16:50:44 <RRSAgent> RRSAgent has joined #privacy
16:50:44 <RRSAgent> logging to http://www.w3.org/2014/12/04-privacy-irc
16:50:46 <trackbot> RRSAgent, make logs 263
16:50:46 <Zakim> Zakim has joined #privacy
16:50:48 <trackbot> Zakim, this will be
16:50:49 <trackbot> Meeting: Privacy Interest Group Teleconference
16:50:49 <trackbot> Date: 04 December 2014
16:50:50 <Zakim> I don't understand 'this will be', trackbot
16:50:56 <npdoty> Zakim, this will be PING
16:50:57 <Zakim> ok, npdoty; I see Team_(privacy)17:00Z scheduled to start in 10 minutes
16:50:59 <npdoty> rrsagent, make logs public
16:56:00 <christine> christine has joined #privacy
16:56:25 <npdoty> chair: christine, tara
16:56:48 <Zakim> Team_(privacy)17:00Z has now started
16:56:55 <Zakim> +[IPcaller]
16:57:14 <christine> Zakim, IPcaller is me
16:57:14 <Zakim> +christine; got it
16:58:01 <bhill2> bhill2 has joined #privacy
16:58:02 <Zakim> + +1.650.944.aaaa
16:58:06 <Zakim> +npdoty
16:58:09 <wseltzer> regrets+ wseltzer
16:58:18 <tara> tara has joined #privacy
16:58:32 <christine> regrets+ fjh, frank
16:58:42 <Zakim> +Katie_Haritos-Shea
16:58:43 <npdoty> npdoty has changed the topic to: Privacy Interest Group; agenda, December 4: http://lists.w3.org/Archives/Public/public-privacy/2014OctDec/0042.html
16:58:52 <Ryladog> Ryladog has joined #privacy
16:59:14 <Zakim> +BHill
16:59:14 <npdoty> regrets+ karima
17:00:59 <Zakim> +[IPcaller]
17:01:10 <kodonog> kodonog has joined #privacy
17:01:11 <melinda> melinda has joined #privacy
17:01:13 <npdoty> Zakim, who is on the phone?
17:01:13 <Zakim> On the phone I see christine, +1.650.944.aaaa, npdoty, Katie_Haritos-Shea, BHill, [IPcaller]
17:01:35 <npdoty> Zakim, aaaa is maybe tara
17:01:35 <Zakim> I don't understand 'aaaa is maybe tara', npdoty
17:01:41 <npdoty> Zakim, aaaa may be tara
17:01:41 <Zakim> +tara?; got it
17:01:43 <Zakim> + +1.857.209.aabb
17:01:52 <tara> Yes, that is right, Nick.
17:01:56 <Zakim> +karen_oDonoghue
17:02:15 <Christian> Christian has joined #privacy
17:02:55 <christine> Agenda item 1 - Welcome and Introductions
17:03:04 <christine> Christine Runnegar, co-chair
17:03:08 <npdoty> christine, tara -- in AOB, I can talk briefly about charter extension approved by w3c
17:03:48 <tara> In AOB I have a item from Mike West on spec review.
17:04:02 <tara> Tara Whalen, co-chair
17:04:03 <Zakim> + +44.793.550.aacc
17:04:05 <npdoty> scribenick: npdoty
17:04:17 <npdoty> tara: any newcomers to our Privacy Interest Group calls?
17:04:25 <Zakim> +Joanne
17:04:59 <npdoty> melinda: Melinda Shore, consultant for Verisign on DNS projects; active in IETF. was at STRINT workshop in London
17:05:23 <JoeHallCDT> JoeHallCDT has joined #privacy
17:05:28 <Joanne> Joanne has joined #privacy
17:05:38 <npdoty> Christian: Christian Hague, student at Harvard University, studying computer science and privacy; Berkman Center
17:05:47 <npdoty> ... looking at privacy and online education platform
17:05:59 <Zakim> + +1.202.407.aadd
17:06:19 <npdoty> kodonog: Karen Donoghue, ISOC, might be new or not. active in Web Crypto and IETF work
17:06:25 <npdoty> Zakim, aadd is JoeHallCDT
17:06:25 <Zakim> +JoeHallCDT; got it
17:06:50 <npdoty> hannes: not new, but welcome back.
