick_Hirsch 09:26:54 Present+ John_Morris 09:27:14 @tlr just about 09:27:29 kasey: if regulators decide how privacy is done, then this will chill innovation on privacy 09:27:43 .. security does not equal privacy 09:28:00 .. security is how/what info is being accessed, but not the why 09:28:01 @dsinger - I brought my camera for a laugh just to see if anyone would complain - I walked in and some guy had a huge lense taking pictures of everyone 09:28:09 .. this is broader that geolocation 09:28:26 can barriers to entry created by regulation also create possible monopoly structures due to the need for scale for meeting the regulations? 09:28:42 .. embedded code in handset can create profiles 09:28:49 updated 09:29:18 frederick: is "informed" a well defined term? 09:29:31 kasey: opened, evolving area 09:29:43 .. 4000 word policy is not "informed" 09:30:00 frederick: "reasonableness"? 09:30:03 4000 seems pretty short :) 09:30:14 anne has left #privacy 09:30:32 brian: any specific characteristics that would help us understand when users have been informed 09:30:34 @dsinger that's how we identified German morse code operators in the war 09:30:56 kasey: if we continue to focus on consent only, we have failed 09:31:13 .. one has to balance experience - we need to rethink fundamental structure 09:31:28 .. look to primary purpose, secondary purpose distinction 09:31:49 simon: have you looked at where data are located? 09:31:54 interesting. Do you give enough information to make a decision? What's happening with regards to intimate discussions between two persons. Since there are devices and private companies in between, they carry neutrally (bits transport) or not the information (data mining) 09:32:28 kasey: this is part of the problem - my employer is based in UK, but if online service is accessible everyone, what rules apply? 09:32:44 .. 
perhaps moving toward global standards 09:32:58 question: national content standards 09:33:18 kasey: national content standard need to still apply 09:33:28 .. privacy standards may be different 09:33:50 .. reactions are fairly similar - giving choices is what matters 09:34:30 solution is we need a global government with global laws. Is that a possible outcome of this workshop? 09:34:31 s/robert?/David Rogers/ 09:35:32 tlr: moving to general discussion 09:35:57 .. karl talked about forgetting things in real life, not online 09:36:27 .. john talked about specific regulatory framework in UK - note tension between rule and reality 09:37:21 .. kasey talked about some regulatory frameworks .. need to tell people "why" you want to use their data 09:37:47 .. common theme - there are hard and fast rules that do not map into social reality 09:38:23 john carr: when I was 15, I wanted to get a pint of beer in pub 09:39:07 .. we should not strive to match the social reality 09:39:47 .. offering of internet is aimed of family homes all over world -- we have to stop thinking about children as an afterthought 09:40:05 q+ to ask how to enable social mechanisms via technology 09:40:20 .. we should shift our mindset to recognize that lots of children are online 09:40:43 ian: to do anything useful, you must know who is a child 09:40:54 .. in US, we are against national ID card 09:40:59 q+ to ask what our are reasonable expectations of NOT revealing our age, gender, race, marital status, disabilities, etc.? 09:41:48 john carr: you will want to solve problem 09:42:38 ack fjh 09:42:38 fjh, you wanted to ask how to enable social mechanisms via technology 09:42:47 queue=soeren,drogers,dsinger 09:43:14 frederick: karl mentioned things to do, but technical solutions often do not work 09:43:28 ... we need social mechanisms 09:44:00 .. how does technology enable to social mechanisms to address concerns 09:44:16 karl: what we can do is to enable people to have more control over data 09:44:17 .. 
09:44:17 the 09:44:18 re will b 09:44:19 e soci 09:44:21  09:44:22  09:44:35 there will be social catastrophes 09:45:10 q+ henry 09:45:11 q? 09:45:13 there also will be keyboard catastrophes 09:45:45 q- henry 09:45:57 question: how to create solutoins without creating monopoly? 09:46:09 s/solutoins/solutions/ 09:46:49 karl: gps is completely anonymous system, cell phone triangulation is bad because others can see 09:47:30 q? 09:47:49 soeren: age verification is one example of how things get complicated by moving to web 09:47:52 ack soeren 09:48:02 q+ bryan 09:48:02 oops forgot the queue here 09:48:25 .. some social network push authentication back to users -- peer-to-peer authentication 09:48:58 .. seems that appear to be closed are flawed on technical level 09:49:31 david singer: what if I want to interact without revealing info about myself 09:50:32 q+ 09:51:31 john carr: if there is a claim that service is age limited, then that should be enforced 09:51:36 q? 09:51:47 q- dsinger 09:52:40 q- 09:52:51 ack bryan 09:53:07 isn't it true most people will give up much information for a coupon? Research somewhere, lost pointer. 09:53:25 bryan: anonymity is weak protection - lots of info is available 09:54:28 david rogers: take issue about age limits - 18 year old limit is not a privacy rule, it is a contract/legal rules 09:54:42 .. use case is mixed up 09:55:28 john carr: my point is that sub-18 year old is not in position to evaluate privacy questions 09:55:52 .. to companies that go geoloc have a responsibility to do more 09:56:38 ian: asked for concrete proposals can follow, and I've yet to hear any proposals 09:56:52 kasey: we are setting a scene 09:57:02 tlr: we will come back to question 09:57:22 kai: liked what karl said about giving user control 09:57:33 .. 
parent can set computer to appear as a child 09:58:01 dan: we have not talked about role of parent 09:58:02 RRSAgent, make minutes 09:58:02 I have made the request to generate http://www.w3.org/2010/07/12-privacy-minutes.html MikeS 09:58:20 .. you buy phone for child, set it up, you give it to child 09:59:10 pat: couple issues on regulation - kids set up yahoo account to pretend to be adult 09:59:53 .. all info on kids available because of registry 09:59:54 . 09:59:54 . 10:00:40 .. in countries, 15 year olds can marry, have kids, but they cannot use location services? 10:01:03 john carr: I am enlisting your help for solving problems 10:01:04 .. 10:01:05 in 10:01:06 ternet 10:01:27 .. internet is fragmenting, and will happen more unless we solve these problems 10:02:06 to jmorris: in the USA you can fight and die for your country (and vote) at the age of 18, but not drink a beer... 10:03:08 john carr: technology companies seek to avoid responsibility, and that leads gov'ts to try to step in 10:03:59 karl: would like to move away from privacy policies to other social structures to create tools 10:04:28 kasey: trying to encourage technology to allow users to decide where on the public/private spectrum they should be 10:05:16 session is closed.... 10:08:39 eisinger has joined #privacy 10:27:40 eisinger has joined #privacy 10:30:19 alissa has joined #privacy 10:30:27 Scribe:alissa 10:30:29 scribenick: alissa 10:30:39 David Singer speaking from Apple 10:30:49 have slides made it on the web yet? 10:31:02 http://www.w3.org/2010/api-privacy-ws/slides/ 10:31:04 s/would like to move away from privacy policies to other social structures to create tools/would like to move away from privacy policies discussions to focus on simple tools to control data that will enable privacy. social structures already exist/ 10:31:18 David's paper at http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-2.pdf 10:31:29 ... 
