Privacy Interest Group teleconference

18 Oct 2012


See also: IRC log


+1.206.910.aaaa, +44.208.123.aabb, [IPcaller], +1.817.329.aacc, +1.508.380.aadd, +1.613.947.aaee, +1.916.641.aaff, Ashok_Malhotra, npdoty, bblfish, Rigo, +1.303.661.aagg, Joanne, MacTed, JoeHallCDT, jtrentadams, tara, JC
SusanIsrael, KarimaBoudaoud, DavidSinger


<npdoty> slight delay on the call-in / Zakim slot, my apologies

(hmmm, the phone PIN of 7464 doesn't seem to be working)

<tara> Hm. I am getting "this passcode is not valid."


<rigo> wait a bit

<rigo> nick needs to create the conference, because it seems there was some hickup

<tara> Okay; we'll hold tight. Thanks.

<rigo> look here for message from nick

<tara> In the meatntime, any volunteers to scribe?

I would volunteer but this is only my 2nd w3c call, so not sure I know how to do it or do it well

<bblfish> hello

<bblfish> what is the code toay?

<bblfish> 7464 as code does not seem to work

<jtrentadams> Apologies for bursting in... but the conference code "7464" doesn't seem to work.

nick is creating a new code

<rigo> hold on with calls

<tara> We're working on it - thanks for your patience.

<bblfish> ok. thanks

<npdoty> okay, call-in should work now!

<jtrentadams> Success with 7464#

<jtrentadams> Thanks

<Simon> Hello, This is Simon Krauss (CableLabs) seeing familiar names. My dial in info isn't working. please post. Thx.

try again

<bblfish> ok seems to be working

<Joanne> I'm in

<Simon> thanks!

<christine> I am either IPcaller or ??P30

<tara> We have a scribe?

<npdoty> Robin Wilton, here from the Internet Society, sitting in an OECD Paris meeting room

<npdoty> Stephanie, information policy PhD student, DPI

<christine> Hello Simon. Great to see you here.

<npdoty> Simon Krauss, Cable Labs, R&D for cable industry

<npdoty> Joe Hall, Center for Democracy and Technology

<npdoty> Frank Dawson, Nokia, first call but following public-privacy

<bblfish> Hi, it's Henry Story here ( http://bblfish.net/ ) working on http://webid.info/

<christine> Hello Frank and Henry. Is Fred Andrews here to (re agenda item 3)?

<npdoty> any additional agenda items? hearing none...

<npdoty> volunteers to scribe?


<npdoty> Joe, if you want to start, I can support you


<npdoty> scribenick: JoeHallCDT

<christine> Thank you Joe!!!

First item, Frank Dawson on Specification of Privacy Assessment

<npdoty> links available from here: http://lists.w3.org/Archives/Public/public-privacy/2012OctDec/0023.html

Frank's background: software industry, standards particip., staring industry consortiums, last 12 years at Nokia in Mobile… new to w3c

Privacy officer within CTO group, responsibility for privacy standards in industry

a PbD champ!

has working on privacy by design for NFC applications

discussing: http://lists.w3.org/Archives/Public/www-archive/2012Oct/att-0031/From_Principles_to_Technology-Nokia_Position_Paper-20120829__2_.pdf

"How can we create protocols, standards that have privacy baked in for software engineers"

this methodology is more of an Agile than Waterfall method

How might PING better work with other WGs to promote privacy.

<npdoty> Frank: what is the way of working we would use in working with other Working Groups?

Frank advocates for adopting a w3c specification for privacy assessment.

similar to PIAs

have a clause in specificaitons that address privacy issues

privacy assessment is somewhat standardized

Frank would expect actors, flows, concerns, privacy threats within a WG

Frank ices cakes before baking

document "Specification Privacy Assessment": http://lists.w3.org/Archives/Public/www-archive/2012Oct/att-0030/SpecificationPrivacyAssessment-20121008.pdf

understand where data is being collected, for what purpose

is it being stored, where?

is it personally-identifiable at the granular level or with more linkages to other resources

<npdoty> might be useful to diagram data flows, controllers, points where privacy might be impacted

in a network environment can help to map out flows, points of controls and where the user can insert themselves

helps to design safeguards and safeguarding reqs.

from Frank's IETF experience, there is a security consideration section to RFCs

for w3c Frank would like to see a privacy consideration section

<bblfish> would be interesting to have a privacy consideration section in http://webid.info/spec

would include a brief summary where there are potential threats, what privacy prinicples apply and what kinds of recs/safeguards could apply to mitigate


<npdoty> threats and potential mitigations that implementers could use to address those threats

not sure who is speaking

Q: is there a document that I should use to build this into my spec?

