W3C

- DRAFT -

Privacy Interest Group Teleconference

02 Oct 2014

See also: IRC log

Attendees

Present
+1.650.618.aaaa, +1.613.304.aabb, +1.613.304.aacc, npdoty, +1.510.701.aadd, christine, tara, maryhodder, yrlesru, Katie_Haritos-Shea, Joanne
Regrets
wseltzer
Chair
runnegar, tara
Scribe
npdoty

Contents


<trackbot> Date: 02 October 2014

<yrlesru> Hei Nick. I think I am the 650 number.

<tara> 1. Welcome and introductions 2. PING @ TPAC 3. Updates on current work/action items 4. Web privacy news/issues 5. AOB

<christine> Agenda item 1 - Welcome and introductions

<scribe> scribenick: npdoty

Introductions

<tara> Thanks, Nick!

<christine> Would someone be kind enough to volunteer to scribe?

<christine> Thanks Nick!

Steve Olshansky, Internet Society, work in privacy and security. met f2f at an IETF BOF

<christine> Steve Olshansky

Mary Hodder, joined one early call but haven't been back because of schedule conflicts

maryhodder: have been following mailing lists and attending workshops. working now on Open Notice and Consent Receipts
... IDESG, working on NSTIC for Department of Commerce

TPAC

tara: PING planning to meet at TPAC at the end of October
... reminder, again, to register. will follow up on the mailing list.

<yrlesru> Are Halloween costumes required?

christine: we have time set aside on October 31st, costume optional

<yrlesru> Some of us are sufficiently spooky...

christine: look at the guidance documents
... have asked for a bit of time at the chairs meeting to let them know about PING work
... and can have a breakout session during the unconference time on Wednesday
... should put together a snazzy description and title so that we'll have lots of participation
... would appreciate some creative volunteer to help with that description

tara: hoping to see a number of you at TPAC meetings

<christine> Is anyone on the call planning to be at TPAC?

Work Item updates

<christine> Nick gave some preliminary results of his research into privacy reviews in IETF and W3C at the Telecommunications Policy Research Conference recently

still early in that work, but hopefully I can share some results with you all

https://npdoty.name/tprc42/

<christine> Thanks Nick

katie: took the recommendation to review IETF documents on webrtc, and then look at the media streams documents directly
... 1) was there a ping review in the first place that covered the media capture and streams draft itself?
... the specific one was mediastream recording, a recording API to be used for media streams
... media capture task force asked for a privacy review. not sure if it was specifically about technical details of that spec, or concerns about surveillance/video capture in general
... so I did the more specific review of the spec for privacy and security vulnerabilities
... 1) having a common privacy and security considerations sections added to the spec
... these specs are APIs, to enable scripting
... 2) what the recommendations would be if this API/stream were accessed over the web? vs. using the API between devices within a firewalled network?
... assuming it would be used over the Web generally, what is the level of security or privacy we would want there

<christine> Is Frederick on the call?

Katie's email: http://lists.w3.org/Archives/Public/public-privacy/2014OctDec/0004.html

Katie: would be far fewer considerations if this wasn't Internet/Web-accessible
... would want to ensure that only authenticated entities could access the data
... ensure that it was delivered only over HTTPS
... authentication of the servers (TLS)
... identity providers
... peer connection (RTC) to allow binding identity but also to allow anonymous communication
... clients should treat HTTP and HTTPS origins as different
... implementations should get explicit user consent

<tara> The "Media Capture and Streams" used to be called GetUserMedia, yes?

Katie: IP location privacy

<tara> That was definitely reviewed.

Katie: individual consent vs. cryptographic consent

<Zakim> npdoty, you wanted to agree on Web-access

npdoty: +1 on Web access
... and an active point of discussion about HTTPS-origin requirement for certain sensitive APIs
... including geolocation. would be good to coordinate discussion

tara: will find the getUserMedia review to share (name change)

<yrlesru> +1 to kudos to Katie

christine: a big thank you to Katie!

+1 from the scribe, great work

<tara> Yes, thanks!

scribe: thoughtful and lots of effort
... would be good to connect with fjh
... could invite Media Capture Task Force folks to a call, so we can iteratively talk these through

katie: that works for me

yrlesru: +1 on good work on review
... have provided the recommendations/finding. could you walk us through the steps you went through in the analysis?
... re: getUserMedia, wasn't an expert in webrtc to begin with, the approach I took was a la a Privacy Impact Assessment
... scope what doing, summarized a description of what the spec does, looked at the privacy data lifecycle (collection, processing, storage, maintain)
... for each of those, looked for gaps or vulnerabilities
... ended with recommendations. (that's what you have provided on this spec.)

