17:00:18 <RRSAgent> RRSAgent has joined #privacy
17:00:18 <RRSAgent> logging to http://www.w3.org/2013/12/05-privacy-irc
17:00:20 <trackbot> RRSAgent, make logs 263
17:00:22 <trackbot> Zakim, this will be
17:00:22 <Zakim> I don't understand 'this will be', trackbot
17:00:23 <trackbot> Meeting: Privacy Interest Group Teleconference
17:00:23 <trackbot> Date: 05 December 2013
17:00:30 <christine> Zakim, [IPcaller] is me
17:00:30 <Zakim> +christine; got it
17:00:37 <npdoty> rrsagent, make logs public
17:01:03 <christine> Agenda:
17:01:07 <christine> 1. Welcome and introductions 2. Fingerprinting Guidance for Web Specification Authors 3. Privacy reviews 4. Privacy Considerations and SPA 5. Web standards and surveillance (what can PING do?) 6. AOB
17:01:08 <Zakim> +npdoty
17:01:59 <christine> Regrets - Erin and Joe
17:02:12 <npdoty> Zakim, aaaa is yrlesru
17:02:13 <Zakim> +yrlesru; got it
17:03:13 <christine> 2. Fingerprinting Guidance for Web Specification Authors
17:03:26 <npdoty> http://w3c.github.io/fingerprinting-guidance/
17:04:11 <fjh> fjh has joined #privacy
17:04:24 <fjh> zakim, who is here?
17:04:24 <Zakim> On the phone I see yrlesru, FabGandon, christine, tara, npdoty
17:04:26 <Zakim> On IRC I see fjh, RRSAgent, Zakim, npdoty, yrlesru, tara, christine, Karima, TallTed, wseltzer, trackbot
17:04:29 <fjh> zakim, code?
17:04:29 <Zakim> the conference code is 7464 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), fjh
17:05:42 <Zakim> +Wendy
17:05:55 <christine> Nick: outling changes to fingerprinting guidance
17:06:31 <christine> Nick: hearing some skeptism whether it is actually feasible to address active fingerprinting
17:06:43 <christine> q+
17:07:15 <Zakim> + +1.781.362.aabb
17:07:24 <yrlesru> q+
17:07:26 <tara> in transition...
17:07:30 <fjh> zakim, aabb is me
17:07:30 <Zakim> +fjh; got it
17:07:34 <christine> Nick: guidance is less prescriptive for the active case but also new text that talks about detectability
17:07:38 <fjh> Present+ Frederick_Hirsch
17:08:23 <npdoty> christine: curious about text on Do Not Track, if sites are complying with DNT preference, what does it mean for fingerprinting?
17:08:45 <christine> Nick: hard to give a complete answer before specfications are finished
17:09:19 <christine> Nick: might still do fingerprinting if needed for security purpose or during the request (but would not keep data and correlate the requests)
17:09:50 <christine> Nick: mitigitation mainly on the implications - won't prevent Javascript from running but might prevent the activities that the users is worried about
17:10:09 <npdoty> ack christine
17:10:14 <npdoty> ack yrlesru
17:10:51 <christine> Frank: what is your intention? would this be a living working group note? or a specification? duplicate into Internet Draft in IETF?
17:11:09 <christine> Nick: if we could get support, pblish as an interest group note
17:11:37 <christine> Nick: it might need to be updated from time to time as technology changes, so we would want to publish updates and errata
17:11:53 <tara_> tara_ has joined #privacy
17:11:59 <christine> Nick: Useful to do the same at the IETF but considerations are probably different becuase they are lowere down the stakc
17:12:41 <christine> Karima, could you take over scribing?
17:12:45 <tara_> I can take over scribing now. (Made it to keyboard and stable network.)
17:13:03 <christine> Frank: Interest Group note sounds good - like the idea of a living document
17:13:07 <christine> Thanks tara!
17:13:19 <tara_> Frank Dawson: likes idea of living document because of moving technology.
17:14:13 <tara_> Christine: internal approval process for internal group notes is simpler than for specification. Seems that if we want to update document, can do so easily once first version is published.
17:14:51 <tara_> Nick: yes, is up to us, I think. But also would like to get some feedback from external group before we assume the note is relevant.
