See also: IRC log
<tara> Hi. For some reason, I can't get Skype to get me through the bridge - never get the prompt for the code.
<tara> But I am here on IRC and will do the best I can.
<npdoty> tara, note that the code is 1932 today, not the usual
<tara> I know - never got that far!
<npdoty> also, you might try calling in a few times, Zakim has been acting up the past few days
tara, keep on re-trying
<tara> Twice so far; will keep trying. Thanks!
I had also trouble from a normal phone, seems like there is another large conf going on
<Kboudaou> Kboudaou is Karima
<scribe> scribenick: rigo
scirbe: rigo
<christine> Regrets, Hannes Tschofenig, Erin Kenneally
Presentation: Rigo, W3C Legal Counsel
<JC> JC Cannon, Microsoft, online privacy strategy
Christine Runnegar, ISOC
JC Cannon, MS
<npdoty> Nick Doty, W3C
Joe Hall, CDT
Dominique Hazael-Massieux, W3C
<spreibus> Sören Preibusch, U Cambridge
Frederick Hirsch, Nokia, Chair of DAP WG
<tara> Tara Whalen, Office of the Privacy Commissioner of Canada, PING co-chair
Mark Lizar, working on Open Notice
<npdoty> Mark Lizar, Open Notice effort
Mary Hodder: CustomerCommons.org
<christine> Yes chair apologies for the echo
CR: have a guest today, introducing Dom
<dom> http://www.w3.org/2012/Talks/dhm-privacy-www/
DHM: issue coming up in web
platform, presented in WWW 2012, basic issue is that the more
features we bring to the browser, the more risk we create in
terms of privacy and security. Create a hole in the
sandbox
... two WGs where this is salient: DAP and WebRTC Working
Group. Want to start discussion on make the web as powerful as
it needs to be and keep its privacy preserving
capabilities
... classical issues: Making possible for web application to
access camera on the device.
... creates privacy issues. Pages shouldn't get access to your
camera, would open device to spying and surveillance
... one possible solution is to ask for permission, same issue
for location dependent services
<spreibus> recently example of Web cam problem: http://news.bbc.co.uk/1/hi/programmes/click_online/9751569.stm
DHM: hard issue ot communicate
the issue to the user on what thisis supposed to do
... difficult issues in terms of user interface. Even once you
have obtained user permission. And you want the user to be
aware that a permission is granted and active, how to do
that
... classical issues of DAP
... there is no clear plan to make this future proof
... another issue is linked with fingerprinting. The more
features youi provide, the better people can re-recognize your
device. Again the camera and its resolution can be revealing,
the codecs that is used, any number of capabilities, whether it
has a flash or not
... in most cases not a problem, but if you do that on the web,
it would be so much information to identify a browser
uniquely
... again an issue that every group is facing. The more groups
are facing it, the more fingerprinting becomes a palpable
issue.
... is fingerprintting the wrong battle?
<npdoty> some people are debating whether fingerprinting is still a battle worth fighting or not
DHM: this needs a permissions model
<fjh> think about media capabilities requests for example
DHM: in many cases people want to
have trusted applications that could ignore most of those
issues
... some also linked to site-wide authentication, might want to
share more information, non trivial problems
... once you get access to more private data, addressbook and
calendar, you get more info that allows new types of
attack
... creates tensions and difficulties. Some early solutions
that emerge, web characteristics has some ??
... another different apporach, system application WG, that
group is proposing to take all technology out of the browser
context
... leaving aside all the issues on privacy and security.
Taking an application logic, platform already provides those
barriers, sidelining the issues by taking this platform?
approach
... technical groups working on these issues. Went to F2F of
the TAG, Unfortunately, the person caring left. Now want to
find a person to drive this
... not only on privacy but also on security, mainly that
touches W3C WGs
... perhaps someone from this group would be interested. Is a
problem that was debated any number of times and there hasn't
been a clear outcome so far
... Question?
CR: Excellent presentation
<JC> Rigo: When we discuss UI in tracking protection working group, browser vendors are not open to these discussions
<npdoty> rigo: when this comes up in Tracking Protection or other groups, it's often related to key UI issues
<npdoty> ... are browser vendors ready to talk about UI? that's often been a blocker in past discussions
DHM: UI remains something that
browsers compete. So far the approach has been UI based. Not
everything can be solved in UI, especially if htere is no solid
foundation for the UI to drag on, Inconsistencies that come
into play. Need a place where browsers can discuss
... communalities where they could aline
... expressing things to the user is UI, but problems go
beyond
JC: do we know whether inconsistency is an issue for consumers
<JoeHallCDT> is JC asking for research results on cross-browser privacy confusion?
