15:54:05 <RRSAgent> RRSAgent has joined #privacy
15:54:05 <RRSAgent> logging to http://www.w3.org/2014/04/24-privacy-irc
15:54:07 <trackbot> RRSAgent, make logs 263
15:54:09 <trackbot> Zakim, this will be
15:54:09 <Zakim> I don't understand 'this will be', trackbot
15:54:10 <trackbot> Meeting: Privacy Interest Group Teleconference
15:54:10 <trackbot> Date: 24 April 2014
15:54:12 <npdoty> rrsagent, make logs public
15:54:17 <npdoty> Zakim, this will be PING
15:54:17 <Zakim> ok, npdoty; I see Team_(privacy)16:00Z scheduled to start in 6 minutes
15:54:30 <tara> tara has joined #privacy
15:56:15 <rigo> rigo has joined #privacy
15:56:28 <rigo> zakim, code?
15:56:28 <Zakim> the conference code is 7464 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), rigo
15:57:40 <Zakim> Team_(privacy)16:00Z has now started
15:57:47 <Zakim> +[Microsoft]
15:57:58 <Zakim> +[Apple]
15:58:17 <tara> Zakim, [Apple} is me
15:58:17 <Zakim> sorry, tara, I do not recognize a party named '[Apple}'
15:58:25 <plh> plh has joined #privacy
15:58:26 <tara> Zakim, Apple is me
15:58:26 <Zakim> +tara; got it
15:59:21 <Zakim> +Wendy
15:59:27 <wseltzer> zakim, who is here?
15:59:27 <Zakim> On the phone I see [Microsoft], tara, Wendy
15:59:29 <Zakim> On IRC I see plh, rigo, tara, RRSAgent, tobint, Zakim, npdoty, TallTed, trackbot, wseltzer
15:59:38 <Zakim> +Plh
16:00:05 <wseltzer> zakim, Microsoft has tobint
16:00:05 <Zakim> +tobint; got it
16:00:07 <christine> christine has joined #privacy
16:00:45 <Zakim> +[IPcaller]
16:01:04 <christine> Zakim, IPcaller is me
16:01:04 <Zakim> +christine; got it
16:02:08 <erin_kenneally> erin_kenneally has joined #privacy
16:02:53 <Zakim> + +1.408.203.aaaa
16:02:58 <christine> 1. Welcome and introductions 2. Navigation Error Logging [1] 3. Web NFC API [2] (see ND's email at [3]) 4. Re-chartered Geolocation WG and privacy considerations 5. TPAC session? 6. Privacy guidance and process documents 7. AOB
16:03:06 <npdoty> npdoty has changed the topic to: http://lists.w3.org/Archives/Public/public-privacy/2014AprJun/0003.html
16:03:33 <Zakim> +Rigo
16:03:42 <rigo> zakim, mute me
16:03:42 <Zakim> Rigo should now be muted
16:03:46 <Zakim> +[IPcaller]
16:03:54 <plh> zakim, aaaa is Arvind
16:03:54 <Zakim> +Arvind; got it
16:04:01 <Zakim> +npdoty
16:04:07 <christine> We will be starting shortly.
16:04:30 <rigo> Agenda: http://lists.w3.org/Archives/Public/public-privacy/2014AprJun/0005.html
16:04:38 <plh> From Web Performance, we have plh, Tobin Titus, Alois Reitbauer, Arvind Jain
16:05:31 <plh> Editor's draft for Navigation Error Logging: https://w3c.github.io/web-performance/specs/NavigationErrorLogging/Overview.html
16:05:49 <Zakim> -Rigo
16:06:00 <npdoty> chair: tara
16:06:15 <npdoty> Zakim, who is on the phone?