we don't realize something was private until it's gone 10:31:37 darobin has joined #privacy 10:31:50 who owns what? 10:32:04 ... protocols and plumbing not the W3C's problem 10:32:20 ... apps are not our problem either 10:32:33 ... formats and presentation are out problem 10:33:21 priv expression languages are hard 10:33:28 soonho has joined #privacy 10:33:50 ... with rights expr language, you can change it on every transaction 10:34:26 ... constant need to expand policies to cover everything 10:34:50 ... is it possible to verify that policy matches intention? 10:34:58 DKA has joined #privacy 10:35:16 tension between what's allowed vs. forbidden 10:36:07 how much data accumulation is too much? 10:37:02 users tend to balk at the unforeseen even if it was fairly innocuous 10:37:21 ... policies are too long for people to read 10:37:59 Kasey: law encourages long policies 10:38:32 ... but emerging legal thought in US is that important info has to be outside policy 10:39:09 dsinger: questions for W3C 10:39:14 ... can we 10:39:17 ... define privacy? 10:39:26 ... identify W3C's scope? 10:39:33 ... do policy languages? 10:39:40 ... manage degree and context? 10:40:09 ... keep disclosure informed and voluntary? 10:40:49 some key players are not members of W3C 10:41:01 ... esp sites and services 10:41:21 ... IETF has security considerations in specs 10:41:33 ... do we need privacy considerations? 10:42:00 tlr: XHR 2 has priv as exit requirement 10:42:01 +1 on proactively having a privacy considerations sections 10:42:11 s/priv as exit/security considerations as exit/ 10:42:24 +1 on there being privacy implications on most of what W3C does 10:42:38 do we have enough mistakes to learn from? 10:42:40 (Part of David's point was that neither privacy nor security considerations being mandatory in W3C specs.) 10:42:44 ... need a taxonomy 10:43:21 David Applequist: last question was driver for this workshop 10:43:41 ... want to know what we learned from implementations 10:43:48 ... 
of geoloc API 10:44:29 s/having a/having/ 10:44:35 s/David/Daniel/ 10:44:44 dsinger: conlusion: this is a big fluid area 10:45:03 bryan_sullivan: who owns what is a key question 10:45:28 ... as in, who owns data about my identity 10:45:29 s/conlusion/conclusion/ 10:46:00 tlr: ownership is used in broader priv literature, but it's limited 10:46:21 dom has joined #privacy 10:46:41 drogersuk has joined #privacy 10:47:25 Aram (?): machine-to-machine (m2m), like smart grid, is emerging 10:47:45 ... info about people that they don't even know can be collected about them 10:48:10 tlr: interesting questions beyond javascript APIs 10:48:33 henry: ownership is the wrong framework 10:49:06 ... value of info changes depending on who I got it from 10:49:53 dsinger: was talking about ownership of specs, not ownership of data 10:50:19 ... nefarious web sites built with our specs are not our fault 10:51:03 new speaker: Pat Walshe, GSMA 10:51:42 EU commission is looking at who owns data 10:52:04 putting the user back in the center of things 10:52:34 ... complex web of relationships around the user 10:52:47 http://www.w3.org/2010/api-privacy-ws/slides/walshe.pdf 10:53:16 Eric Schmidt recently said priv will become so impt that it will have to regulated on country-by-country basis 10:53:33 focus on consent is misguided 10:54:19 why "preservation" and "protection"? why not expression of choice and preference? innovation? 10:55:32 all different apps collect different kinds of data, but all claimed not to be PII 10:56:33 GSMA was concerned about what was happening with mobile privacy 10:56:55 ... priv not being treated consistently or in functional terms 10:57:14 ... security does not equal privacy 10:57:46 ... looking for consistent priv experiences 10:58:28 how do entities across borders agree about how to respect my privacy? 10:58:51 privacy in standards: one approach is privacy principles 10:59:40 ... 
users have priv needs and expectations that need to be incorporated into development processes 10:59:46 jochen has joined #privacy 11:00:13 ... focus on outcomes 11:00:25 ... long policies are not good outcomes 11:01:47 principles are looking at context-aware priv prompts 11:01:49 jmorris has joined #privacy 11:02:10 Present+ John_Morris 11:02:17 asking for consent for everything undermines privacy 11:02:43 privacy design guidelines useful for meeting global expectations 11:03:06 ... expectations transcend borders and contexts 11:04:12 ISO is doing work on priv standards, regulators are involved 11:04:42 ... some regulators concerned that SDOs can't get the job done themselves 11:04:52 jmorris has joined #privacy 11:05:42 Article 29 working party out to set express consent baseline for applications 11:06:36 developers need something that they can understand 11:07:57 DKA: mentioned that ISO is opaque 11:08:16 ... have lots of convos happening internally, but we're not talking to each other 11:08:32 I love those bug reports: I blocked the 3rd 7th and 9th cookie and now the page went in a redirect loop 11:08:52 ... would like to see more transparency around those processes 11:08:54 +q 11:09:46 Pat Walshe: our process is transparent now 11:10:19 tlr +1 to DKA 11:10:36 (speaker): what does GSMA do concretely? 11:11:00 Pat Walshe: have gotten members to agree to privacy principles 11:11:13 s/(speaker)/Sören/ 11:11:33 ... and priv design guidelines 11:12:11 previous efforts have been aimed at fixed line context 11:12:34 Sören: where do guidelines come from? 11:12:46 Pat Walshe: guidelines from many different members 11:13:26 ifette: how do you cut the crap out of priv policies? 11:13:48 ... 
