W3C

- DRAFT -

Social Web Incubator Group Teleconference

15 Sep 2010

See also: IRC log

Attendees

Present
+1.540.961.aaaa, manu, +44.208.439.aabb, MacTed, mischat, hhalpin, +1.781.416.aacc, +1.510.931.aadd, +1.650.299.aaee, melvster
Regrets
Chair
hhalpin
Scribe
Manu


<trackbot> Date: 15 September 2010

<hhalpin> ?

<mischat> hhalpin: poke

<mischat> +1

<hhalpin> PROPOSED: to accept minutes of Sept 1st meeting: http://www.w3.org/2010/09/01-swxg-minutes.html

<mischat> do people accept last weeks notes ?

<MacTed> +1

<hhalpin> ACCEPTED: minutes of Sept 1st meeting

<hhalpin> scribe: Manu

Harry: meeting next week, discussing Infocard from Higgins project.

<scribe> scribenick: manu

Harry: Don't see any problems there... let's try to get through these actions.

<hhalpin> PROPOSED: to meet again Wed. Sept 22nd (Infocards and Higgins Project).

<hhalpin> ACCEPTED: Meeting next week on Infocards and Higgins project

<hhalpin> 2. Final Report Action Apocalypse

Harry: At this point, we have to move the wiki to HTML now
... so we can get a coherent draft out to the community
... We wrap up the XG in two weeks!

<hhalpin> ACTION [DONE]: Mischa to put up wiki page about social networks deploying these technologies. (i.e. reference the one from GNU Social?)

<trackbot> Sorry, couldn't find user - [DONE]

Harry: I believe most of the actions have been done.

<mischat> people are welcome

<mischat> :)

Harry: the only action that remains seems to be SWAT use case - Daniel - looking at use case document and move them to a coherent phrasing

<mischat> +1

<mischat> i am happy with that

Harry: unless the group objects, if you could use the use case out to a separate document... does that work for folks?

<melvster> +1

<hhalpin> ACTION [CANCELLED] DKA to shorten too long use-cases and see if he can reference in SWAT test cases.

<trackbot> Sorry, couldn't find user - [CANCELLED]

Scribe notes no objections

<hhalpin> ACTION: hhalpin move use-case appendix to separate document. [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action01]

<trackbot> Created ACTION-177 - Move use-case appendix to separate document. [on Harry Halpin - due 2010-09-22].

mischat: One of the <unheard> is currently empty.

Harry: We'll have time during the next two weeks.

<hhalpin> [CANCEL] ACTION: For diaspora to talk about being included in final report (interoperable code-bases agreed to SWAT tests?).

Harry: We're going to cancel the diaspora thing... we ran out of time.

<melvster> diaspora opens code later today here: http://github.com/diaspora

Mischa: I think Henry went through it... haven't had a chance to read through it.

<bblfish> hi

<mischat> hi

Harry: Distributed federated networks?

<hhalpin> ACTION: [DONE] bblfish and mischa to write a new introductory paragraph with definition of social web and case for open-source/business use of standards. [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action02]

<mischat> http://www.w3.org/2005/Incubator/socialweb/wiki/FinalReport

<hhalpin> http://www.w3.org/2005/Incubator/socialweb/wiki/FinalReport

Henry: So I added one paragraph... "heres my attempt at a definition..."

<hhalpin> [CANCEL] ACTION: MacTed to add to intro a "user story" of why current approaches don't work.

Harry: Cancelling that action, then.

<cperey> :-)

Harry: tried to setup a call w/ the various browser vendors, do we have any on the call?

<hhalpin> ACTION: [DONE] hhalpin to set up HTML5/Interaction domain telecon before Sept. [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action03]

Harry: There is definitely interest from Apple, Google, Mozilla on identity in the browser.
... No answer on Opera yet.
... There is enough interest to get that going.

<mischat> hello

Dirk: Hi, I'm from the Chrome team at Google.

<hhalpin> ACTION: [DONE] bblfish (and paul maybe?) flesh out and draft identity section. [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action04]

<bblfish> who was that from Google?

Mischa: One more comment - all of the XRDFY type stuff... we need to review that.

Aza: I'm here

Harry: Paragraph on mobile seems to be done

<hhalpin> ACTION: [DONE] venezia to do mobile paragraph [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action05]

Harry: W3C strategy is to pull vendors in quickly.

