15:50:09 RRSAgent has joined #privacy
15:50:09 logging to http://www.w3.org/2013/05/23-privacy-irc
15:50:11 RRSAgent, make logs 263
15:50:11 Zakim has joined #privacy
15:50:13 Zakim, this will be
15:50:13 I don't understand 'this will be', trackbot
15:50:14 Meeting: Privacy Interest Group Teleconference
15:50:14 Date: 23 May 2013
15:50:22 rrsagent, make logs public
15:50:33 Zakim, this will be ping
15:50:34 ok, npdoty; I see Team_(privacy)16:00Z scheduled to start in 10 minutes
15:52:10 Team_(privacy)16:00Z has now started
15:52:18 + +358.504.87aaaa
15:55:59 christine has joined #privacy
15:56:35 +npdoty
15:57:01 +[IPcaller]
15:57:11 Zakim, aaaa is hannes
15:57:11 +hannes; got it
15:57:20 Zakim, [IPcaller} is me
15:57:20 sorry, christine, I do not recognize a party named '[IPcaller}'
15:57:41 Zakim, [IPcaller] is christine
15:57:41 +christine; got it
15:58:32 + +1.650.283.aabb
15:58:38 tara has joined #privacy
15:59:15 Why, yes! Is muted now. :-)
15:59:22 Zakim, aabb is tara
15:59:22 +tara; got it
15:59:48 chair: tara
16:00:27 Regrets: Erin Kennedy, Karima Boudaoud
16:00:35 Agenda:
16:00:35 zakim, code?
16:00:35 the conference code is 7464 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), wseltzer
16:00:46 +Wendy
16:00:55 1. Welcome and introductions. 2. Introduction to The app: URI scheme [1] and privacy considerations (Marcos Caceres from the Sys Apps WG) 3. Follow-up to recent emails regarding the text for privacy considerations for Ambient Light Events and Proximity Events 4. Privacy guidance documents (Privacy Considerations; Fingerprinting; Process) 5. getUserMedia privacy review (update) 6. EME privacy review (update) 7. AOB
16:02:36 Would someone be kind enough to volunteer to scribe?
16:03:05 +[Microsoft]
16:03:40 Zakim, [Microsoft] has JC
16:03:40 +JC; got it
16:03:56 +[IPcaller]
16:04:10 JC has joined #PRIVACY
16:04:38 Zakim, [IPcaller] is marcos
16:04:40 +marcos; got it
16:04:46 marcosc has joined #privacy
16:04:54 Zakim, marcos is really marcosc
16:04:54 +marcosc; got it
16:05:32 yrlesru has joined #privacy
16:05:39 Who hasn't scribed for PING before?
16:06:10 yrelsru is Frank Dawson
16:06:13 I can scribe
16:06:24 Thanks!
16:06:24 Big thank you JC
16:06:41 scribenick: JC
16:07:09 +??P38
16:07:33 Christine: Call for introductions for new people
16:07:49 Hi JC. Tara is chairing today.
16:07:50 Frank Dawson just joined voice call.
16:08:10 Zakim, ??P38 is yrlesru
16:08:10 +yrlesru; got it
16:08:13 Marcosc: I work for Mozilla in web API team. Work on Firefox OS for mobile
16:08:35 ... enables apps of which some rely on API, which I will discuss today
16:08:44 Topic: app URI scheme
16:08:51 zakim, who is here?