17:07:25 <JoeHallCDT> Heard through the grapevine that Tara's at Google now… :)
17:07:37 <christine> 2. Moving the work on the privacy considerations document forward - topic for discussion: data minimisation and identifiers'
17:07:52 <npdoty> Topic: privacy considerations: data minimisation and identifiers
17:07:55 <Hannes_Tschofenig> Hannes_Tschofenig has joined #privacy
17:08:04 <npdoty> christine: I'm responsible for putting this one on the agenda
17:08:19 <npdoty> ... had a useful and robust discussion at the TPAC f2f meeting, about the privacy considerations work
17:08:32 <npdoty> ... we all still think it's very important and want to progress it
17:08:59 <Hannes_Tschofenig> how do I put myself on the speaker queue?
17:09:06 <npdoty> ... but it's a big piece of work. could try breaking down into smaller areas, with discussion and raising points, and then add to the privacy considerations
17:09:12 <npdoty> q-
17:09:15 <Hannes_Tschofenig> q+
17:09:32 <Hannes_Tschofenig> (Did I ever mention that I don't like IRC?)
17:09:33 <npdoty> christine: what are the privacy risks or vulnerabilities that might be addressed by web specifications?
17:09:44 <npdoty> ... what are the better ways for using identifiers in web specifications?
17:09:52 <npdoty> ack Hannes_Tschofenig
17:10:07 <npdoty> Hannes_Tschofenig: mentioned interesting discussion at TPAC. are there notes on that discussion?
17:10:09 <npdoty> q+
17:10:44 <npdoty> q-
17:10:56 <npdoty> npdoty: forgot to send around minutes from the f2f meeting (though I did for the breakouts)
17:11:09 <npdoty> action: doty to clean up and send around PING TPAC friday minutes
17:11:10 <trackbot> Created ACTION-11 - Clean up and send around ping tpac friday minutes [on Nick Doty - due 2014-12-11].
17:11:29 <npdoty> christine: identifiers
17:11:47 <npdoty> ... an understanding of how we see identifiers working in the web space, risks/vulnerabilities around those, and how we can do better
17:12:12 <npdoty> q+
17:13:30 <Hannes_Tschofenig> q+
17:13:37 <npdoty> q-
17:14:01 <npdoty> npdoty: should document current state on identifiers, scope and clearing, so that new specifications don't extend that functionality
17:14:04 <npdoty> ack Hannes_Tschofenig
17:14:45 <npdoty> Hannes_Tschofenig: two different audiences. 1) looks at the considerations as a way to improve privacy; 2) those trying to use as much data as possible.
17:15:06 <npdoty> ... for the former group, document details about data minimization are useful
17:15:30 <npdoty> ... document what identifiers there are in the document. WebCrypto identifies a really strong identifier and linkage back to a user identifier
17:15:45 <npdoty> ... data minimization, and documenting what identifiers you pass around and under what circumstances
17:16:39 <npdoty> christine: +1 on usefulness for documenting. re WebCrypto are you mostly talking about key discovery?
17:17:29 <npdoty> Hannes_Tschofenig: the process from FIDO about identifying what data is present in the protocols, how much identification is allowed
17:17:35 <npdoty> ... and specifically biometrics
17:18:12 <npdoty> ... make the right trade-off decisions
17:19:20 <npdoty> christine: one topic we looked at at TPAC, could take general guidance from Privacy Considerations, and other guidance already given: for example, Device APIs document, other documentation from TAG etc.
17:19:51 <npdoty> ... and thinking whether we could as a group and go further than "data minimization is generally good" and give specific guidance about how to implement it for web specifications
17:20:35 <christine> Idea: Specifications SHOULD make it easy for developers and implementers to request as little information data as needed for the intended use (“the minimal data necessary for use”).
17:21:03 <Hannes_Tschofenig> q+
17:22:12 <npdoty> Hannes_Tschofenig: examples from other specifications. for example, FIDO doesn't ever send biometric data to the server, a design decision that rules out certain solutions, but very positive from a data minimization point of view
17:23:04 <npdoty> christine: suggesting a principle about where possible data is stored locally, not shared beyond the UA ..?
17:23:45 <npdoty> Hannes_Tschofenig: in geolocation, API would need to accomodate for users who only want city-level granularity, not just always sharing the highest resolution
17:24:09 <npdoty> q+
17:24:32 <npdoty> christine: does the proposed text cover that case?