<hhalpin> ACTION: [DONE] hhalpin to work on strategy document [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action06]

<hhalpin> 3. Aza Raskin on Privacy Icon

Privacy Icons

Harry: From a W3C strategy perspective, we are revamping process to make it more lightweight.
... Hope to have it sorted out by november.
... Hopefully, more W3C resources to federated social web area.
... Looking for more vendor input on digital identity.
... W3C should support these identity efforts.
... W3C is not quite sure what the right move to make is yet... which is why Aza is here today. To see if there is a clear sign. W3C would like to make a move in this area. Perhaps a workshop, Perhaps with OpenID Foundation.

<melvster> IIW Europe 11th October by the way

Harry: If there are compelling technical solutions on the table, W3C may move into a WG on that.
... This is an issue that is near to W3C's CEO's heart.

his gooey identity-loving heart.

Paul (Higgins project): So, last week at IW in DC there were some meetings - not public info yet, but general idea is there are a number of people involved in active client work.

Paul: The gist of the meetings is that you're going to see a change in the ?IETF? and see some changes in the browser based on the Infocard experience... definitely decisions are starting to get made.

<melvster> Paul Trevithick

<mischat> there you go

Harry: W3C is looking for some technical leadership from people that have been in this space for longer than them... Infocard has been around here for a very long time.

<mischat> http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-22.txt

<mischat> http://www.azarask.in/

Aza Raskin: I'm the creative lead for Firefox, used to head up User Experience at Mozilla - did Ubiquity, Geolocation spec, etc.

Aza: Been working on Firefox4 features - working on Privacy for the Web.
... Do a lot of design work - design focus - trying to understand the privacy space.

<melvster> manu: instead of typing Aza: each time you can just type '...'

Aza: Looking at P3P, Lorrie Cranor Privacy Finder, Nutrition labels - one of the things that we found was that these things were taking a taxonomical viewpoint.
... We were letting the perfect be the enemy of the good - we wanted to focus on one question.

<mischat> http://www.slideshare.net/azaraskin/mozilla-privacy-icons-project

Aza: We do not want to make sure a user understands everything in a privacy policy - that is a difficult task.

<mischat> slides ^^

<mischat> private browser

Aza: Schematics - looking at things like Firefox anti-malware site protection.
... We fixed issues, but changes were not understandable to an end user.
... So, we are asking what 'should' people care about in privacy?
... That's the one question we're trying to answer... the fewer choices, the easier it is for people to understand and care.

<hhalpin> also folks may want to look at Zittrain and co.'s http://www.stopbadware.org/

Aza: Privacy often goes down the route of per-user or based on preferences, usually based on defaults - why not help people choose.
... Problem is that people don't usually know what they want.
... What do you want to eat? Difficult to answer.

<aza> http://www.flickr.com/photos/azaraskin/4786688290/in/photostream/

<mischat> from Sören

Aza: Do you want delicious steak with a little bit of truffle oil and foie gras with a baked potato and mahi-mahi??? People find it easier to say yes to that.

<melvster> ah that's soeren's work, he's part of the SWXG too

Aza: most of US population can be identified down to name using only - zip code, birthday, gender
... Those things people feel are not sensitive - first and last names are more sensitive than those previous three pieces of information.
... People don't understand the meaning of giving up that data - so we're the experts, we need to help them understand.
... But simultaneously, every time we ask a user what they don't care about - we've failed.
... So this is how we ended up with the privacy icons stuff
... What attributes of privacy should people care about?
... I wanted to go into more basic stuff before delving into the icons.
... the icons can be highly contentious, so we'll cover that last.
... our goal is not to make this understandable by everyone.
... we just need it to work for most people.
... Privacy marketplace... we're not going after Facebook (yet) with Privacy policies...
... we're focusing on places where Privacy already affects you.
... places like sites that say they're not going to re-use your e-mail address.
... will it change the way you use google or facebook? probably not
... however, it may make sense on sites that you don't know anything about.
... we want to get adoptives to understand this transparency.
... Washington Journal did a cover on all the different types of privacy policies that companies did
... they had to do a ton of digging
... we want to make it simpler
... taxonomical view doesn't work - it's too much information.
... writing a privacy policy is very company-specific (at least, that's what the lawyers want us to think)
... when you use an icon, it gets bolted to the very end of the privacy policy.
... "We do not sell data or barter with your data."
... no matter what the privacy policy says, this is asserted somewhere in the privacy policy.
... it's a minimum guarantee.