<npdoty> there may be some research on this question, if not explicitly with different browsers than with different software platforms in general
<npdoty> JoeHallCDT, yes, I think so, do you have a good source?
<JC> I was asking a general question not specific to privacy
DHM: Web Security UI WG worked on security indicator for browser, it was mixed experience
<JoeHallCDT> npdoty, probably… if we can refine the query a bit!
<npdoty> File->Open didn't require explicit standardization, though, so maybe we could use a lighter weight process to achieve those commonalities
CR: so far we have been unfortunate about UI standardization, but there are also other approaches, can they replace a focus on UI?
<npdoty> dom, are you referring to this doc: http://www.w3.org/TR/wsc-ui/ ?
ML: there is value in looking what possible solutions are
<dom> yes, npdoty
FJH: not everything goes into UI,
compositing that mashes, red eye removal is a functionality
somewhere on the web without user interaction
... is there informed consent? There is not always an UI
<Zakim> dom, you wanted to mention mobile as another issue with UI and to talk about help on fingerprinting
DHM: another reason why pure UI approaches are difficult is that on mobile devices screen real estate is reduced
<fjh> an example of not having a UI and not getting permission from the user is when you have a composite app that makes externally used apps transparent
DHM: mobile further complicates
things
... group asked about finger printing, would be extremely
useful if this group could explain what fingerprinting is and
what the challenge is and present ways to mitigate while still
allowing for deeper integration. I don't think there has been
enough discussion so far, What about private browsing mode. It
would be great if htis group could work on that
<npdoty> is the suggestion there input to various WGs about what they should keep in mind regarding fingerprinting as they develop new features?
CR: see your clear message to work on fingerprinting and have some good people to work on that
FJH: what question are we answering, we have to get the question right. many players and components, not privacy by design will help, people simplify and this is good engineering. Should we address limitations of service providers
<npdoty> I think JC had also mentioned the possibility of recommendations for deployments/developers and not just spec-writers and browser implementers
<JC> Yes
DHM: agree that finding the right
question is part of the problem. On ISP, there are two kind of
service providers. One is rather attackers that do not care
about privacy, and good guys who lack guidance
... in practice we can not do much about attackers other than
making their life as hard as possible and give them less
data
... too little effort on service providers who want to do the
right things.
<JC> Got it
<fjh> http://www.w3.org/TR/2012/NOTE-app-privacy-bp-20120703/
<dom> (settings work for expressing your preference, but doesn't work for reacting to permissions request AFAICT)
<fjh> what is the incentive to obtain implementation?
<npdoty> rigo: some research experience from PrimeLife about UI, that footsteps are very recognizable
RW: organize Workshop between the DAP and other WGs and the Privacy community
<fjh> maybe that is a rhetorical question.
I think we could organize one in Sophia
<dom> (I think a workshop in Sillicon Valley might actually be better to attract e.g. browser vendors)
<Zakim> npdoty, you wanted to mention November workshop
<JC> What do we do where there is inadequate regulation?
ND: wanted to talk about the workshop question. We are having a workshop end of November in Berkeley, Mostly taling about discussing about what to do after DNT, but may be one opportunity for people in the valley to discuss
<fjh> that is the next logical question
JC, I would start with tears
<dom> (I personally don't think that regulation is the only reward; making the Web a better dev platform is a pretty strong motivation for a number of vendors)
<dom> [thanks for inviting me, I'll be going now]
<fjh> customers do value privacy I
<npdoty> thx dom!
<tara> Much thanks, Dom!
<npdoty> I think a lot of people in the community can benefit directly from consumer trust in the Web platform
<spreibus> Many thanks, Dom.
<Kboudaou> Thanks dom !
Navigation timing and Web intents suggested
navigation timeing: http://www.w3.org/TR/navigation-timing/
<npdoty> Web Cryptography has just published a first draft
Web Intents: https://dvcs.w3.org/hg/web-intents/raw-file/tip/spec/Overview-respec.html
CR: before going into this, wanted to discuss procedure more generally and how to organize review in a timely fashion
<tara> No - just got kicked off Skype. Back now!
