Privacy Interest Group Teleconference

26 Feb 2015

See also: IRC log


npdoty, christine, tara, Wendy, Kepeng, Katie_Haritos-Shea, Charles, karen_oDonoghue, Mike_O_Neill, dsinger, +1.202.407.aaaa, JoeHall, chaals, HadleyBeeman, terri, fjh


<trackbot> Date: 26 February 2015

<dsinger> zakimn, who is here?

Welcome and Introductions for new people

<npdoty> christine: any first-timers to the call? please introduce yourself

<dsinger> I am pretty rare. David Singer, Apple.


<Kepeng> Kepeng Li from Alibaba

missed that last one, sorry

<npdoty> scribenick: JoeHallCDT

Kepeng: has interests about privacy interests, not particularly familiar with PING

Hadleybee joining as one of the chairs of Data on the Web working group, just lurking

<srice> Simon Rice - Information Commissioner's Office (UK) - https://ico.org.uk

christine: anyone on the phone who is not on IRC?

Persona idea (Charles and David)

christine: let's talk about personas!

dsinger: read a paper recently that 25% of people using privacy browsing mode thinks that this keeps them private from servers

… privacy browsing mode (PBM) actually starts a separate session on the local UA, and is then discarded

… can we tweak PBM such that it better separates different modes of use?

… privacy is not always about secrecy, sometimes it's about context

… e.g., if you meet your bank manager at a party, you don't discuss an overdraft you just worked through because you're at a party, not the bank!

… people want to do things that don't hinge on secrecy online but still have some distinct privacy

… proposal is to send a flag that says "at the moment, I'm using a particular persona"

… such that one persona will be kept logically separate on the server between various persona identifiers

… this is in some sense a rquest to the servers to respect context

… this is instead of treating the world as hostile toward you, requesting help for segregation from the servers

… persona header asks sthe servers to keep the records from different personas separated

<Mike_O_Neill> +q

Mike_O_Neill: I can see where in persona where you have different identities that you might want to switch between

… question: on privacy mode, you have a whole set of new cookies each time you go in there

… so how does the serach history get preserved

dsinger: sandbox is initialized from the current state, and any changes are discarded

<npdoty> because you were logged in to your search engine provider when you entered private browsing mode?

<npdoty> or you logged in after entering private browsing mode?

Mike_O_Neill: ff has a mode where the UA puts up a whole set of different cookies, etc.

… we don't have a session layer defined that allows for privacy with context

christine: are the profiels that you can set up in ff, are those similar to persona or different?

dsinger: don't know enough about ff profiles

<Zakim> wseltzer, you wanted to comment on complexity and buckets

Mike_O_Neill: talk abaout having banks of cookies to switch between

wseltzer: something that we've been encountering frequently is the challenge of putting features in buckets that the user can understand and have control over

… persona seems like a very interesting concept here.

… what other things can we bundle here so that the choices are meaningful but that it's not too large?

dsinger: not sure… the idea is an enhancement of privacy browsing mode

<npdoty> when TAG has talked about standardizing private browsing modes, they've discussed the difference between client-side clearing and server-side clearing

… a follow-on would be some signal from the server acknowledging the separation

christine: very interested in the core idea here of preference expression

<Zakim> chaals, you wanted to note that people aren't always inherently concerned with whether they are being tracked, but with what happens as a result of that tracking…

chaals: in essense, you called out a bunch of complexity and features behind this

… most obvious one: to be able to manage different personas in a granular fashion

… in the Yandex browser you can change who you are in the browser

… can essentially change the user for the browser

… this is linked up to code on the server so that it follows the change in users

… the point about how this works with private modes is very interesting

… the current private mode is make me look anonymous and the same as everyone else

… if you offer the server a reason to respect your persona, quid pro quo is that you give them your data

… most people don't give a fig that they are being tracked

… what they care about is how that tracking information is used

<Mike_O_Neill> +q

… for example, if a bank manager at a party and gets angry about your overdraft, that's problematic

… if the bank manager is just partying, there's no problem

… the idea is that you can have 2 personalities… and then maybe you can have 3 beause what if 2 isn't enough

… a clear use case is managing cookies (UA side identifiers)

<fjh> “people” are becoming aware of consequences of information collection , 1 million in MA with Anthem breach for example

