IRC log of privacy on 2013-05-23

Timestamps are in UTC.

15:50:09 [RRSAgent]
RRSAgent has joined #privacy
15:50:09 [RRSAgent]
logging to
15:50:11 [trackbot]
RRSAgent, make logs 263
15:50:11 [Zakim]
Zakim has joined #privacy
15:50:13 [trackbot]
Zakim, this will be
15:50:13 [Zakim]
I don't understand 'this will be', trackbot
15:50:14 [trackbot]
Meeting: Privacy Interest Group Teleconference
15:50:14 [trackbot]
Date: 23 May 2013
15:50:22 [npdoty]
rrsagent, make logs public
15:50:33 [npdoty]
Zakim, this will be ping
15:50:34 [Zakim]
ok, npdoty; I see Team_(privacy)16:00Z scheduled to start in 10 minutes
15:52:10 [Zakim]
Team_(privacy)16:00Z has now started
15:52:18 [Zakim]
+ +358.504.87aaaa
15:55:59 [christine]
christine has joined #privacy
15:57:11 [npdoty]
Zakim, aaaa is hannes
15:57:11 [Zakim]
+hannes; got it
15:57:20 [christine]
Zakim, [IPcaller} is me
15:57:20 [Zakim]
sorry, christine, I do not recognize a party named '[IPcaller}'
15:57:41 [npdoty]
Zakim, [IPcaller] is christine
15:57:41 [Zakim]
+christine; got it
15:58:32 [Zakim]
+ +1.650.283.aabb
15:58:38 [tara]
tara has joined #privacy
15:59:15 [tara]
Why, yes! Is muted now. :-)
15:59:22 [npdoty]
Zakim, aabb is tara
15:59:22 [Zakim]
+tara; got it
15:59:48 [npdoty]
chair: tara
16:00:27 [christine]
Regrets: Erin Kennedy, Karima Boudaoud
16:00:35 [wseltzer]
zakim, code?
16:00:35 [Zakim]
the conference code is 7464 (tel:+1.617.761.6200, wseltzer
16:00:55 [christine]
1. Welcome and introductions.
2. Introduction to The app: URI scheme [1] and privacy considerations (Marcos Caceres from the Sys Apps WG)
3. Follow-up to recent emails regarding the text for privacy considerations for Ambient Light Events and Proximity Events
4. Privacy guidance documents (Privacy Considerations; Fingerprinting; Process)
5. getUserMedia privacy review (update)
6. EME privacy review (update)
7. AOB
16:02:36 [christine]
Would someone be kind enough to volunteer to scribe?
16:03:40 [npdoty]
Zakim, [Microsoft] has JC
16:03:40 [Zakim]
+JC; got it
16:04:10 [JC]
JC has joined #PRIVACY
16:04:38 [npdoty]
Zakim, [IPcaller] is marcos
16:04:40 [Zakim]
+marcos; got it
16:04:46 [marcosc]
marcosc has joined #privacy
16:04:54 [npdoty]
Zakim, marcos is really marcosc
16:04:54 [Zakim]
+marcosc; got it
16:05:32 [yrlesru]
yrlesru has joined #privacy
16:05:39 [christine]
Who hasn't scribed for PING before?
16:06:10 [yrlesru]
yrlesru is Frank Dawson
16:06:13 [JC]
I can scribe
16:06:24 [christine]
Big thank you JC
16:06:41 [wseltzer]
scribenick: JC
16:07:33 [JC]
Christine: Call for introductions for new people
16:07:49 [christine]
Hi JC . Tara is chairing today.
16:07:50 [yrlesru]
Frank Dawson just joined voice call.
16:08:10 [npdoty]
Zakim, ??P38 is yrlesru
16:08:10 [Zakim]
+yrlesru; got it
16:08:13 [JC]
Marcosc: I work for Mozilla in the web API team. Work on Firefox OS for mobile
16:08:35 [JC]
... enables apps of which some rely on API, which I will discuss today
16:08:44 [npdoty]
Topic: app URI scheme
16:08:51 [wseltzer]
zakim, who is here?