everyone has to explain the same nonsurprising stuff 11:14:39 Sören: users care about different things, may be surprised by diff things 11:15:10 need to focus on exceptions, management by exception 11:15:31 bryan_sullivan: priv by design still has a long way to go 11:15:46 +1 to ifette 11:15:49 ... how are we going to determine conformance to PbyD principles? 11:16:03 Pat Walshe: looking at a seal program 11:16:05 I cannot believe that comment: "if you want to know what a cookie is, go to W3C" - that is so far out of touch with the reality of 99% of users to be offensive 11:16:37 rbarnes: GSMA has one API program that has good building blocks for higher layer decisions 11:17:16 Pat Walshe: one API allows one interface for buying on mobile 11:17:29 next speaker: Hannes Tschofenig 11:17:40 drogersuk, the issue is not necessary where it is defined but more how people access it and in which language do we explain it. That's another issue of privacy policies. Living in a foreign country with a different language. 11:17:49 DKA: developers are interested in ideas around privacy guidelines 11:17:49 jochen has joined #privacy 11:18:44 http://www.w3.org/2010/api-privacy-ws/slides/tschofenig.pdf 11:18:53 HT: IAB shares goal with IETF of making internet work better 11:18:54 GSMA OneAPI: http://www.gsmworld.com/our-work/mobile_lifestyle/oneapi.htm 11:19:00 @karl, completely agree but most users do not have a clue about anything technical, we need to bring it down some notches to what is understandable 11:19:19 privacy = fair information practices 11:19:35 ... no shortage on priv principles 11:20:33 IETF applies hybrid of PbyD and "priv by policy" 11:21:17 ... PbyD is more understandable to engineers 11:21:25 ... although it's often advocated by non-designers 11:21:52 role of SDOs 11:22:24 ... some orgs are strongly focused on standardizing everything -- 3GPP, OMA, ETSI, ITU-T 11:22:47 ... then proprietary: not Internet-based 11:23:02 ... 
then built on top of standards 11:23:18 ... need for standards decreases as you go up the protocol stack 11:24:14 ... priv seals and certifications haven't provided a lot of value 11:24:28 ... IETF has remained generic in protocol definition 11:26:14 IETF often standardizes after implementations and deployments exist, limiting designability 11:26:24 programmatic forgetfulness = creating a system which makes it possible to automatically delete information against certain criterias (once seen by X, in 3 days, once seen by someone in that location, etc.) 11:26:49 jmorris has joined #privacy 11:27:03 ... pragmatic approach required 11:27:32 jmorris has joined #privacy 11:27:37 IETF also often doesn't see what happens when things get deployed 11:28:54 ... limits to what behavior IETF can dictate 11:29:29 Example: SIP 11:29:31 http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html 11:29:40 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 11:29:50 ... protocol for sesson establishment and maintence 11:30:13 ... priv not incorporated at first, but extensions developed throughout 11:30:38 ... with deployments, got regulatory requirements and business requirements 11:30:51 ... e.g., recording sessions 11:31:01 IETF Policy on Wiretapping http://www.ietf.org/rfc/rfc2804.txt 11:31:37 ... tension between security/priv and these requirements 11:31:42 RRSAgent, make minutes 11:31:42 I have made the request to generate http://www.w3.org/2010/07/12-privacy-minutes.html MikeS 11:31:49 ... e.g., lawful intercept 11:32:06 ... question is how to tackle conflicting requirements? 11:32:18 things for W3C/IETF to do 11:32:25 ... (acknowledging limitations) 11:32:31 http://tools.ietf.org/html/draft-hansen-privacy-terminology-00 11:32:57 (July 5 2010) 11:33:01 ... feedback appreciated on priv terminology doc 11:33:20 ... education and awareness for engineers 11:34:05 ... 
guidelines for having privacy considerations in standards 11:34:52 ... establish review teams for privacy considerations 11:36:19 would like to establish smilar views among other SDOs 11:36:49 ... want to avoid forum shopping 11:37:17 identify implementation and research challenges (IRTF) 11:37:19 -> http://www.irtf.org/ Internet Research Task Force 11:38:07 education of regulators 11:38:41 ... regulators can help increase transparency 11:39:34 bryan_sullivan: how is IPv6 going to affect privacy? 11:40:05 HT: if your IP address never changes, sites you visit will see it all the time, but there are standardized solutions to change that 11:40:54 Sören: theme seems to be need to cut down to simple decisions 11:41:14 ... on other hand we have frameworks and guidelines 11:41:24 ... lack of empirical evidence about what users want 11:41:30 ... or what will surprise them 11:41:46 DKA: we are talking across a wide range of things 11:42:06 ... PbyD can be about app or service, but HT was talking about design of protocols 11:42:35 Sören: IETF trying to engineer new protocols 11:42:44 HT: at the end it's about what goes over the wire 11:42:51 ... but more complicated than that 11:43:05 ... whole collection of entities need to work together 11:43:33 ... e.g., XMPP made deliberate decision to route all traffic through core nodes, but could be totally different 11:43:58 Pat Walshe: research has been conducted about what people want 11:44:04 ... but we need more 11:44:41 ... guidelines are needed to unify across platforms 11:45:42 tlr: there are diff pieces of the system that have entirely different privacy discussions 11:46:21 ... location acquisition (GPS, cell triangulation) vs. consumer of location information 11:46:40 ... designing pieces of protocol vs. pieces that interface with apps 11:47:03 DKA: only as private as the weakest privacy link 11:47:36 q? 
11:48:02 HT: we did something specific in geolocation about how granular preferences are 11:48:57 Pat Walshe: speech-to-text app dropped in rankings because it started invading privacy 11:49:22 Kasey Chapelle: privacy fiascos tell us about what users want 11:49:58 dsinger: targeted advertising spooks people 11:50:36 John Carr: many companies shape consumer expectations, don't they have an ethical view of these questions? 11:51:21 (speaker?): have done consumer research 11:51:37 ... we shouldn't make decisions for consumers 11:52:08 ... but we've found that there's a big difference between sharing with friends and sharing with companies 11:52:15 s/(speaker?)/Zoli Piroska/ 11:52:25 ... most privacy issues are with friend sharing 11:52:52 ... company data collection is important, but consumers care about social sharing more 11:53:34 tlr: powerful frame for a general discussion 11:54:09 rbarnes: challenge Kasey notion that we know what consumers want 11:54:17 Kasey: we learn from fiascos 11:55:17 dsinger: all of my transactions used to be physically distinct 11:56:38 drogers: different users have diff expectations 11:57:49 alissa: consumers can't care about things they don't know about 11:58:01 lunch time! 