… on the other hand, if you show people how they are being tracked and what cookies are providing what information

… then people can say, I don't really want that much information emanated

… what people can't do easily, for example, is to find how much backend aggregators know about them

… but it's definitely true that aggregators can segregate arbitrary personae

… the 90,000 mile view is that you can actually find out what backend servers know about a persona

… and conceivably you could ask them to forget

… the quid pro quo is that instead of showing up totally anonymous, the server can know what they already know

… in order to function at all, it has to have a mode that is super simple

… and offer something to both users and servers

… for users, you didn't loose some of the useful information (state) and for servers that they don't get tons of anonymous visitors

<Zakim> npdoty, you wanted to comment on cookie jars and server interest in a signal (if we have time)

npdoty: wanted to talk about the technical aspects

… some browsers already have a persona concept

… typically implemented through separate cookie jars

… maybe that implements most of the use cases we're talking about?

… does it? If it does, than we have some exitence proofs.

… if it doesn't… if we need server mojo… we need to know what they'd want in this kind of a construct

… whether if it should be client or server side

… want to see interest from servers

dsinger: servers can still work out that it's probably you via UA, IP address, etc.

… they are unaware that you're trying to keep your history segregated

… you do want it to be at sometimes still you, with some of the state stored in cookies

<chaals> [+1 that value for the servers is one of the critical pieces to the puzzle]

… don't think you can do this without servers being aware

… whole question of context is very important

<chaals> [+1 for the point that servers *knowing* that they are being asked to keep this persona away from that persona is part of the useful bit]

… what the hell were you doing showing me an ad for an embarassing medical thing when my boss is in the office?

<wseltzer> [and cleary explaining the limited purpose this is intended to serve, lets it do that minimal thing well.]

christine: when using Microsoft profiles, assumption is that my behavior in each profiles is segregated from sites I visit...

… but hadn't thought about how those sessions are treated by the browser

Mike_O_Neill: the point that david said about they know who you are anyway, not sure that's true

<npdoty> chaals, but do servers *want* that difference? while sites can re-connect you after you clear your cookies, if they do so when they notice cookies are cleared, is there some reason they won't if they see a Private Browsing Mode expression?

… many IP address contexts change, so not the best identifier

<dsinger> alas, DHCP and some NAT boxes try to maintain stable mappings…

<wseltzer> [ based on fingerprinting, they know who you are to a high degree ]

… don't think it's the case that the vast majority of people aren't privacy nuts

… you don't know who's out there tracking you

<dsinger> …and relying on that to ‘anonymize’ you is, I think, weak. the trackers are working out how to track you despite NAT and DHCP.

<npdoty> wseltzer, based on fingerprinting, it's possible for certain motivated servers to recognize you to a higher degree

… the reason that people have been relatively relaxed about it is that they don't know or understand what's going on

… agreeing with npdoty that this should be a client side

… don't think we have the infrastructure to do the server piece safely

dsinger: 1) currently in private browsing mode server is unaware of private browsing mode

… in terms of trust, if servers could signal "yes, we respect this"

… people may not agree if something is tracking, but if they lie to you, that's not acceptable to regulators

<christine> @wendy, yes we do need to wrap this up very soon

<wseltzer> [so they're unlikely to want to say anything...]

… agree that one of the problems with privacy online is that data is being collected

… but they don't understand either how it's being used, and it's being used out of context

<npdoty> indeed, we should ask if servers want to receive a signal and implement such a feature

<Zakim> chaals, you wanted to say that desegregating even anonymous users is pretty easy

chaals: a couple of things… based on fingerprinting of anonymous browsers and behavior, it is very easy to desegregate and identify users

<Mike_O_Neill> fingerprinting takes a rountrip (XHR)

… pretty clear that data about them is being picked up about them

… everyone knows that happens

<Mike_O_Neill> and we can block 3p XHR

<npdoty> dsinger, is the motivation "don't reflect this behavior back to me except when I'm using this persona"?

… still have 100s of millions of people using these services aware that they are giving away data

<Mike_O_Neill> +q

<dsinger> npdoty, roughly, yes. “please keep the personas segregated so that they don’t have any effect on each other. Trivially, you could treat them as seprate people.”