17:24:46 <Ryladog> q+
17:24:50 <Hannes_Tschofenig> The text proposed by Christine earlier works for me.
17:25:58 <npdoty> q-
17:26:01 <npdoty> q- Hannes_Tschofenig
17:26:23 <npdoty> npdoty: make it possible, and make it easy, as separate steps
17:26:29 <npdoty> ack Ryladog
17:26:32 <JoeHallCDT> it would be great if whomever is making those noises could stop
17:26:39 <JoeHallCDT> tyvm
17:26:54 <JoeHallCDT> ah, it's a keyboard
17:27:18 <npdoty> Ryladog: regarding accessibility, it's very useful to have geofencing to help users with visibility issues
17:27:22 <npdoty> Zakim, who is making noise?
17:27:33 <Zakim> npdoty, listening for 10 seconds I heard sound from the following: +1.857.209.aabb (20%)
17:27:34 <npdoty> ... need very granular geolocation information, but also want control
17:27:48 <npdoty> Zakim, aabb may be Ryladog
17:27:48 <Zakim> +Ryladog?; got it
17:28:08 <npdoty> christine: any ideas for how to achieve that with architectural design, that would be helpful
17:28:12 <npdoty> q?
17:29:02 <npdoty> christine: have talked about data minimization, please share thoughts on the mailing list.
17:29:14 <npdoty> ... continuing on identifiers
17:29:33 <christine> Ideas: 1.	Specifications MUST use non-persistent identifiers unless a persistent identifier is required for their functionality (“non-persistent identifiers”).  2.	Specifications that require identifiers for their functionality SHOULD use randomly generated identifiers (“randomly generated identifiers”).
17:29:45 <npdoty> q+
17:29:45 <JoeHallCDT> woo!
17:30:30 <Ryladog> Thanks Nick, for further clarification users with disabilities who use geolocation information for transversing roooms and obsticals their home and neighborhoods would want to able to be offered the choice of GepFencing options
17:31:32 <tara> ack npdoty
17:31:48 <Hannes_Tschofenig> q+
17:31:50 <npdoty> npdoty: 3 questions I think tend to come up when we're talking about identifiers in a protocol
17:32:01 <npdoty> ... 1) how unique (across all users, or just per window, or whatever)
17:32:10 <npdoty> ... 2) how persistent (can they be changed)
17:32:26 <npdoty> ... 3) who can access (is it tied to a specific origin, or is it available elsewhere)
17:32:42 <npdoty> ack Hannes_Tschofenig
17:33:19 <npdoty> Hannes_Tschofenig: identification at the transport layer or above, via encrypted communications. may be difficult to address at the Web layer
17:33:28 <npdoty> ... not that many that use identifiers to begin with at w3c, right?
17:33:30 <npdoty> q+
17:34:49 <npdoty> q-
17:35:19 <JoeHallCDT> there is an issue here that is an analog of one we're dealing with in the IETF IAB privacy and security program: we have been thinking about correlation across network layers of communications… that is, encryption must fire in a coordinated manner or an observer with access to each layer may see some leakage of cleartext.
17:35:34 <npdoty> npdoty: I see lots of identifiers in W3C specifications, to identify cameras, microphones, game controllers, configured geofences
17:35:42 <JoeHallCDT> It seems that this might work with identifiers across layers too… if you randomize one in the web but a lower identifier persists, boo!
17:35:57 <npdoty> Hannes_Tschofenig: need to catch up on W3C work, but see issues regarding authenticated origins or authenticated identifiers
17:36:49 <npdoty> christine: topic of authenticated/secure origins for certain features, like geolocation access
17:36:53 <npdoty> ... TAG might be looking at this
17:37:27 <bhill2> sorry getting off mute
17:37:41 <Hannes_Tschofenig> Whenever work spawns across working groups and organizations (IETF/W3C/FIDO/etc.) these cross layer problems are likely going to show up with less than ideal consequences for privacy. I just wanted to raise that issue since I see a lot of work going on in that area right now.
17:37:45 <Ryladog> URL?
