<trackbot> Date: 26 February 2015
<dsinger> zakimn, who is here?
<npdoty> christine: any first-timers to the call? please introduce yourself
<dsinger> I am pretty rare. David Singer, Apple.
ok!
<Kepeng> Kepeng Li from Alibaba
missed that last one, sorry
<npdoty> scribenick: JoeHallCDT
Kepeng: has an interest in privacy, not particularly familiar with PING
Hadleybee joining as one of the chairs of Data on the Web working group, just lurking
<srice> Simon Rice - Information Commissioner's Office (UK) - https://ico.org.uk
christine: anyone on the phone who is not on IRC?
christine: let's talk about personas!
dsinger: read a paper recently that 25% of people using private browsing mode think that this keeps them private from servers
… privacy browsing mode (PBM) actually starts a separate session on the local UA, and is then discarded
… can we tweak PBM such that it better separates different modes of use?
… privacy is not always about secrecy, sometimes it's about context
… e.g., if you meet your bank manager at a party, you don't discuss an overdraft you just worked through because you're at a party, not the bank!
… people want to do things that don't hinge on secrecy online but still have some distinct privacy
… proposal is to send a flag that says "at the moment, I'm using a particular persona"
… such that one persona will be kept logically separate on the server between various persona identifiers
… this is in some sense a request to the servers to respect context
… this is instead of treating the world as hostile toward you, requesting help for segregation from the servers
… persona header asks the servers to keep the records from different personas separated
<Mike_O_Neill> +q
Mike_O_Neill: I can see where in persona where you have different identities that you might want to switch between
… question: on privacy mode, you have a whole set of new cookies each time you go in there
… so how does the search history get preserved
dsinger: sandbox is initialized from the current state, and any changes are discarded
<npdoty> because you were logged in to your search engine provider when you entered private browsing mode?
<npdoty> or you logged in after entering private browsing mode?
Mike_O_Neill: ff has a mode where the UA puts up a whole set of different cookies, etc.
… we don't have a session layer defined that allows for privacy with context
christine: are the profiles that you can set up in ff similar to persona or different?
dsinger: don't know enough about ff profiles
<Zakim> wseltzer, you wanted to comment on complexity and buckets
Mike_O_Neill: talk about having banks of cookies to switch between
wseltzer: something that we've been encountering frequently is the challenge of putting features in buckets that the user can understand and have control over
… persona seems like a very interesting concept here.
… what other things can we bundle here so that the choices are meaningful but that it's not too large?
dsinger: not sure… the idea is an enhancement of privacy browsing mode
<npdoty> when TAG has talked about standardizing private browsing modes, they've discussed the difference between client-side clearing and server-side clearing
… a follow-on would be some signal from the server acknowledging the separation
christine: very interested in the core idea here of preference expression
<Zakim> chaals, you wanted to note that people aren't always inherently concerned with whether they are being tracked, but with what happens as a result of that tracking…
chaals: in essence, you called out a bunch of complexity and features behind this
… most obvious one: to be able to manage different personas in a granular fashion
… in the Yandex browser you can change who you are in the browser
… can essentially change the user for the browser
… this is linked up to code on the server so that it follows the change in users
… the point about how this works with private modes is very interesting
… the current private mode is make me look anonymous and the same as everyone else
… if you offer the server a reason to respect your persona, quid pro quo is that you give them your data
… most people don't give a fig that they are being tracked
… what they care about is how that tracking information is used
<Mike_O_Neill> +q
… for example, if a bank manager is at a party and gets angry about your overdraft, that's problematic
… if the bank manager is just partying, there's no problem
… the idea is that you can have 2 personalities… and then maybe you can have 3 because what if 2 isn't enough
… a clear use case is managing cookies (UA side identifiers)
<fjh> “people” are becoming aware of consequences of information collection, 1 million in MA with Anthem breach for example
… on the other hand, if you show people how they are being tracked and what cookies are providing what information
… then people can say, I don't really want that much information emanated
… what people can't do easily, for example, is to find how much backend aggregators know about them
… but it's definitely true that aggregators can segregate arbitrary personae
… the 90,000 mile view is that you can actually find out what backend servers know about a persona
… and conceivably you could ask them to forget
… the quid pro quo is that instead of showing up totally anonymous, the server can know what they already know
… in order to function at all, it has to have a mode that is super simple
… and offer something to both users and servers
… for users, you didn't lose some of the useful information (state) and for servers that they don't get tons of anonymous visitors
<Zakim> npdoty, you wanted to comment on cookie jars and server interest in a signal (if we have time)
npdoty: wanted to talk about the technical aspects
… some browsers already have a persona concept
… typically implemented through separate cookie jars
… maybe that implements most of the use cases we're talking about?
… does it? If it does, then we have some existence proofs.
… if it doesn't… if we need server mojo… we need to know what they'd want in this kind of a construct
… whether if it should be client or server side
… want to see interest from servers
dsinger: servers can still work out that it's probably you via UA, IP address, etc.
