IRC log of privacy on 2012-06-14

Timestamps are in UTC.

15:53:31 [RRSAgent]
RRSAgent has joined #privacy
15:53:31 [RRSAgent]
logging to http://www.w3.org/2012/06/14-privacy-irc
15:53:47 [npdoty]
rrsagent, make logs public
15:53:54 [fjh]
zakim, code?
15:53:54 [Zakim]
sorry, fjh, I don't know what conference this is
15:54:00 [npdoty]
Zakim, this is PING
15:54:00 [Zakim]
npdoty, I see Priv_IG()12:00PM in the schedule but not yet started. Perhaps you mean "this will be PING".
15:54:04 [fjh]
zakim, code?
15:54:04 [Zakim]
sorry, fjh, I don't know what conference this is
15:54:06 [npdoty]
Zakim, this will be PING
15:54:06 [Zakim]
ok, npdoty; I see Priv_IG()12:00PM scheduled to start in 6 minutes
15:54:10 [fjh]
zakim, code?
15:54:10 [Zakim]
the conference code is 7464 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), fjh
15:54:10 [npdoty]
Zakim, code?
15:54:12 [Zakim]
the conference code is 7464 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), npdoty
15:54:27 [fjh]
Present+ Frederick_Hirsch
15:54:58 [Zakim]
Priv_IG()12:00PM has now started
15:55:05 [Zakim]
+npdoty
15:55:33 [Zakim]
+??P19
15:55:54 [tara]
tara has joined #privacy
15:56:36 [Christine]
Christine has joined #privacy
15:56:38 [npdoty]
Zakim, agenda+ Introductions (and scribing)
15:56:38 [Zakim]
agendum 1 added
15:56:45 [Zakim]
+ +1.613.947.aaaa
15:56:49 [npdoty]
Zakim, agenda+ Dependencies (reports on other groups)
15:56:49 [Zakim]
agendum 2 added
15:56:56 [Zakim]
+??P20
15:57:00 [npdoty]
Zakim, agenda+ Liaisons (work outside W3C)
15:57:00 [Zakim]
agendum 3 added
15:57:02 [James]
James has joined #privacy
15:57:06 [fjh]
zakim, ??P20 is me
15:57:06 [Zakim]
+fjh; got it
15:57:09 [Zakim]
+ +1.508.380.aabb
15:57:12 [fjh]
zakim, who is here?
15:57:12 [Zakim]
On the phone I see npdoty, ??P19, +1.613.947.aaaa, fjh, +1.508.380.aabb
15:57:14 [npdoty]
Zakim, agenda+ Privacy Considerations
15:57:14 [Zakim]
On IRC I see James, Christine, tara, RRSAgent, Zakim, npdoty, fjh, jtrentadams, wseltzer
15:57:18 [Zakim]
agendum 4 added
15:57:33 [Christine]
Zakim, I may be ??P19
15:57:44 [npdoty]
Zakim, agenda+ All other business
15:57:51 [Zakim]
sorry, Christine, I do not understand your question
15:58:00 [Zakim]
agendum 5 added
15:58:08 [npdoty]
Agenda: http://lists.w3.org/Archives/Public/public-privacy/2012AprJun/0090.html
15:58:13 [Zakim]
+ +1.949.483.aacc
15:58:16 [npdoty]
Meeting: Privacy Interest Group teleconference
15:58:19 [Christine]
zakim, ??P19 is me
15:58:19 [Zakim]
+Christine; got it
15:58:39 [peacekeep3r]
peacekeep3r has joined #privacy
15:58:49 [Christine]
Apologies from: Susan Israel, Karima Boudaoud, Sören Preibusch, JC Canon
15:58:50 [jtrentadams]
zakim, +1.508.380.aabb is me
15:58:50 [Zakim]
+jtrentadams; got it
15:58:55 [fjh]
fjh has changed the topic to: privacy 7464 agenda http://lists.w3.org/Archives/Public/public-privacy/2012AprJun/0090.html (fjh)
15:59:45 [Zakim]
+??P6
15:59:52 [Christine]
Regrets+ Susan Israel, Karima Boudaoud, Sören Preibusch, JC Canon
16:00:15 [fjh]
s/Apologies from: Susan Israel, Karima Boudaoud, Sören Preibusch, JC Canon//
16:00:21 [Zakim]
+ +1.203.436.aadd
16:00:25 [tara]
zakim, +1.613.947.aaaa is me
16:00:28 [Zakim]
+tara; got it
16:01:17 [alissa]
alissa has joined #privacy
16:01:25 [Joanne]
Joanne has joined #privacy
16:01:59 [Zakim]
+ +1.415.520.aaee
16:02:03 [Zakim]
+justin_
16:02:12 [Joanne]
Zakim, aaee is Joanne
16:02:19 [Zakim]
+OpenLink_Software
16:02:19 [MacTed]
MacTed has joined #privacy
16:02:21 [Zakim]
+Joanne; got it
16:02:28 [MacTed]
Zakim, OpenLink_Software is temporarily me
16:02:29 [MacTed]
Zakim, mute me
16:02:34 [Zakim]
+??P13
16:02:38 [npdoty]
Zakim, agenda?