<bblfish> this one http://lists.w3.org/Archives/Public/www-archive/2012Oct/att-0030/SpecificationPrivacyAssessment-20121008.pdf

Frank: look at the two documents I've shared (links above)

<jtrentadams> As a side note, the IETF is also ramping up increased support for a Privacy Considerations section added to RFCs that is akin to the Security Considerations.

Frank: also look at the IETF RFC catalog… that has privacy considerations… internet draft 03 (not yet an RFC)

(not sure I have that right)

<bblfish> Frank: one needs prior art draft 03 on privacy considerations. [ but Frank is saying these are are just thinking of the threats ]

<npdoty> IAB Privacy Considerations draft: http://tools.ietf.org/html/draft-iab-privacy-considerations-03

<Simon> I look forward to reviewing the documents

Nick: responding to Henry, not sure that's exactly what we want to do in PING.

We'd also like to help do reviews for different WGs.

Henry: would appreciate that… get's dang complicated.

<npdoty> npdoty: I think coming up with that guidance, a single document for protocol authors, is exactly what we're working on at PING


<npdoty> ... and while PING might be doing reviews, we'd like to come up with a document for authors from within individual groups

rigo: not sure if the right knowledge is yet present in the WG.

<npdoty> rigo: requires a lot of knowledge to translate down from the PbD principles all the way down to spec-writing

Frank: from IETF, the first set of specs that did security considerations was a learning experience… will be the case here.

<npdoty> +1, the experience from security considerations is that early on it wasn't particularly comprehensive, but obviously improved over time

Simon asks where do you see this going?

<Robin> rigo: greetings (test)

Is this a procedure or a seal of approval?

<rigo> success: great back

Frank sees these as assessments but not audits.

More about a cumulative feedback process.

<npdoty> I imagine that's pretty familiar in the software engineering context: security reviews, performance reviews, even basic code reviews; not a post-facto audit but input during the process

(scribe's wording)

<yrlesru> I am back on IRC, Tara.

Simon is concerned about having a grey zone between privacy aspirations being documented re litigation threat.

<Robin> jtrentadams: hi Trent - how's life?

Frank says whatever your accountability model is, there needs to be someone who can sign off for the w3c publication process for spec text.

<npdoty> I think better documentation (usually accompanied by improvement or mitigation) will be a net positive, rather than a risk of attack for the technology being imperfect

Want to move from vague regulatory text to crystal clear technical text.

Simon is wary of this serving as a w3c seal of approval.

<Zakim> rigo, you wanted to tell the story about ipse

Rigo describes how w3c wants to have very solid technical sections… this is not concrete enough for w3c.

<npdoty> Simon, I'm not sure the intent is a "seal" approach, but just having done and documented considerations

Too high-level for w3c.

Frank responds that the SPA document was intended to be submitted to the primary (in Nokia's view) web and technical standards settings.

so it hasn't yet been translated to w3c context.

<npdoty> rigo, I think we can use this framework as a starting point, and might be an outline to writing our document

<rigo> nick, I agree, but we have to remain plumbers

The w3c standards will be different from management standards for ISO 20 (something? didn't get it)

CSP specification - privacy issues

<rigo> http://lists.w3.org/Archives/Public/public-privacy/2012OctDec/0008.html

Tara: this has been on ongoing process to try and solidify what PING has been interested in into documentary form.

<christine> Is Fred here?

haven't seen him

who gave that man buttons?

<npdoty> https://www.w3.org/2011/webappsec/track/issues/11

<Zakim> npdoty, you wanted to ask about the use case for 'phoning home' violation reports

Nick asks if anyone has a good grasp on the use cases for when this would be invoked.

<yrlesru> CSP? Use case?

<npdoty> npdoty: does someone know the precise use cases for when a violation report is sent? is it likely to reveal information that might be sensitive?