12:16:48 MikeS has joined #privacy
12:17:10 RRSAgent, make minutes
12:17:10 I have made the request to generate http://www.w3.org/2010/07/12-privacy-minutes.html MikeS
12:18:33 MikeS has joined #privacy
12:28:48 MikeS has joined #privacy
12:59:13 jochen has joined #privacy
13:02:37 Kangchan has joined #privacy
13:02:58 jmorris has joined #privacy
13:04:50 Kangchan has joined #privacy
13:06:10 alissa has joined #privacy
13:07:34 soonho has joined #privacy
13:11:07 dsinger has joined #privacy
13:11:09 cullenfluffyjenni has joined #privacy
13:13:18 jochen has joined #privacy
13:14:40 tlr has joined #privacy
13:15:24 dsinger_ has joined #privacy
13:15:44 useful for this workshop http://mypoyozo.com/ Poyozo is an automatic, personal diary system to help reclaim and consolidate your ever-expanding digital life with simple visualizations that you can use every day.
13:15:54 scribe: karl
13:15:59 s/,/:
13:16:23 topic: Consumers' privacy decision-making
13:16:31 pkelley has joined #privacy
13:16:53 rbarnes has joined #privacy
13:17:01 soren: I have been looking at how users make decisions
13:17:36 drogersuk has joined #privacy
13:17:50 ... if users are not satisfied with their privacy, this will feed competition.
13:18:19 ... toxic triangle: cancel and switch / false data / cancel
13:18:21 http://www.w3.org/2010/api-privacy-ws/slides/preibusch.pdf
13:18:38 ... these will create negative business impacts
13:18:47 wonsuk has joined #privacy
13:18:50 ... we do not know why people switch between these three
13:19:29 ... privacy negotiation is not necessarily formalized. It can be a straightforward process.
13:19:47 ... There could be incentives behind privacy questions.
13:19:58 fjh has joined #privacy
13:20:47 ... Privacy practices have been better when you have more users, longer history, bigger web sites, etc.
13:21:05 ... This is correlation and not causality.
13:21:19 bryan_sullivan has joined #privacy
13:21:27 ... We did a laboratory experiment.
13:21:42 ... We really need more data by observing people.
13:21:49 ... We need to know what people do.
13:23:17 ... experiment made around buying DVDs.
13:24:13 ... Two companies' forms look exactly the same
13:25:59 ... on one side we asked for the colour, on the other one for the income, for the same price. And then an additional case with a lower price.
13:27:08 ... if the price is better, they are ready to give more information.
13:27:16 ... they go to discount instead of privacy.
13:28:19 xxx: what was the population distribution?
13:28:23 soren: students.
13:28:32 xxx: did they have incomes at all?
13:29:26 soren: the experiment was real. They really bought the DVD.
13:29:34 s/xxx/several people/
13:30:10 kai: is the sample too low?
13:30:25 soren: it's too low for binomail interpolation
13:30:32 MikeS has joined #privacy
13:30:42 RRSAgent, make minutes
13:30:42 I have made the request to generate http://www.w3.org/2010/07/12-privacy-minutes.html MikeS
13:30:45 ... but it's fine for the studies.
13:31:20 s/binomail/binomial/
13:31:32 ... we know that people made this choice even if they were not satisfied about it
13:31:57 s/studies/heuristics studies/
13:32:54 ... we asked them if they were willing to reveal their data.
13:33:36 ... people will use the cheaper company against their own rules.
13:35:22 ... data about privacy preferences are not homogeneous.
13:35:58 ... valid experiments reveal users' privacy decision-making.
13:36:05 ... forget intuitions
13:36:16 ... collect real data from experiments.
13:37:10 bbb: it's difficult to assess what users want in this kind of experiment for zzz
13:37:15 soren: true
13:37:37 ... maybe collection is not the right thing to test, but the use.
13:38:21 http://www.w3.org/2010/api-privacy-ws/slides/kelley.pdf
13:38:22 Topic: User-Controllable Location Privacy
13:39:05 http://www.w3.org/2010/api-privacy-ws/slides/kelley.pdf
13:39:13 pkelley: We are actually working with users.
13:39:21 ... to be sure the information is really usable.
13:39:28 darobin has joined #privacy
13:39:35 MikeS has joined #privacy
13:40:00 ... Users have things more and more difficult to configure.
13:40:05 ... example a router.
13:40:35 ... I will focus on sharing in a mobile social way.
13:41:15 ... These apps on mobile location have been developed by dozens.
13:41:39 ... We do not yet have a situation of the size of Facebook, even 4square.
13:42:11 ... We developed Locaccino in a way to study the privacy settings and their usage.
13:42:37 ... We study how they use their phone over the long term.
13:43:25 ... There is no policy which makes it acceptable for every type of user.
13:43:30 ... It doesn't exist.
13:44:25 ... people have been asked for every location what would be their sharing behaviour.
13:44:55 ... Is it possible to group the results in a way which is meaningful for creating rules.
13:45:38 ... location rules don't exist
13:45:43 ... time rules don't exist
13:46:07 ... you can only put in group rules
13:46:14 ... (friends, etc.)
13:47:19 ... The white list is the lowest "average time shared"
13:47:31 ... for each type of groups.
13:47:57 ... People do not want to share with Advertisers group
13:48:10 Zakim has left #privacy
13:49:03 Younsung has joined #privacy
13:50:06 jochen has joined #privacy
13:50:11 ... Future work
13:50:30 ... soft paternalism…
13:50:50 ... We have been running the system for 3 years and thousands of people
13:51:01 ... users have complex privacy settings
13:51:08 rbarnes has joined #privacy
13:51:57 ... There are not enough people using LBS to be sure about the true complexity of your Privacy policies.
13:52:29 ... approving and disapproving a friend, your mother and your work colleague are quite hard challenges.
13:52:43 ... We need time to see how it will evolve.
13:53:43 ... we have studied label design and we came up with two types of designs.
13:54:36 ... The table one was the more effective overall.
13:55:42 ... 20% of people miss the word cookie in the middle of a paragraph.
13:55:50 ... People prefer the graphical approach.
13:56:36 kai: did you measure blacklist and whitelist?
13:56:52 pkelley: no, we didn't
13:57:07 ccc: blabla
13:57:20 pkelley: I can't answer this question
13:58:00 ... I'm not sure I can believe users, but it's what they report.
13:58:14 dka: location obnoxious
13:58:54 pkelley: It is often unclear what is the ideal outcome
13:59:15 ... where do you try to push the users to?