katie: in lieu of completed guidance, I didn't take a full privacy impact assessment approach. I'm used to reviewing specs for accessibility
... wanted to find out the basic requirements for security/privacy
... read the original spec, and then the sub-spec
... would be nice to see something else that we've done to use as a model

<yrlesru> Well, I bet you get more feedback than I did :-)

katie: have been involved in maybe 20 reviews at w3c in the past, but very different audience

<yrlesru> Thanks.

tara: would like to be helpful where we can, since you've clearly done a lot of useful work here

Status of reviews

christine: two other outstanding, IndieUI with Katie and Joe
... other was Encrypted Media Extensions, with Wendy (also regrets for this call)

katie: no progress with Joe on the IndieUI, need to follow up

could potentially talk at TPAC

katie: would really like the external review on IndieUI, I may be too close to it to be objective

News and events

summary of some recent events

email from Frank re: IPEN, http://lists.w3.org/Archives/Public/public-privacy/2014OctDec/0003.html

yrlesru: just before, there was an IAPP / NIST workshop in San Jose, their second in a series
... they have a set of questions asking for feedback on their approach to privacy
... Nokia has put together a whitepaper of recommendations of "privacy engineering and assurance"
... not just about engineering, baking it into the product, but, like security, requires steps to make sure they have been implemented
... sent the whitepaper to public-privacy, so you can review as well
... some resonance at IPEN workshop (European audience)
... IPEN met at the historic Berlin state parliament building
... audience many European Data Protection Supervisors, and some academics
... some NGOs/consumer advocates in Europe. a few industry folks
... support for the idea of privacy engineering, but not a lot of concrete details about how to do it
... Data Protection Supervisors are starting to build technology shops internally. becoming privacy engineers on their own side
... CNIL wanted to measure which features are applications using and whether it's part of the primary use
... ... e.g. the flashlight app that gathers and shares lots of data
... ... technical work that included engineering. privacy penetration testing, essentially
... ... or privacy forensics
... OWASP talking about top ten privacy risks, an analog from their security list
... Hannes gave a good presentation on doing privacy considerations of Internet protocols
... I presented Nokia's work on trying to make a systematic approach
... pressure in both EU and US to do something on privacy engineering
... need to do this engineering with privacy and security taken into account

tara: thanks, great to hear that feedback
... NIST is having a webcast (just in a couple hours) to present their overview again of privacy engineering
... asking for comments until October 10

http://lists.w3.org/Archives/Public/public-privacy/2014JulSep/0045.html

http://www.w3.org/2014/privacyws/

<yrlesru> Can we pole for participants at TPAC? I will be there Wed & Fri.

<tara> I will be there those days, too.

<yrlesru> Air Berlin...

katie: wish there were a cheaper way to get to Berlin :)

<yrlesru> Yes.

<yrlesru> Also make sure to take a currywurst at WITTY'S

christine: reminders: input on the privacy guidance documents
... following TPAC, there will be an IETF meeting and will try to organize a PING at IETF meeting

<yrlesru> Right across from KaDeWe department store with gourmet food court on top floor. Wirttenberg Platz.

christine: schedule our next call

<yrlesru> +1 November early

<yrlesru> -1 Right TPAC

December 4?

<yrlesru> +1 4.12

tentatively, December 4th. will check for conflicts.

yes, please register for TPAC if you haven't already: http://www.w3.org/2014/11/TPAC/

<yrlesru> Christine & Tara. For TPAC, I wonder if we can have a single graphic of W3C spec process and underneath the activities and processes...

<Ryladog> I will be at TPAC

<yrlesru> ... That ought to be done at those stages.

<yrlesru> I can assist Nick + Chairs to develop

Nick: sounds good to me.

<Ryladog> Next Call is December 4th or 14th?

yrlesru: what should you think about at each stage of the spec development process?

<yrlesru> Great call this month!

tara: if nothing else, adjourned.

trackbot, end meeting

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014/10/02 16:59:00 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/@@/Olshansky/
Found ScribeNick: npdoty
Inferring Scribes: npdoty
Default Present: +1.650.618.aaaa, +1.613.304.aabb, +1.613.304.aacc, npdoty, +1.510.701.aadd, christine, tara, maryhodder, yrlesru, Katie_Haritos-Shea, Joanne
Present: +1.650.618.aaaa +1.613.304.aabb +1.613.304.aacc npdoty +1.510.701.aadd christine tara maryhodder yrlesru Katie_Haritos-Shea Joanne
Regrets: wseltzer
Found Date: 02 Oct 2014
Guessing minutes URL: http://www.w3.org/2014/10/02-privacy-minutes.html
People with action items: 

[End of scribe.perl diagnostic output]