17:15:42 <tara_> Christine: we want to get doc moving forward. Is now mature enough to move it perhaps to draft group note? Then we can get broader W3C input as well as IETF and other relevant groups.
17:16:31 <tara_> Nick: sounds good, will check to see if there are formatting standards. Frederick?
17:16:54 <tara_> Frederick: use "working draft." Possibly "working draft-note"?
17:17:14 <fjh> appropriate respec configuration option pretty clear, not sure of current list
17:17:22 <tara_> Action item: Nick wil figure out how to present the document and add link to home page.
17:17:22 <trackbot> Error finding 'item'. You can review and register nicknames at <http://www.w3.org/Privacy/track/users>.
17:17:37 <tara_> Christine will work out how to promote/disseminate document.
17:18:38 <tara_> Frederick: send to TAG. Can also send to chairs-list.
17:19:04 <npdoty> I like the TAG and the Web Security IG suggestions, and early enough that not sending to the full chairs list would be fine by me :)
17:19:12 <fjh> ReSpec documentation is here: http://www.w3.org/respec/
17:19:18 <tara_> Thanks, Nick, for great document!
17:19:29 <christine> 3. Privacy reviews
17:19:43 <npdoty> action: doty to update formatting of fingerprinting document, link from Privacy group home page
17:19:44 <trackbot> Created ACTION-5 - Update formatting of fingerprinting document, link from privacy group home page [on Nick Doty - due 2013-12-12].
17:19:51 <tara_> Note on mailing list - Joe Hall sent out comments on EME.
17:19:51 <fjh> ReSpec status list: http://www.w3.org/respec/ref.html#specstatus
17:20:19 <tara_> Would be helpful to have more reviewers on this document so we can clue up this item (hopefully) by end of year.
17:20:29 <fjh> FPWD-NOTE and WD seem appropriate
17:20:45 <fjh> unless publishing a final NOTE which can always be changed
17:20:47 <tara_> Please help Wendy out with reviews! Especially as they have been asked for security review as well.
17:21:29 <tara_> Comments from anyone on call on EME? No comments raised.
17:21:41 <tara_> Nick: what was the security review issue?
17:22:24 <tara_> Wendy: because there is a history of doing security considerations in the privacy reviews [tw: if I have that right?] - would be great to apply this expertise to EME.
17:22:34 <npdoty> wseltzer, is Web Security IG trying to set up security reviews?
17:22:36 <tara_> Deadline? By the end of the year.
17:23:02 <npdoty> wseltzer: since a large set of security/privacy considerations have been raised, it would be important to actually do a security review.
17:23:09 <tara_> Other open review: getUserMedia.
17:23:26 <tara_> Frank did work on this, Hannes led review.
17:24:11 <tara_> Frank: Hannes is changing jobs, Frank unclear about his new role but hopes he can contribute in future.
17:24:48 <tara_> Christine: Frank, what is the best way to wrap this item up and deliver to the group?
17:25:54 <tara_> Frank: used it as an opportunity to update SPA; sent around on mailing list some time ago...but other than feedback from chairs, did not get any comments on usefulness of the approach.
17:26:38 <tara_> Frank: others have used guiding principles (e.g., data minimization). But I needed more product-unit-focused approach.
17:27:05 <npdoty> yrlesru, apologies that I realize I didn't follow up on that (I'm seeing this from June now that I search)
17:27:08 <npdoty> http://lists.w3.org/Archives/Public/public-privacy/2013AprJun/0051.html
17:27:08 <tara_> Christine: thanks very much, Frank, for all your work.
17:27:14 <tara_> (Also thanks from Tara!)
17:27:37 <tara_> Christine: we need more people to look at getUserMedia and Frank's analysis - who might be the right volunteers?
17:28:25 <tara_> Please reach out to potential reviewers, if possible.
17:29:00 <tara_> Nick: we could take an expert (e.g., on API) and see if the analysis makes sense from that person's perspective.
17:29:28 <tara_> We sent Robin Wilton's analysis to WebCrypto WG.
17:29:53 <christine> 4. Privacy Considerations and SPA
17:29:53 <npdoty> npdoty has joined #privacy
17:30:18 <tara_> Hannes not on the call, but has done a lot of work on this document.