16:02:39 [Zakim]
+MacTed; got it
16:02:41 [Zakim]
MacTed should now be muted
16:02:47 [Zakim]
I see 5 items remaining on the agenda:
16:02:49 [Zakim]
1. Introductions (and scribing) [from npdoty]
16:02:52 [Zakim]
2. Dependencies (reports on other groups) [from npdoty]
16:02:53 [Zakim]
3. Liaisons (work outside W3C) [from npdoty]
16:02:56 [Zakim]
4. Privacy Considerations [from npdoty]
16:02:58 [Zakim]
5. All other business [from npdoty]
16:03:22 [Zakim]
+ +358.504.87aaff
16:03:41 [fjh]
yes,
16:04:05 [fjh]
zakim, who is here?
16:04:05 [Zakim]
On the phone I see npdoty, Christine, tara, fjh, jtrentadams, +1.949.483.aacc, ??P6, wseltzer, Joanne, justin_, MacTed (muted), ??P13, +358.504.87aaff
16:04:07 [Zakim]
On IRC I see MacTed, Joanne, alissa, peacekeep3r, James, Christine, tara, RRSAgent, Zakim, npdoty, fjh, jtrentadams, wseltzer
16:04:13 [erin]
erin has joined #privacy
16:04:32 [MacTed]
Zakim, unmute me
16:04:32 [Zakim]
MacTed should no longer be muted
16:05:21 [MacTed]
Zakim, mute me
16:05:21 [Zakim]
MacTed should now be muted
16:05:32 [npdoty]
Ted Thibodeau, Open Link Software, semantic web technologies, including access control
16:05:48 [MacTed]
s/Open Link Software/OpenLink Software/
16:05:53 [wseltzer]
q+
16:06:00 [Zakim]
+ +44.163.551.aagg
16:06:09 [npdoty]
Frederick Hirsch, Nokia, DAP and working more on privacy
16:06:28 [fjh]
s/DAP/DAP and XML Security/
16:06:38 [MacTed]
we make the Virtuoso Universal Server (http://virtuoso.openlinksw.com/), OpenLink Data Spaces (http://ods.openlinksw.com/), and various other data access, management, and integration tools
16:06:47 [Christine]
Virginie G will be joining us shortly
16:06:54 [wseltzer]
q-
16:06:58 [npdoty]
Wendy Seltzer, Web Cryptography working group and outside research on privacy and security
16:07:06 [peacekeep3r]
Markus Sabadello of the Personal Data Ecosystem Consortium (http://personaldataecosystem.org/)
16:07:37 [Zakim]
+ +33.4.42.36.aahh
16:07:43 [Zakim]
+Narm_Gadiraju
16:07:45 [npdoty]
scribenick: npdoty
16:08:28 [npdoty]
Virginie Galindo, Gemalto, company delivering digital security solutions, chair of Web Crypto WG
16:09:07 [virginie_galindo]
virginie_galindo has joined #privacy
16:09:34 [npdoty]
tara: overview of the agenda
16:09:35 [Zakim]
+??P11
16:09:44 [npdoty]
... any other business to add?
