See also: IRC log
<npdoty> Zakim who is making noise?
<christine> We have received apologies from JC Canon, Trent Adams, Piero Bonatti, Susan Israel, Erin Kenneally
<MarkL> Hi Everyone!
<robin> Hi all - apologies if I get this wrong: I am an IRC n00b <blush>
<tara> No problem.
<tara> Let us know if you're on IRC but not on the phone so we can repeat things you might miss.
<robin> thanks - am working on dialling in now...
<fjh> i'm on irc but not the phone
<npdoty> scribenick: Joanne
I may not know who is talking . Please let me know who is speaking
Tara: anyone here for the first time?
<robin> I'm here for the first time...
rudy: with Comcast global policy
Tara: next item looking at the dependencies
<kboudaou> +22.214.171.124.aabb is : Karima :-)
Matt: part of W3C team with geo-locations WG
Matt: first version of spec and will be released as recommendation soon
Matt: spec provides bunch of info
on how to prtect invidual privacy on sites that use the
... alissia can speak about the CDT proposal
... group came to consensus on section after much debate and now the hard part testing
<npdoty> GEOPRIV, http://datatracker.ietf.org/wg/geopriv/charter/
Matt: found sites could conform
to the requirements
... not an easy task
<npdoty> concept that "an API should never be allowed to lie!"
Matt: challenges is the API can
lie about where you are and the API should not be able to lie.
lots of conserns
... looked at this for a long time
Tara: are there things PING can do to be useful to your WG? what can we learn?
Matt: right people involved from teh get-go is important
<alissa> Richard Barnes from BBN was also involved
<npdoty> ... could actually see PING as a horizontal thing to get people involved across groups
Matt: PNG should be a horizontial thing and influence the work. Having privacy people involved from the beginning is important
Christine: very helpful and
couldn't agree more in having privacy people in the
... what are lessons learned in identifying privacy vulenbilities (sp). Example, how did the gropu think about privacy for that spec
Matt: lessons I learned - a lot of engineers don't necessarily look at the privacy implications
<npdoty> ... radically different legal requirements (mandated in one country, prohibited in another)
Matt: Vodafone involvement showed
how laws vary across some countries. what is ok in one country
may not be allowed in another country. how do you write a spec
with varying laws and test that these things are possible to
Matt: difficult to test and will
link to test results
... had more than just the three listed
... non-trival task
<Zakim> npdoty, you wanted to ask about TAG review
Nick: wanted to ask about tag management. was tag review useful for uncovering privacy issues, and what role tag can play in reviewing areas around privacy?
Matt: not real formal but did talk to tag for an hour or two. not sure if we can call it a tag review or not
Ashok: this version of the spec a lot better. thank you Matt
Hannes: privacy experts wasn't really heard. what do you think was done well around the privacy mechanisms. somewhat negative about the development within the group and get them to listen
Matt: did best to make sure all
comments were responded to
... Alissia may be able to comment more
Alissa (sp): disagree with Hannes characteristication (sp).
scribe: sending privacy rules around. did end up with strong normative language. Testing was difficult to make sure reqs in Sec 3 were meet
<npdoty> copying of sections of requirements on recipients wholesale into other specs, like device APIs, which might be advantageous
scribe: took some of this text wholesale and put them into their APIs. Reqs around receipents getting geo-location info hard to enforce
Matt: this did not just breeze right through.
Tara: last chance to comment
<matt> Privacy was pretty much our biggest hurdle, the technical stuff was insignificant compared to privacy actually.
Tara: going once, going twice
Nick: on the ques on testibility. we want to make it easy to test to determine conformance. should we make reqs more technicla and make privacy reqs testable against the spec
Matt: what is interesting about w3c testing people is we have to show that everything normative is implementable. low bar. not very strong. we want above and beyond w3c reqs
Hannes: how did deployment act in repsect to privacy? did that lead to any improvements in deployments? is there truly privacy prtoections
Matt: it changed on the browser side and the receipent side. no one hasn't reporoted on redeployment since Nick wrote the paper
<npdoty> we thought about doing an updated study to see if there were deployment changes over time, but it's a hard thing to measure in a comparable way
Matt: browser is deployed with active consent to sharing location data. not sure about reciepent <apologies for my bad spelling/typing>
Tara: that you Matt and hope we benfit from your experience and take advantage of that.
<christine> Zakim ??P11 is christine
Matt: love to help and am neutral about the deployments. will love to help and Alissia can input based on her experience
Tara: 3rd item ont eh agenda
Tara: moving to alissa
Alissa: IAB protocols. Look at ToC's and run through the doc
<Ashok_Malhotra> Worked for me! Cool!
Alissa: terminology section
around privacy and describes terms used in the protocals
... tired to make link between abstract threats and how internet proptocals. talk about ways threats can be mitigated
... data minization
... uyser participantion involving hte user in decisions about hisher data to minize threats
... that is the setup to give designers who aren't use to think about privacy reasons to care about it
... section 6 designed to give designers on how to think about privacy when designing protocoals
... taks about difficulty around managing body list, etc. maxium utility of systems built using proptocals
... love feedback on the doc
... hoping to now get this to the folks out in th e ITF
<npdoty> ... section 7, an example, based on SIP, managing a buddy list, experience with all of the privacy problems that can appear in Internet protocols
Alissa: main work item
... privacy survey Hannes has been spreadheading
... hoping to get feedback from people in the field
Tara: that is a lot. impressive
... help out group ...feedback on survey items
Christine: compliments to Alissa and Hannes and others in the IAB program
Nick: curous whether there is any experience with anyone trying to use the doc yet?