17:30:47 <tara_> Christine: how can we encourage feedback from within PING and eventually, from other groups?
17:31:20 <tara_> Frank: for SPA, I received comments from Art Barstow. More formatting than content. But no further feedback since then.
17:31:28 <npdoty> I have some comments on content written down on paper, but haven't crossed into electronic
17:32:00 <tara_> Frank: using Nick's approach, will turn PrivConsiderations and SPA into working group note. (Hosted on GitHub).
17:32:20 <tara_> Christine: could send a "last call for comments" to the mailing list.
17:33:04 <tara_> Nick: sounds reasonable, can get bit more feedback before declaring these done (just like the fingerprinting doc). But can make draft and link from main page.
17:33:35 <tara_> Christine: Nick and I need to check on forting reqs, etc for these items.
17:34:12 <tara_> Frederick: you can send a "call for consensus" on the mailing list, with deadline. If no objections, can go ahead.
17:34:53 <fjh> the text of CfC can say what you plan and that lack of response implies agreement, but explicit agreement is preferred
17:34:58 <tara_> Frank: for timing--I don't what January date is for PING call...but for last call, want to use period between now and next call to get revision out. Then if people on next call agree, we can publish after that.
17:35:29 <tara_> Frank: holidays and such will slow things down between now and January, in all likelihood.
17:36:02 <tara_> Christine: Nick will provide you with his comments, Frank updates, sends out, we send call for consensus after next call.
17:36:11 <fjh> example : http://lists.w3.org/Archives/Public/public-device-apis/2013Aug/0054.html
17:36:36 <fjh> s/example/CfC example/
17:37:07 <tara_> Can use same basic process for now across these drafts/working group notes.
17:37:41 <tara_> Nick would still like more feedback before going for consensus...but the basic process sounds good.
17:37:55 <fjh> process -> http://www.w3.org/2005/10/Process-20051014/tr.html#q78
17:38:03 <tara_> Christine: Nick, would you like to get expert review in next phase?
17:38:34 <tara_> Next Jan: we assume drafts are ready for discussion in Jan call.
17:38:56 <tara_> Privacy Considerations -- our "homework": read drafts and provide feedback!
17:39:11 <npdoty> I have notes on paper on that one as well, which I'll send around to Hannes and public-privacy.
17:39:18 <tara_> Chairs strongly encourage you to comment.
17:39:18 <fjh> q+
17:39:31 <npdoty> ack fjh
17:39:56 <tara_> fjh: discussion of Network Service Discovery draft on January call?
17:40:25 <tara_> Fjh: would like editor to come to that call to give overview.
17:40:39 <christine> 5. Web standards and surveillance (what can PING do?)
17:40:39 <tara_> Christine: yes, sounds good, will be on agenda.
17:40:59 <tara_> Let's talk about surveillance!
17:41:19 <tara_> W3C recently announced workshop w/IAB: STRINT.
17:41:42 <wseltzer> https://www.w3.org/2014/strint/
17:42:13 <tara_> Nick, any comments from IETF meeting on this topic?
17:42:49 <tara_> Nick: there was major plenary on surveillance at IETF, plus meetings during the week on this.
17:43:24 <tara_> Nick: IETF has taken seriously the notion that pervasive monitoring is a threat to be addressed formally.
17:43:37 <tara_> So many working groups have taken this on as a task.
17:44:12 <tara_> Also - how to handle this in reviews. Especially after the NIST issue, there was discussion about how much review is necessary to try to avoid subversion in standards process.
17:44:56 <tara_> Might need to increase the reviews. And might now be able to assume that these types of attacks are present - not a hypothetical anymore.
17:45:13 <npdoty> IETF consensus hums: http://www.ietf.org/mail-archive/web/ietf/current/msg83857.html
17:45:20 <tara_> Christine: agrees with overview of the tone at the IETF meeting.
17:46:14 <tara_> Christine: wanted to ensure that the protocols were getting sufficient expert review. The web also a juicy target full of data. So is opportunity for PING & W3C to take active steps to improve robustness of standards against surveillance threat.
17:46:31 <tara_> Underscores importance of privacy reviews in standards bodies such as ours.
17:46:43 <wseltzer> q+
17:47:01 <tara_> Lot of experts putting thought into how to improve protocol and give protection against monitoring/interception.
