Privacy Interest Group Teleconference

11 Jul 2013

See also: IRC log


Christine, +1.650.283.aaaa, tara, npdoty, JoeHallCDT, fjh, rvaneijk, +1.469.242.aabb, Frank, +358.504.87aacc, Hannes, Frederick_Hirsch
npdoty, JoeHallCDT


<trackbot> Date: 11 July 2013

<rvaneijk> Hi Wendy, Tara, Christine ! Hope all is well.

<tara> Hi Rob!

<Christine> Hi

<npdoty> yeah, I think going over the document structures would be useful

<npdoty> scribenick: npdoty

tara: welcome, know that many people are busy with intensive Tracking Protection work, but a good time to check in
... anyone new to introduce themselves? welcome back Rob vE
... overview of the agenda

<Christine> Who is on the call?

Privacy Considerations doc


<yrlesru> zakim +1.469.242.aabb is yrlesru

<JoeHallCDT> suggest Nick Weaver and Hovav Shacham's student (can't remember)

<JoeHallCDT> scribenick: JoeHallCDT

[missed the beginning of npdoty's stuff]

npdoty: as the entropy of UA strings get more complicated, increased these fingerprintability

… what are the use case that we are protecting for, and in which can we reduce entropy in UA strings?

… who is it that we should be talking to about [passive fingerpting]?

<Christine> That seems like a very sensible idea Nick

… do we know which group or which body would be working on that?

<yrlesru> Could Nick rephrase...

<npdoty> JoeHallCDT: more familiar with the academic work, so I can help you there

npdoty: Who are the right people to talk to about the use cases for the UA strings?

… and if we want to address reducing entropy in in UA strings, who should we talk to?

yrlesru: Do you want to restrict the UA strings to make them less unique?

… because I think the UA strings are widely used, e.g., in the mobile area, to understand what kind of device is accessing the site to do programmatic reformating, etc.

… seems like the horse is out of the barn in trying to restrict the diversity of values in UA strings.

npdoty: maybe not every browser is adding something to the end of the UA string...

… maybe if we have that use case down, we don't need such long UA strings.

Christine: Frank makes a great case about why this is useful.

… Can we identify which groups in w3c are principally focused on using UA strings for this kind of functionality?

npdoty: Wanted to see if anyone knew that off the top of their head. Will take as homework.

tara: you could also throw it out on the list.

… many of us would be interested to see what you find.

rvaneijk: think the document is already a great aggregation of information about fingerprinting.

<npdoty> will follow up with Joe about some of the academic work, and email public-privacy and w3c-internal lists about working groups that might affect UA

… Would like to see things like… device optimization uses vs. for deriving a tracking identifier.

… building up use cases would be very helpful.

… I am writing up a [something] on fingerprinting, so this would be very useful. Would be willing to help expand use cases.

<npdoty> great, thanks, rvaneijk

<yrlesru> I came into call a bit late. Was there anything before Fingerprinting.

JoeHallCDT: asks about focus on passive fp?

npdoty: more people think that active fp is a lost cause.

… once you're running client side code, you're hosed.

<tara> Joe, were you thinking of Keaton Mowery? http://cseweb.ucsd.edu/~kmowery/

… you might be able to detect or disable active fingerprinting.


thanks, Nick!

<yrlesru> Can we assume we will use the term "passive" and "active" relative to consumer/user participation?

tara: sounds like this is going in a good direction.

<fjh> does user participate when javascript actively checks GPU etc?

<npdoty> yrlesru, I've tried to define "passive" and "active" in that document thus far, mostly to refer to whether local client-side code is involved

… let's move to SPA from yrlesru

<npdoty> http://yrlesru.github.io/SPA/

yrlesru: the SPA is out on github. Thanks to npdoty and [Art Barstow?]

… have received some comments from bartsow and npdoty

<Christine> Would it be helpful to walk through the document today?

I sent you comments.

yrlesru: Rationale… at Nokia, we have a number of people participating in consortia and standards groups and we've begun to understand the privacy impact on our work.

… we're designing bridges w/o asking a structural engineer about integrity of design.

… lots of standards were developed before people were thinking about privacy considerations.

… in IETF you have to have a security considerations sections.

… came from IETF management, who wanted to make sure security impact was recognized as important and incorporated into standards.

… in IETF they have a security directorate, beardos that are wise in security.

… they had some guidance about what this kind of section should look like in RFCs.

… occured to us at Nokia that a similar approach could be taken for privacy.

… wanted to avoid ineherent weaknesses wrt privacy.

… want to have a common process for how editors and contributors would go about looking at privacy impacts.

… if you look at IETF, it's an *ad hoc* approach… no systematic approach to look at privacy impact.

