IRC log of privacy on 2013-08-22

Timestamps are in UTC.

15:56:00 [RRSAgent]
RRSAgent has joined #privacy
15:56:00 [RRSAgent]
logging to http://www.w3.org/2013/08/22-privacy-irc
15:56:02 [trackbot]
RRSAgent, make logs 263
15:56:02 [Zakim]
Zakim has joined #privacy
15:56:04 [trackbot]
Zakim, this will be
15:56:04 [Zakim]
I don't understand 'this will be', trackbot
15:56:05 [trackbot]
Meeting: Privacy Interest Group Teleconference
15:56:05 [trackbot]
Date: 22 August 2013
15:56:08 [npdoty]
rrsagent, make logs public
15:56:14 [npdoty]
Zakim, this will be 7464
15:56:15 [Zakim]
ok, npdoty; I see Team_(privacy)16:00Z scheduled to start in 4 minutes
15:58:32 [npdoty]
Zakim, who is on the phone?
15:58:32 [Zakim]
Team_(privacy)16:00Z has not yet started, npdoty
15:58:34 [Zakim]
On IRC I see RRSAgent, npdoty, christine, fjh, TallTed, glenn, trackbot, wseltzer
15:58:45 [npdoty]
Zakim, this is PING
15:58:45 [Zakim]
ok, npdoty; that matches Team_(privacy)16:00Z
15:58:49 [npdoty]
Zakim, who is on the phone?
15:58:50 [Zakim]
On the phone I see [IPcaller], npdoty
15:59:14 [christine]
Zakim [IPcaller] is me
15:59:24 [npdoty]
Zakim, [IP is christine
15:59:24 [Zakim]
+christine; got it
15:59:43 [Zakim]
+Frederick_Hirsch
15:59:54 [fjh]
zakim, mute me
15:59:54 [Zakim]
sorry, fjh, I do not know which phone connection belongs to you
16:00:01 [fjh]
zakim, who is here?
16:00:03 [Zakim]
On the phone I see christine, npdoty, Frederick_Hirsch
16:00:03 [Zakim]
On IRC I see RRSAgent, npdoty, christine, fjh, TallTed, glenn, trackbot, wseltzer
16:00:08 [fjh]
zakim, Frederick_Hirsch is me
16:00:08 [Zakim]
+fjh; got it
16:00:15 [JoeHallCDT]
JoeHallCDT has joined #privacy
16:00:20 [fjh]
zakim, mute me
16:00:20 [Zakim]
fjh should now be muted
16:00:31 [Zakim]
+[Apple]
16:00:40 [christine]
Agenda: 1. Welcome and introductions 2. Introduction to the draft Web Cryptography API and discussion of privacy considerations 3. Update re privacy guidance documents (Privacy Considerations; Fingerprinting; Process) 4. Update re getUserMedia privacy review 5. Update re EME privacy review 6. AOB
16:00:44 [tara]
tara has joined #privacy
16:00:48 [Zakim]
+[Microsoft]
16:00:50 [fjh]
zakim, who is here?
16:00:50 [Zakim]
On the phone I see christine, npdoty, fjh (muted), [Apple], [Microsoft]
16:00:52 [Zakim]
On IRC I see tara, JoeHallCDT, Zakim, RRSAgent, npdoty, christine, fjh, TallTed, glenn, trackbot, wseltzer
16:01:00 [fjh]
Present+ Frederick_Hirsch
16:01:01 [tara]
zakim, Apple is me
16:01:01 [Zakim]
+tara; got it
16:01:11 [Zakim]
+[CDT]
16:01:16 [markw]
markw has joined #privacy
16:01:20 [Zakim]
+Karen
16:01:23 [JoeHallCDT]
zakim, [CDT] is me
16:01:23 [Zakim]
+JoeHallCDT; got it
16:01:50 [Zakim]
+markw
16:01:54 [JC]
JC has joined #PRIVACY
16:01:58 [karen]
karen has joined #privacy
16:02:05 [Zakim]
+ +1.512.257.aaaa
16:02:06 [rsleevi]
rsleevi has joined #privacy
16:02:06 [npdoty]
chair: christine
16:02:35 [npdoty]
Zakim, aaaa may be Virginie
16:02:35 [Zakim]
+Virginie?; got it
16:03:02 [virginie]
virginie has joined #privacy
16:03:22 [Zakim]
+kodonog
16:03:23 [Zakim]
+ +1.650.275.aabb
16:03:34 [virginie]
zakim, who is on the phone ?