… they are unaware that you're trying to keep your history segregated
… you do want it to be at sometimes still you, with some of the state stored in cookies
<chaals> [+1 that value for the servers is one of the critical pieces to the puzzle]
… don't think you can do this without servers being aware
… whole question of context is very important
<chaals> [+1 for the point that servers *knowing* that they are being asked to keep this persona away from that persona is part of the useful bit]
… what the hell were you doing showing me an ad for an embarrassing medical thing when my boss is in the office?
<wseltzer> [and clearly explaining the limited purpose this is intended to serve lets it do that minimal thing well.]
christine: when using Microsoft profiles, assumption is that my behavior in each profile is segregated from sites I visit...
… but hadn't thought about how those sessions are treated by the browser
Mike_O_Neill: the point that david said about they know who you are anyway, not sure that's true
<npdoty> chaals, but do servers *want* that difference? while sites can re-connect you after you clear your cookies, if they do so when they notice cookies are cleared, is there some reason they won't if they see a Private Browsing Mode expression?
… many IP address contexts change, so not the best identifier
<dsinger> alas, DHCP and some NAT boxes try to maintain stable mappings…
<wseltzer> [ based on fingerprinting, they know who you are to a high degree ]
… don't think it's the case that the vast majority of people aren't privacy nuts
… you don't know who's out there tracking you
<dsinger> …and relying on that to ‘anonymize’ you is, I think, weak. the trackers are working out how to track you despite NAT and DHCP.
<npdoty> wseltzer, based on fingerprinting, it's possible for certain motivated servers to recognize you to a higher degree
… the reason that people have been relatively relaxed about it is that they don't know or understand what's going on
… agreeing with npdoty that this should be a client side
… don't think we have the infrastructure to do the server piece safely
dsinger: 1) currently in private browsing mode server is unaware of private browsing mode
… in terms of trust, if servers could signal "yes, we respect this"
… people may not agree if something is tracking, but if they lie to you, that's not acceptable to regulators
<christine> @wendy, yes we do need to wrap this up very soon
<wseltzer> [so they're unlikely to want to say anything...]
… agree that one of the problems with privacy online is that data is being collected
… but they don't understand either how it's being used, and it's being used out of context
<npdoty> indeed, we should ask if servers want to receive a signal and implement such a feature
<Zakim> chaals, you wanted to say that desegregating even anonymous users is pretty easy
chaals: a couple of things… based on fingerprinting of anonymous browsers and behavior, it is very easy to desegregate and identify users
<Mike_O_Neill> fingerprinting takes a roundtrip (XHR)
… pretty clear that data about them is being picked up about them
… everyone knows that happens
<Mike_O_Neill> and we can block 3p XHR
<npdoty> dsinger, is the motivation "don't reflect this behavior back to me except when I'm using this persona"?
… still have 100s of millions of people using these services aware that they are giving away data
<Mike_O_Neill> +q
<dsinger> npdoty, roughly, yes. “please keep the personas segregated so that they don’t have any effect on each other. Trivially, you could treat them as separate people.”
<npdoty> dsinger, otherwise, I struggle to understand the implications for what the signal should indicate when you're logged in with a known account in multiple personas
… in this proposal, it's very much not about providing perfect privacy or security, but it does provide something that could give value to both sides of the equation
<npdoty> "don't have any effect" seems very difficult when we talk about being logged in (as in your search engine or buying gifts example)
<dsinger> npdoty, so for example, search or other activity records are segregated; adverts and interests are segregated; and so on
<npdoty> servers aren't going to stop recording credit card transactions :)
christine: what would you like PING to do? don't have to answer now, let's discuss on email list
dsinger: exactly what we'd like to happen
<npdoty> I could drop agendum 5
christine: of our agenda items, does anyone wish to express a view as to what is most pressing?
<npdoty> I think 3 is important for now
<Mike_O_Neill> webrtc
christine: focusing on 3 and 6
… Don was unable to join the call
<wseltzer> WebRTC
wseltzer: wiki page on privacy and webRTC
<Mike_O_Neill> +q
… the WebRTC group has asked us for guidance on the sensitivity of local IP addresses
… reacting to news stories concerned about WebRTC exposing real IP address locally instead of how you appear to the internet (e.g., VPN)
… because WebRTC is peer-to-peer, that IP address is necessary to communicate
… what user controls should exist?
… in what circumstances should WebRTC have access to those?
… when should it not?
… thought PING could help enumerate the concerns about local IP addresses
… local IP might differ from global IP if you're behind a NAT, VPN, using Tor
… users might have different expectations and needs of the privacy of that address
… suggests we simply add to the wiki about these concerns
christine: how much time do we have to do this?
wseltzer: like anything the sooner the better… not aware of specific deadlines
<wseltzer> Please add to the wiki: https://www.w3.org/wiki/Privacy/IPAddresses
Mike_O_Neill: the issue here is that this is happening
<tara_> Yes, please volunteer to add to the wiki!
… basically, you execute a bit of JS on the page and that tells you the IP address
<npdoty> are there any other APIs that are giving access to local IP address?
… very simple way to do fingerprinting
… e.g., behind a NAT can segregate users
<npdoty> we discussed it in Network Service Discovery (though I'm not sure that's implemented). but are there any other features?