16:06:15 <Zakim> On the phone I see [Microsoft], tara, Wendy, Plh, christine, Arvind, [IPcaller], npdoty
16:06:17 <Zakim> [Microsoft] has tobint
16:06:21 <christine> christine has joined #privacy
16:06:37 <npdoty> scribenick: npdoty
16:07:00 <erin_kenneally_> erin_kenneally_ has joined #privacy
16:07:10 <npdoty> tara: welcome all new folks
16:07:28 <christine> http://www.w3.org/TR/2014/WD-navigation-error-logging-20140211/
16:07:30 <npdoty> Topic: Navigation Error Logging
16:07:31 <Zakim> +[Microsoft.a]
16:08:34 <christine> +q
16:08:39 <npdoty> Arvind: chair of the task force on this WG
16:08:45 <terri> terri has joined #privacy
16:09:04 <plh> ack ch
16:09:36 <Zakim> +terri
16:09:47 <npdoty> christine: a fairly general introduction is useful, as many of the PING folks aren't subject matter experts
16:10:01 <npdoty> ... and talk about any privacy questions that have already come up (existing text on privacy and security)
16:10:09 <npdoty> ... and people can jump in with questions
16:10:35 <npdoty> Arvind: what the specification is trying to do
16:11:02 <npdoty> ... providing a way for a Web developer to track any navigation errors their users have experienced in the past going to these pages
16:11:42 <npdoty> ... user visits CNN.com, but for some reason can't reach the page, will store the error
16:12:10 <npdoty> ... later, the CNN.com developer can query on the client-side for those past errors (and if she wants, send those back to the server)
16:12:28 <npdoty> ... making past errors available to a web page on the same origin
16:12:47 <npdoty> ... currently a high-level type of error: network connection, dns resolution, http error
16:13:00 <npdoty> ... no details within those categories yet, but may want to
16:13:56 <npdoty> @@@: no concern with the behavior as you've described it, but what happens with what origin means in the mashup environment?
16:14:12 <Zakim> +[CDT]
16:14:26 <plh> s/@@@/Forbes Higman?/
16:14:35 <npdoty> ... how strict is the origin? what flexibility is there in retrieving errors?
16:14:52 <JoeHallCDT> JoeHallCDT has joined #privacy
16:14:57 <npdoty> Arvind: as a web developer, you have access to navigations made to your origin (hostname-level) in the past
16:15:14 <wseltzer> q+
16:15:16 <npdoty> q+
16:16:45 <christine> +q
16:17:10 <npdoty> q+ about "top-level", different users within an origin, reporting url
16:17:30 <npdoty> Arvind: server would have already had access to it when you tried to access the server before
16:17:36 <Zakim> -npdoty
16:17:40 <npdoty> forbes: might still have a spoofing-type scenario
16:17:48 <tara> q?
16:18:14 <tara> ack wseltzer
16:18:16 <Zakim> +npdoty
16:18:44 <npdoty> Arvind: performance information, don't need to know user configuration
16:19:18 <npdoty> wseltzer: if the user wants to do some client-side transformation of the page (which might cause errors), the user might not want them sent back to the server, like proxy information
16:19:40 <wseltzer> [What would this reveal about a Tor browser user?]
16:19:51 <npdoty> Arvind: for transformation, the navigation would have succeeded anyway, right?
16:20:13 <Zakim> + +44.793.550.aabb
16:21:04 <npdoty> wseltzer: I might not be able to connect, because I explicitly tried to prevent connections for privacy purposes, like not loading scripts as a Tor browser bundle user -- it would be unfortunate if that were undone after I turned off that mode
16:21:31 <npdoty> Arvind: interesting. are there other use cases like that?
16:21:49 <npdoty> wseltzer: thanks for the introduction. how will this interact with Content Security Policy?
16:22:56 <npdoty> Arvind: we haven't talked about CSP as much; others should feel free to jump in
16:23:09 <npdoty> ... CSP takes effect after the page is successfully navigated to
16:23:11 <tobint> q+ Forbes has a question about the nature of the data returned.
16:23:19 <tobint> q+
16:23:39 <npdoty> wseltzer: will invite for some follow-up discussion. does this expand attack surfaces?
16:24:07 <tara> ack npdoty
16:24:51 <tara> Q: does full URL get logged, or just domain?
16:24:55 <christine> Nick: Does the specification reveal the URL that failed to load?
16:25:00 <wseltzer> npdoty: three things; we talked about top-level navigation, you'd know the URL that failed to load?
16:25:15 <christine> (Thanks Wendy)
16:25:31 <christine> Arvind: yes
16:26:46 <christine> Nick: Cases where origin does not match up - possible attack
16:27:02 <christine> Arvind: Our assumption is to follow the standard origin concept
16:27:27 <christine> Nick: I don't have an answer yet, just raising the problem
16:27:44 <christine> Nick: Actively "phone-home" when an error occurs?
16:28:12 <Zakim> +Rigo
16:28:23 <christine> Arvind: Yes. Real-time is possible via the reporting mechanism. Follows the model of the CSP/same mechanism.
16:29:56 <christine> Nick: If someone visits my webpage on the uni domain, use some javascript, I could have repots backs from anyone who visits a university webpage?
16:30:40 <christine> Nick: I could watch someone browsing pages
16:31:23 <christine> Nick: Is there a use case for a cofigurable URL?
16:32:07 <christine> Nick: /wellknown?