16:10:16 [npdoty]
... Privacy Considerations doc, want to take some first steps towards that outline
16:10:28 [npdoty]
Zakim, take up agendum 2
16:10:28 [Zakim]
agendum 2. "Dependencies (reports on other groups)" taken up [from npdoty]
16:11:03 [npdoty]
fjh: Device APIs WG, co-chaired with Robin Berjon
16:11:17 [npdoty]
... JavaScript device APIs that are related to HTML5, though not Geolocation
16:11:36 [npdoty]
... media capture from a device, for example; a variety of sensors (proximity, battery status, network info)
16:11:42 [npdoty]
... actuators (like vibration)
16:11:48 [npdoty]
... information (gallery, contacts, calendar)
16:12:04 [MarkLizar]
MarkLizar has joined #privacy
16:12:06 [npdoty]
... a variety of information sources and actuators
16:12:13 [npdoty]
... several privacy issues
16:12:51 [npdoty]
... access to the info, unexpected actions, fingerprinting (like which codecs, etc.)
16:13:30 [npdoty]
... a mobile phone/device and a Web application (not necessarily through the browser) that legitimately wants to access a contact from your device's address book
16:13:48 [npdoty]
... an additional model of a device, a web page and then a third-party service somewhere on the Internet
16:14:05 [npdoty]
... maybe you want to edit your photos on another site, as a service; JavaScript mashups
16:14:35 [npdoty]
... did document requirements, principles and concerns related to privacy
16:14:53 [npdoty]
http://www.w3.org/2009/dap/
16:15:04 [npdoty]
http://www.w3.org/TR/2010/NOTE-dap-privacy-reqs-20100629/
16:15:22 [npdoty]
... some things can be handled by an API, some things really can't (like the secondary use or later distribution)
16:15:53 [npdoty]
fjh: what I keep saying, and this keeps coming up in W3C workshops, that we don't have the entire system which makes it difficult to address privacy
16:16:24 [Zakim]
+??P44
16:16:29 [npdoty]
... wrote a Web Application Privacy Best Practices, wanted to note privacy best practices that the application itself can handle (that we can't control in the API itself)
16:16:39 [npdoty]
... think this is all obvious to people on the call ;)
16:16:51 [npdoty]
http://www.w3.org/TR/2011/WD-app-privacy-bp-20110804/
16:17:38 [npdoty]
fjh: we also had an effort, via Alissa and John Morris, for users to communicate their privacy concerns to a site
16:17:58 [npdoty]
... we had a simple, clear list of rulesets, to be shared from the user to the server
16:18:11 [npdoty]
... don't expect it to progress in the Working Group because of a variety of concerns
16:18:27 [npdoty]
... potential liability, practical issues; not necessarily good or bad
16:18:44 [npdoty]
... an easier thing to do is minimization: design the API to return the minimum amount
16:18:54 [npdoty]
... you could with any system get more than you should by trying, but don't by default
16:19:01 [npdoty]
... should be a general practice, localized and doable
16:19:25 [npdoty]
... fingerprinting is a real trade-off, we don't have answers to that, I'm hearing that there's a tradeoff between privacy and utility and people tend towards utility
16:19:42 [npdoty]
... Web Intents Task Force and Media Task Force (joint with WebApps WG)
16:20:03 [npdoty]
... constraints to specify parameters for certain media (codecs, etc.)