16:03:34 [Zakim]
On the phone I see christine, npdoty, fjh (muted), tara, [Microsoft], JoeHallCDT, Karen, markw, Virginie?, kodonog, +1.650.275.aabb
16:04:00 [karen_odonoghue]
karen_odonoghue has joined #privacy
16:04:48 [npdoty]
rsleevi, can you scribe, and I'll scribe during the Crypto discussion?
16:05:10 [rsleevi]
npdoty: I'm not in a place to scribe atm
16:05:30 [npdoty]
scribenick: npdoty
16:05:54 [npdoty]
virginie: Virginie Gemaldo, chairing the Web Crypto WG
16:06:07 [npdoty]
markw: Mark Watson, from Netflix
16:06:10 [virginie]
virginie is virginie galindo, chairing web crypto WG, working for gemalto
16:06:22 [npdoty]
rsleevi: Ryan Sleevi, editing
16:06:23 [fjh]
zakim, unmute me
16:06:23 [Zakim]
fjh should no longer be muted
16:06:31 [fjh]
zakim, mute me
16:06:31 [Zakim]
fjh should now be muted
16:06:34 [npdoty]
Karen Donohoe, Internet Society
16:06:39 [fjh]
Frederick Hirsch, Nokia
16:06:44 [npdoty]
s/Gemaldo/Galindo/
16:06:45 [Zakim]
+ +358.504.87aacc
16:07:00 [JoeHallCDT]
Joe Hall, CDT!
16:07:17 [JC]
JC Cannon, Micrsoft Online Services
16:07:22 [christine]
Christine Runnegar, co-chair
16:07:25 [karen_odonoghue]
Karen O'Donoghue, Internet Society
16:07:26 [npdoty]
npd: Nick Doty, W3C
16:07:27 [tara]
Welcome, newcomers! Tara Whalen, Apple (co-chair for PING).
16:07:29 [karen]
Karen Lu from Gemalto
16:07:33 [fjh]
s/Micrsoft/Microsoft/
16:07:43 [christine]
2. Introduction to the draft Web Cryptography API and discussion of privacy considerations
16:07:51 [npdoty]
Topic: Web Crypto
16:08:21 [npdoty]
christine: request from Crypto WG for review, some work in design decisions regarding privacy considerations
16:08:29 [npdoty]
... someone from Web Crypto to give us a walkthrough
16:09:02 [npdoty]
rsleevi: try to summarize, 3 documents under active development: Web Crypto, named pre-provision key, non-normative use cases
16:09:21 [npdoty]
... lot of discussion early on regarding persistent identifiers, identify and address keys
16:09:37 [npdoty]
... API provides basic cryptographic services, encrypt/decrypt, sign, hash
16:09:55 [npdoty]
... opaque key handles, not dealing with the raw key material, may or may not be able to extract the key material
16:10:07 [npdoty]
... the privacy mitigations we've tried to work through: key material is extremely random
16:10:20 [npdoty]
... and not shared with anyone in the world
16:10:38 [npdoty]
... has a privacy risk of a very long persistent identifier with a strong mathematical binding for example for non-repudiation
16:10:52 [npdoty]
... the storage of these keys is treated as the same Web storage technologies
16:10:58 [npdoty]
... IndexedDB or PostMessage
16:11:14 [npdoty]
... choice of that design is to leverage the same privacy characteristics as those
16:11:35 [npdoty]
... if the user clears them, clears the others
16:11:48 [npdoty]
... lifetime of the key to lifetime of existing storage mechanisms
16:12:11 [npdoty]
... under discussion is extractability, can strongly identify particular user agents
16:12:34 [npdoty]
... leave that discussion to Mark
16:13:04 [Zakim]
+Wendy
16:13:08 [virginie]
the recent draft is available here : https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
16:13:23 [npdoty]
q+
16:13:47 [JoeHallCDT]
npdoty: great job documenting privacy considerations…
16:14:07 [virginie]
https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#privacy
16:14:14 [JoeHallCDT]
… is what you described as a supercookie really a canonical super cookie?