16:08:51 On the phone I see hannes, npdoty, christine, tara, Wendy, [Microsoft], marcosc, yrlesru
16:08:51 Christine: Let's move to first agenda item
16:08:53 [Microsoft] has JC
16:08:53 On IRC I see yrlesru, marcosc, JC, tara, christine, Zakim, RRSAgent, npdoty, glenn, jeffh, trackbot, wseltzer
16:08:55 link: http://www.w3.org/2012/sysapps/app-uri/
16:09:37 Marcosc: There is a newish class of app emerging in last 6-8 years, HTML & Javascript calls
16:09:59 ... packaged into a zip file and a browser can find the main file and start up the application
16:10:28 ... a crucial part of the app is the ability to interact with services on the web
16:10:54 ... though they are not linable they need to interach with web technologies
16:11:26 ... HTML5 and related techs define relationship around HTTP semantics
16:11:52 ... for web apps need something similar to the ability to run HTTP without bringing in a web server
16:12:04 s/linable/linkable
16:12:09 s/interach/interact
16:12:57 ... the challenge is we have one instance of an application running; it has to look like it's running from one origin
16:13:18 ... if there are multiple apps running it can look like they are running from different locations
16:13:37 ... we use different IDs for each app
16:13:58 ... each app can have its own cookie and storage to avoid overwriting each other's data
16:14:12 ... the privacy issue arises from the URI scheme
16:14:26 ... every person gets a unique number which makes for supertracking
16:15:00 ... Bjorn has mentioned that it may not matter as an ID generator could be created to map IDs
16:15:16 ... is this a problem that we should change?
16:15:22 ... or address
16:15:36 ... Windows 8 and Chrome have similar features
16:15:49 q+
16:15:51 q+
16:16:08 Christine: Ready for feedback or questions
16:16:25 s/Christine:/Tara:/
16:16:34 ack christine
16:16:49 Christine: Can you give me a practical example of multiple instances running at same time
16:17:07 Marcosc: Do you know dashboard widgets that come with Macs
16:17:22 ... you can spawn two instances of calculator or other app
16:17:27 ... that is the idea
16:17:39 ack npdoty
16:17:53 q+
16:18:01 Npdoty: Do we need a unique identifier?
16:18:16 ... it seems like it is needed so each instance needs its own storage
16:18:31 ... does that mean they need a unique ID?
16:19:14 Marcosc: You are right. From a dev point of view it is not needed, e.g. files don't need them
16:19:37 ... the reason they are needed is because browsers are designed to use an ID like domain name
16:20:04 app://foo/myfile.js
16:20:07 ... it would mean writing a great chunk of web browsers to get around this
16:20:18 but does it need to be a *persistent* identifier? or could it be just as opaque if it changed on every run?
16:20:40 app://myfunkyapp/myfile.js
16:20:53 ... the alternative is to use a string like app://myfunkyapp/myfile.js
16:21:09 ... if I get rid of multiple instance problem that would solve problem
16:21:38 npdoty: does the identifier need to be persistent?
16:22:04 Marcosc: No, it doesn't. the app would need to regenerate it
16:22:16 ... this is something browsers need to work out though
16:22:34 Npdoty: that's only one mitigation
16:22:57 ... Even if we avoided this the app could create a unique ID
16:23:17 Marcosc: My proposal was to be able to clear all history and start with a new number
16:23:42 ... let's say it's a FB app running. You would get the same cookie, but login identifies the user
16:24:03 ... It is fair to clear all data and start with a new ID
16:24:12 Npdoty: was there pushback?
16:24:24 Marcosc: Yes, because users would lose their data
16:24:45 ... I think that is okay to lose the data. It shouldn't be that traumatic
16:24:56 ... the dev can provide mechanisms to back up data
16:25:10 ack wseltzer
16:25:27 Wseltzer: The app serves as origin and acts as server?
16:25:32 Marcosc: Yes
16:25:59 Wseltzer: that is counter intuitive as far as user agent interaction.
16:26:17 ... I like the idea of clearing the data. Is there room for other best practices?
16:26:38 Marcosc: We could ask user if the domain can track location.
