Privacy Interest Group Teleconference

21 Jan 2016

See also: IRC log


npdoty, gnorcie, tara, plh, yoav, toddreifsteck, igrigorik, keiji, christine, Chaals, Charles_L_Perkins


<gnorcie> ok im in

<gnorcie> on speakerphone in joe's office

<npd> sorry, I don't know the room number or the password for the room number that keiji just listed

<gnorcie> it's the same room #

<gnorcie> think just different PW?

<gnorcie> PW 648 680 693

<npd> thanks!

<gnorcie> err wait

<keiji> https://mit.webex.com/mit/e.php?MTID=m6715d68b491a1a3eecc18f700b294bd5

<christine> perhaps a meeting link might help

present=npdoty,gnorcie,tara,plh,yoav, toddreifsteck, igrigorik

<npd> yay, thanks keiji

<keiji> Thank you npd.

<scribe> scribenick: wseltzer

Welcome and introductions

toddreifsteck: Todd Reifsteck, co-chair of WebPerf WG
... along with Ilya Grigorik

plh: Philippe Le Hegaret, team contact for WebPerf

yoav: Yoav Weiss, also in the Web Perf WG

Charles_L._Perkins: Charles L Perkins, Virtual Rendezvous

<christine> Let's switch and do web performance first

<VirtualRendezvous> I tried with the port number, I think I am in IRC now, this is Charles L. Perkins, from do not track years back

<toddreifsteck> HR-Time Spec Link--https://w3c.github.io/hr-time/

<VirtualRendezvous> Thanks Wendy

Web Performance

<npd> does anyone have a link handy to the paper or presentation?

<plh> https://lists.w3.org/Archives/Public/public-privacy/2015OctDec/0134.html

plh: mid-November, I sent a request to the group because we wanted to push High Res Time version 2
... we already published v1
... 2 goals: define "time" when used in performance timeline
... and second, how to access it
... a minimalist API, concept reused across performance specs
... Our goal was to get time as accurate as possible in our measurements
... APIs to let you measure how your app is doing on the web from PoV of user

<scribe> ... new in v2 is not highly sinister

UNKNOWN_SPEAKER: we allow you to get the time in workers
... so we had to define time precisely
... some questions remain on the need to compare timelines across contexts
... method in the ED, translate time, not yet ready for v2
... One thing that came up last year was that our spec could be used for timing attacks.
... we were forced to reduce accuracy of timer to prevent timing attacks.
... based on research papers.

<VirtualRendezvous> What about non streaming time, like DIS in late 90s, time reveal, scrolling thru time, etc.

UNKNOWN_SPEAKER: More recently, another reported attack
... exploit not yet complete in JS, and we talked with researcher, who said there was nothing that we could do to prevent it
... even a more granular accuracy wouldn't stop it

<VirtualRendezvous> time reversal, seeing time as not just present limited for larger time definition

<npd> is there a link to the paper for that more recent attack?

<npd> that was the March 2015 paper

<VirtualRendezvous> (likely irrelevant today, maybe useful in future specs, getting up to speed here)

<plh> https://github.com/w3c/hr-time/issues/4

-> http://www.rowhammer.com/ the underlying attack, with reference to the JS

plh: Questions or concerns from PING?

<christine> +Q

<VirtualRendezvous> +Q

christine: is the access to timing data secure?

plh: It
... It's JS, we don't control the origin of the JS
... it follows the same-origin policy and CORS, etc.
... we didn't introduce new restrictions

<npd> wseltzer: secure contexts or powerful features restriction. is it considered a "powerful feature"?

plh: not sure. Chairs?

toddreifsteck: original performance.now was implemented before powerful features

<plh> https://www.w3.org/TR/powerful-features/

toddreifsteck: hr2, just an update to enable workers, we didn't add the restriction

wseltzer: some discussion whether workers themselves should be considered powerful features

tara: we'll want to watch that

VirtualRendezvous: very high performance measurement, DIS, attacks on jet missiles
... there was work on interaction of 4-dimensional streams 3D+time

<npd> does the draft mark that translateTime is not going to be continued in this version?

plh: pointer to the research?