13:59:32 ... people do not want to be completely private.
14:00:02 ... Nudging could be "Are you really sure to do that?"
14:00:13 DKA: Users might turn off
14:00:21 pkelley: yes indeed.
14:01:00 dsinger: did you dig in personal preferences or is it just the results of social context?
14:01:23 pkelley: Long time research shows that people are not going to many places
14:01:33 ... it's hard to find out
14:01:41 ... the quality of data.
14:01:49 s/find out/assess/
14:03:42 Simon has joined #privacy
14:04:13 Is there a twitter tag people are using for this workshop ?
14:05:25 #w3cprivacy
14:06:17 pkelley has joined #privacy
14:07:16 Topic: Access Control is an Inadequate Framework for Privacy Protection
14:07:28 lalana: I do not propose any technical solutions.
14:07:44 ... I will propose future research directions.
14:07:58 ... Brandeis = access to information
14:08:08 ... willis = use of information
14:08:35 ... sensitive information can be inferred from public resources.
14:08:40 s/willis/westing/
14:09:06 ... (slide 3 of 9)
14:09:43 ... Once I have access to a piece of information, I can post it in another context
14:10:03 ... but the context has changed and then I might violate the privacy of a friend
14:10:36 ... Gaydar project helped to reveal the sexual orientation in Facebook.
14:10:51 ... even with people having totally private profiles.
14:11:15 ... It was before the list of friends was made public.
14:11:48 ... We should have a system where data could be used in a more sensitive way.
14:11:52 shepazu has joined #privacy
14:12:27 ... privacy social systems should be built in accordance with physical social norms
14:13:07 ... Signals and signs in human society describe behavior (example car parking sign)
14:13:37 ... There are mechanisms to identify violators and to respect the rule.
14:14:09 ... We do not know if there is a technical solution.
14:14:18 ... we have ideas about possible systems
14:14:30 ... give enough information to users to make decisions.
14:14:46 ... If their privacy will be respected, if they should sue, etc.
14:15:01 ... Google Dashboard goes in the right direction.
14:15:40 ... information accountability should be supported.
14:15:46 rbarnes has joined #privacy
14:16:03 ... We are interested in privacy enabling interface design.
14:16:28 ... When I try to copy a picture, make a box for warning the users of the context of the photos.
14:17:00 ... Not an enforcement mechanism but information so that users will be reminded of the privacy context.
14:17:29 ... policy awareness through icons for example.
14:17:58 jochen has joined #privacy
14:18:16 ... privacy nudges help to prevent users from sending emails.
14:18:40 ... "Are you sure you want to send to all these people?"
14:19:17 ... Before you submit, having a message explaining the consequences.
14:19:31 ... There is work on data usage.
14:20:24 karl: you need a google account to check google dashboard. It's an issue.
14:20:32 lalana: indeed.
14:20:46 dsinger: question
14:20:47 soonho has joined #privacy
14:21:07 lalana: When I see the CreativeCommons I can make a decision to care or not care about
14:21:13 ... but I make an informed choice.
14:21:36 casper: access control is only a part of the solution
14:21:58 ... but you should distinguish the notion of social networks and user with organizations.
14:22:54 ... access control is different, for example, for employees of an organization dealing with users' data.
14:23:52 lalana: discussing with facebook people, they said that "oh we tell them to not look at the data"
14:24:15 casper: at microsoft, we have very strict policies.
14:24:38 ... a very small set of persons access emails for example.
14:25:07 dka: Who at facebook looks at the picture?
14:25:47 hstory: one of the weird things with a network with a uri and a photo.
14:26:20 ... Even for access control, there is a need for interface
14:26:38 ... it's much easier to link to photos than copy.
14:27:13 ... Access control for friends is necessary too.
14:27:51 dka: how do we make privacy information usable in many different contexts and for different types of users?
14:29:09 tlr: people have no idea when they are asked.
14:29:55 ... disconnect about what they have set and what they say they have set.
14:30:28 Younsung has joined #privacy
14:30:58 aaa: People are bad at making decisions about their privacy in advance
14:31:16 ... maybe the best way is to let people know after the fact the implications.
14:31:33 soren: Nudges remind me of a paperclip.
14:31:39 ... it can be annoying.
14:32:18 aaa: icons are meaningful, tables are meaningful.
14:32:33 jochen has joined #privacy
14:32:36 bbb: this is nothing new. You trust your bank.
14:32:55 ... Vodafone can listen to any of your conversations.
14:33:49 hstory: the best way to help users would be to have systems that show what their page looks like to another user.
14:34:15 drogersuk has joined #privacy
14:34:25 ccc: people do not want to have to configure.
14:34:45 ... are there more things we can do for defaults.
14:35:08 soren: How to choose the default is the issue. They are very powerful.
14:35:49 pkelley: there could be a set of predefined defaults
14:36:06 ... the issue is when they change the sets
14:36:16 ... it's what is happening with Facebook.
14:36:47 soren: giving an example of 4 sets.
14:37:26 alissa: what are the things which are right for standardization?
14:37:38 ... Is it better to have competition
14:37:48 ... is it better to have the same for every company
14:37:57 Lalana's slides: http://www.w3.org/2010/api-privacy-ws/slides/kagal.pdf
14:38:28 lalana: standardizing icons could be a good thing
14:40:07 ianfette: In real life, companies are not necessarily comfortable with generic profiles.
14:40:26 ... they want to know exactly what the user wants.
14:41:08 ... anti-phishing practices
14:41:59 ... each time a user is confronted with something new, users are freaking out about it.
14:42:27 tlr: we should take into consideration the length of time the users are freaked out.
14:42:51 lalana: is it a question of design of interface
14:43:01 ianfette: I do not think it will solve it.
14:43:20 ddd: we know that people do not know what they want.
14:44:10 ... should people care about privacy?
14:44:57 pkelley: research helps to figure out some of the data around privacy policies.
14:45:32 s/ddd/aza/
14:46:03 aza: for most people, it goes over their head
14:47:01 kai: what about users who never find out?
14:47:32 ... every time you visit a Web site, they check. Nobody knows that.
14:47:58 soren: if they learn it later on in NYT, they will really freak out.
14:48:39 eee: Google has no way of inferring the uri because of a hash.
14:49:05 fff: What kind of change do you need?