17:47:14 <fjh> q?
17:47:35 <tara_> Wendy: the scale of surveillance is now known, so this changes assessment of threat and countermeasures.
17:48:16 <tara_> Things that would have been seen as overkill on a small-scale attack are now perhaps more relevant to stop large-scale threat.
17:48:46 <tara_> Making monitoring more evident, or making hidden monitoring less possible, are also necessary steps.
17:48:54 <npdoty> +1 for detectability
17:49:16 <tara_> Christine: NIck's fingerprinting work definitely relevant here.
17:49:36 <tara_> Christine: as a group, we need to be thinking (in general) about how to address these issues.
17:49:44 <tara_> Will be an ongoing conversation.
17:49:45 <wseltzer> q+
17:50:28 <christine> Questions for the workshop
17:50:31 <christine>      What are the pervasive monitoring threat models, and what is their effect on web and Internet protocol security and privacy?     What is needed so that web developers can better consider the pervasive monitoring context?     How are WebRTC and IoT impacted, and how can they be better protected? Are other key Internet and web technologies potentially impacted?     What gaps exist in current tool sets and operational best practices that could addr[CUT]
17:50:36 <christine> ....
17:50:39 <tara_> Wendy: workshop is part of EU project, so some of goals are to build some case studies on security (internet and web).
17:51:06 <tara_> Wendy: there's a technical mandate. One PING-relevant question would be "how do security and privacy relate?"
17:52:12 <tara_> Wendy: looking at a couple of different scales necessary...across specs, and also details in specific specs (eg. tweaks) to strengthen against attacks.
17:52:24 <tara_> Wendy: look it over. You are encouraged to submit a paper.
17:53:04 <tara_> Christine: privacy considerations work could feed into this process, of looking at design principles for pro-privacy web standards.
17:53:27 <npdoty> ack wseltzer
17:53:49 <npdoty> http://www.w3.org/Security/wiki/IG
17:53:50 <tara_> Wendy: if PING people are also interested in security and are not in Web Security Interest Group, there is a news chair - Virginie Galindo.
17:54:17 <wseltzer> -> http://www.w3.org/Security/wiki/IG WebSec Interest Group
17:54:23 <tara_> This group does security reviews, so PING members might be able to help out there as well, given their expertise.
17:54:51 <tara_> Christine: we might be able to find a way to dovetail the review process for privacy and security reviews?
17:55:06 <tara_> Will be an item for 2014 -- coordinating our work.
17:55:19 <wseltzer> fjh: https://www.w3.org/2014/strint/participate.html has participation info for the STRINT workshop
17:55:28 <wseltzer> s/fjh:/fjh,/
17:55:39 <npdoty> +1 on coordinating or combining security and privacy reviews, given the lack of resources
17:55:49 <christine> AOB?
17:56:31 <npdoty> January 23rd?
17:57:09 <tara_> Sounds like Jan 30th works best, at usual time.
17:57:10 <npdoty> January 30th, at the usual time
17:57:23 <tara_> Thanks, all!
17:57:43 <Zakim> -fjh
17:57:46 <Zakim> -yrlesru
17:57:46 <Karima> Thanks Christine buy !
17:57:47 <Zakim> -npdoty
17:57:48 <Zakim> -tara
17:57:49 <Zakim> -Wendy
17:57:51 <Zakim> -christine
17:57:56 <npdoty> Zakim, list attendees
17:57:56 <Zakim> As of this point the attendees have been +1.469.242.aaaa, FabGandon, tara, christine, npdoty, yrlesru, Wendy, +1.781.362.aabb, fjh
17:58:00 <npdoty> rrsagent, please draft the minutes
17:58:00 <RRSAgent> I have made the request to generate http://www.w3.org/2013/12/05-privacy-minutes.html npdoty
17:58:14 <yrlesru> yrlesru has joined #privacy
18:05:00 <Zakim> disconnecting the lone participant, FabGandon, in Team_(privacy)17:00Z
18:05:02 <Zakim> Team_(privacy)17:00Z has ended
18:05:02 <Zakim> Attendees were +1.469.242.aaaa, FabGandon, tara, christine, npdoty, yrlesru, Wendy, +1.781.362.aabb, fjh