Alissa: not aware of anyone yet. I have pointed a few people to it working on early drafts and have gotten feedback. It is overkill. this was expected. I have tired to use it
Hannes: feedback has reulted in additional terminology and clarifications
tara: more questions?
... thanks again Alissa
<npdoty> tara: open to comment on how this should go forward
Tara: we are trying to get a sense of the best way to move forward on the document. Opening up for comment based upon experience on how to move forward
Tara: when to bring people in with research and look for commonailities across groups to provide guidance
<npdoty> * decisional tool (help authors when they're making authoring decisions)
<npdoty> * issue spotting (helping WGs find when they should seek out expertise in understanding the privacy issues)
<npdoty> * architectural considerations (common issues that turn up on the Web that we'd like to handle in a consistent way)
Christine: thank you Nick. I agree and we seem to be in agreement. A good way to make this happening is first provide guidance to WGs on when they need to invole PNG and TAG. Then identify common problems across the groups
<robin> It could be that influencing a WG on privacy is a lot like influencing end users on privacy… i.e. hard. ;-)
<fjh> +1 to alissa re difficulty of adding-in privacy into WG later, needs to be part of WG overall
alissa: might be controversial. it is diff to have influence over the trajectory of a WG by inserting a random timeline. you need to be involved the work of the group.
<fjh> isn't that called "privacy by design" :)
alissa: advocate building this capability into those working across the w3c
Christine: agree and if we can get there that would be fantastic
Alissa: difficule, not necessarily controversal. its how we get there
<robin> In both cases, it's a problem of persuading people to adopt different privacy-related behaviours (and people's motivation for changing behaviour is notoriously tricky)
Nick: maybe that answers the question of when. having this integrated in the discussion from the beginning stages
Hannes: it is easy to say you need to consider security at the beginning same for privacy
<robin> I should also clarify: this is Robin Wilton, not Robin Berjon (Hannes is referring to a doc by Robin B)
Hannes: what is the foundation
you want to rely on. some people think data minization is the
idea others think user consent is the best. there are other
... need to ask the bigger question otherwise difficult to adivse
<robin> Sorry, that got converted to an emoji. I meant "Hannes is referring to a document by Robin Berjon"
fjh: it is a hard problem. it can't be bolt on later and needs to be done at the beginning, including getting involvement of various constituencies..
<npdoty> fjh: parties who aren't even in the Working Group may be relevant too; charter needs to get the right constituencies involved
Tara: challenges to get the right people involved
Christine: may not have the answers today.
Hannes: I believe you are asking
... if you start with something like js api. if some scoping is included in the doc. the most improtant qustions are - is asking the user consnet on the api. sme other work that falls outside the js mechansim allow a much richer choice of approach to look into
... not bound by design decisionsof of the past
Tara: eye on the time. lots of
considerations and putting together task force to wrk on doc,
plus best praitces
... move to mailing list and next agenda
<npdoty> if when/how to integrate into the process sounds like a good starting point for writing, I'm happy to help with that
<npdoty> and that might be something that doesn't duplicate the IAB document
Tara: last thing - the next call
<christine> 16 August might be hard for me
Tara: week of Aug 16 around same time. Is there a conflict? can move to the aug 23rd
<christine> Thank you
<npdoty> August 16th? August 23rd?
<npdoty> Aug 23rd fine with me
Tara: August 23rd at this same time
<robin> 16th *may* be an NSTIC meeting, according to OIX website...
Tara: tentative for Aug 23rd
<christine> Thanks Tara and Matt
<kboudaou> Thanks. Bye !
This is scribe.perl Revision: 1.136 of Date: 2011/05/12 12:01:43 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/Christin/Tara/ Succeeded: s/PNG/PING/ Succeeded: s/unknow/Ashok/ Succeeded: s/Allisia/Alissa/g Succeeded: s/unknown/Hannes/ Succeeded: s/Tata/tara/ Succeeded: s/proble/problem/ Succeeded: s/parties who/fjh: parties who/ Succeeded: s/beginning/beginning, including getting involvement of various constituencies./ Found ScribeNick: Joanne Inferring Scribes: Joanne WARNING: No "Present: ... " found! Possibly Present: Alissa Ashok Ashok_Malhotra Hannes IPcaller James Joanne KevinT MacTed MarkL Nick P11 P22 P31 P34 Patrick Tara aaaa aabb aadd bilcorry christine fjh justin kboudaou matt npdoty robin rudy rudy_ scribenick wseltzer You can indicate people for the Present list like this: <dbooth> Present: dbooth jonathan mary <dbooth> Present+ amy Regrets: JC_Canon Trent_Adams Piero_Bonatti Susan_Israel Erin_Kenneally Got date from IRC log name: 19 Jul 2012 Guessing minutes URL: http://www.w3.org/2012/07/19-privacy-minutes.html People with action items:[End of scribe.perl diagnostic output]