<mischat> http://www.azarask.in/blog/post/what-should-matter-in-privacy/

Aza: we're also trying really hard not to penalize business as usual.
... it's a fail if people have to put up an icon that scares people.
... is 3rd party sharing of data suspect?
... it's not
... amazon sharing your address with UPS to ship something to you is 3rd party sharing
... but that's not bad.
... we're still writing some of the legal behind some of the icons we're doing.
... not everyone has to use a bad icon
... last point that I want to bring up as background
... is that these icons are different from Creative Commons in a very important respect.
... in CC, everyday authors have to figure out what they are to license their work under.
... you have to be able to write what your work is licensed under.
... with Privacy icons, you don't have to do the writing part... that's the job of the lawyer... we just need to make sure these things are readable.
... conditions for Privacy Icons are more lax when deciding what icon to use.
... why Firefox, why now?
... we think that the taxonomical look didn't work well, and we don't think that the product people looked at it in this way before.

<aza> http://www.flickr.com/photos/azaraskin/4128966575/in/photostream/

Aza: we're looking at what identity in the browser looks like

<aza> http://www.flickr.com/photos/azaraskin/4156454152/in/photostream/

Aza: here are a couple of things that we're looking at right now
... about what we're thinking of putting into firefox.

<aza> http://www.mozilla.com/en-US/firefox/accountmanager/

Aza: the basic idea is that you don't need to do the whole signing in/signing out to a website.
... browser should understand who you are

<bblfish> aza: Are you working on tying this in with the SSL layer?

Aza: Weave

<hhalpin> very nice design BTW

Aza: should understand all of your passwords - getting rid of login

<bblfish> very nice, I present it at all my talks

<paul> agreed

Aza: This is supposed to be a very fast thing for websites to implement - in 15 minutes.
... So, if we manage to get something like this
... these are early markups
... if we do this, browsers become a user agent to all sites.
... they are intermediaries of identity. If that is true, then we own the sign-in sign-out experience.
... decreases sign-up time, increases conversion rate, etc.
... lots of good things related to this.
... sign in to a site using one button click.
... this also means that we control the way in which end-users see the sign-up process.
... we have a huge opportunity to affect the way the web works.
... if this is the case, we can start bubbling up information about privacy policies.
... Mozilla is very privacy-cognizant

<hhalpin> machine-readable - perhaps in RDFa?

Aza: We need to make sure people know what their privacy state is... we can tell the user how the information is used.
... We think that's exciting... we can take a very pro-active standpoint
... it also helps identify bad-actors... if they don't give any sort of machine readable form of privacy data.
... So, that's the background.
... Questions?

Mischat: I was wondering how people are going to be representing the privacy icons.
... If I am a provider, how do I display privacy icons?

Aza: We haven't delved into that yet - mainly because we want to figure out where to show these things in the interface.
... What are the things that matter most to people.

<mischat> ok

Aza: Delving into how people link, how to display - is just things to figure out as we move down the path... no strong preferences as long as it is pragmatic.

<bblfish> http://chromium.googlecode.com/issues/attachment?aid=-3626469059404489666&name=Picture+1.png&token=c3f3619e4a2e8a18d0031d6e9f912422&inline=1

Henry: Wonder if you're interested in demo by Google

<bblfish> http://code.google.com/p/chromium/issues/detail?id=29784

Henry: Would be interesting to see how this would work with SSL layer
... if you don't do things over https, then we don't really have secure identity.
... Just to show how Google/Chrome/Firefox could complement each other.
... There is a bug report on Firefox on SSL security issue - we really need Firefox to lead this

<hhalpin> http://www.phreedom.org/research/rogue-ca/

Aza: I'm always sad when CA's get more authority.

Henry: No, we can bypass CAs entirely with this.

<hhalpin> must be careful with CAs.

Henry: Client side certs don't need to have CAs

<aza> http://blog.sidstamm.com/2010/08/http-strict-transport-security-has.html

Henry: That's a big misunderstanding.

Aza: We did just add HSTS
... We really need to discuss having the User Agent intermediate the login process.
... This solves a big problem.
... Both from a technical as well as a user perspective.

<bblfish> yes definitively allowing the user to see what he logged in as is really important

Henry: I was trying to understand privacy icon work... they don't know there is absence, they know there is presence.

Harry: If you don't have a license, then we know you're a bad actor.
... These icons may be everywhere?