16:20:29 [npdoty]
... all of those constraints taken together can perform a fingerprinting function, but having them helps provide the service in the appropriate way
16:20:48 [npdoty]
... can accrete a lot of minor pieces and in the aggregate have a substantial impact on privacy
16:21:18 [npdoty]
... can't really have policy per se because who would determine the policy in the decentralized system
16:21:37 [npdoty]
... so we'll have user interaction instead (transparent, user will have a choice, which may be persisted)
16:21:57 [npdoty]
... do not mandate any user interface (a generally accepted principle), or even mandate a particular interaction, which is left to the implementation
16:22:12 [npdoty]
... relying on the market to decide, or legislation, or best practices or competition; not in the spec itself
16:22:54 [npdoty]
... on the UI question, mandating that is a mistake, makes more sense to insist on a particular UI paradigm
16:23:29 [npdoty]
... Web Intents (also Web Activities from Mozilla): the user mediates the selection of a service with some controls
16:23:44 [npdoty]
... in some cases we don't need the user interaction? leads to a potential privacy issue
16:24:00 [npdoty]
... will go to FPWD soon, doesn't have a privacy considerations section yet
16:24:29 [npdoty]
... our group handles only the Device APIs segment of an entire system which is a fundamental problem
16:24:41 [npdoty]
... but at least hope to alert people to the privacy issues at hand
16:24:52 [Christine]
+q
16:25:01 [npdoty]
ack Christine
16:25:07 [Zakim]
-??P11
16:25:30 [npdoty]
present+ Kasey
16:25:42 [npdoty]
Kasey: what is it that we can provide here? are there open issues we can advise on?
16:26:11 [npdoty]
fjh: I was just coming today to inform on this. any input or help is welcome, although I don't want us to repeat any long debates.
16:26:28 [npdoty]
... the rulesets there's not much we can do with at this point, but any other suggestions are welcome
16:26:57 [wseltzer]
q+
16:27:06 [npdoty]
... the political aspect we wore ourselves out over the course of a year. user mediation and then minimization and practical things
16:27:15 [James_]
James_ has joined #privacy
16:27:30 [npdoty]
... an approach across all of W3C, but we need help with specifics
16:27:45 [tara]
ack wseltzer
16:27:45 [npdoty]
... a way to handle fingerprinting, or balance against the usefulness
16:27:48 [npdoty]
q+
16:28:27 [npdoty]
wseltzer: work with Tor, which specifically works on preventing fingerprinting
16:28:35 [wseltzer]
-> https://www.torproject.org/torbutton/en/design/#adversary
16:28:44 [npdoty]
... a standardized profile if you want to avoid fingerprinting, even across browsers, a larger anonymity set
16:29:39 [npdoty]
fjh: why not, even in the media case, just define profiles, a great idea
16:29:54 [tara]
ack npdoty
16:30:44 [wseltzer]
[perhaps offer a standard "anonymity profile"]
16:32:24 [npdoty]
npd: can we help a little with fingerprinting by making it easier for the browser (or a researcher) to detect?
16:32:45 [npdoty]
fjh: do we have that documented somewhere to follow up? (not that I know of)
16:32:54 [fjh]
thanks for the various ideas
16:33:04 [npdoty]
virginie_galindo: started the Cryptography WG recently
16:33:30 [fjh]
I will share profile idea on the media task force list, also follow up on fingerprinting detection. Can follow up on PING list if that helps
16:33:37 [wseltzer]
[note Panopticlick, re fingerprinting detection: https://panopticlick.eff.org/ ]
16:33:54 [npdoty]
... some ideas inside W3C on Identity with a wide variety of topics, our scope is to develop APIs, cryptographic tools for developers
16:34:33 [npdoty]
... create key, encrypt/decrypt, sign/check signature, anything a developer needs to add cryptography to their application (end-to-end security)
16:34:59 [npdoty]
... developers using the Crypto API should be able to provide privacy, but we do not give one solution, just tools for developers to build their own solution
16:35:51 [npdoty]
... currently discussing the JavaScript API, how to handle the secrets, make sure that when the user generates a secret they won't be tracked by that secret
16:36:23 [npdoty]
... when you generate identifiers, shouldn't be associated with a particular user, a problem we are trying to solve
16:36:31 [fjh]
q+
16:36:39 [npdoty]
tara: looking for starting points to help with this problem?
16:36:47 [tara]
ack fjh
16:37:14 [Zakim]
-MacTed
16:37:37 [npdoty]
fjh: sometime you want to know who the counterparty is (use a PKI), but for confidentiality you want to do key management in a way.... would think you would want to use symmetric keys
16:37:54 [npdoty]
virginie_galindo: want to build the basic tools to use any model that they want
16:38:26 [npdoty]
Kasey: can we circulate documents and get back to you with comments?