16:14:30 [npdoty]
q-
16:14:31 [JoeHallCDT]
… there is a long list of ennumerated algorithms, are we expecting a lot of diversity in implementation?
16:15:53 [npdoty]
npd: +1, I think those persistent (perhaps permanent?) identifiers are a serious concern, I just wasn't sure about calling that "super-cookie" -- is that what we usually mean?
16:16:12 [npdoty]
npdoty: pre-provisioned keys, or other keys generated outside of this API itself
16:16:24 [npdoty]
... has use cases, Mark has worked on privacy considerations for that
16:16:42 [npdoty]
... could be tied to a smart card, or a particular user's identity
16:17:11 [npdoty]
rsleevi: realistically, expect to see a choice of algorithms, not enabled/disabled by a specific user, not installed arbitrarily like fonts
16:17:31 [npdoty]
... no plans in this version for extending that list of algorithms programmatically, plugins for browser vendors
16:17:51 [npdoty]
... realistically the choice is going to be fixed by User Agent and Operating System and potentially User Agent version
16:17:58 [npdoty]
... and that information is currently leaked through other means, so not adding to it
16:18:33 [JoeHallCDT]
npdoty: privacy considerations are all non-normative… shouldn't there be some normative requirements about same-origin?
16:19:46 [npdoty]
rsleevi: don't define a storage mechanism, this is done via existing mechanisms, like IndexedDB, so origin protections would be handled by those specs
16:19:58 [npdoty]
... can arbitrarily send across origins via PostMessage, so same risks and mitigations
16:20:53 [npdoty]
markw: Web Crypto Key Discovery, named origin-specific pre-provisioned keys
16:21:07 [virginie]
Web Crypto Key Discovery API is available here : http://www.w3.org/TR/webcrypto-key-discovery/
16:21:09 [npdoty]
... for services like Netflix's or similar, devices like televisions, set-top boxes, etc.
16:21:25 [npdoty]
... manufacturers pre-provision those with keys for a specific service, so that we can identify those devices
16:21:34 [npdoty]
... which we need to do for business purposes
16:21:49 [npdoty]
... for video services, access those keys which have been pre-provisioned
16:22:15 [npdoty]
... named keys but we expect to pre-define what the name would be with those manufacturers
16:22:28 [JoeHallCDT]
the line is very tinny
16:22:59 [npdoty]
markw: origin-specific named pre-provision keys, have a bunch of privacy considerations described
16:22:59 [Zakim]
-[Microsoft]
16:23:10 [virginie]
http://www.w3.org/TR/webcrypto-key-discovery/#privacy-considerations
16:23:13 [npdoty]
... can identify the user to a service
16:23:38 [npdoty]
... just generates an object that otherwise is defined by Web Crypto
16:24:08 [npdoty]
... privacy considerations section, but still ask for review
16:24:46 [npdoty]
christine: PING calls are a chance to get an overview, with a chance to think over in order to give specific feedback
16:24:48 [virginie]
q+
16:24:56 [npdoty]
ack virginie
16:25:27 [npdoty]
virginie: is there a timeline on review of the spec? when can we check the box that it's reviewed by the PING? is one month feasible?