16:32:19 <npdoty> this could be mitigated if there were a single well-known reporting URL at the domain level, rather than configurable by JavaScript
16:32:21 <JoeHallCDT> JoeHallCDT has joined #privacy
16:32:22 <christine> Arvind: can restrict the report URI to the specific report pattern
16:32:28 <npdoty> like under /.well-known
16:32:39 <christine> Arvind: Are there other examples where this has been done?
16:33:14 <npdoty> rfc 5785
16:33:36 <christine> Arvind we send out an informal chairs summary - we'll include a link
16:33:41 <npdoty> https://tools.ietf.org/html/rfc5785 is the RFC for well-known
16:34:11 <tara> ack christine
16:35:07 <npdoty> christine: in case of error, do you just learn the page that the error was on or other header information?
16:35:17 <npdoty> arvind: just the page and type of error, not the Referer, for example
16:35:52 <tara> ack tobint
16:35:59 <JoeHallCDT> JoeHallCDT has joined #privacy
16:36:07 <npdoty> [setting a reportUrl also allows you to include a unique number in order to re-identify a user on a future visit]
16:36:25 <npdoty> forbes: is anything revealed about the network configuration of the user agent?
16:36:50 <plh> q+
16:37:15 <npdoty> arvind: currently just an enum of high-level types (ssl error, dns error) -- could we additionally include more detail about why the DNS failed, the error code, say
16:38:00 <npdoty> forbes: just wanted to confirm that that wasn't currently included. would be an interesting set of additional discussions
16:38:04 <tara> ack plh
16:38:30 <tobint> q+
16:38:40 <npdoty> plh: anne reported specifically not giving more detailed error information on exit for privacy/security reasons, but not sure of the detailed reasoning
16:38:50 <Zakim> -Arvind
16:39:21 <npdoty> forbes: the conclusion we came to was that's an involved discussion for each error type, in case there was sensitive information in a particular error type
16:39:43 <npdoty> ... certainly something we would want to help with
16:40:22 <npdoty> tobint: errors just on the initial document, or also on subresources? like a CORS error in loading/not loading a javascript file
16:40:43 <Zakim> + +1.650.253.aacc
16:40:53 <christine> q+
16:41:13 <npdoty> ack tobint
16:41:40 <npdoty> arvind: only the root page
16:41:46 <rigo> q+
16:42:04 <rigo> ack christine
16:42:05 <npdoty> [also didn't understand that from the spec, so thanks for clarifying. I'm curious how "root page" is defined]
16:42:07 <plh> from this discussion, I raised two issues so far: https://www.w3.org/2010/webperf/track/products/12
16:42:30 <npdoty> christine: thanks Web Performance folks for coming and talking
16:43:03 <npdoty> ... just raising some questions here, but I think a lot of us would like to think more about it. what would be the best way to communicate going forward?
16:43:32 <npdoty> plh: raised a couple issues in webperf tracker already, we can discuss in WG and come back
16:43:51 <npdoty> ... didn't raise one on CSP yet, but maybe after Wendy has more details
16:44:28 <npdoty> christine: Web Perf can discuss internally and come back, and we can think more in parallel and compare notes
16:44:30 <Zakim> - +1.650.253.aacc
16:44:31 <wseltzer> thanks Arvind and web-perf team
16:44:49 <tara> Yes, thanks very much!
16:45:18 <npdoty> rigo: numerous cases where error reports have been included and the application phones home -- have been privacy/security incidents
16:45:30 <npdoty> ... phoning home without user knowledge often causes pushback
16:45:47 <npdoty> ... description or best practice on getting permission from the user to phone home with the error
16:46:12 <plh> isn't that issue 15 now: https://www.w3.org/2010/webperf/track/issues/15 ?
16:46:14 <npdoty> ... an API that doesn't have a way to ask for permission could create problems in legal areas
16:46:56 <npdoty> plh: similar to wseltzer earlier on giving a user a way to block error reporting; have an issue on that now
16:47:34 <npdoty> rigo: not just a user capability of blocking, but in EU would have to make people aware that it's active;
16:47:41 <npdoty> ... might be up to the UA implementer
16:47:49 <npdoty> ... should at least give developers a hint that this is an issue
16:48:30 <npdoty> plh: will talk within Web Perf. already have the case where a UA loads a page and then subresources from around the Web
16:49:11 <npdoty> Topic: NFC
16:49:14 <Zakim> -Plh
16:49:20 <Zakim> -[Microsoft.a]
16:49:35 <npdoty> http://www.w3.org/TR/2014/WD-nfc-20140114/
16:49:37 <christine> +q
16:49:51 <wseltzer>  ack rigo
16:50:00 <Zakim> -[Microsoft]
16:51:43 <tara> ack christine
16:52:11 <npdoty> npdoty: just noting that this API exists and might have interesting privacy questions
16:52:21 <npdoty> christine: Hannes, have you been looking at NFC tech?