16:38:31 [npdoty]
q+
16:38:39 [fjh]
it seems that if you use public key crypto and PKI it might be hard to keep identity information secret?
16:38:51 [npdoty]
virginie_galindo: can send you a link, but discussion ongoing very actively on the mailing list
16:38:55 [wseltzer]
-> http://www.w3.org/2012/webcrypto/ Web Cryptography WG
16:38:56 [tara]
ack npdoty
16:39:10 [wseltzer]
-> http://www.w3.org/2012/webcrypto/WebCryptoAPI/ Editor's Draft
16:39:56 [fjh]
ndoty: why is there a privacy problem with crypto, what is the tracking problem?
16:40:13 [fjh]
s/ndoty/npdoty/
16:41:50 [fjh]
cviriginie_galindo: oncern of leakage of service use through leakage of key information - want to maintain privacy around use of service
16:41:59 [fjh]
s/cvirginie/virginie/
16:42:12 [fjh]
s/ oncern/concern/
16:42:26 [fjh]
s/key information/crypto key information/
16:42:35 [virginie_galindo]
Web Crypto WG wiki is : http://www.w3.org/2012/webcrypto/
16:42:43 [npdoty]
heard warnings from vendors (and from Wendy on fingerprinting)
16:43:11 [fjh]
npdoty: tracking protection WG started in April
16:43:45 [wseltzer]
-> http://www.w3.org/2011/tracking-protection/ Tracking Protection WG
16:43:56 [fjh]
npdoty: web services can track user activity so do not track DNT which has been focus
16:44:13 [fjh]
npdoty: user expresses preference then this is followed by service
16:44:41 [fjh]
npdoty: not enforcement, user expressing preferences, service needs to respect it
16:45:28 [fjh]
npdoty: new work in W3C on defining what it means to "comply"
16:45:42 [fjh]
npdoty: heated debate
16:46:13 [fjh]
npdoty: F2F next week, trying to get to last call
16:46:54 [tara]
Thanks, Frederick!
16:47:03 [fjh]
npdoty: focus is 3rd party tracking
16:47:59 [fjh]
q+
16:49:23 [tara]
ack fjh
16:51:06 [Zakim]
-Narm_Gadiraju
16:51:51 [npdoty]
http://www.w3.org/2011/tracking-protection/
16:52:07 [Christine]
Thank you very much Frederick, Virginie, Nick.
16:52:13 [npdoty]
npdoty: some challenges we've had with handling press coverage
16:52:42 [npdoty]
+1, take it up next call
16:52:51 [npdoty]
Zakim, take up agendum 4
16:52:51 [Zakim]
agendum 4. "Privacy Considerations" taken up [from npdoty]
16:52:59 [npdoty]
tara: needs to move forward
16:53:09 [npdoty]
... lots of conversation last time what such a document might entail
16:53:13 [npdoty]
... sufficient interest to begin work on this
16:53:21 [Zakim]
-fjh
16:53:26 [npdoty]
... need volunteers, people who are able to write text
16:53:34 [npdoty]
... and content, what an outline would look like
16:53:47 [Christine]
+q
16:53:48 [npdoty]
Kasey: to what extent can we take into account prior art?
16:54:39 [npdoty]
tara: yes, would certain like to coordinate with other groups' work
16:54:44 [npdoty]
Kasey: happy to help
16:54:55 [npdoty]
ack Christine
16:55:15 [npdoty]
Christine: please bring what pieces are relevant to the table
16:55:23 [Joanne]
happy to help where I can
16:55:33 [npdoty]
... keep in mind that this is for those who write W3C specifications in particular
16:55:43 [Christine]
q-
16:56:00 [Christine]
+q
16:56:07 [Zakim]
-??P6
16:56:27 [Christine]
q-
16:56:34 [Christine]
+q
16:56:44 [npdoty]
Christine: can organize these resources on the wiki
16:56:45 [npdoty]
http://www.w3.org/wiki/Privacy/Privacy_Considerations
16:56:55 [npdoty]
Kasey: how are these usually structured? is there something else we can look at?