Christine asks what could/shound PING do here that would be useful?

Nick says that maybe we can understand or communicate the concerns in a more useful way.

<npdoty> JoeHallCDT: one helpful function of PING can be in deducing a core concern, best delivery

<christine> Thank you Trent.

<rigo> jtrentadams++

jtrentadams takes this as an item to unravel and help lucidify

(my words)

<npdoty> jtrentadams ++

(I have to hop off at 13:00 EDT, so need to pass the scribe pen at that time)

<npdoty> jtrentadams, if it's helpful to loop one of us in, feel free

<jtrentadams> No problem.... I hope we're able to uncover the true issues and ensure they're addressed as appropriate.

W3C Workshop

Impetus behind DNT and Beyond is to figure out how w3c should chart a future course in this flavor of privacy expression.

want to have quite a few people to talk about privacy techniques and issues

very short position papers, due Monday

Berkeley is great!

There is an implicit scope for this for web work, coming from the w3c.

<christine> Or I can?

CSP specification - privacy issues


Fingerprinting breakout session at TPAC

<npdoty> http://www.w3.org/wiki/TPAC2012/SessionIdeas#Is_user_agent_Fingerprinting_a_lost_cause.3F

where is the bar on trackability?

lessons from browser modes and protections?

TPAC will have an informal PING get together… drinks!

<rigo> I am going

<bblfish> I'll be there.

<npdoty> +1, informal get-together

Alissa from our shop I think will be around

<bblfish> note that related on the SEssion Ideas page there is http://www.w3.org/wiki/TPAC2012/SessionIdeas#WebID_and_RWWeb

(I think)

<christine> Can we do the next call on 22 Nov?

<npdoty> email Christine if you'll be around at TPAC and want to gather for drinks

that is american thanksgiving


<npdoty> US Thanksgiving, yeah

the 29th is close

<christine> I'm booked 15 and 29

<npdoty> Nov 15 or Nov 29?

to the w3c thing,… traveling

<christine> but can try to fit it in

11/15 WFM

<rigo> Nov 29 in Berkeley

<yrlesru> I submitted a position paper (SPA) but no reply.

<npdoty> either day works for me, or we can look at Fridays

<rigo> what about 22 Nov? or early Dec

<Joanne> either day works for me

we'll be cooking and getting fatter that day, rigo

<npdoty> December 6th?

<npdoty> works for me

<christine> okay for me

wfm 12/6

<Joanne> okay for me

<Robin> Dec 6th... St Nick's Day

<christine> Apologies to Henry that we did not have time for your item today. We can add to next call if you like.

<bblfish> hope to see you at TPAC in Lyon

<npdoty> tara: excellent discussion today

<jtrentadams> Thanks all!

<npdoty> thanks, good talking with you all

<tara> Thanks Joe for scribing! Bye!

<yrlesru> Thanks, Tara (Frank = yrlesru)

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.137 (CVS log)
$Date: 2012/10/18 17:02:01 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.137  of Date: 2012/09/20 20:19:01  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/Q: Rigo is/rigo:/
Found ScribeNick: JoeHallCDT
Inferring Scribes: JoeHallCDT
Default Present: +1.206.910.aaaa, +44.208.123.aabb, [IPcaller], +1.817.329.aacc, +1.508.380.aadd, +1.613.947.aaee, +1.916.641.aaff, Ashok_Malhotra, npdoty, bblfish, Rigo, +1.303.661.aagg, Joanne, MacTed, JoeHallCDT, jtrentadams, tara, JC
Present: +1.206.910.aaaa +44.208.123.aabb [IPcaller] +1.817.329.aacc +1.508.380.aadd +1.613.947.aaee +1.916.641.aaff Ashok_Malhotra npdoty bblfish Rigo +1.303.661.aagg Joanne MacTed JoeHallCDT jtrentadams tara JC
Regrets: SusanIsrael KarimaBoudaoud DavidSinger
Agenda: http://lists.w3.org/Archives/Public/public-privacy/2012OctDec/0022.html
Got date from IRC log name: 18 Oct 2012
Guessing minutes URL: http://www.w3.org/2012/10/18-privacy-minutes.html
People with action items: 

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.

[End of scribe.perl diagnostic output]