16:25:49 [npdoty]
christine: ask for a volunteer or two to lead a review of the specs
16:26:22 [npdoty]
... anyone on the call? or I have some people I could tap on the shoulder
16:27:15 [npdoty]
... will ask some people offline for review. is the deadline hard?
16:27:41 [npdoty]
virginie: would be good to solve issues by Last Call, which is planned for fall, around TPAC, so good to get issues earlier to get technical solutions in the WG
16:28:07 [npdoty]
christine: good to know, different groups have tended to have different timelines
16:28:25 [npdoty]
q+
16:28:52 [JoeHallCDT]
npdoty: key discovery could allow an extremely persistent identifier...
16:29:04 [JoeHallCDT]
… won't really be like clearing cookies which is how we deal with local storage
16:29:24 [JoeHallCDT]
… any ideas about how to solve these problems or handle this situation?
16:29:44 [rsleevi]
q+
16:29:47 [npdoty]
scribenick: JoeHallCDT
16:29:48 [npdoty]
q-
16:29:49 [markw]
q+
16:30:11 [JoeHallCDT]
rsleevi: from the UA side, we are concerned about this and currently don't have plans to implement this...
16:30:25 [JoeHallCDT]
… this is probably more intended for the embedded device scenario
16:30:36 [JoeHallCDT]
… we do have reservations about this, even when connected to a user's cookie store
16:30:53 [JoeHallCDT]
… the user interaction should allow the user to understand the risks
16:31:00 [npdoty]
ack rsleevi
16:31:03 [npdoty]
ack markw
16:31:27 [JoeHallCDT]
markw: would say the UA/Device that has an anonymity mode should not respond with this information
16:31:43 [rsleevi]
q+
16:31:46 [JoeHallCDT]
… this can be a mechanism for controling the exposure of this resource
16:32:00 [JoeHallCDT]
npdoty: (didn't understand the q)
16:32:44 [npdoty]
npd: but it could still be transmitted across origins, I could start a business with a hardware embedded key and share it with PostMessage, right?
16:33:15 [JoeHallCDT]
rseelvi: as far as comm. to users, e.g., what Moz does with FF users, the incognito or private browsing modes are not seen as anonymity
16:33:22 [JoeHallCDT]
… they are not modes that prevent tracking
16:33:52 [JoeHallCDT]
… by granting access to a key to an origin, that could include multiple origins
16:33:58 [JoeHallCDT]
… exists elsewhere
16:34:18 [JoeHallCDT]
… e.g., in a geolocation API an origin can surely postmessage to another origin
16:35:19 [JoeHallCDT]
… (essentially it's hard to constraint server-side sharing of tracking elements)
16:35:25 [npdoty]
except the random number could be a hardware-embedded device identifier in this case, right?
16:35:32 [JoeHallCDT]
+1
16:36:06 [JoeHallCDT]
markw: origins can collude on server side using information from the client side… there's no additional issue raised by this that is different
16:37:05 [npdoty]
thanks markw and rsleevi; I still have concerns, but they're much better informed now :)
16:37:09 [christine]
3. Update re privacy guidance documents (Privacy Considerations; Fingerprinting; Process)
16:37:15 [JoeHallCDT]
agenda: update on various privacy consideration documents
16:37:19 [Zakim]
-rsleevi
16:37:22 [npdoty]
Topic: Update re privacy guidance documents (Privacy Considerations; Fingerprinting; Process)
16:37:23 [Zakim]
-Karen
16:37:25 [rsleevi]
rsleevi has left #privacy
16:37:37 [JoeHallCDT]
neither Hannes nor Frank appear to be on the call
16:38:15 [JoeHallCDT]
npdoty to give quick update on fingerprinting doc
16:38:18 [npdoty]
http://w3c.github.io/fingerprinting-guidance/
16:38:35 [JoeHallCDT]
npdoty: have lots of good input
16:38:57 [JoeHallCDT]
… WebCrypto gives yet another set of things to consider in the space of cookie-like stuff