… simply having a set of use cases without understanding how they apply is not systematic.

… having a checklist is much more systematic.

… checklists are very important in health care and aviation contexts.

… having working in ISO on some of the management standards, and privacy impact methodologies, a PIA approach is gaining a lot of momentum.

… it could be that a PIA approach could be a good baseline to start a privacy impact section in a spec.

… about 7 steps that one would want to do.

… like security, privacy impact goes with the data

… by following the data, can figure out where the privacy impact is going to be.

… can then put in safeguards to mitigate those impacts.

… bascially I've just described what's in the SPA document.

… use cases help you understand primary and secondary uses.

… looking at data flow allows you to see how data affects those use cases.

… describes a spec that narrowed the request of contacts after such an examination.

… once you have an understanding of data flows and basic architecture, you can see where there are opportunities to put in controls and safeguards.

… latter element in SPA considers where the impact may be non-architectural but on deployment

… so privacy considerations should touch on deployment too.

<Christine> That was a superb overview Frank

<npdoty> +1


<Zakim> npdoty, you wanted to be skeptical about data flows

npdoty: have been mulling over questions...

… want to focus on whether to apply the process and when.

… want to be skeptical about data flows.

… going through a set of [FIPS-like] principles is very valuable

… less certain how useful it would be to identify specific data flows or to id which information is personal or not.

<yrlesru> FIPP

… some of the questions are less about what kind of data but more about how these principals work.

yrlesru: I heard 1) skepticism about data flows, and 2) the logic diagram that outlines whether or not a specific assessment is needed.

… they're kind of tied together.

… has talked to sensor engineers who don't work with software so much.

… from them, the guidance I got, was "if you could privacy into a set of equations, these people can grok it"

… I came up with four equations.

… they were bored until I showed the equations.

… this enlightened me: engineers will understand privacy a bit better if we can make privacy quantifiable and measurable.

… first equation: what do you mean by data? if you don't have data, you don't have privacy.

… second eq.: breaks down identifiability, observability and linkability

… the point being that it's very important to understand the data flow.

… if there is no flow, there is no or minimal privacy impact.

… under the SUR [? frank likes acros]

<npdoty> "specification under review"

… for me, once I mapped data flows, I had a much better understand of privacy impacts.

… npdoty doesn't need no data flows.

… so this is more for engineers, rather than seasoned privacy experts who know FIPs/FIPPs.

… and this is very simple data flows in a uses case to understand the trust boundaries.

… e.g., if a sensor is collecting information but the data never leaves the sensor register, then there's probably minimal to no impact.

… might not understand that without mapping flows.

[hannes?]: The main part of the specification is entirely about the data flows.

<npdoty> I think Frank is making two points: both that to do a privacy review you need to deeply understand the functionality

<npdoty> and that you need to identify where the data is flowing to explain whether privacy is impacted at all

… I don't think it's good advice to have people write up a summary of the protocol in the privacy considerations section.

<npdoty> (and I'm generally more supportive of the first than of the second, which I fear can be misleading)

<yrlesru> Please, Hannes, read the SPA. THere is no request to put DFD in Privacy Considerations.

Isn't the SPA an instrument for creating a privacy considerations section?

<yrlesru> The DFD is needed for assessor, not to put in PC section.

… [having a hard time scribing Hannes]

yrlesru: SPA says there are only two or three things that go in privacy considerations section.

… where is personal information being collected and processed.

… where is privacy being impacted

… how has this been addressed

… [one other thing Joe missed]

<npdoty> hannes: specifications tend to be very generic, APIs aren't used only in a single place, in the home, but used generally

hannes: need to outline what's the responsiblity of spec writers vs. deployers.

… e.g., a protocl dev can't say anything about a retention period.

… no way to enforce a recommended retention period.

… requiring protocol authors to write anything meaningful about deployment is very challenging.

yrlesru: however, for the person deploying the spec, if the service designers haven't thought about, e.g., retention, they might be impacted by this being in the spec.

<npdoty> fjh may have some experience with providing guidance to implementers, and how useful they might be

… the underlying fundamental point is that if you're creating protocols/specs, it behooves us from the beginning to take into account S&P in a systematic and considered manner.

… need to map the protocol into how it will be used.

hannes: IAB published "writing protocol models" that goes into some depth about how to write protocols to be analyzeable from security folks.

… challenge is that people are super-busy, now you're throwing another piece of work on them.

… they won't be able to do everything that your asking.

<yrlesru> Challenging part of the privacy work is to mature the privacy maturity of the group. We are at a primitive stage.

… what do you want them to do?

… I would like to focus them on something else?

npdoty: Frank is saying if you're doing a privacy review but did not write the spec, you need to do these things to understand how it's working.