<npdoty> dsinger, otherwise, I struggle to understand the implications for what the signal should indicate when you're logged in with a known account in multiple personas

… in this proposal, it's very much not about providing perfect privacy or security, but it does provide somehting that could give value to both sides of the equation

<npdoty> "don't have any effect" seems very difficult when we talk about being logged in (as in your search engine or buying gifts example)

<dsinger> npdoty, so for example, search or other activity records are segregated; adverts and interests are segregated; and so on

<npdoty> servers aren't going to stop recording credit card transactions :)

christine: what would you like PING to do? don't have to answer now, let's discuss on email list

dsinger: exactly what we'd like to happen

<npdoty> I could drop agendum 5

christine: of our agenda items, does anyone wish to express a view as to what is most pressing?

<npdoty> I think 3 is important for now

<Mike_O_Neill> webrtc

WebRTC local IP address disclosure (Wendy)

christine: focusing on 3 and 6

… Don was unable to join the call

<wseltzer> WebRTC

wseltzer: wiki page on privacy and webRTC

<Mike_O_Neill> +q

… the WebRTC group has asked us for guidance on the sensitivity of local IP addresses

… reacting to news stories concerned about WebRTC exposing real IP address locally instead of how you appear to the internet (eg, VPN)

… because WebRTC is peer-to-peer, that IP address is necessary to communicate

… what user controls should exist?

… in what circumstances should WebRTC have access to those?

… when should it not?

… thought PING could help enumerate the concerns about local IP addresses

… local IP might differ from global IP if you're behind a NAT, VPN, using Tor

… users might have different expectations and needs of the privacy of that address

… suggests we simply add to the wiki about these concerns

christine: how much time do we have to do this?

wseltzer: like anything the sooner the better… not aware of specific deadlines

<wseltzer> Please add to the wiki: https://www.w3.org/wiki/Privacy/IPAddresses

Mike_O_Neill: the issue here is that this happening

<tara_> Yes, please volunteer to add to the wiki!

… basically, you execute a bit of JS on the page and that tells you the IP address

<npdoty> are there any other APIs that are giving access to local IP address?

… very simply way to do fingerprinting

… e.g., behind a NAT can segregate users

<npdoty> we discussed it in Network Service Discovery (though I'm not sure that's implemented). but are there any other features?

… think something should be done about it

… presume WebRTC is a TCP/IP level communication

I think it's DTLS

<wseltzer> JoeHallCDT: How would an adversary use this? As Mike said, if you get a piece of JS to run

<wseltzer> ... I'll add to the wiki

<npdoty> in current test implementations, is it gated by some user interaction?

<wseltzer> no

I don't recall

wseltzer: one of the concerns in the reporting is that this was available even in cases where the user was not engage in WebRTC comms.

<npdoty> wow, good to know, thanks wseltzer

christine: please volunteer to add to the wiki

<npdoty> wseltzer, is there a deadline?

… if you're too shy, ask an extrovert like Christine or Tara

<wseltzer> npdoty, I'll ask dom

<Mike_O_Neill> ok

christine: let's aim to add content to the wiki before our next call


… share your views on the email list as well

… there was a request to cover agenda 6 and 7

… going to swap them

npdoty: on 7...

<npdoty> https://www.w3.org/wiki/Privacy/Privacy_Reviews

… this is the idea of doing privacy reviews

… we have done them when requested

… maybe we should keep track of a list

… npdoty has started one (above)

… what the doc is, status, and when they want that feedback

… it's a wiki! edit it

<npdoty> http://www.w3.org/TR/2015/WD-appmanifest-20150212/

… prompted by the manifest for web applications draft is looking for wide review

… want feedback on privacy and security considerations

… in particular, things about navigation…

… a downloadable web app vs. web interaction

… if you're interested in installable web apps, you'll be interested

… want feedback by the end of next week

… need volunteers for 2 roles

npdoty: can you clarify both the roles?