16:39:22 [JoeHallCDT]
… this document tries to describe both passive (no code) and active (ship code to the UA) fingerprinting
16:39:37 [JoeHallCDT]
… then cookie-like fingerprinting that involves storing state in the UA
16:39:55 [JoeHallCDT]
… passive fingerprinting are the most dangerous, hard to detect, block
16:40:07 [JoeHallCDT]
… so we should avoid increasing this capability
16:40:32 [JoeHallCDT]
… wrt to active, if you run enough code on the UA, you can do arbitrary fingerprinting
16:40:55 [npdoty]
http://w3c.github.io/fingerprinting-guidance/#clearing-all-local-state
16:41:07 [JoeHallCDT]
… have a new section that talks about clearing local state
16:41:25 [JoeHallCDT]
…. any spec that enables setting and retrieving local state, needs to note that
16:41:45 [JoeHallCDT]
… must call that out so that UAs can knowingly clear state with their mechanism
16:41:55 [JoeHallCDT]
… UAs may not be able to clear all local state
16:42:17 [JoeHallCDT]
… e.g., pre-specified keys, I may lose my ability to see netflix videos
16:42:38 [JoeHallCDT]
q
16:44:08 [fjh]
joeHallCDT: surprised passive mentioned as more dangerous, hard to detect but active can be amazing attacks
16:44:57 [JoeHallCDT]
npdoty: when I say danger, danger! the height of the concern is related to prevention on the client and hard to externally detect
16:45:41 [JoeHallCDT]
… the way to address this is to say that maybe the entropy is not as high and web specs should not increase the entropy unless not strictly necessary
16:46:13 [JoeHallCDT]
… there may be mitigations for active fp that aren't as effective
16:46:36 [JoeHallCDT]
… in part, what we're hearing that the attacks are so sophisticated that why should we deal with this at all in *our* spec?
16:47:42 [npdoty]
yes, I'll help anyone who wants to contribute with pull requests on github
16:47:43 [christine]
4. Update re getUserMedia privacy review 5. Update re EME privacy review 6. AOB
16:48:09 [JoeHallCDT]
christine: Hannes is leading getUserMedia and Frank has given input
16:48:17 [markw_]
markw_ has joined #privacy
16:48:24 [JoeHallCDT]
… also have EME privacy review and been tapped on the shoulder
16:48:33 [JoeHallCDT]
… Joe has offered to help
16:48:48 [npdoty]
q+ on EME
16:48:48 [JoeHallCDT]
wseltzer: no update, but excitement!
16:49:12 [JoeHallCDT]
ack rsleevi
16:49:15 [JoeHallCDT]
ack npdoty
16:49:15 [Zakim]
npdoty, you wanted to comment on EME
16:49:39 [markw_]
Content Decryption Modules
16:49:40 [JoeHallCDT]
npdoty: are we just talking about CDMs or other things
16:50:16 [JoeHallCDT]
npdoty: is this review about CDMs or other parts that we're trying to review?
16:50:36 [JoeHallCDT]
wseltzer: haven't scope it, but are looking for places that the use of EME could raise privacy concerns
16:50:58 [JoeHallCDT]
… some of those could be outside EME per se, in CDMs, or in exchange of information described by EME specifically
16:51:34 [JoeHallCDT]
christine: one problem is a lot of our privacy experts have been working in the TPW (DNT) WG
16:51:50 [JoeHallCDT]
q+
16:52:51 [npdoty]
JoeHallCDT: question for markw, are there places you would specifically like to see input in particular on EME? that mailing list has been on/off topic. what would you like to see from PING?
16:53:03 [JoeHallCDT]
markw: probably not a great deal in the EME spec itself
16:53:22 [JoeHallCDT]
… big question, providing constraints, guidances as to what CDMs should/shouldn't do wrt privacy
16:53:41 [JoeHallCDT]
… we see it as what people do today with proprietary DRM and don't know what's going on
16:53:57 [JoeHallCDT]
… but might we have some common constraints around them?