… curious if privacy requirements are more productive than data flow?

yrlesru: how do you know what to apply if you don't know what it's doing?

… notice and consent, e.g., may not even apply.

… how do you know what to apply without knowing what the spec is doing?

… doesn't want to see privacy principle opportunism.

… agrees with Hannes that we don't want to make undue work for folks.

<fjh> +1 need to be pragmatic and reasonable work for those producing work products

… look at the intent of the processes and can then consider if you need to put in back up processes.

npdoty: wanted to understand why the data flow is useful.

yrlesru: in some of the less systematic approaches, people just have a set of threats.

… e.g., unauth. access… how do you know that applies?

… you don't unless you understand the process.

<fjh> if done right, systematic approach could be less work?

less work than copy+paste? :)

… editors will be in a better place as they already understand flows

… but for assessors, the flows will be key.

… for ISO 90001 [?] and the associated assessors, this will be important.

<npdoty> I'm personally a little concerned that "oh, there's no data" may be misleading; some of the privacy concerns we've identified on event notification and correlation might not identify a set of new data that's flowing

Christine: my understanding is that we have two privacy reviews in the queue

… yrlesru is doing something like the SPA process in GetUserMedia

… might help to see an example of a SPA applied to a real spec.

<Christine> Re Nick - yes - Hannes leading GetUserMedia and Wendy leading EME

rvaneijk: concur with frank that flows are important and understanding is too.

… from a DPA perspective, I have to look at lot of implementations of that policy

… have a set of questions that I ask.

… flows are key for me. I always ask for a diagram or summary.

<Christine> Rob is speaking

… this Q&A helps a lot to understand if there is a processing, collection of personal information.

<npdoty> thanks, rvaneijk, that's great input

hannes: you get to review a subset of a service.

… not a spec.

… data model may be more obvious in a spec.

<Christine> Time monitor: 5 mins to the hour

… while I agree that flows are important, what is the responsibility of the editors?

rvaneijk: if you have a little piece from a car, does the manuf. have to worry about the impact of that little piece or the whole car?

hannes: parts for the care are very specific, but here we're definiing very specific contexts.

<tara> Thanks, Christine...we should wrap this up.

<tara> Thanks, Joe!

<npdoty> scribenick: npdoty

hannes: very difficult, because specifications are very generic, to be applied to many different types of applications

<yrlesru> I believe that it is good to have such as process, even if today (2013) the privacy maturity of W3C is not sufficient to leverage every step in the process.

<fjh> I'll share my comment on the list

hannes: HTTP cookies, for example, some applications needed state management, but hard to see all the implications at that time

tara: hate to cut off, but running out of time

<Christine> We need people to work with Frank, Hannes and Nick on the 3 privacy guidance documents. Please volunteers.

yrlesru: both general and specific comments are welcome; this discussion is important regarding maturity levels of the process

<Christine> We also need volunteers to help Hannes and Wendy with the GetUserMedia and EME specs

yrlesru: work in progress (with GitHub); tried to apply to getUserMedia but found the high-level API difficult so falling back on use cases for now

<Christine> Next call?

<Christine> 22 August?

tara: any conflicts for 22 August? (let tara and christine know)

<fjh> thanks

<yrlesru> No conflict with 22.8.

<Christine> Thanks Frank! Joe! Hannes! Tara! Everyone!

<yrlesru> Thanks to all for lively discussion!

tara: thanks all for joining, and to Joe for scribing

<yrlesru> +358 was Hannes.

<yrlesru> +1-469 was yrlesru/Frank

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2013-07-11 17:02:37 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/someone/yrlesru/
Succeeded: s/Bartsow/Barstow/
Succeeded: s/havig/having/
Succeeded: s/whole care/whole car/
Succeeded: s/fjh/rvaneijk/
Found ScribeNick: npdoty
Found ScribeNick: JoeHallCDT
Found ScribeNick: npdoty
Inferring Scribes: npdoty, JoeHallCDT
Scribes: npdoty, JoeHallCDT
ScribeNicks: npdoty, JoeHallCDT
Default Present: Christine, +1.650.283.aaaa, tara, npdoty, JoeHallCDT, fjh, rvaneijk, +1.469.242.aabb, Frank, +358.504.87aacc, Hannes
Present: Christine +1.650.283.aaaa tara npdoty JoeHallCDT fjh rvaneijk +1.469.242.aabb Frank +358.504.87aacc Hannes Frederick_Hirsch
Found Date: 11 Jul 2013
Guessing minutes URL: http://www.w3.org/2013/07/11-privacy-minutes.html
People with action items: 

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.

[End of scribe.perl diagnostic output]