14:49:53 ianfette: (missed the answer)
14:50:30 ggg: What is the best way to communicate to users what they want
14:50:35 ... they know what they want
14:50:44 wonsuk has left #privacy
14:52:11 tlr: the question is often the mismatch between what the user wants and what is happening
14:52:58 casper: we can learn a lot from P3P
14:53:15 ... if we do not remember that stuff, we will fail.
14:53:55 ianfette: some things just do not work.
14:54:46 RRSAgent, make minutes
14:54:46 I have made the request to generate http://www.w3.org/2010/07/12-privacy-minutes.html MikeS
15:17:07 soonho has joined #privacy
15:21:43 drogersuk has joined #privacy
15:21:51 alissa has joined #privacy
15:22:11 rbarnes has joined #privacy
15:22:55 bryan_sullivan has joined #privacy
15:23:27 darobin has joined #privacy
15:24:03 q?
15:24:11 Scribe: darobin
15:24:12 jochen: geolocation is a content setting
15:24:21 Talk about geolocation api and problems implementing it
15:24:22 ... the spec tells you to get consent from the user
15:24:41 ... you should include the URI of the resource that wants geolocation
15:24:55 ... but it's not just text+markup, it's an application stack
15:25:33 rbarnes has joined #privacy
15:25:38 ... the straightforward approach is to just prompt the user with lengthy information about where the javascript requesting info comes from
15:25:49 ... it's complex because there can be iframes and remote scripts involved
15:26:14 Sören: do you need an API key to use the Google geolocation service
15:26:15 pkelley has joined #privacy
15:26:23 jochen: only for mashups
15:26:29 kai: with v2 you don't need it
15:26:39 ian: this is a generic problem with javascript on the web
15:26:48 jochen: including the domain, but of what?
15:27:05 ... you have to track where each piece of js comes from, and what it's talking to
15:27:27 ... once you have permission from the user, the spec says she should be able to change her mind
15:27:38 ... which means you then need some UI to make this accessible
15:27:55 ... if you go to maps.google.com it's easy, everything's from google
15:28:09 ... (demonstrates infobar in chrome)
15:28:46 ... an icon in the address bar tells you that the page is using geo, and you can revoke
15:28:53 ... it's accessible, but that's the easy case
15:29:18 ... (shows the same case, but with google maps embedded in a third party site)
15:29:38 ... should we show this as google requesting or as the 3rd party site requesting?
15:29:43 ... it's not an easy question
15:29:55 ... we ask the user for what's included
15:30:32 ... but if you go to the revocation UI it shows the permission for what's included as embedded by the third party
15:30:58 RB: do you go several levels of embedding down?
15:31:05 jochen: no, only one
15:31:26 tlr: you're matching on the top origin and on the embedded origin?
15:31:28 jochen: yes
15:31:52 ... in-between levels of embedding, if any, are not listed
15:32:30 ... the reason it took me 8 clicks to get to these settings is because we believe that this is a level of detail that is too advanced for users
15:32:57 ... we had similar settings exposed for cookies earlier
15:33:08 ... but users used them in random ways that broke websites
15:33:18 kai: so you think it's too complicated, and therefore hide it?
15:33:49 jochen: yes, average users don't understand embedding
15:33:57 kai: it could just be your UI design that's bad
15:34:19 ianf: only 10% of users even understand the menu from the icon in the address bar
15:34:46 dka: do you know whether or not average users are paying attention to that icon
15:34:58 [scribe may have misunderstood ianf's input]
15:35:19 jochen: we track this information, but the data are skewed
15:35:32 ... but based on the data we have people don't use them
15:35:47 alissa: how many people are going to location-aware sites?
15:35:55 jochen: google home page, google mobile...
15:36:18 tlr: alissa's question is how many folks are exposed to an activated geo page, and how many use the icon
15:36:41 jochen: I can't tell for chrome, but for the mobile browser location is a highly used feature
15:37:04 dka: on the android browser I don't see the icon
15:37:12 jochen: it's not there currently
15:37:20 tlr: what were your considerations in changing it
15:37:54 jochen: we found that the way we used to do it (accept once) was not what users wanted — controlling geo more granularly should be easy
15:38:14 ... you don't want to share your location every time you open maps
15:38:32 sören: how many people revoke permissions?
15:38:34 ianf: none
15:38:42 drogersuk has joined #privacy
15:38:46 kai: are you going to make the android UI the same?
15:38:58 jochen: there isn't a lot of room...
15:39:13 dka: there's the title bar with room
15:40:01 jochen: from an implementers' point of view we'd like to see standards that take usability into account
15:40:10 wonsuk has joined #privacy
15:40:14 ... try browsing with cookies set to "prompt" to get an idea
15:40:35 ... you don't want to prompt the user all the time
15:40:53 ... you want a way to grant permissions for an entire web application
15:41:03 room murmurs "widgets" a lot
15:41:25 ... if you don't grant access, the application doesn't get installed (or doesn't run)
15:42:12 jochen: in chrome we have a file api that grants access to a virtual file system
15:42:22 ... it can be granted to a given origin, and no other website can access it
15:42:36 ... it's tightly sandboxed
15:43:01 kai: over time you can build up a large number of sites which you trust, can that be saved and sent to another chrome browser?
15:43:07 jochen: yes, with chrome sync
15:43:21 jochen: the file system API is a good example of privacy by design
15:43:23 sometimes, you can't know beforehand.
15:44:02 example: The Facebook like button which are tracking fb users out there even if they do not click the "like" button.
15:44:15 s/which are/which is/
15:44:20 ... designed in such a way that you don't need to prompt the user
15:44:31 robin: is that the DAP/WebApps file system API?
15:44:33 ianf: yes
15:44:57 alissa: geo says nothing about the iframe issue, you guys took it upon yourselves to handle that
15:45:12 jochen: from an implementers' perspective, you know these things and you have to deal with them
15:45:24 dom: have you submitted that to the WG?
15:45:27 ian: yes
15:45:35 ... and our solution is conforming
15:45:50 ... but had the spec been wrong, we would have ignored it
15:45:59 tlr: the specification could use some clarification, possibly
15:46:30 dka: there might be a disconnect between the creation of the API and the implementation
15:46:46 ... google was a key driver in the development of the API, so we need to work on closing that loop
15:47:10 cullen: problems for mobile implementation, the icon is a problem?