17:37:49 <npdoty> bhill2: a concept that was recently published under the mixed content draft
17:37:50 <npdoty> http://www.w3.org/TR/2014/WD-powerful-features-20141204/
17:38:19 <npdoty> bhill2: mixed content had gone to Last Call, but split off this discussion into a separate spec
17:38:48 <npdoty> ... features that require a certain identifier should go over a secure transport, to prevent leaking a persistent identifier, for example with EME
17:39:19 <npdoty> bhill2: just published a First Public Working Draft today
17:39:42 <npdoty> ... can take it to Last Call fairly rapidly, depending on public comment. much of the work has already been done
17:39:57 <npdoty> christine: yes, worth looking at that, everyone
17:40:25 <npdoty> christine: please share your thoughts on the email list so that we can keep the discussion going
17:40:35 <tara> http://mikewest.github.io/spec-questionnaire/security-privacy/
17:41:01 <npdoty> tara: mkwest working on a document independently, for a checklist of questions for putting together a first draft of a spec
17:41:12 <Hannes_Tschofenig> +q
17:41:27 <christine> q+
17:41:39 <npdoty> ... figuring out whether this is useful for w3c. should this be standalone or combined? work with other groups?
17:41:45 <npdoty> ... share with the group and see whether it would be useful
17:42:01 <npdoty> ack Hannes_Tschofenig
17:42:21 <npdoty> Hannes_Tschofenig: thanks for the pointer. what triggered work on this?
17:42:52 <npdoty> tara: via WebApps WG discussion, and repeated internal questions
17:43:52 <npdoty> Hannes_Tschofenig: sounds similar to the discussion of same-origin policy questions in charters
17:44:13 <npdoty> christine: scheduling difficulties about getting him present on the call
17:44:24 <tara> Article 29 WP Opinion regarding device fingerprinting
17:44:25 <christine> 3 Article 29 WP Opinion regarding device fingerprinting
17:44:50 <npdoty> not-scribe: npdoty: I think the mike west checklist looks great, though I need to read in more detail. it sounds very much of a kind with other work we've been doing here.
17:45:14 <npdoty> s/3 Article/Topic: Article/
17:45:18 <christine> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp224_en.pdf
17:45:58 <npdoty> Hannes_Tschofenig: could we invite some Art 29 folks to present or discuss?
17:46:08 <npdoty> christine: yes, can ask Rob.
17:46:10 <npdoty> +1s
17:47:12 <npdoty> npdoty: a summary or particularly important issues we should be looking at?
17:47:22 <npdoty> christine: definition comes from rfc6973 :)
17:48:21 <npdoty> christine: document is mostly directed at websites that might use fingerprinting, and legal status of whether fingerprinting fits under the EU Cookie directive
17:48:29 <Hannes_Tschofenig> Great to hear that they reference RFC 6973!
17:48:40 <npdoty> christine: refers to expressed DNT preferences
17:48:48 <npdoty> ... so would be relevant to Do Not Track work
17:49:33 <npdoty> ... documents different use cases (including first-party analytics, online behavioral advertising, security, etc.)
17:50:24 <npdoty> christine: useful for us to look at the technical background from a Web perspective
17:50:33 <npdoty> ... if there are improvements, we could let them know.
17:50:45 <npdoty> ... and worth reading, if fairly dense
17:50:57 <npdoty> thanks
17:51:31 <npdoty> Hannes_Tschofenig: we should definitely drop them a note if we have any disagreements. our interests may align, and they would appreciate feedback from a technical community
17:51:49 <npdoty> christine: can collect comments here and then see how to get them back
17:52:21 <npdoty> ... just know that public-privacy can be a much wider mailing list, including people involved in this work
17:52:27 <tara> 4. Web Security Interest Group
17:52:43 <npdoty> s/4. Web/Topic: Web/
17:52:59 <npdoty> tara: had discussions with Virginie about possible coordination with the Web Security Interest Group
17:53:24 <npdoty> ... our intention would be a conference call between the two groups to talk about how to do that work
17:53:26 <tara> 5. W3C workshop on Privacy and User-Centric Controls
17:53:43 <npdoty> s/5. W3C workshop/Topic: W3C workshop/
17:53:56 <npdoty> attendees at that workshop?
17:54:14 <npdoty> christine: rigo will be producing a full report, and unfortunately I missed the session of conclusions
17:54:28 <npdoty> ... very interesting discussions, and very broad representation from the browser vendors
17:54:51 <npdoty> ... lots of comments that PING would be the place to do something, and as a result have some new organizations formally joining PING
17:55:18 <tara> Hooray for new PING members coming from that workshop!