ND: generally it would be great
if we could do this. If htere are documents we can provide
input to. In IETF the IAB has provided insight, there were lots
of requests, but no right expertise in the WG, so faded
away.
... we might want to make sure that we only work on documents
where we have time and people
FJH: one question with web intents is that once you trust the origin the privacy barriers go low. This is related to explicit intents in WebIntents for example.
CR: thanks for explanation, not visible from title
<npdoty> I think just documenting the different concepts we have around trust for particular origins would be worthwhile
<npdoty> in some groups, we've been referring to an origin-pair as a useful privacy concept
CR: Introducing request wanted to ask for someone working on this
<npdoty> for Web Intents and Navigation Timing, do we have volunteers to help?
<npdoty> I might be able to review on Web Intents, though I have limited time
<npdoty> if someone wants me to help and wants to help me with that :)
CR: if this an issue of
expertise? Or is is it generally to get involved in privacy
reviews?
... no answer
<npdoty> move this discussion to the mailing list, +1
lets move this discussion to the mailing - list
CR: we had discussion in August on Privacy considerations and could include the issues that Dom raised.
<JoeHallCDT> the wall is listening, Rigo, unclear how to respond (talking for myself)
<npdoty> I think we may have a different group of people on the call this time than last time
<Fred> Hello all, thank you for the invitation. Is the CSP spec. something you think needs a review?
FJH: one issue is privacy in general. Should do "something" but has no normative impact.
CR: everybody tired but you get homework
<npdoty> 25 October for the next call? any conflicts?
CR: 25 Oct for a call
<spreibus> fine with me
<JoeHallCDT> wfm
<Kboudaou> fine for me
<npdoty> and it's just before TPAC
<npdoty> 18 October?
<tara> 25 is not optimall, but okay.
<tara> Um optimal. either!
18 October is the next call!
<spreibus> apologies for 18 Oct.
<fjh> regrets, 18 Oct
<npdoty> 18 October, any other major conflicts?
<fjh> s/COt/Oct/
<Kboudaou> me too: will not available on 18 oct.
CR: for homework, watrch for mail
from Nick on Workshop in November. Would be good if we could
develop a list of issues to discuss. Also should discuss
requests for review from other groups. First is navigation
timing and web intents
... should continue discussion on privacy considerations on
mailing list
AOB?
<spreibus> many thanks and bye bye -- see you on the mailing list
CR: Adjourned
<Kboudaou> thanks
<fjh> thanks
nick, will you link them from the PING page?
<fjh> s|s/Fred, rather web intent is the most urgent//||
if the script already executed I can't but I can do manual edits. Will do
Now I know why I'm the lawyer and you the engineer :)
This is scribe.perl Revision: 1.136 of Date: 2011/05/12 12:01:43 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/Dom/Dominique Hazael-Massieux/ Succeeded: s/Open Notes/Open Notice/ Succeeded: s/?? Customer comments/Mary Hodder: CustomerCommons.org/ Succeeded: s/??/Web Security UI/ Succeeded: s/intention/question/ Succeeded: s/Highlight it here/This is related to explicit intents in WebIntents for example./ Succeeded: s/Fred, rather web intent is the most urgent// Succeeded: s/COt/Oct/ FAILED: s/COt/Oct/ FAILED: s|s/Fred, rather web intent is the most urgent//|| Succeeded: s|rragent, generate minutes|| Found ScribeNick: rigo Inferring Scribes: rigo Default Present: +33.4.92.96.aaaa, Rigo, npdoty, fjh, spreibus, +1.510.701.aadd, tara, Dom, [Microsoft], joehall, Karima_Boudaoud, +1.207.756.aaee, christine, dsinger, MacTed Present: +33.4.92.96.aaaa Rigo npdoty fjh spreibus +1.510.701.aadd tara Dom [Microsoft] joehall Karima_Boudaoud +1.207.756.aaee christine dsinger MacTed Frederick_Hirsch Regrets: Hannes_Tschofenig Erin_Kenneally Got date from IRC log name: 20 Sep 2012 Guessing minutes URL: http://www.w3.org/2012/09/20-privacy-minutes.html People with action items:[End of scribe.perl diagnostic output]