15:47:21 s/the specification could use some clarification, possibly/the specification seems clear if you read it with a spec-writer's mindset. interesting that there's a need for clarification/
15:47:23 jochen: no, there wasn't much thought put into what the UI ought to do
15:47:39 jmorris: but that's because google was against us saying anything useful about the UI
15:47:58 cullen: is your complaint that we chose the wrong thing or that you couldn't figure out which is best?
15:48:15 jochen: including these sections in specs is good
15:48:25 cullen: missing the details of what you were missing, we want it
15:48:47 tlr: think we will come back to this in the final discussion
15:48:56 dka: implementation experience is crucial
15:50:49 http://www.w3.org/2010/api-privacy-ws/slides/caceres.pdf
15:50:49 Marcos Caceres, Opera — Privacy of Geolocation Implementations
15:51:08 marcos: I looked at chrome, opera, mobile safari
15:52:02 ... firefox
15:52:26 ... I made a critical framework including Accessibility, Control, and Confidentiality
15:53:00 jochen has joined #privacy
15:53:12 (the book/author are "Database Nation: The Death of Privacy in the 21st Century", by S. Garfinkel)
15:53:19 ... in iOS, all apps must get user permission
15:53:33 -> http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-21.pdf Marcos' paper: Privacy of Geolocation Implementations
15:54:11 it actually was The Future of Reputation: Gossip, Rumor, and Privacy on the Internet, Solove
15:54:15 ... lots of modal dialogs lead to click fatigue, you can't see what's on the website while the dialog is up
15:55:10 [less scribing for Marcos as he has slides people can read]
15:55:42 ... iOS has 50 pages of unreadable text with unclickable URLs
15:55:47 ... it's super frustrating
15:55:48 "hard to read gray" (tm)
15:55:57 ... but users probably just don't care
15:56:28 ... revocation can only be done in a very well hidden screen
15:56:48 ... potentially that could be improved [speaker enjoys understatements]
15:57:01 ... in v4 there's an indicator
15:57:10 ... there's a semiotic connection there
15:57:51 sören: I had a problem with the first dialog — does "current" location mean current = now or current as in always current
15:57:57 marcos: yes, it's unclear
15:58:08 alissa: does the permission time out after 24h
15:58:09 [I wonder if any of the implementations make a distinction between watchPosition() and getCurrentPosition() ]
15:58:11 [also, it does not ask you "remember? yes/no"]
15:58:12 marcos: I don't know
15:58:45 ... verdict: iOS not very accessible, some level of control, some level of confidentiality
15:59:25 ... moving on to firefox
15:59:50 ... more control, non-modal, access to learning more about the privacy policies
15:59:55 [It would be fun to be able to define shapes of location forbidden for tracking. Automatic switch… but how do you know you are out of the shape :) ]
16:00:04 ... the FF guys have done great work
16:00:07 ... but
16:00:31 ... if you want to do more advanced tasks, you gotta go to access:config
16:00:37 ... way too technical
16:01:14 ... it will even warn you against hacking it
16:02:01 ... verdict: hard to manage sites, control hard to change, hard to make confidential
16:02:19 tlr: can you remind me how I can find out whether a site I'm using is tracking me?
16:02:35 marcos: it's somewhere under tools
16:02:39 ... not easy
16:02:45 ... looking at Opera now
16:02:56 ... similar to FF, no access to privacy policy
16:03:28 ... reason for that is that on first use of the feature we display T+C for the service
16:04:03 ... it's quite bad, it has links but no back button so that if you click one of the links you lose the policy and can't read the rest
16:04:12 ... this is what happens when you mate lawyers and UI people
16:04:18 ... we are going to fix that
16:04:43 ... FF approach better
16:05:06 dka: this is the geo policy right, not the requesting site's policy?
16:05:10 marcos: correct
16:05:37 ... our location provider dialog is also in opera:config
16:05:44 ... a little more accessible than the FF version
16:06:07 ... someone built a fake Opera Unite geo provider so that people can fake their own location
16:06:13 ... which is handy
16:06:34 ... the contextual help for the dialog says "no data available"
16:07:01 verdict: accessibility yes, control yes but hidden, confidentiality yes
16:07:25 ... now looking at chrome
16:07:44 ... kudos to the chrome guys for solving the embedding problem
16:08:00 ... we people who work for browser vendors are kind of unique
16:08:37 ... verdict: accessibility yes, control yes but no control over provider, confidentiality yes
16:09:14 ... do we need more standards for UI? or leave it to the market?
16:09:26 side-by-side comparison of the four desktop implementations on Mac OS: http://geopriv.dreamhosters.com/w3c/w3c-geolocation-implementation.gif
16:09:28 ... equivalent to the padlock for https
16:09:52 ... browsers have different icons, should we align? and if so how?
16:10:08 ... we compete on user experience
16:10:21 [the limit of UI indicators is: how many of them can you usefully deploy as the number of indicators grows (e.g. with the number of APIs)]
16:10:28 sören: there's also the RSS icon where the market found a solution
16:10:56 karl: what's frustrating with multiple browsers is that you have to control your preferences n times
16:11:02 ... it would be good to have a common standard for that
16:11:12 marcos: people use different browsers for different things
16:11:19 [scribe agrees with karl]
16:11:53 chris: am I gonna have to go through all these menus and indicators?
16:12:04 marcos: depends on how much you care about revoking and various services
16:12:05 +1 to karl / ian / scribe
16:12:14 ... the critical side is the server-side too
16:12:28 ... we're going to fix it over time though, don't know how but that's why we're here
16:12:36 [it could be multiple profiles, but a standard format across browsers for preferences including privacy settings would be super helpful]
16:13:27 sören: I think it's okay to have complexity because at one point in time you will have an addon that hides that complexity. We can have complexity so long as there is a way for third-parties to fix it
16:13:35 marcos: there is no API to access this though
16:14:02 tlr: for our purpose there is a UA that has access to a sensor, there are inherent issues with that and how it interacts with the web
16:14:18 drogersuk: in desktop we have more screen space, in mobile it's constrained
16:14:33 ... you run the risk of having lots of blinking lights that make things hard to use
16:14:49 marcos: yes, we're looking for solutions
16:15:57 richard: a lot of the implementation concerns ought to be rolled back into the spec
16:16:09 ... it's striking how similar the implementations are
16:16:21 marcos: people are violently against this, there might be a new WG?
16:16:42 no need to create another working group
16:16:53 confront this head on in our existing working groups
16:16:57 (my view)
16:17:09 ianis?