16:08:51 [Zakim]
On the phone I see hannes, npdoty, christine, tara, Wendy, [Microsoft], marcosc, yrlesru
16:08:51 [JC]
Christine: Let's move to first agenda item
16:08:53 [Zakim]
[Microsoft] has JC
16:08:53 [Zakim]
On IRC I see yrlesru, marcosc, JC, tara, christine, Zakim, RRSAgent, npdoty, glenn, jeffh, trackbot, wseltzer
16:09:37 [JC]
Marcosc: There is a newish class of app emerging in the last 6-8 years, HTML & JavaScript calls
16:09:59 [JC]
... packaged into a zip file and a browser can find the main file and start up the application
16:10:28 [JC]
... a crucial part of the app is the ability to interact with services on the web
16:10:54 [JC]
... though they are not linkable they need to interact with web technologies
16:11:26 [JC]
... HTML5 and related techs define relationship around HTTP semantics
16:11:52 [JC]
... for web apps need something similar to the ability to run HTTP without bringing in a web server
16:12:57 [JC]
... the challenge is we have one instance of an application running; it has to look like it's running from one origin
16:13:18 [JC]
... if there are multiple apps running it can look like they are running from different locations
16:13:37 [JC]
... we use different IDs for each app
16:13:58 [JC]
... each app can have its own cookie and storage to avoid overwriting each other's data
16:14:12 [JC]
... the privacy issue arises from the URI scheme
16:14:26 [JC]
... every person gets a unique number which makes for supertracking
16:15:00 [JC]
... Bjorn has mentioned that it may not matter as an ID generator could be created to map IDs
16:15:16 [JC]
... is this a problem that we should change?
16:15:22 [JC]
... or address
16:15:36 [JC]
... Windows 8 and Chrome have similar features
16:16:08 [JC]
Christine: Ready for feedback or questions
16:16:34 [tara]
ack christine
16:16:49 [JC]
Christine: Can you give me a practical example of multiple instances running at same time
16:17:07 [JC]
Marcosc: Do you know the dashboard widgets that come with Macs?
16:17:22 [JC]
... you can spawn two instances of calculator or other app
16:17:27 [JC]
... that is the idea
16:17:39 [tara]
ack npdoty
16:18:01 [JC]
Npdoty: Do we need a unique identifier?
16:18:16 [JC]
... it seems like it is needed so each instance needs its own storage
16:18:31 [JC]
... does that mean they need a unique ID?
16:19:14 [JC]
Marcosc: You are right. From a dev point of view it is not needed, e.g. files don't need them
16:19:37 [JC]
... the reason they are needed is because browsers are designed to use an ID like a domain name
16:20:07 [JC]
... it would mean writing a great chunk of web browsers to get around this
16:20:18 [npdoty]
but does it need to be a *persistent* identifier? or could it be just as opaque if it changed on every run?
16:20:53 [JC]
... the alternative is to use a string like app://myfunkyapp/myfile.js
16:21:09 [JC]
... if I get rid of multiple instance problem that would solve problem
16:21:38 [JC]
npdoty: does the identifier need to be persistent?
16:22:04 [JC]
Marcosc: No, it doesn't. The app would need to regenerate it
16:22:16 [JC]
... this is something browsers need to work out though
16:22:34 [JC]
Npdoty: that's only one mitigation
16:22:57 [JC]
... Even if we avoided this the app could create a unique ID
16:23:17 [JC]
Marcosc: My proposal was to be able to clear all history and start with a new number
16:23:42 [JC]
... let's say it's a FB app running. You would get the same cookie, but login identifies the user
16:24:03 [JC]
... It is fair to clear all data and start with a new ID
16:24:12 [JC]
Npdoty: was there pushback?
16:24:24 [JC]
Marcosc: Yes, because users would lose their data
16:24:45 [JC]
... I think that is okay to lose the data. It shouldn't be that traumatic
16:24:56 [JC]
... the dev can provide mechanisms to backup data
16:25:10 [tara]
ack wseltzer
16:25:27 [JC]
Wseltzer: The app serves as origin and acts as server?
16:25:32 [JC]
Marcosc: Yes
16:25:59 [JC]
Wseltzer: that is counterintuitive as far as user agent interaction.
16:26:17 [JC]
... I like the idea of clearing the data. Is there room for other best practices?
16:26:38 [JC]
Marcosc: We could ask user if the domain can track location.
16:26:57 [JC]
... In that situation it would not be good to show random set of numbers
16:27:11 [JC]
Tara: is there a way to get the UA to translate the data back?