16:56:56 [Christine]
q-
16:57:59 [tara]
W3C document to use as model? Accessibility.
16:58:06 [virginie_galindo]
q+
16:58:21 [npdoty]
npdoty: Security Considerations at IETF, but also Accessibility work at W3C
16:58:40 [npdoty]
tara: seeing some volunteers here, and will also canvass on the mailing list
16:58:53 [tara]
See also IETF security considerations documents
16:59:08 [npdoty]
... a subgroup that can compile those resources and start working on an outline
16:59:25 [npdoty]
virginie_galindo: the privacy topic raised by the TAG as well, Robin Berjon and @torgo
16:59:37 [virginie_galindo]
http://darobin.github.com/api-design-privacy/api-design-privacy.html
16:59:48 [alissa]
IETF security considerations doc: http://tools.ietf.org/html/rfc3552
17:00:19 [npdoty]
Christine: have been in conversation with the TAG, hope to sort out how the two groups can work together
17:00:54 [Christine]
+1
17:00:59 [npdoty]
July 19th, at the same time?
17:01:02 [Joanne]
+1
17:01:03 [npdoty]
works for me
17:01:16 [jtrentadams]
conflicts with me, but not a deal-breaker
17:01:25 [erin]
copy on my end
17:01:36 [npdoty]
this time again on Thursday, July 19th
17:01:46 [Christine]
AOB: Pär Lannerö would like comments on the Common Terms Project (see the email dated 19 April 2012).
17:01:48 [npdoty]
tara: hope to have some progress on these documents to discuss next time
17:01:54 [Zakim]
-Joanne
17:01:55 [Zakim]
-justin_
17:01:56 [Zakim]
-virginie_galindo
17:01:58 [Zakim]
- +44.163.551.aagg
17:01:58 [Zakim]
- +358.504.87aaff
17:01:59 [Zakim]
-??P13
17:02:00 [Zakim]
-npdoty
17:02:00 [Christine]
Reports on OECD and APEC moved to next meeting
17:02:00 [Zakim]
-wseltzer
17:02:02 [Zakim]
-tara
17:02:03 [Zakim]
-jtrentadams
17:02:09 [MarkLizar]
thanks,
17:02:09 [Zakim]
-Christine
17:02:12 [npdoty]
Zakim, list attendees
17:02:12 [Zakim]
As of this point the attendees have been npdoty, fjh, +1.949.483.aacc, Christine, jtrentadams, +1.203.436.aadd, tara, wseltzer, +1.415.520.aaee, justin_, Joanne, MacTed,
17:02:16 [Zakim]
... +358.504.87aaff, +44.163.551.aagg, +33.4.42.36.aahh, Narm_Gadiraju, virginie_galindo
17:02:21 [jtrentadams]
jtrentadams has left #privacy
17:02:30 [npdoty]
RRSAgent, draft minutes
17:02:30 [RRSAgent]
I have made the request to generate http://www.w3.org/2012/06/14-privacy-minutes.html npdoty
17:02:37 [Zakim]
-??P44
17:03:04 [James_]
James_ has left #privacy
17:03:14 [erin]
erin has left #privacy
17:03:15 [npdoty]
chair: tara
17:03:24 [npdoty]
Zakim, bye
17:03:24 [Zakim]
leaving. As of this point the attendees were npdoty, fjh, +1.949.483.aacc, Christine, jtrentadams, +1.203.436.aadd, tara, wseltzer, +1.415.520.aaee, justin_, Joanne, MacTed,
17:03:24 [Zakim]
Zakim has left #privacy
17:03:27 [Zakim]
... +358.504.87aaff, +44.163.551.aagg, +33.4.42.36.aahh, Narm_Gadiraju, virginie_galindo
17:03:34 [npdoty]
RRSAgent, bye
17:03:34 [RRSAgent]
I see no action items