16:26:57 ... In that situation it would not be good to show random set of numbers
16:27:11 Tara: is there a way to get the UA to translate the data back
16:27:20 +1, these would make for horribly ugly Geolocation permissions dialogs
16:27:34 Marcosc: the app ships with a manifest file so we can determine the name of the app
16:27:38 ..... assuming the name is correct
16:28:02 scribenick: npdoty
16:28:02 s/Tara:/Wseltzer:/
16:28:22 -[Microsoft]
16:28:30 hannes: for the uri scheme, there is a security aspect (the same-origin policy)
16:28:46 ... to have the functionality of a port number to deal with multiple instances of the same application running on the host
16:29:00 ... the port number concept illustrates that you can use regular numbers without exposing a long identifier
16:29:08 ... only needs to be local to the host, not globally unique
16:30:06 ... re: security aspects, if the app wants to communicate with someone else and store data, they will need concepts beyond this identifier -- you won't want to base your security on this made-up identifier, not a cookie-like equivalent
16:30:36 ... uuid wouldn't be enough to let the application be reachable, no resolution mechanism to translate the ID into an IP address for example
16:30:59 marcosc: outside of scope, but it may relate back. instead of using an ID, using a human-readable string
16:31:27 ... in making an HTTP request, would send an Origin header, but send it with a random ID, then the server won't know who you are
16:31:38 ... there is a proposal that applications should be able to fake their origin
16:31:49 app://google.com
16:31:56 ... instead of faking an origin like http://google.com, instead: app://google.com
16:32:32 ... fear of hijacking, how you would download an app, verify the app and send it to the server as authorized
16:32:57 ... could eventually come back into the app uri scheme
16:33:02 ... has to be part of a complete solution
16:33:43 hannes: have you written these different aspects already? a somewhat complicated story, same origin in the context of downloaded application
16:34:07 ... same-origin intended to protect against a browser sending off data to some other server
16:34:19 ... downloaded applications historically could send data to any place
16:34:26 marcosc: these are not supposed to do that
16:34:50 ... at least in Mozilla, came up with a System XHR which does contact any server you want, not a great solution
16:35:19 ... spec at the moment is limited to the use case where a developer wants to access or save something locally to the package, which all rely on origin
16:35:45 ... I'm treating them as outside the scope, because these applications can't yet communicate with the outside world
16:35:55 ... enable with CSP and CORS
16:36:17 ... in theory the app uri scheme can be used with CORS, no reason why it can't; in theory it works quite nicely with CSP
16:36:55 hannes: will have a look at the document, seems like a complicated story
16:37:08 marcosc: that story is not covered yet, but sysapps will need to address that in one spec eventually
16:37:18 ... if you have any idea about that, it would be a huge help, but a broader scope
16:37:44 tara: could use more discussion on the mailing list about this?
16:37:54 marcosc: I think so, the points have been raised already, but can discuss more on the list
16:38:25 ... at least as it evolves, if we do address using CORS or faking origins, looking at those implications and possible solutions
16:38:50 ... could we somehow get a token from the server that owns a domain to prove this app is 'okay'
16:39:02 hannes: that @@@ exists
16:39:09 marcosc: can you point me to papers or examples?
16:39:30 tara: encourage more of this discussion on the list, and if we have more extensive resources
16:39:38 +1, thanks marcosc!
16:39:43 tara: thanks, marcos!
16:39:52 Topic: Ambient Light / Proximity follow-up
16:40:06 christine: security and privacy considerations proposed by Frederik
16:40:17 ... nick raised some questions, then addressed by Frederik
16:40:45 ... spec updated by the editor, and then some editorial changes by fjh
16:40:52 ... we should provide our comments before next week
16:41:06 https://dvcs.w3.org/hg/dap/raw-file/default/proximity/Overview.html#security-and-privacy-considerations
16:41:16 https://dvcs.w3.org/hg/dap/raw-file/default/light/Overview.html#security-and-privacy-considerations
16:41:20 tara: please do send those comments along
16:41:30 Topic: Document Status
16:43:06 npd: on fingerprinting, no new updates on the fingerprinting-guidance text in particular
16:43:31 ... but the app: uri scheme we just talked about might actually be a great example for us to discuss in terms of cookie-like
16:43:41 http://www.tschofenig.priv.at/privacy-questions-markup.doc
16:43:57 hannes: went through the list of privacy questions, a great list, to see how they might work in our privacy considerations
16:44:21 ... some of them already exist; a few where I have clarity questions (from Karl D. in particular)
16:44:31 ... some questions were new, which I made as updates to the document
16:44:56 ... some questions I didn't have answers for (from Nick and Wendy)
16:45:18 ... it would be nice to get some reviewers for an updated version of the document, further room for improvement
16:45:34 ... included links to Nick's fingerprinting document for definitions
16:46:04 yrlesru: Specification Privacy Assessment document
16:46:13 ... working with Nick to get that up on GitHub, should be there soon hopefully
16:46:20 ... haven't received any comments on that
16:46:32 tara: looking for comments now? wait to get it on GitHub?