16:27:20 [npdoty]
+1, these would make for horribly ugly Geolocation permissions dialogs
16:27:34 [JC]
Marcosc: the app ships with a manifest file so we can determine the name of the app
16:27:38 [npdoty]
... assuming the name is correct
16:28:02 [npdoty]
scribenick: npdoty
16:28:30 [npdoty]
hannes: for the uri scheme, there is a security aspect (the same-origin policy)
16:28:46 [npdoty]
... to have the functionality of a port number to deal with multiple instances of the same application running on the host
16:29:00 [npdoty]
... the port number concept illustrates that you can use regular numbers without exposing a long identifier
16:29:08 [npdoty]
... only needs to be local to the host, not globally unique
16:30:06 [npdoty]
... re: security aspects, if the app wants to communicate with someone else and store data, they will need concepts beyond this identifier -- you won't want to base your security on this made-up identifier, not a cookie-like equivalent
16:30:36 [npdoty]
... uuid wouldn't be enough to let the application be reachable, no resolution mechanism to translate the ID into an IP address for example
16:30:59 [npdoty]
marcosc: outside of scope, but it may relate back. instead of using an ID, using a human-readable string
16:31:27 [npdoty]
... in making an HTTP request, would send an Origin header, but send it with a random ID, then the server won't know who you are
16:31:38 [npdoty]
... there is a proposal that applications should be able to fake their origin
16:31:56 [npdoty]
... instead of faking an origin like, instead: app://
16:32:32 [npdoty]
... fear of hijacking, how you would download an app, verify the app and send it to the server as authorized
16:32:57 [npdoty]
... could eventually come back into the app uri scheme
16:33:02 [npdoty]
... has to be part of a complete solution
16:33:43 [npdoty]
hannes: have you written these different aspects already? a somewhat complicated story, same origin in the context of downloaded application
16:34:07 [npdoty]
... same-origin intended to protect against a browser sending off data to some other server
16:34:19 [npdoty]
... downloaded applications historically could send data to any place
16:34:26 [npdoty]
marcosc: these are not supposed to do that
16:34:50 [npdoty]
... at least in Mozilla, came up with a System XHR which does contact any server you want, not a great solution
16:35:19 [npdoty]
... spec at the moment is limited to the use case where a developer wants to access or save something locally to the package, which all rely on origin
16:35:45 [npdoty]
... I'm treating them as outside the scope, because these applications can't yet communicate with the outside world
16:35:55 [npdoty]
... enable with CSP and CORS
16:36:17 [npdoty]
... in theory the app uri scheme can be used with CORS, no reason why it can't; in theory it works quite nicely with CSP
16:36:55 [npdoty]
hannes: will have a look at the document, seems like a complicated story
16:37:08 [npdoty]
marcosc: that story is not covered yet, but sysapps will need to address that in one spec eventually
16:37:18 [npdoty]
... if you have any idea about that, it would be a huge help, but a broader scope
16:37:44 [npdoty]
tara: could use more discussion on the mailing list about this?
16:37:54 [npdoty]
marcosc: I think so, the points have been raised already, but can discuss more on the list
16:38:25 [npdoty]
... at least as it evolves, if we do address using CORS or faking origins, looking at those implications and possible solutions
16:38:50 [npdoty]
... could we somehow get a token from the server that owns a domain to prove this app is 'okay'
16:39:02 [npdoty]
hannes: that @@@ exists
16:39:09 [npdoty]
marcosc: can you point me to papers or examples?
16:39:30 [npdoty]
tara: encourage more of this discussion on the list, and if we have more extensive resources
16:39:38 [npdoty]
+1, thanks marcosc!
16:39:43 [npdoty]
tara: thanks, marcos!
16:39:52 [npdoty]
Topic: Ambient Light / Proximity follow-up
16:40:06 [npdoty]
christine: security and privacy considerations proposed by Frederik
16:40:17 [npdoty]
... nick raised some questions, then addressed by Frederik
16:40:45 [npdoty]
... spec updated by the editor, and then some editorial changes by fjh
16:40:52 [npdoty]
... we should provide our comments before next week
16:41:20 [npdoty]
tara: please do send those comments along
16:41:30 [npdoty]
Topic: Document Status
16:43:06 [npdoty]
npd: on fingerprinting, no new updates on the fingerprinting-guidance text in particular
16:43:31 [npdoty]
... but the app: uri scheme we just talked about might actually be a great example for us to discuss in terms of cookie-like
16:43:57 [npdoty]
hannes: went through the list of privacy questions, a great list, to see how they might work in our privacy considerations
16:44:21 [npdoty]
... some of them already exist; a few where I have clarity questions (from Karl D. in particular)
16:44:31 [npdoty]
... some questions were new, which I made as updates to the document
16:44:56 [npdoty]
... some questions I didn't have answers for (from Nick and Wendy)
16:45:18 [npdoty]
... it would be nice to get some reviewers for an updated version of the document, further room for improvement
16:45:34 [npdoty]
... included links to Nick's fingerprinting document for definitions
16:46:04 [npdoty]
yrlesru: Specification Privacy Assessment document
16:46:13 [npdoty]
... working with Nick to get that up on GitHub, should be there soon hopefully
16:46:20 [npdoty]
... haven't received any comments on that
16:46:32 [npdoty]
tara: looking for comments now? wait to get it on GitHub?
