Privacy Interest Group Teleconference

26 Jun 2014




[Apple], +, [CDT], +44.793.550.aabb, npdoty, christine


<trackbot> Date: 26 June 2014

<npdoty> chair: christine, tara

<npdoty> volunteers to scribe?

i can

<tara> Thanks!

<tara> Phone is very quiet today...

<Hannes_Tschofenig> Nick, did you notice that I sent you a pull request?

thanks for coming!

<tara> http://www.w3.org/Privacy/

the privacy activity page for PING has been updated!

woo! thanks, Nick

<npdoty> (rebeccapurple logo for the time being)

<tara> https://w3c.github.io/privacy-considerations/

let the chairs know if you see things missing or that should be there

privacy considerations document is now in github

<npdoty> Hannes_Tschofenig, no, I didn't notice! sorry I missed that

Hannes, Nick, Joe and Christine will work in a privacy task force to hammer out this document over the year


Christine: please volunteer to join this task force to work on this document

… will be helpful to get your views now in the next couple of weeks

Tara: question about the SPA document

<npdoty> yes, Frank's SPA document is on Github, fwiw: http://yrlesru.github.io/SPA/

hannes: a way to make these not overlap… one on process and one on substance

<npdoty> JoeHallCDT: one potentially confusing thing is that Frank's document is out there and Hannes's is out there too and not clear on the overlap

… this might be a useful separation

… mimics the approach of IETF, with a privacy considerations document and a process document

<tara> ack

<npdoty> Hannes_Tschofenig, which is the IETF-specific process document related to privacy?

Christine: in the Task Force on privacy considerations in the meeting at IETF we should try to triage these two documents...

… and figure out what should go where

<npdoty> +1, sounds good


<christine> Next agenda item - browser fingerprinting guidance

Nick: no updates right now… getting feedback from experts on fingerprinting

… if you know specific people that might want to talk with me (Nick) please reach out


Christine: wanted to ask about who could help… sounds like experts can

… would there be any of those people at the IETF… would it be worthwhile to set up a coffee meeting?

Nick: maybe so. the few people I've talked to, some of them are IETF security people.

<npdoty> JoeHallCDT: Keaton Mowery doing his thesis, might be a good person to connect to

<npdoty> ... DKG, technologist at ACLU, may be at IETF

<npdoty> ... have been talking with Tom Ritter about SNI in TLS, and a concern about fingerprinting there

<christine> Hi. Joe please type in the names after you finish speaking so we know who to follow up with, thanks

<tara> http://www.w3.org/TR/2014/WD-indie-ui-context-20140626/

<christine> next agenda item - IndieUI

and DKG of the ACLU and Tom Ritter of iSec Partners (have been working with them on SNI in TLS and fingerprinting/censorship)

<npdoty> JoeHallCDT: at STRINT workshop, discussion about engineers and technical mechanisms for censorship

<npdoty> ... working on an I-D that might be relevant

<Hannes_Tschofenig> I would find it interesting to take a look at it

<npdoty> yeah, I'm interested!

<tara> Me too!

<npdoty> JoeHallCDT: guidance on the ways that these things have resulted in censorship, etc.

<christine> please do share on the list


<christine> next agenda item - IndieUI

We will share the draft for comment on PING list

IndieUI has proceeded to FPWD

… has anyone looked at this or provided privacy feedback to them?

Christine: would like someone to volunteer to look at this.

… 1) we want to do more privacy reviews…

… 2) this group is specifically interested in getting privacy issues right.

… James Craig posted a message on Geoloc and IndieUI WG email lists and continued the conversation we had

<tara> IndieUI email: http://lists.w3.org/Archives/Public/public-indie-ui/2014May/0045.html

… Geoloc API currently lacks the ability to specify why a geoloc data point is needed

… one of the concerns that was raised was a potential snooping risk and how do we know if the string comes from the right source

Tara: someone please volunteer!

I would be willing to take a shot at it… but not by myself

Nick: two thoughts

<tara> Thanks, Joe!

<tara> Let's see if we can get you some extra hands.

… one it might be useful to keep track somewhere… a list of documents we're working on and the relevant timeline and people

… the other thing, Christine brought up the geoloc debate

… Nick had this debate on the Geoloc list 5 years ago

… Nick et al. had even done some research

… this seems to keep on coming up

is there any difference between now and then? Still no motivation to fix this?

… we should expect the same pushback when we talk about some of these recurring issues

<npdoty> I think there are some differences, like some OS/platforms have implemented this feature in their native APIs

Tara: maybe have answers to provide on these questions? or is there a process you might recommend for de-ratholing?

… Joe has tentatively volunteered to work on the IndieUI review

<npdoty> JoeHallCDT: having had these discussions over time... how have things changed?

<npdoty> ... having a resource to point to would be useful, but...

