15:56:00 <RRSAgent> RRSAgent has joined #privacy
15:56:00 <RRSAgent> logging to http://www.w3.org/2013/08/22-privacy-irc
15:56:02 <trackbot> RRSAgent, make logs 263
15:56:02 <Zakim> Zakim has joined #privacy
15:56:04 <trackbot> Zakim, this will be
15:56:04 <Zakim> I don't understand 'this will be', trackbot
15:56:05 <trackbot> Meeting: Privacy Interest Group Teleconference
15:56:05 <trackbot> Date: 22 August 2013
15:56:08 <npdoty> rrsagent, make logs public
15:56:14 <npdoty> Zakim, this will be 7464
15:56:15 <Zakim> ok, npdoty; I see Team_(privacy)16:00Z scheduled to start in 4 minutes
15:58:32 <npdoty> Zakim, who is on the phone?
15:58:32 <Zakim> Team_(privacy)16:00Z has not yet started, npdoty
15:58:34 <Zakim> On IRC I see RRSAgent, npdoty, christine, fjh, TallTed, glenn, trackbot, wseltzer
15:58:45 <npdoty> Zakim, this is PING
15:58:45 <Zakim> ok, npdoty; that matches Team_(privacy)16:00Z
15:58:49 <npdoty> Zakim, who is on the phone?
15:58:50 <Zakim> On the phone I see [IPcaller], npdoty
15:59:14 <christine> Zakim [IPcaller] is me
15:59:24 <npdoty> Zakim, [IP is christine
15:59:24 <Zakim> +christine; got it
15:59:43 <Zakim> +Frederick_Hirsch
15:59:54 <fjh>  zakim, mute me
15:59:54 <Zakim> sorry, fjh, I do not know which phone connection belongs to you
16:00:01 <fjh> zakim, who is here?
16:00:03 <Zakim> On the phone I see christine, npdoty, Frederick_Hirsch
16:00:03 <Zakim> On IRC I see RRSAgent, npdoty, christine, fjh, TallTed, glenn, trackbot, wseltzer
16:00:08 <fjh> zakim, Frederick_Hirsch is me
16:00:08 <Zakim> +fjh; got it
16:00:15 <JoeHallCDT> JoeHallCDT has joined #privacy
16:00:20 <fjh> zakim, mute me
16:00:20 <Zakim> fjh should now be muted
16:00:31 <Zakim> +[Apple]
16:00:40 <christine> Agenda: 1. Welcome and introductions 2. Introduction to the draft Web Cryptography API and discussion of privacy considerations 3. Update re privacy guidance documents (Privacy Considerations; Fingerprinting; Process) 4. Update re getUserMedia privacy review 5. Update re EME privacy review 6. AOB
16:00:44 <tara> tara has joined #privacy
16:00:48 <Zakim> +[Microsoft]
16:00:50 <fjh> zakim, who is here?
16:00:50 <Zakim> On the phone I see christine, npdoty, fjh (muted), [Apple], [Microsoft]
16:00:52 <Zakim> On IRC I see tara, JoeHallCDT, Zakim, RRSAgent, npdoty, christine, fjh, TallTed, glenn, trackbot, wseltzer
16:01:00 <fjh> Present+ Frederick_Hirsch
16:01:01 <tara> zakim, Apple is me
16:01:01 <Zakim> +tara; got it
16:01:11 <Zakim> +[CDT]
16:01:16 <markw> markw has joined #privacy
16:01:20 <Zakim> +Karen
16:01:23 <JoeHallCDT> zakim, [CDT] is me
16:01:23 <Zakim> +JoeHallCDT; got it
16:01:50 <Zakim> +markw
16:01:54 <JC> JC has joined #PRIVACY
16:01:58 <karen> karen has joined #privacy
16:02:05 <Zakim> + +1.512.257.aaaa
16:02:06 <rsleevi> rsleevi has joined #privacy
16:02:06 <npdoty> chair: christine
16:02:35 <npdoty> Zakim, aaaa may be Virginie
16:02:35 <Zakim> +Virginie?; got it
16:03:02 <virginie> virginie has joined #privacy
16:03:22 <Zakim> +kodonog
16:03:23 <Zakim> + +1.650.275.aabb
16:03:34 <virginie> zakim, who is on the phone ?
16:03:34 <Zakim> On the phone I see christine, npdoty, fjh (muted), tara, [Microsoft], JoeHallCDT, Karen, markw, Virginie?, kodonog, +1.650.275.aabb
16:04:00 <karen_odonoghue> karen_odonoghue has joined #privacy
16:04:48 <npdoty> rsleevi, can you scribe, and I'll scribe during the Crypto discussion?