17:55:29 <npdoty> ... I went to present PING, to convince of the importance and need for resources on doing privacy from an architectural perspective
17:55:44 <npdoty> ... should have the report and formal outcomes by the next meeting
17:55:50 <npdoty> minutes and papers are available
17:56:19 <npdoty> Topic: AOB
17:56:41 <JoeHallCDT> npdoty: nick's job is to deal with these little bureaucratic things...
17:56:51 <tara> Thank you for dealing with "bureaucratic things."
17:56:59 <JoeHallCDT> … wendy seltzer reported that w3c management supported extending version of current charter for two years
17:57:16 <JoeHallCDT> … mgmt thinks the work is important and wanted to continue it
17:57:27 <JoeHallCDT> … They are also very interested in increasing the breadth and depth of privacy work
17:57:41 <tara> Thanks, everyone, for making us an effective group!
17:57:44 <JoeHallCDT> … this includes privacy reviews work, but also privacy in general
17:57:57 <JoeHallCDT> … we should include wendy in these conversations
17:58:00 <JoeHallCDT> q+
17:58:12 <christine> q-
17:58:44 <tara> ack JoeHallCDT
17:59:02 <JoeHallCDT> npdoty: as a formal matter charter is extended for two years with minor changes
17:59:12 <JoeHallCDT> … that doesn't mean we couldn't recharter or make changes if we wanted to do that
17:59:23 <JoeHallCDT> to be clear I (Joe) wasn't suggesting we change it
18:00:19 <npdoty> January 8, 15, 22?
18:00:32 <npdoty> February 12?
18:01:32 <JoeHallCDT> unlikely
18:02:40 <Zakim> -Joanne
18:02:50 <npdoty> JoeHallCDT: could have more informal conversations, just to catch up on privacy and web issues
18:02:54 <christine> good idea Joe
18:03:18 <tara> (Have to drop off IRC...thanks!)
18:03:26 <npdoty> ... can have occasional calls that are less about detailed progress
18:03:59 <Zakim> -Katie_Haritos-Shea
18:04:00 <Zakim> -JoeHallCDT
18:04:02 <Zakim> -tara?
18:04:03 <Zakim> -christine
18:04:03 <melinda> melinda has left #privacy
18:04:04 <Zakim> -npdoty
18:04:06 <Zakim> - +44.793.550.aacc
18:04:06 <Zakim> -BHill
18:04:07 <Zakim> -[IPcaller]
18:04:10 <Zakim> -karen_oDonoghue
18:04:11 <npdoty> tara: placeholder for doing that in mid-January, and progress on work to be discussed 12 February
18:04:14 <Christian> Christian has left #privacy
18:04:16 <npdoty> have a great holiday
18:04:20 <npdoty> trackbot, end meeting
18:04:20 <trackbot> Zakim, list attendees
18:04:20 <Zakim> As of this point the attendees have been christine, +1.650.944.aaaa, npdoty, Katie_Haritos-Shea, BHill, [IPcaller], tara?, +1.857.209.aabb, karen_oDonoghue, +44.793.550.aacc,
18:04:23 <Zakim> ... Joanne, +1.202.407.aadd, JoeHallCDT, Ryladog?
18:04:28 <trackbot> RRSAgent, please draft minutes
18:04:28 <RRSAgent> I have made the request to generate http://www.w3.org/2014/12/04-privacy-minutes.html trackbot
18:04:29 <trackbot> RRSAgent, bye
18:04:29 <RRSAgent> I see 1 open action item saved in http://www.w3.org/2014/12/04-privacy-actions.rdf :
18:04:29 <RRSAgent> ACTION: doty to clean up and send around PING TPAC friday minutes [1]
18:04:29 <RRSAgent>   recorded in http://www.w3.org/2014/12/04-privacy-irc#T17-11-09
18:04:31 <Zakim> -Ryladog?
18:04:32 <Zakim> Team_(privacy)17:00Z has ended
18:04:32 <Zakim> Attendees were christine, +1.650.944.aaaa, npdoty, Katie_Haritos-Shea, BHill, [IPcaller], tara?, +1.857.209.aabb, karen_oDonoghue, +44.793.550.aacc, Joanne, +1.202.407.aadd,
18:04:32 <Zakim> ... JoeHallCDT, Ryladog?