16:46:44 [npdoty]
yrlesru: should be up there this week and then ask for comments
16:47:29 [npdoty]
tara: want to make sure we're getting the feedback you all need
16:47:36 [christine]
Updated privacy guidance document is here:
16:47:41 [npdoty]
npd: examples of the new questions we need answers for
16:48:04 [npdoty]
hannes: does the service/browser provide some information so that the user can adjust their behavior?
16:48:22 [npdoty]
... background events firing in all browser contexts allow correlation of users across contexts, not sure how to answer that yet
16:48:42 [npdoty]
... david asked a couple of questions about correlation, so added some text on that
16:48:59 [npdoty]
... user preferences / user control; who can have access to the data, how visible is that to the user
16:49:26 [npdoty]
... can code send signals to nearby devices, an interesting thought
16:50:41 [npdoty]
npd: great, thanks. hope we can be more systematic than just the questions that we have asked so far, maybe Frank's document can help with that
16:51:16 [npdoty]
hannes: I've tried to provide some clustering, but Frank's document might be more principled with regard to process
16:51:46 [npdoty]
yrlesru: had sent around one document with Security and Privacy Considerations
16:51:54 [npdoty]
... a PIA template, will dig that up and post to the list
16:52:25 [npdoty]
christine: the Privacy Impact Assessment Template <author unknown>
16:53:03 [npdoty]
yrlesru: might be a nice way of grouping the questions; engineers may prefer a checklist like a pilot, rather than a formal process
16:53:12 [npdoty]
... checklist of questions might be more operational
16:53:35 [npdoty]
tara: thanks all, can give some time for Frank on the next phone call
16:54:04 [npdoty]
Topic: Quick Updates on ongoing privacy reviews
16:54:13 [npdoty]
hannes: a bit behind on getUserMedia privacy review
16:54:31 [npdoty]
... have looked at the document, somewhat similar to the Geolocation privacy assessment
16:54:52 [npdoty]
... with the difference that you can't as easily utilize data minimization because reducing the quality of audio in a conference call isn't all that useful
16:55:09 [npdoty]
... maybe someone can help me with a short write-up? tara: volunteers?
16:55:38 [npdoty]
christine: joe might have offered to help previously, to review something that's been drafted
16:56:07 [npdoty]
... hard because the TPWG is taking up a lot of privacy people's time
16:56:32 [npdoty]
tara: understanding that we all have a lot of work; any assistance is much appreciated
16:57:22 [npdoty]
wseltzer: EME, would love to get volunteers to help look into the privacy considerations in encrypted media
16:57:31 [npdoty]
... a rich spec for investigation, nothing new to report
16:57:41 [christine]
Can we have draft privacy reviews done before the next call?
16:58:22 [wseltzer]
christine, no
16:58:38 [fjh]
fjh has joined #privacy
16:58:46 [fjh]
zakim, code?
16:58:46 [Zakim]
the conference code is 7464 (tel:+1.617.761.6200, fjh
16:58:50 [npdoty]
npd: timeline for EME? are there particular people we could recruit inside that group?
16:59:14 [wseltzer]
Wseltzer: good questions
16:59:16 [npdoty]
wseltzer: a long potential timeline, going through bugs, etc.; don't know of people in particular, but we should enjoin them to encourage participation
16:59:31 [npdoty]
next call?
16:59:38 [christine]
I prefer 20/6
16:59:54 [fjh]
rrsagent, generate minutes
16:59:54 [RRSAgent]
I have made the request to generate fjh
17:00:49 [christine]
If it is 27/6, I may be in transit or still in a far east time zone
17:01:23 [yrlesru]
Thx. Bye.
17:01:24 [npdoty]
how about tentatively June 20th, and North Europeans should let us know about their summer party schedules
17:01:28 [npdoty]
tara: thanks all
17:01:58 [npdoty]
Zakim, list attendees
17:01:58 [Zakim]
As of this point the attendees have been +358.504.87aaaa, npdoty, hannes, christine, +1.650.283.aabb, tara, Wendy, JC, marcosc, yrlesru
17:02:04 [npdoty]
rrsagent, please draft the minutes
17:02:04 [RRSAgent]
I have made the request to generate npdoty
17:02:09 [npdoty]
Zakim, bye
17:02:09 [Zakim]
leaving. As of this point the attendees were +358.504.87aaaa, npdoty, hannes, christine, +1.650.283.aabb, tara, Wendy, JC, marcosc, yrlesru
17:02:09 [Zakim]
Zakim has left #privacy
17:02:18 [npdoty]
rrsagent, bye
17:02:18 [RRSAgent]
I see no action items