16:05:10 <rsleevi> npdoty: I'm not in a place to scribe atm
16:05:30 <npdoty> scribenick: npdoty
16:05:54 <npdoty> virginie: Virginie Gemaldo, chairing the Web Crypto WG
16:06:07 <npdoty> markw: Mark Watson, from Netflix
16:06:10 <virginie> virginie is virginie galindo, chairing web crypto WG, working for gemalto
16:06:22 <npdoty> rsleevi: Ryan Sleevi, editing
16:06:23 <fjh> zakim, unmute me
16:06:23 <Zakim> fjh should no longer be muted
16:06:31 <fjh> zakim, mute me
16:06:31 <Zakim> fjh should now be muted
16:06:34 <npdoty> Karen Donohoe, Internet Society
16:06:39 <fjh> Frederick Hirsch, Nokia
16:06:44 <npdoty> s/Gemaldo/Galindo/
16:06:45 <Zakim> + +358.504.87aacc
16:07:00 <JoeHallCDT> Joe Hall, CDT!
16:07:17 <JC> JC Cannon, Micrsoft Online Services
16:07:22 <christine> Christine Runnegar, co-chair
16:07:25 <karen_odonoghue> Karen O'Donoghue, Internet Society
16:07:26 <npdoty> npd: Nick Doty, W3C
16:07:27 <tara> Welcome, newcomers! Tara Whalen, Apple (co-chair for PING).
16:07:29 <karen> Karen Lu from Gemalto
16:07:33 <fjh> s/Micrsoft/Microsoft/
16:07:43 <christine> 2. Introduction to the draft Web Cryptography API and discussion of privacy considerations
16:07:51 <npdoty> Topic: Web Crypto
16:08:21 <npdoty> christine: request from Crypto WG for review, some work in design decisions regarding privacy considerations
16:08:29 <npdoty> ... someone from Web Crypto to give us a walkthrough
16:09:02 <npdoty> rsleevi: try to summarize, 3 documents under active development: Web Crypto, named pre-provision key, non-normative use cases
16:09:21 <npdoty> ... lot of discussion early on regarding persistent identifiers, identify and address keys
16:09:37 <npdoty> ... API provides basic cryptographic services, encrypt/decrypt, sign, hash
16:09:55 <npdoty> ... opaque key handles, not dealing with the raw key material, may or may not be able to extract the key material
16:10:07 <npdoty> ... the privacy mitigations we've tried to work through: key material is extremely random
16:10:20 <npdoty> ... and not shared with anyone in the world
16:10:38 <npdoty> ... has a privacy risk of a very long persistent identifier with a strong mathematical binding for example for non-repudiation
16:10:52 <npdoty> ... the storage of these keys is treated as the same Web storage technologies
16:10:58 <npdoty> ... IndexedDB or PostMessage
16:11:14 <npdoty> ... choice of that design is to leverage the same privacy characteristics as those
16:11:35 <npdoty> ... if the user clears them, clears the others
16:11:48 <npdoty> ... lifetime of the key to lifetime of existing storage mechanisms
16:12:11 <npdoty> ... under discussion is extractability, can strongly identify particular user agents
16:12:34 <npdoty> ... leave that discussion to Mark
16:13:04 <Zakim> +Wendy
16:13:08 <virginie> the recent draft is available here : https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
16:13:23 <npdoty> q+
16:13:47 <JoeHallCDT> npdoty: great job documenting privacy considerations…
16:14:07 <virginie> https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#privacy
16:14:14 <JoeHallCDT> … is what you described as a supercookie really a canonical super cookie?
16:14:30 <npdoty> q-
16:14:31 <JoeHallCDT> … there is a long list of ennumerated algorithms, are we expecting a lot of diversity in implementation?
16:15:53 <npdoty> npd: +1, I think those persistent (perhaps permanent?) identifiers are a serious concern, I just wasn't sure about calling that "super-cookie" -- is that what we usually mean?
16:16:12 <npdoty> npdoty: pre-provisioned keys, or other keys generated outside of this API itself
16:16:24 <npdoty> ... has use cases, Mark has worked on privacy considerations for that
16:16:42 <npdoty> ... could be tied to a smart card, or a particular user's identity
16:17:11 <npdoty> rsleevi: realistically, expect to see a choice of algorithms, not enabled/disabled by a specific user, not installed arbitrarily like fonts
16:17:31 <npdoty> ... no plans in this version for extending that list of algorithms programmatically, plugins for browser vendors
16:17:51 <npdoty> ... realistically the choice is going to be fixed by User Agent and Operating System and potentially User Agent version
16:17:58 <npdoty> ... and that information is currently leaked through other means, so not adding to it
16:18:33 <JoeHallCDT> npdoty: privacy considerations are all non-normative… shouldn't there be some normative requirements about same-origin?