16:54:06 [christine]
Note: it would also be useful to review the earlier PING discussion re EME in the informal chairs summary
16:54:22 [JoeHallCDT]
… don't have a lot of suggestions, but there is quite a bit of conversation on that list about options.
16:54:55 [npdoty]
this might be a chance for us to think about guidance for privacy guidelines for Web plugins in general
16:55:07 [npdoty]
s/guidance for//
16:55:26 [JoeHallCDT]
oh boy, no ambition, npdoty
16:55:41 [npdoty]
why solve a problem when you can solve all problems simultaneously
16:55:47 [JoeHallCDT]
punk
16:56:16 [christine]
AOB - discovery of privacy policies
16:56:43 [karen_odonoghue]
+q
16:56:47 [jeffh]
jeffh has joined #privacy
16:57:06 [JoeHallCDT]
ack
16:57:09 [npdoty]
ack karen_odonoghue
16:57:12 [JoeHallCDT]
ack JoeHallCDT
16:58:21 [wseltzer]
[ http://tosback.org/ ]
16:58:23 [JoeHallCDT]
ndoty: part of the impetus for the discussion of privacy policy discovery and simplification is to make those projects easier
16:58:27 [christine]
examples of work - EFF TosBack and WSJ Data transparency hackathon
16:58:52 [JoeHallCDT]
karen_odonoghue: we thought it would be helpful to separate the TOS archive and analysis, and standardize the interface
16:59:11 [JoeHallCDT]
… if there were a way to create that interface/API, that would be neat
16:59:30 [JoeHallCDT]
… Inet Soc. and EFF had discussed developing that API, but haven't made a lot of progress
16:59:50 [JoeHallCDT]
npdoty: for this imagined API, what would the interaction be?
17:00:13 [JoeHallCDT]
karen_odonoghue: this is more along the lines of analyzing changes over time and getting specific policies for a specific site
17:00:29 [JoeHallCDT]
… as part of the data transparency hackathon, TOSback went from 50 to 500 policies
17:00:48 [JoeHallCDT]
… as far as a standardized location for a PP on a site, that would be another aspect, not currently what we're looking at
17:01:06 [JoeHallCDT]
npdoty: please put us in touch with TOSBack2 folks
17:01:18 [JoeHallCDT]
karen_odonoghue: will send a note to the list
17:01:37 [JoeHallCDT]
christine: adjorned
17:02:23 [Zakim]
-JoeHallCDT
17:02:26 [Zakim]
-christine
17:02:27 [Zakim]
-Wendy
17:02:28 [Zakim]
-fjh
17:02:29 [Zakim]
-npdoty
17:02:29 [Zakim]
-tara
17:02:30 [Zakim]
-Virginie?
17:02:30 [Zakim]
-markw
17:02:31 [npdoty]
September 19th or October 3rd?
17:02:32 [Zakim]
-kodonog
17:02:39 [npdoty]
Zakim, list attendees
17:02:39 [Zakim]
As of this point the attendees have been [IPcaller], npdoty, christine, fjh, [Microsoft], tara, Karen, JoeHallCDT, markw, +1.512.257.aaaa, Virginie?, kodonog, +1.650.275.aabb,
17:02:43 [Zakim]
... rsleevi, +358.504.87aacc, Wendy
17:02:46 [npdoty]
rrsagent, please draft the minutes
17:02:46 [RRSAgent]
I have made the request to generate http://www.w3.org/2013/08/22-privacy-minutes.html npdoty
17:02:50 [JoeHallCDT]
can't attend 10/3 due to IAPP in WA
17:02:59 [JoeHallCDT]
ttyl all
17:03:01 [JoeHallCDT]
JoeHallCDT has left #privacy
17:03:02 [npdoty]
oh, IAPP might be a common conflict
17:03:08 [npdoty]
thanks all
17:03:10 [npdoty]
rrsagent, bye
17:03:10 [RRSAgent]
I see no action items