16:17:29 ioannis up now
16:17:30 s/ianis/Ioannis/
16:17:56 ioannis: location privacy is not just about not revealing where you are right now, but mostly about past locations
16:18:30 [location privacy idea: if you are at less than 500m from this person, hides me]
16:18:31 ... some services don't require that you identify yourself to use geo
16:18:41 ... eg google maps don't require a google account
16:18:46 ... we like that usage
16:18:50 s/hides/hide/
16:19:14 ... we want to provide unlinkability between the locations that have been provided
16:20:09 ... threat comes from unique identifiers (IP addresses, esp ipv6, cookies, LSO) plus geo
16:20:18 [people laughing at http://ncowie.files.wordpress.com/2009/04/xfgeye1iupqro5pold.jpeg]
16:20:22 ... there are some defense mechanisms
16:20:33 ... (shows the panopticlick study)
16:20:52 ... footprinting attacks remove the need for cookies
16:21:17 ... 94% of browsers are unique if you have java/js/flash
16:21:48 ... footprinting can therefore be used in conjunction with geo, which can lead to building location traces
16:22:11 ... services might not know to whom the location belongs, but it only takes one identification to create that link
16:22:19 ... FB Share for instance is enough
16:22:45 ... another attack can be built on the fact that people move in restricted spaces and move in restricted patterns
16:23:47 ... the threat becomes more interesting if we think of 3rd party geo providers who accumulate information sent to many websites
16:24:17 ... they concentrate a lot of information
16:24:42 ... solution approaches with privacy by policy
16:25:02 ... but these are not tamper proof against stronger attackers not deterred by regulation
16:25:09 ... and accidental disclosure happens
16:25:54 ... looking at privacy by design, there's minimisation (for geo, granularity of information)
16:26:08 ... but this does not solve the 3rd party geo provider issue
16:26:20 ... and also only works when precise location is not required
16:26:51 ... we could decrease footprinting, e.g. suppressing Java
16:27:39 ... we could have a monitoring process that computes our general privacy exposure
16:27:45 [but who monitors the monitor? :) ]
16:28:02 [need to be on the browser side?]
16:28:25 ... maybe the W3C could enforce some additional measures for web browsers
16:28:58 tlr: we might persuade, not sure we can send the conformance police
16:29:36 henry: what you're pointing out is that geo info is sent and can be tied to identity — what is needed is a very clear way for users to change identities, not sure it is possible
16:29:58 ... currently at the SSL layer, browsers send certificates without asking you, it is hard to change
16:30:10 ... FF working on an identities framework
16:30:17 ... privacy is identity plus extra information
16:30:27 ... if you can't change the identity you're in trouble
16:30:49 tlr: no, there are ways of tracking users based on incidental information — no need for actual identity to track
16:31:00 ... how do we avoid unintended user identification
16:31:14 dave: it's very difficult to prevent footprinting attacks
16:31:49 dave: you said you wanted to reveal when the user has revealed "too much". How? What is too much?
16:32:07 ioannis: we would need a metric, we don't have it now
16:32:37 ... it depends on the level of precision of your location, the frequency, the location of what it is (house or other)
16:32:40 bblfish has joined #privacy
16:32:43 ... lots of contextual information needed
16:32:54 ... I don't think that we have the means to do it right now
16:33:24 dom: related to massive data aggregation, does any implementation distinguish between getPosition and watchPosition?
16:33:37 ... and throttling
16:33:45 marcos: Opera does, though it's a bit hidden
16:34:05 dom: you're talking about the service provider, not at the API level
16:34:08 marcos: I don't know
16:34:20 sören: wouldn't it be great if Amaya implemented geo?
16:34:30 tlr: we'd need a javascript runtime first...
16:34:41 marcos: we haven't had that many issues, no showstoppers
16:34:58 ianf: suggestions that now that we have this experience we should shove it in the spec
16:35:05 [just for clarification, Amaya is not a reference implementation, but a tool to test a few things]
16:35:10 ... I think that we're still experimenting, shouldn't overspecify
16:35:23 ... great to document best practices, but we should be careful with detail
16:36:02 richard: I wasn't thinking about making it normative, but document it in the spec so that it is captured
16:36:19 jochen: it is important to keep in mind when writing specs that someone will have to implement it
16:36:46 dka: this is important because geo is rechartering, this is useful feedback
16:37:02 so one issue is simply that it should be possible for the user to change their logged on identity. I think Firefox is working on the Weave plugin, which I suppose I am now thinking is an important solution.
16:37:06 ... what can we pull out of this that could apply to DAP, eg the camera?
16:37:19 ... can we apply the geo lessons to camera, etc. or is it all too different?
16:37:39 then there are issues with client certs. Chrome has a bug issue on this http://code.google.com/p/chromium/issues/detail?id=29784
16:37:39 jochen: one basic thing is that it ought to be asynch
16:38:47 robin: all the DAP APIs have asynch security entry points
16:39:09 karl: do we know how many people want to share their location versus people who just want to know their location?
16:39:18 jochen: I don't have data about that
16:40:17 dom: notion that accessing the data locally will have a different impact than getting it off the network — though of course if you have a map it goes back to the map provider
16:40:33 ianf: most browsers use a remote service to get the location anyway
16:40:48 tlr: that's one provider though, as opposed to an indeterminate number of sites
16:41:21 henry: issue with javascript and asynch, what happens if your browser is a web server and your geo data is at a URL
16:41:40 [scribe sort of loses the point]
16:42:00 marcos: it's always more complicated, switching to REST doesn't change the fundamental problems
16:42:51 drogersuk: issue with passing information in URLs
16:43:05 marcos: that's not a problem, the communication channel needs to be secure
16:43:20 SCRIBE NEEDS BEER
16:43:41 adjourn to beer
16:44:18 wonsuk has left #privacy
17:18:07 karl has joined #privacy
17:22:44 alissa has joined #privacy
17:24:06 alissa has joined #privacy
18:07:25 bblfish has joined #privacy
18:09:57 MikeSs has joined #privacy
18:20:10 MikeSs has joined #privacy
18:30:25 MikeSs has joined #privacy
20:51:05 jmorris has joined #privacy
20:55:35 jmorris_ has joined #privacy
21:31:03 jochen has joined #privacy
22:02:16 jmorris has joined #privacy
22:52:55 http://info.gigya.com/Identity.html
22:53:43 Which Identities Are We Using to Sign in Around the Web?
23:01:19 bblfish has joined #privacy
23:17:12 dsinger has joined #privacy
23:30:44 mischat has joined #privacy