16:53:13 <npdoty> hannes: more interested in Bluetooth LE as it seems to have more uptake than NFC tags have had -- might be a place to focus our attention
16:53:49 <npdoty> christine: trying to find someone to be a champion
16:54:57 <npdoty> npdoty: could talk to sysapps group about what specifications are being worked on in that area
16:55:38 <npdoty> Topic: Geolocation
16:56:00 <npdoty> christine: didn't invite anyone yet, just asking what's the best next step
16:56:11 <npdoty> wseltzer: have just rechartered the geolocation WG
16:56:25 <npdoty> ... chair reached out to ask about working with PING on privacy considerations early on
16:56:43 <npdoty> ... inviting the chair and others to a call would be a good way to start
16:57:01 <wseltzer> -> https://www.w3.org/2014/04/geo-charter Geolocation WG Charter
16:57:08 <npdoty> christine: try to set it up for next call
16:57:14 <npdoty> tara: great to have the discussions early on!
16:57:43 <npdoty> Topic: Next meetings
16:57:49 <wseltzer> -> http://www.w3.org/2014/11/TPAC/ TPAC 2014
16:57:54 <npdoty> tara: we could meet at TPAC in Santa Clara in October
16:58:04 <wseltzer> q+
16:58:16 <tara> ack wseltzer
16:58:17 <npdoty> christine: either have a PING-sponsored session
16:58:58 <npdoty> wseltzer: TPAC is the last week of October. plenary day will have a Symposium (about anniversary) and open plenary discussions on Wednesday
16:59:22 <JoeHallCDT> I'm going to be looking at the guidance document in the next few weeks
16:59:27 <npdoty> tara: any urgent comments on documents?
16:59:32 <christine> +q
16:59:50 <JoeHallCDT> I have to leave this call immediately though, so maybe Hannes and I can talk with others?
16:59:53 <npdoty> JoeHallCDT, Hannes -- I'm overdue in sending my comments on guidance as well
16:59:59 <JoeHallCDT> sry, g2g
17:00:04 <Zakim> -[CDT]
17:00:06 <tara> Thanks, Joe!
17:00:29 <npdoty> christine: [relaying IRC comments]
17:00:47 <npdoty> ... add my hope to send some time in near future to review these documents. not forgotten!
17:01:13 <npdoty> ... small group to work on it?
17:01:27 <npdoty> tara: any conflicts for Thursdays at the end of May?
17:01:32 <christine> 22  or 29 okay, 29 better
17:01:47 <npdoty> May 29th tentatively our next meeting, let us know of any conflicts
17:02:03 <Zakim> -[IPcaller]
17:02:04 <Zakim> -Rigo
17:02:08 <Zakim> -Wendy
17:02:09 <Zakim> -npdoty
17:02:12 <Zakim> -christine
17:02:14 <Zakim> - +44.793.550.aabb
17:02:15 <Zakim> -tara
17:02:20 <npdoty> Zakim, list attendees
17:02:20 <Zakim> As of this point the attendees have been tara, Wendy, Plh, tobint, christine, +1.408.203.aaaa, Rigo, [IPcaller], Arvind, npdoty, [Microsoft], terri, [CDT], +44.793.550.aabb,
17:02:23 <Zakim> ... +1.650.253.aacc
17:02:25 <Zakim> -terri
17:02:26 <Zakim> Team_(privacy)16:00Z has ended
17:02:26 <Zakim> Attendees were tara, Wendy, Plh, tobint, christine, +1.408.203.aaaa, Rigo, [IPcaller], Arvind, npdoty, [Microsoft], terri, [CDT], +44.793.550.aabb, +1.650.253.aacc
17:02:29 <plh> plh has left #privacy
17:02:31 <npdoty> Present+ Hannes
17:02:34 <npdoty> Present+ Forbes
17:02:41 <npdoty> Zakim, list attendees
17:02:42 <Zakim> sorry, npdoty, I don't know what conference this is
17:02:47 <npdoty> rrsagent, please draft the minutes
17:02:47 <RRSAgent> I have made the request to generate http://www.w3.org/2014/04/24-privacy-minutes.html npdoty
17:03:18 <npdoty> Zakim, bye
17:03:18 <Zakim> Zakim has left #privacy
17:03:21 <npdoty> rrsagent, bye
17:03:21 <RRSAgent> I see no action items