VirtualRendezvous: Warren Katz, MAK is an expert in the area

<Zakim> npd, you wanted to ask if the attack is detectable, the way that repeated attacks for timing caching would typically be

npd: as I understand, rowhammer is different from cache timing

plh: it depends on cache timing, deducing the location in memory in order to attack it
... by using timing attacks on CPU caching, they got physical addresses of memory
... and then overwrite it with bit-flip attacks.
... it's a hw issue, a flaw in the underlying OS and memory mapping, and the underlying chipsets
... but since people won't update hw and BIOS soon, they need to update OS. It's not web platform-specific.

npd: trying to understand mitigations
... at least an attack that has to be repeated multiple times is observable
... is rowhammer repeated multiple times?

plh: not sure how many times it's called
... author said even if we reduce accuracy of timer, you can still use JS data object

npd: what if you limited how often the function could be called?

<VirtualRendezvous> (if anyone needs to follow up on 4D time, DIS, find me via Gplus.to/4VR) --clp, Charles

plh: we're not aware of type that gives row access in JS

npd: in combination with native access to run code

yoav: If an attacker has access to run arbitrary binaries on the machine, they don't really need performance.now to attack

<gnorcie> hey just a reminder we're 40 in, would like to discuss privacy qs if there is time

keiji: also consider threat of leakage of browser history by time measurement

<npd> I'd be curious to talk to security folks about the risks, if there are any, of revealing the memory addresses even if the javascript code can't execute natively on the machine. in addition, is there a cross-origin privacy risk to detecting these addresses?

plh: time is in relation to the navigation of the page, not between pages

keiji: justification of 5us?

plh: it was implemented in all browsers and believed to be enough

<npd> and finally, would use of time.now for this rowhammer-style attack be detectable?

tara: plh, next steps?

plh: we're moving this to CR
... to get v2 out
... thank you.
... If rowhammer gets to full force, we'll re-open the question.

Moving forward with the Privacy Questionnaire

<toddreifsteck> thanks, all!

gnorcie: putting the questionnaire from wiki to github

<npd> yay for github, but yes it can be a little confusing at first

<npd> or github issues too

gnorcie: hoping pull requests can be better for feedback

<npd> wseltzer: there is a #git channel on W3C IRC, which people who use git for W3C specs use to get help

gnorcie: I also want to send feedback to the TAG on their security questionnaire

<VirtualRendezvous> I've also used GO=IThub and have time for help if you need it, I am also a privacy advocate from way back, can give other feedback later --clp

<VirtualRendezvous> GIThub

<christine> @greg- yes I totally agree - discuss individual points on email

gnorcie: proposed putting an issue per thread

<npd> sure, whatever gets the feedback moving, one piece at a time is great

<chaals> +1

<VirtualRendezvous> +q

npd: when we have new privacy problems, do we think there are sufficient questions in the questionnaire?

<christine> +Q

<npd> wseltzer: what's our process for adding privacy issues to a questionnaire when we identify a privacy issue during a spec review?

VirtualRendezvous: have you thought about how abstract UIs make privacy problems even more challenging?
... e.g. in mobile apps, VR

<npd> I think there may be interesting problems regarding when people know they're in a browser, or what scope an in-app browser has, but that this will mostly fall into UI

christine: Web apps are in-scope for PING; other challenges may be further from scope

<npd> I think the most straightforward case we have related to that is things like the fullscreen api

<npd> +1 to christine on raising issues in github whenever something comes up

christine: suggest using github issue tracking when we see new privacy anti-patterns

tara: +1
... and thanks to gnorcie

<npd> in fact, people are already doing this with the fingerprinting document. someone has started raising just other web privacy issues there

keiji: suggest that we periodically review questionnaire; e.g. at TPAC, or more frequently
... to review and update

npd: yes, gh issues work well
... people are already opening issues on fingerprinting doc that aren't directly fingerprinting related, so it will be useful to have a more direct channel

chaals: +1 to gh issues
... We can usefully look at other domains to see how they've addressed issues that we see on the Web
... our scope is Web, but other domains may offer pointers to problems and solutions

<VirtualRendezvous> Thanks everyone, wonderful to be back at W3 privacy world again, hope to be able to contribute in Virtual Reality and native Apps soon. *waves* bye

tara: thanks all!
... see you on the mailing list


tara: Next call? end of February

npd: FYIs. on Fingerprinting, the TAG has some feedback
... I'll be talking to them
... Also, WebPerf has been working on Beacon, which we discussed.
... They have a new doc. I've opened some issues, will discuss.

tara: Thanks Nick for doing these reviews!

<christine> Hi. I have to drop off the call. Could we do 18 instead?

tara: We'll work out the date and send something to the list.

<keiji> npd?


<keiji> Thank you

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/01/21 18:01:49 $