<melvster> yes about 25%

Harry: There is a substantial minority of people that care about privacy.

<melvster> 'privacy fundamentalists' was the category

Harry: The user must set this in their privacy settings...
... perhaps we can control what privacy icons appear based on the site that they refer to?

Aza: Privacy rules are pretty fascinating.
... We want these icons to be important and universal.
... if the site doesn't have it, perhaps we can crowd-source the icons to a site.
... as soon as the site puts up info, they get a better icon
... There are some questions of adoption, in the beginning, we wouldn't bubble the information up.
... only the 20% that care would see it at first.
... We hope that all major sites adopt it... but it'll take time.

<Zakim> manu, you wanted to offer RDFa communities help on this

<mischat> Manu: asks about vetting the icons themselves, do you have any relationships with the CC group, for they have lots of experience in this space ?

<hhalpin> manu: any connections to creative commons

Aza: Yeah, so we've worked with Joi Ito and CC guys a bit

<hhalpin> manu: I'm sure RDFa community would be happy to help, I'm on the WG

<mischat> Manu: the microformats/microdata/ and rdfa, would help out, and would give input into this process

Aza: As soon as we have some legal text, they'll help us there.
... It's incredibly important to people like that.
... As far as actual method of machine readability, there are a lot of smart people that will solve it.
... Anything that is pragmatic makes sense.

Mischa: Two questions - all this talk about decentralized social networks - does it fit?
... Do you think privacy icons relate to that?

Aza: potentially, but one of the things we're ignoring is the social networking case.

<mischat> http://semanticidentity.com/Resources/Entries/2010/7/1_Virtual_Goods_+_ODRL_Workshop_2010.html

Aza: granted, when expectations of privacy on social network is violated.
... people care at that point.
... so there is this secondary use problem.

Mischa: Second question, identity in the browser: Is that basically a username/password management thing? Firefox Weave?
... You're not using client-side certs... not using passwords?

<mischat> ODRL machine readable privacy icons for social networking ^^

Aza: A little bit more than that... one time passwords... name, address, credit card... if people are okay with that in the browser, you can do progressive input to websites.

<hhalpin> contact API - DAP Working Group?

Aza: We should provide an API for this, so it's easier for sites to ask for that data.

<hhalpin> PortableContacts...

Aza: identity starts to become much more powerful at that point.
... it's interesting middle-ground - the browser isn't just a client - it also could have a cloud-side to it.

Mischa: So, that's working with the DAP working group?

Aza: Yes.

Mischa: How does privacy icons relate to that group?

<tlr> http://www.w3.org/2010/api-privacy-ws/report.html

Aza: Really like that approach - these are two complementary approaches.

<mischat> http://dev.w3.org/2009/dap/privacy-rulesets/

Aza: Especially around secondary use... many things boil down to that.

Harry: Quite interesting, going in direction where it could work with federated social networks.
... Question that I have is: What is the cross-browser work in this area? You could just push this into Firefox when ready.
... People most interested in Privacy probably also use Firefox.
... There are other browsers that have interest in this area - do you think there is room for cross-browser work?

Aza: yes, the browser agents are always collaborating in some ways.
... We are also competing... but real interest is in making the web better.

<mischat> :)

Aza: we'll see other browser vendors do this if it's important.

<hhalpin> then the problem is also multiple devices...

<hhalpin> like identity transfer

Aza: It's not required that it happens everywhere re: Privacy Icons.
... helps us bootstrap much faster.
... Making all user agents do it? Maybe we can popularize it?
... maybe if we can get a few million to care about it... that would be great.

Harry: What about identity over multiple devices?

<dpranke> i can chime in at some point - there's definitely a place and a desire for browser vendors to work together on identity. probably on privacy as well

<hhalpin> http://www.links.org/?p=932

Harry: Are you guys looking at that space as well? How do you transfer identity over multiple devices - Nigori protocol like stuff?

Aza: I'm not the best person to talk about this - Firefox 4 has sync stuff
... I can transfer where I'm browsing, passwords, etc, between browsers.
... As long as experience gets richer and richer, that "identity" will get synched across from point to point.

<mischat> sure, you ask my question hhalpin

Aza: just to make sure that all devices are in sync

Dirk: I agree with almost everything that Aza has said - the days of us using one browser on one computer are going away.
... we need to interoperate across browsers.

<cperey> bye bye!