16:19:46 <npdoty> rsleevi: don't define a storage mechanism, this is done via existing mechanisms, like IndexedDB, so origin protections would be handled by those specs
16:19:58 <npdoty> ... can arbitrarily send across origins via PostMessage, so same risks and mitigations
16:20:53 <npdoty> markw: Web Crypto Key Discovery, named origin-specific pre-provisioned keys
16:21:07 <virginie> Web Crypto Key Discovery API is available here : http://www.w3.org/TR/webcrypto-key-discovery/
16:21:09 <npdoty> ... for services like Netflix's or similar, devices like televisions, set-top boxes, etc.
16:21:25 <npdoty> ... manufacturers pre-provision those with keys for a specific service, so that we can identify those devices
16:21:34 <npdoty> ... which we need to do for business purposes
16:21:49 <npdoty> ... for video services, access those keys which have been pre-provisioned
16:22:15 <npdoty> ... named keys but we expect to pre-define what the name would be with those manufacturers
16:22:28 <JoeHallCDT> the line is very tinny
16:22:59 <npdoty> markw: origin-specific named pre-provision keys, have a bunch of privacy considerations described
16:22:59 <Zakim> -[Microsoft]
16:23:10 <virginie> http://www.w3.org/TR/webcrypto-key-discovery/#privacy-considerations
16:23:13 <npdoty> ... can identify the user to a service
16:23:38 <npdoty> ... just generates an object that otherwise is defined by Web Crypto
16:24:08 <npdoty> ... privacy considerations section, but still ask for review
16:24:46 <npdoty> christine: PING calls are a chance to get an overview, with a chance to think over in order to give specific feedback
16:24:48 <virginie> q+
16:24:56 <npdoty> ack virginie
16:25:27 <npdoty> virginie: is there a timeline on review of the spec? when can we check the box that it's reviewed by the PING? is one month feasible?
16:25:49 <npdoty> christine: ask for a volunteer or two to lead a review of the specs
16:26:22 <npdoty> ... anyone on the call? or I have some people I could tap on the shoulder
16:27:15 <npdoty> ... will ask some people offline for review. is the deadline hard?
16:27:41 <npdoty> virginie: would be good to solve issues by Last Call, which is planned for fall, around TPAC, so good to get issues earlier to get technical solutions in the WG
16:28:07 <npdoty> christine: good to know, different groups have tended to have different timelines
16:28:25 <npdoty> q+
16:28:52 <JoeHallCDT> npdoty: key discovery could allow an extremely persistent identifier...
16:29:04 <JoeHallCDT> … won't really be like clearing cookies which is how we deal with local storage
16:29:24 <JoeHallCDT> … any ideas about how to solve these problems or handle this situation?
16:29:44 <rsleevi> q+
16:29:47 <npdoty> scribenick: JoeHallCDT
16:29:48 <npdoty> q-
16:29:49 <markw> q+
16:30:11 <JoeHallCDT> rsleevi: from the UA side, we are concerned about this and currently don't have plans to implement this...
16:30:25 <JoeHallCDT> … this is probably more intended for the embedded device scenario
16:30:36 <JoeHallCDT> … we do have reservations about this, even when connected to a user's cookie store
16:30:53 <JoeHallCDT> … the user interaction should allow the user to understand the risks
16:31:00 <npdoty> ack rsleevi
16:31:03 <npdoty> ack markw
16:31:27 <JoeHallCDT> markw: would say the UA/Device that has an anonymity mode should not respond with this information
16:31:43 <rsleevi> q+
16:31:46 <JoeHallCDT> … this can be a mechanism for controling the exposure of this resource
16:32:00 <JoeHallCDT> npdoty: (didn't understand the q)
16:32:44 <npdoty> npd: but it could still be transmitted across origins, I could start a business with a hardware embedded key and share it with PostMessage, right?
16:33:15 <JoeHallCDT> rseelvi: as far as comm. to users, e.g., what Moz does with FF users, the incognito or private browsing modes are not seen as anonymity
16:33:22 <JoeHallCDT> … they are not modes that prevent tracking
16:33:52 <JoeHallCDT> … by granting access to a key to an origin, that could include multiple origins
16:33:58 <JoeHallCDT> … exists elsewhere
16:34:18 <JoeHallCDT> … e.g., in a geolocation API an origin can surely postmessage to another origin
16:35:19 <JoeHallCDT> … (essentially it's hard to constraint server-side sharing of tracking elements)
16:35:25 <npdoty> except the random number could be a hardware-embedded device identifier in this case, right?