<npdoty> shepherd makes sure a consolidated email actually gets sent by the deadline :)

christine: shepherd is the one that chases the people that have volunteered to provide comments and synthesize that feedback to the group that requested review

… anyone willing to be shepherd or comments

I have a staffer starting next week that will be doing w3c stuff, but this is too short a fuse, I suspect

… very important that PING provides privacy guidance to these groups

<npdoty> I'll also add Wendy's IP address thing to that list, with the hope that we find out the deadline

christine: next item 3, TAG finding on securing the web

W3C TAG Finding - Securing the Web

… had hoped to get mnot here, but he lives in crazy place

<wseltzer> http://www.w3.org/2001/tag/doc/web-https

… asked him to come to the PING-at-IETF side meeting

<wseltzer> TAG Finding on Securing the Web

wseltzer: TAG finding is that sites should be secure for their users

… they make some notes about concerns about https

… but conclude ultimately that we should get there, using https

<npdoty> there is something of a to-do list in that document: http://www.w3.org/2001/tag/doc/web-https#building-a-secure-web-with-w3c-standards

christine: is there going to be any follow-on work from the TAG here?

wseltzer: in Web App Sec, we're doing work on features that require a privileged context (powerful features)

… you don't want a random injection into an insecure website

<npdoty> there has been some discussion in TAG on certificates and HTTPS, about HTTPS as a three-party protocol

… geoloc has sent us a ping about this kind of question

… what is a secure context and how does a feature figure out if it is indeed operating in a secure context

… TAG will help to identify these features for a secure context

… relevant to privacy as many of the features could reveal sensitive or personal information

christine: do want to follow this work and get involved

… follow up on the next call

… mnot will be there in Dallas at IETF 92

<Zakim> JoeHallCDT, you wanted to comment on how it differs from the IAB confidentiality statement

<npdoty> JoeHallCDT: I'm showrunner for IAB Priv & Sec Program statement on confidentiality

<npdoty> ... a document ultimately published by the IAB

<npdoty> http://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/

<npdoty> JoeHallCDT: the integrity piece: importance of people on-path not being able to change code on its way to the user

<Mike_O_Neill> +q

<npdoty> ... to the extent there are differences between the IAB and W3C TAG statements, what motivates those?

<npdoty> ... CDT (and many of you others) work at both IETF and W3C

<npdoty> ... bringing on new staff to help, including with W3C work

<npdoty> ... can follow up about trust and resiliency work also done at IAB Priv & Sec Program

yes, I'll be there!

christine: we can talk about this nexus at IETF

Mike_O_Neill: don't know all the detail, but the problem with HTTPS seems to be scaling...

… lots of http urls out there, how to you convert

… mixed content breaks many UAs

<npdoty> I've certainly struggled with implementations because of mixed content restrictions

<wseltzer> [incidentally, WebAppSec has a draft coming out today on "upgrade insecure requests": http://www.w3.org/TR/2015/WD-upgrade-insecure-requests-20150226/ ]

… https is based on PKI such that you have to trust that the keys you are getting are not bad

… another problem is that if you have a secure context, you don't have a transparent set of relationships

<tara_> (Need to drop off phone but will be on irc...)

<tara_> Things are quiet since scribe departed.

<Mike_O_Neill> where is that?

<wseltzer> IETF is in Dallas in mid-March

<christine> Thank you all. Details about next call on email.

<npdoty> trackbot, end meeting

<tara_> Thanks, all!

<wseltzer> Mike_O_Neill, have you looked into some of WebAppSec's recent work on mixed content?

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.140 (CVS log)
$Date: 2015-02-26 18:02:04 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.140  of Date: 2014-11-06 18:16:30  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/xxxx/Data on the Web/
Succeeded: s/PMD/PBM/
Succeeded: s/dsigner/dsinger/
Succeeded: s/dfifferent/different/
Succeeded: s/segretation/segregation/
Succeeded: s/christing/christine/
Succeeded: s/?me thanks Nick//
Succeeded: s/being able/not being able/
Found ScribeNick: JoeHallCDT
Inferring Scribes: JoeHallCDT
Default Present: npdoty, christine, tara, Wendy, Kepeng, Katie_Haritos-Shea, Charles, karen_oDonoghue, Mike_O_Neill, dsinger, +1.202.407.aaaa, JoeHall, chaals, HadleyBeeman, terri, fjh
Present: npdoty christine tara Wendy Kepeng Katie_Haritos-Shea Charles karen_oDonoghue Mike_O_Neill dsinger +1.202.407.aaaa JoeHall chaals HadleyBeeman terri fjh

WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Found Date: 26 Feb 2015
Guessing minutes URL: http://www.w3.org/2015/02/26-privacy-minutes.html
People with action items: 

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.

[End of scribe.perl diagnostic output]