… think something should be done about it
… presume WebRTC is a TCP/IP level communication
I think it's DTLS
<wseltzer> JoeHallCDT: How would an adversary use this? As Mike said, if you get a piece of JS to run
<wseltzer> ... I'll add to the wiki
<npdoty> in current test implementations, is it gated by some user interaction?
<wseltzer> no
I don't recall
wseltzer: one of the concerns in the reporting is that this was available even in cases where the user was not engaged in WebRTC comms.
<npdoty> wow, good to know, thanks wseltzer
christine: please volunteer to add to the wiki
<npdoty> wseltzer, is there a deadline?
… if you're too shy, ask an extrovert like Christine or Tara
<wseltzer> npdoty, I'll ask dom
<Mike_O_Neill> ok
christine: let's aim to add content to the wiki before our next call
sure
… share your views on the email list as well
… there was a request to cover agenda 6 and 7
… going to swap them
npdoty: on 7...
<npdoty> https://www.w3.org/wiki/Privacy/Privacy_Reviews
… this is the idea of doing privacy reviews
… we have done them when requested
… maybe we should keep track of a list
… npdoty has started one (above)
… what the doc is, status, and when they want that feedback
… it's a wiki! edit it
<npdoty> http://www.w3.org/TR/2015/WD-appmanifest-20150212/
… prompted by the manifest for web applications draft is looking for wide review
… want feedback on privacy and security considerations
… in particular, things about navigation…
… a downloadable web app vs. web interaction
… if you're interested in installable web apps, you'll be interested
… want feedback by the end of next week
… need volunteers for 2 roles
npdoty: can you clarify both the roles?
<npdoty> shepherd makes sure a consolidated email actually gets sent by the deadline :)
christine: shepherd is the one that chases the people that have volunteered to provide comments and synthesize that feedback to the group that requested review
… anyone willing to be shepherd or comments
I have a staffer starting next week that will be doing w3c stuff, but this is too short a fuse, I suspect
… very important that PING provides privacy guidance to these groups
<npdoty> I'll also add Wendy's IP address thing to that list, with the hope that we find out the deadline
christine: next item 3, TAG finding on securing the web
… had hoped to get mnot here, but he lives in a crazy place
<wseltzer> http://www.w3.org/2001/tag/doc/web-https
… asked him to come to the PING-at-IETF side meeting
<wseltzer> TAG Finding on Securing the Web
wseltzer: TAG finding is that sites should be secure for their users
… they make some notes about concerns about https
… but conclude ultimately that we should get there, using https
<npdoty> there is something of a to-do list in that document: http://www.w3.org/2001/tag/doc/web-https#building-a-secure-web-with-w3c-standards
christine: is there going to be any follow-on work from the TAG here?
wseltzer: in Web App Sec, we're doing work on features that require a privileged context (powerful features)
… you don't want a random injection into an insecure website
<npdoty> there has been some discussion in TAG on certificates and HTTPS, about HTTPS as a three-party protocol
… geoloc has sent us a ping about this kind of question
… what is a secure context and how does a feature figure out if it is indeed operating in a secure context
… TAG will help to identify these features for a secure context
… relevant to privacy as many of the features could reveal sensitive or personal information
christine: do want to follow this work and get involved
… follow up on the next call
… mnot will be there in Dallas at IETF 92
<Zakim> JoeHallCDT, you wanted to comment on how it differs from the IAB confidentiality statement
<npdoty> JoeHallCDT: I'm showrunner for IAB Priv & Sec Program statement on confidentiality
<npdoty> ... a document ultimately published by the IAB
<npdoty> http://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/
<npdoty> JoeHallCDT: the integrity piece: importance of people on-path not being able to change code on its way to the user
<Mike_O_Neill> +q
<npdoty> ... to the extent there are differences between the IAB and W3C TAG statements, what motivates those?
<npdoty> ... CDT (and many of you others) work at both IETF and W3C
<npdoty> ... bringing on new staff to help, including with W3C work
<npdoty> ... can follow up about trust and resiliency work also done at IAB Priv & Sec Program
yes, I'll be there!
christine: we can talk about this nexus at IETF
Mike_O_Neill: don't know all the detail, but the problem with HTTPS seems to be scaling...
… lots of http urls out there, how do you convert
… mixed content breaks many UAs
<npdoty> I've certainly struggled with implementations because of mixed content restrictions
<wseltzer> [incidentally, WebAppSec has a draft coming out today on "upgrade insecure requests": http://www.w3.org/TR/2015/WD-upgrade-insecure-requests-20150226/ ]
… https is based on PKI such that you have to trust that the keys you are getting are not bad
… another problem is that if you have a secure context, you don't have a transparent set of relationships
<tara_> (Need to drop off phone but will be on irc...)
<tara_> Things are quiet since scribe departed.
<Mike_O_Neill> where is that?
<wseltzer> IETF is in Dallas in mid-March
<christine> Thank you all. Details about next call on email.
<npdoty> trackbot, end meeting
<tara_> Thanks, all!
<wseltzer> Mike_O_Neill, have you looked into some of WebAppSec's recent work on mixed content?