16:35:32 <JoeHallCDT> +1
16:36:06 <JoeHallCDT> markw: origins can collude on server side using information from the client side… there's no additional issue raised by this that is different
16:37:05 <npdoty> thanks markw and rsleevi; I still have concerns, but they're much better informed now :)
16:37:09 <christine> 3. Update re privacy guidance documents (Privacy Considerations; Fingerprinting; Process)
16:37:15 <JoeHallCDT> agenda: update on various privacy consideration documents
16:37:19 <Zakim> -rsleevi
16:37:22 <npdoty> Topic: Update re privacy guidance documents (Privacy Considerations; Fingerprinting; Process)
16:37:23 <Zakim> -Karen
16:37:25 <rsleevi> rsleevi has left #privacy
16:37:37 <JoeHallCDT> neither Hannes nor Frank appear to be on the call
16:38:15 <JoeHallCDT> npdoty to give quick  update on fingerprinting doc
16:38:18 <npdoty> http://w3c.github.io/fingerprinting-guidance/
16:38:35 <JoeHallCDT> npdoty: have lots of good input
16:38:57 <JoeHallCDT> … WebCrypto gives yet another set of things to consider in the space of cookie-like stuff
16:39:22 <JoeHallCDT> … this document tries to describe both passive (no code) and active (ship code to the UA) fingerprinting
16:39:37 <JoeHallCDT> … then cookie-like fingerprinting that involves storing state in the UA
16:39:55 <JoeHallCDT> … passive fingerprinting are the most dangerous, hard to detect, block
16:40:07 <JoeHallCDT> … so we should avoid increasing this capability
16:40:32 <JoeHallCDT> … wrt to active, if you run enough code on the UA, you can do arbitrary fingerprinting
16:40:55 <npdoty> http://w3c.github.io/fingerprinting-guidance/#clearing-all-local-state
16:41:07 <JoeHallCDT> … have a new section that talks about clearing local state
16:41:25 <JoeHallCDT> …. any spec that enables setting and retrieving local state, needs to note that
16:41:45 <JoeHallCDT> … must call that out so that UAs can knowingly clear state with their mechanism
16:41:55 <JoeHallCDT> … UAs may not be able to clear all local state
16:42:17 <JoeHallCDT> … e.g., pre-specified keys, I may lose my ability to see netflix videos
16:42:38 <JoeHallCDT> q
16:44:08 <fjh> joeHallCDT: surprised passive mentioned as more dangerous, hard to detect but active can be amazing attacks
16:44:57 <JoeHallCDT> npdoty: when I say danger, danger! the height of the concern is related to prevention on the client and hard to externally detect
16:45:41 <JoeHallCDT> … the way to address this is to say that maybe the entropy is not as high and web specs should not increase the entropy unless not strictly necessary
16:46:13 <JoeHallCDT> … there may be mitigations for active fp that aren't as effective
16:46:36 <JoeHallCDT> … in part, what we're hearing that the attacks are so sophisticated that why should we deal with this at all in *our* spec?
16:47:42 <npdoty> yes, I'll help anyone who wants to contribute with pull requests on github
16:47:43 <christine> 4. Update re getUserMedia privacy review 5. Update re EME privacy review 6. AOB
16:48:09 <JoeHallCDT> christine: Hannes is leading getUserMedia and Frank has given input
16:48:17 <markw_> markw_ has joined #privacy
16:48:24 <JoeHallCDT> … also have EME privacy review and been tapped on the shoulder
16:48:33 <JoeHallCDT> … Joe has offered to help
16:48:48 <npdoty> q+ on EME
16:48:48 <JoeHallCDT> wseltzer: no update, but excitement!
16:49:12 <JoeHallCDT> ack rsleevi
16:49:15 <JoeHallCDT> ack npdoty
16:49:15 <Zakim> npdoty, you wanted to comment on EME
16:49:39 <markw_> Content Decryption Modules
16:49:40 <JoeHallCDT> npdoty: are we just talking about CDMs or other things
16:50:16 <JoeHallCDT> npdoty: is this review about CDMs or other parts that we're trying to review?