<mischat> bye cperey

Dirk: vendors need to interoperate across browsers.

<cperey> thank you, very interesting talk and discussion!

<hhalpin> Role of the W3C in this sort of work? Workshop? Group?

Harry: Do you think there is a role for W3C here?

Dirk: I think there is always a role for W3C to work together...
... I'm still trying to understand how we can work together.

Harry: W3C is definitely interested in work around this.

<dpranke> one more thing … the nigori protocol is definitely interesting

Mischa: When you're thinking about identity, are you always thinking it's going to be inside the browser? Or is there a place for cloud-based identity.

Aza: Whatever solution we go with, it has to be federated - it has to be distributed.
... We need best-in-class identity via the browser.

<melvster> +1 set up your own servers, yay!

<hhalpin> agreed re nigori protocol

Aza: You shouldn't have to remember your identity.
... OpenID is a good example of a route that we don't want to go.

<hhalpin> if you want to chime in on that dirk, just chime in right after mischa.

Aza: Always want an option to do federated identity.

<bblfish> that is what WebID is for :-) solving the nascar problem - login without typing username or password, in one click

Dirk: Nigori is interesting in-so-far as distributing secrets in the cloud.

<hhalpin> yes, we should definitely ping mike hanson for his opinion

Dirk: There are people that are not going to be happy with one company knowing all of your information... so Nigori is an interesting answer to that. I also think WebID is very interesting.

<bblfish> cool :-)

Dirk: The problem with OpenID is the UI/Nascar problem.

Harry: Any more final questions? We're at the end of the hour.

<bblfish> (unemployed now so always happy to help out)

<aza> http://www.flickr.com/photos/azaraskin/4796824084/

<mischat> !?!?

Mischa - this is what the NASCAR problem is about: http://xauth.org/info/

<dpranke> NASCAR - you have to put a whole bunch of icons onto the page

Aza: 3rd party sharing of PII for purposes that you don't intend.

<dpranke> and end up looking like a stock car :)

Aza: These are not mutually exclusive icons...
... data could be given to law enforcement.
... warrant or not to get data (icon)
... Legal nightmare, at times.

<mischat> these slides, describe them http://www.slideshare.net/azaraskin/mozilla-privacy-icons-project

Aza: Cannot talk about whether or not you can delete or export PII data (icon)
... How long is your data kept for (icon)
... 3 months, 9 months, 18 months, etc.
... Ads - do you know whether a site is using ads - don't need an icon for that, but behavioral tracking is difficult (icon)
... Does the site give the data to an Ad network? too finicky to add, but it's our strawman - some more thinking to do on that.
... We will need to tweak these icons - what can and can't you do - how can the icons be used on our site.
... We are going to eat our own dogfood.

<bblfish> cool

Harry: Let us know how you want W3C to track or help with your work.

<dpranke> cheers!

<bblfish> thanks all

<hhalpin> trackbot, meeting adjourned

<trackbot> Sorry, hhalpin, I don't understand 'trackbot, meeting adjourned'. Please refer to http://www.w3.org/2005/06/tracker/irc for help

<mischat> um

<melvster> rdf is still in mozilla

<mischat> are things needed to make the minutes and stuff

<melvster> need to upgrade to rdflib

<mischat> rdf is still in mozilla

<mischat> they were super early adopters

<melvster> it wasnt updated for ages

<melvster> also look at the tabulator library ...

<melvster> i think danbri was maintaining the rdf thing in mozilla :)

<melvster> i could be wrong, but he knows about it at least

<mischat> iirc the namespaces they use on mozilla.org aren't there anymore

<mischat> hhalpin:

<mischat> can you make the minutes and stuff

<mischat> i dont know how to do it

<hhalpin> yes

<hhalpin> it's already done

<hhalpin> trackbot, end meeting

Summary of Action Items

[NEW] ACTION: hhalpin move use-case appendix to separate document. [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action01]
 
[DONE] ACTION: bblfish (and paul maybe?) flesh out and draft identity section. [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action04]
[DONE] ACTION: bblfish and mischa to write a new introductory paragraph with definition of social web and case for open-source/business use of standards. [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action02]
[DONE] ACTION: hhalpin to set up HTML5/Interaction domain telecon before Sept. [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action03]
[DONE] ACTION: hhalpin to work on strategy document [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action06]
[DONE] ACTION: venezia to do mobile paragraph [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action05]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2010/09/15 16:19:00 $