<npdoty> ... paper to be presented at USENIX, with Dan Boneh on using the accelerometer as a microphone

<npdoty> ... having a resource for recurring privacy debates is useful. but also, keeping a list of what needs to be changed for privacy issues to be improved

Nick: thanks, will think more

<christine> Web Security Interest Group

Tara: next agenda item, communications/contacts with Web Security Interest Group

Christine: the w3c has a super-group the Web Security Interest Group...

… in the process of trying to improve security in Web applications

<tara> Sister-group. :-)

… (missed some stuff there)

<christine> ➢ The W3C Web Security Interest Group reached out to PING to ask about our working methods. Christine reported that we are still developing our methodology and guidance documents. She also reported that calls with other WGs on particular specifications are very useful

<tara> Next item: Device APIs Working Group

Tara: LC WD of three specs

<tara> http://www.w3.org/TR/2014/WD-vibration-20140619/

<tara> http://www.w3.org/TR/2014/WD-ambient-light-20140619/

… vibration, ambient light event, html media capture

<tara> http://www.w3.org/TR/2014/WD-html-media-capture-20140619/

… returning from CR to LC

… review period ends on 24 July

… we had feedback, at least, for ambient light events

… html-media-capture does have guidance for UA implementation around privacy

Christine: in case you're wondering why this is on the agenda

… interesting to see how DAP has handled the privacy and security considerations in these documents

… we should try to take a look by the end of the review period

Nick: did any of our advice stick? We should check.

Christine: the privacy and security considerations for html-media-capture may have been normative...

… but a decision may have been made to make them non-normative

… would be useful to figure this out and figure out what happened.

… useful learning exercise.

… concerned personally about the privacy implications of media-capture, not sure what went on there.

<tara> Next item - TPAC

Tara: TPAC is upcoming and registration is open

<tara> http://www.w3.org/2014/11/TPAC/

… we do have a meeting slot arranged for Friday at TPAC

… please get in touch with chairs for agenda items

… similarly, with IETF 90, may want to do another informal face-to-face

+1 on IETF f2f

<tara> - The IAB has created a combined Privacy and Security Program [8]

<tara> http://www.iab.org/activities/programs/privacy-and-security-program/

Christine: the IAB already had a privacy program, which developed RFC 6973

… subsequently created a security program… decided to combine the two programs

<tara> https://datatracker.ietf.org/meeting/90/agenda.html

Tara: preliminary agenda for IETF 90 is available ^^^

<christine> Please send us an email if you would like to join a face-to-face at IETF

<npdoty> JoeHallCDT: Riley, 9-0, SCOTUS, yay!

<christine> Joe could you put a link to the judgment in IRC

<npdoty> "search incident to arrest"

<tara> This might help: http://www.scotusblog.com/2014/06/get-a-warrant-todays-cellphone-privacy-decision-in-plain-english/

and EPIC!

they were cited twice

us just once

thanks, Tara!


Npdoty: the Web Perf WG, announced LC on beacon

<npdoty> http://www.w3.org/TR/2014/WD-beacon-20140624/

… there is lots of analytics code that watches what a user does

… when you leave the page, they send that back to the server

… have been using an ad-hoc thing to prevent the page from closing

… they want a "send this at some point" kind of functionality

… rather than just on page close

… seems likely to get implemented and be better than the hacks used now

… there are no privacy and security considerations, seems like there might be some

<npdoty> LC comments are open until 29 July

Christine: would you feel comfortable sending a pointer to the spec and your notes to the email list


… would be great to encourage PING discussion on this

npdoty: can do

Tara: definitely can encourage a bit more reflection and review

npdoty: html5 has gone back to LC

… was at LC, then they went to CR, now back to LC

… might be good to do a joint review with Web Security IG on this

Tara: how do we start to understand the HTML5?!

npdoty: it's big. there is a section on privacy concerns.

… start there

<npdoty> their "Privacy concerns" section: http://www.w3.org/TR/html5/introduction.html#fingerprint

<npdoty> as you can see from the fragment identifier, it refers a lot to fingerprinting considerations

<christine> Next call?

<christine> Could we do after IETF? 30 /7

7/20-7/25 is IETF

<npdoty> IETF 90 is July 20-25

<christine> Oops 31/7

CDT staff retreat on 31 July

but I can skip

this call

<npdoty> 31 July sounds good to me


31 July at regular time

<christine> thanks, bye

<Karima> thanks bye !

<npdoty> trackbot, end meeting

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-06-26 19:17:28 $

Scribe.perl diagnostic output

Default Present: [Apple], +, [CDT], +44.793.550.aabb, npdoty, christine
Present: [Apple] + [CDT] +44.793.550.aabb npdoty christine
Regrets: Frank
Agenda: http://lists.w3.org/Archives/Public/public-privacy/2014AprJun/0021.html
Found Date: 26 Jun 2014
Guessing minutes URL: http://www.w3.org/2014/06/26-privacy-minutes.html
People with action items: 

[End of scribe.perl diagnostic output]