16:50:36 <JoeHallCDT> wseltzer: haven't scope it, but are looking for places that the use of EME could raise privacy concerns
16:50:58 <JoeHallCDT> … some of those could be outside EME per se, in CDMs, or in exchange of information described by EME specifically
16:51:34 <JoeHallCDT> christine: one problem is a lot of our privacy experts have been working in the TPW (DNT) WG
16:51:50 <JoeHallCDT> q+
16:52:51 <npdoty> JoeHallCDT: question for markw, are there places you would specifically like to see input in particular on EME? that mailing list has been on/off topic. what would you like to see from PING?
16:53:03 <JoeHallCDT> markw: probably not a great deal in the EME spec itself
16:53:22 <JoeHallCDT> … big question, providing constraints, guidances as to what CDMs should/shouldn't do wrt privacy
16:53:41 <JoeHallCDT> … we see it as what people do today with proprietary DRM and don't know what's going on
16:53:57 <JoeHallCDT> … but might we have some common constraints around them?
16:54:06 <christine> Note: it would also be useful to review the earlier PING discussion re EME in the informal chairs summary
16:54:22 <JoeHallCDT> … don't have a lot of suggestions, but there is quite a bit of conversation on that list about options.
16:54:55 <npdoty> this might be a chance for us to think about guidance for privacy guidelines for Web plugins in general
16:55:07 <npdoty> s/guidance for//
16:55:26 <JoeHallCDT> oh boy, no ambition, npdoty
16:55:41 <npdoty> why solve a problem when you can solve all problems simultaneously
16:55:47 <JoeHallCDT> punk
16:56:16 <christine> AOB - discovery of privacy policies
16:56:43 <karen_odonoghue> +q
16:56:47 <jeffh> jeffh has joined #privacy
16:57:06 <JoeHallCDT> ack
16:57:09 <npdoty> ack karen_odonoghue
16:57:12 <JoeHallCDT> ack JoeHallCDT
16:58:21 <wseltzer> [ http://tosback.org/ ]
16:58:23 <JoeHallCDT> ndoty: part of the impetus for the discussion of privacy policy discovery and simplification is to make those projects easier
16:58:27 <christine> examples of work - EFF TosBack and WSJ Data transparency hackathon
16:58:52 <JoeHallCDT> karen_odonoghue: we thought it would be helpful to separate the TOS archive and analysis, and standardize the interface
16:59:11 <JoeHallCDT> … if there were a way to create that interface/API, that would be neat
16:59:30 <JoeHallCDT> … Inet Soc. and EFF had discussed developing that API, but haven't made a lot of progress
16:59:50 <JoeHallCDT> npdoty: for this imagined API, what would the interaction be?
17:00:13 <JoeHallCDT> karen_odonoghue: this is more along the lines of analyzing changes over time and getting specific policies for a specific site
17:00:29 <JoeHallCDT> … as part of the data transparency hackathon, TOSback went from 50 to 500 policies
17:00:48 <JoeHallCDT> … as far as a standardized location for a PP on a site, that would be another aspect, not currently what we're looking at
17:01:06 <JoeHallCDT> npdoty: please put us in touch with TOSBack2 folks
17:01:18 <JoeHallCDT> karen_odonoghue: will send a note to the list
17:01:37 <JoeHallCDT> christine: adjorned
17:02:23 <Zakim> -JoeHallCDT
17:02:26 <Zakim> -christine
17:02:27 <Zakim> -Wendy
17:02:28 <Zakim> -fjh
17:02:29 <Zakim> -npdoty
17:02:29 <Zakim> -tara
17:02:30 <Zakim> -Virginie?
17:02:30 <Zakim> -markw
17:02:31 <npdoty> September 19th or October 3rd?
17:02:32 <Zakim> -kodonog
17:02:39 <npdoty> Zakim, list attendees
17:02:39 <Zakim> As of this point the attendees have been [IPcaller], npdoty, christine, fjh, [Microsoft], tara, Karen, JoeHallCDT, markw, +1.512.257.aaaa, Virginie?, kodonog, +1.650.275.aabb,
17:02:43 <Zakim> ... rsleevi, +358.504.87aacc, Wendy
17:02:46 <npdoty> rrsagent, please draft the minutes
17:02:46 <RRSAgent> I have made the request to generate http://www.w3.org/2013/08/22-privacy-minutes.html npdoty
17:02:50 <JoeHallCDT> can't attend 10/3 due to IAPP in WA
17:02:59 <JoeHallCDT> ttyl all
17:03:01 <JoeHallCDT> JoeHallCDT has left #privacy
17:03:02 <npdoty> oh, IAPP might be a common conflict
17:03:08 <npdoty> thanks all
17:03:10 <npdoty> rrsagent, bye
17:03:10 <RRSAgent> I see no action items