16:46:44 yrlesru: should be up there this week and then ask for comments
16:47:29 tara: want to make sure we're getting the feedback you all need
16:47:36 Updated privacy guidance document is here: http://www.tschofenig.priv.at/w3c-privacy-guidelines.html
16:47:41 npd: examples of the new questions we need answers for
16:48:04 hannes: does the service/browser provide some information so that the user can adjust their behavior?
16:48:22 ... background events firing in all browser contexts allow correlation of users across contexts, not sure how to answer that yet
16:48:42 ... david asked a couple of questions about correlation, so added some text on that
16:48:59 ... user preferences / user control; who can have access to the data, how visible is that to the user
16:49:26 ... can code send signals to nearby devices, an interesting thought
16:50:41 npd: great, thanks. hope we can be more systematic than just the questions that we have asked so far, maybe Frank's document can help with that
16:51:16 hannes: I've tried to provide some clustering, but Frank's document might be more principled with regard to process
16:51:46 yrlesru: had sent around one document with Security and Privacy Considerations
16:51:54 ... a PIA template, will dig that up and post to the list
16:52:25 christine: the Privacy Impact Assessment Template
16:53:03 yrlesru: might be a nice way of grouping the questions; engineers may prefer a checklist like a pilot, rather than a formal process
16:53:12 ... checklist of questions might be more operational
16:53:35 tara: thanks all, can give some time for Frank on the next phone call
16:54:04 Topic: Quick Updates on ongoing privacy reviews
16:54:13 hannes: a bit behind on getUserMedia privacy review
16:54:31 ... have looked at the document, somewhat similar to the Geolocation privacy assessment
16:54:52 ... with the difference that you can't as easily utilize data minimization because reducing the quality of audio in a conference call isn't all that useful
16:55:09 ... maybe someone can help me with a short write-up? tara: volunteers?
16:55:38 christine: joe might have offered to help previously, to review something that's been drafted
16:56:07 ... hard because the TPWG is taking up a lot of privacy people's time
16:56:32 tara: understanding that we all have a lot of work; any assistance is much appreciated
16:57:22 wseltzer: EME, would love to get volunteers to help look into the privacy considerations in encrypted media
16:57:31 ... a rich spec for investigation, nothing new to report
16:57:41 Can we have draft privacy reviews done before the next call?
16:58:22 christine, no
16:58:38 fjh has joined #privacy
16:58:46 zakim, code?
16:58:46 the conference code is 7464 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), fjh
16:58:50 npd: timeline for EME? are there particular people we could recruit inside that group?
16:59:14 Wseltzer: good questions
16:59:16 wseltzer: a long potential timeline, going through bugs, etc.; don't know of people in particular, but we should enjoin them to encourage participation
16:59:31 next call?
16:59:38 I prefer 20/6
16:59:54 rrsagent, generate minutes
16:59:54 I have made the request to generate http://www.w3.org/2013/05/23-privacy-minutes.html fjh
17:00:49 If it is 27/6, I may be in transit or still in a far east time zone
17:01:23 Thx. Bye.
17:01:24 how about tentatively June 20th, and north-europeans should let us know about their summer party schedules
17:01:26 -Wendy
17:01:27 -marcosc
17:01:28 tara: thanks all
17:01:29 -tara
17:01:30 -hannes
17:01:58 Zakim, list attendees
17:01:58 As of this point the attendees have been +358.504.87aaaa, npdoty, hannes, christine, +1.650.283.aabb, tara, Wendy, JC, marcosc, yrlesru
17:02:04 rrsagent, please draft the minutes
17:02:04 I have made the request to generate http://www.w3.org/2013/05/23-privacy-minutes.html npdoty
17:02:09 Zakim, bye
17:02:09 leaving. As of this point the attendees were +358.504.87aaaa, npdoty, hannes, christine, +1.650.283.aabb, tara, Wendy, JC, marcosc, yrlesru
17:02:09 Zakim has left #privacy
17:02:18 rrsagent, bye
17:02:18 I see no action items