07:28:53 RRSAgent has joined #privacy 07:28:53 logging to http://www.w3.org/2016/09/20-privacy-irc 07:29:50 FYI, I am at the Chairs' Breakfast, finishing at 8:30 and will be at the PING room shortly. 07:31:06 Meeting: PING meeting at TPAC2016 07:31:37 JoeHallCDT has joined #privacy 07:32:19 present + 07:34:42 christine has joined #privacy 07:36:03 moneill2 has joined #privacy 07:36:53 For locals in Lisbon: room is 1.13 07:37:47 We are getting the WebEx set up - bear with us! 07:40:11 That did not seem to be working, sorry! 07:40:28 Can you hear me at all? 07:41:55 is someone there taking minutes? 07:42:07 weiler has joined #privacy 07:42:11 happy to scribe 07:42:34 barryleiba has joined #privacy 07:42:41 npdoty: UC Berkeley I School 07:42:49 schunter has joined #privacy 07:42:53 present+ npdoty 07:43:07 keiji: W3M contact for PING 07:43:08 Karima has joined #privacy 07:43:39 anssik has joined #privacy 07:43:40 Martha: from blockstream, chair of blockchain wg 07:43:46 barry leiba 07:44:22 David Singer 07:44:29 Mike O'Niell 07:44:30 present+ tara 07:44:43 mattias schunter 07:44:50 present+ 07:44:56 present+ 07:45:00 present+ Christine Runnegar 07:45:06 dsinger has joined #privacy 07:45:12 present+ 07:45:12 present+ 07:45:20 present+ 07:45:24 I'm Karima Boudaoud from University of Nice Sophia Antipolis. Interests: User-centric Security and Privacy Management 07:45:26 Gloria has joined #privacy 07:45:28 present+ 07:45:30 moving on to first agenda item on fingerprinting guidance 07:45:47 Is there a URL for the document? 07:45:49 http://w3c.github.io/fingerprinting-guidance/ 07:45:54 marta has joined #privacy 07:46:26 Marta Piekarska, Blockstream. Security Architect & Standards, AC Rep. 07:46:48 ...co-chair of Blockchain CG 07:46:48 RRSagent, make minutes 07:46:48 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 07:48:30 this is a guidance document, intended to be a group note 07:48:57 shepazu has joined #privacy 07:49:01 the idea would be to have specification authors (and implementors) read this and be able to incorporate the ideas here into their work 07:49:10 will go over the motivation and structure of the document 07:49:41 growing concern about inference and leakage based on configuration settings or other aspects of the browser 07:49:51 allows for tracking and ident. in ways that are not expected 07:50:11 e.g., you can clear cookies in your device, but there are no (or few) controls for fingerprinting 07:50:22 scribe: JoeHallCDT 07:50:24 has a number of privacy impacts described in Section 1.2 07:50:41 RRSAgent, make logs member 07:50:43 some feel that this whole area is a bit of a lost cause 07:51:00 however, we do illustrate how to mitigate the privacy risks here 07:51:13 : RRSagent, make minutes 07:51:15 we can make it difficult or at least observable so that the user can figure out when fingerprinting is going on 07:51:17 RRSagent, make minutes 07:51:17 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 07:51:26 RRSAgent, make logs team 07:51:33 there is a list of 9 best practices currently in the document 07:51:45 section 4 on feasibility 07:52:05 describes various levels of success in terms of mitigations 07:52:30 rest of the document focuses on the mitigations, using examples as we have them 07:52:59 questions? 07:53:07 about the purpose or structure of the document 07:53:18 https://github.com/w3c/fingerprinting-guidance/issues 07:53:22 moving on to open issues 07:53:40 feedback from the TAG and from the PING list 07:53:51 many are currently marked "pending review" 07:53:58 please check those and we can try to close those out 07:54:04 https://github.com/w3c/fingerprinting-guidance/issues/13 07:54:05 https://github.com/w3c/fingerprinting-guidance/issues/13 07:54:09 https://github.com/w3c/fingerprinting-guidance/issues/11 07:56:49 ok, we are back! 07:56:55 yay technology! 07:57:53 11 is about providing hooks for instrumentation 07:58:43 make it easier for browser extensions to list the things a website is doing 07:59:07 it's very cumbersome process to do this kind of detection… essentially have to write your own browser 07:59:23 npdoty gets the impression that there is not a whole lot we can do about this in the document 07:59:24 Implementers can facilitate detectability by providing or enabling instrumentation so that users or third parties are able to calculate when fingerprinting surface is being accessed. Of particular importance for instrumentation are: access to all the different sources of fingerprinting surface; identification of the originating script; avoiding exposure that instrumentation is taking place. Beyond the minimization practice described above, these are[CUT] 07:59:25 implementation-specific (rather than Web specification) features. 08:00:11 dsinger asks: "wonders how I can tell when e.g. a site asks about my fonts, whether it truly cares about fonts or is ‘just’ fingerprinting me?" 08:00:33 npdoty: there are gross kinds of distinctions 08:00:42 … e.g., if a site is enumerating all fonts, not good 08:00:58 another big issue is actionability (issue 13) 08:01:16 … how do we make the document more actionable… through an explicit decision tree, for example 08:01:38 … even with best practices in the document, how does a team figure out what they should do when? 08:01:57 … what we've done is asked people to attempt to use the document in their work 08:02:06 … that feedback is very useful 08:02:20 … one thing we might do is identify fingerprinting surface 08:02:28 Present: keiji, tara, JoeHallCDT, npdoty, barryleiba, moneill2, schunter, dsinger 08:02:39 … which would be helpful to figure out when a spec is increasing fingerprinting surface 08:02:43 RRSagent, make minutes 08:02:43 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 08:03:11 … data sources that could increase fingerprinting… add a new header? look at mitigation number 1 (this is just an example) 08:03:20 … very unclear how to make it more actionable 08:03:27 Chair: tara 08:03:37 … very much would like the feedback from others as to how could this document be made useful 08:03:43 q+ 08:03:44 … thoughts? 08:03:50 What is the incentive for (non privacy) chairs to care about fingerprinting? 08:04:04 q- 08:04:06 ack christine 08:04:33 JoeHallCDT: we asked people to look at the privacy questionnaire for the specifications they're working on, did we do that with fingerprinting doc? 08:04:33 in best practice 8 could add that apis should be available for extensions to deal with identifiers, There are APIs to deal with cookies if identifiers are origin specific then ther should be ways to make them visible to extensions(SO THEY CAN BE MADE MORE VISIBLE AND ACTIONABLE BY USERS) 08:05:42 npdoty: we have had occasional people that have referenced the document 08:05:46 … we could ask explicitly more 08:05:54 q+ 08:06:24 christine: what are the incentives for non-privacy folks to care about fingerprinting? 08:06:29 q- 08:06:31 q? 08:06:35 q+ to ask about vanilla and fuzz 08:06:53 … the answer is partly: we can't make all w3c specs fingerprinting proof 08:07:04 … but we can try to not make them worse by increasing fingerprinting surface 08:07:08 Thanks! 08:08:06 … do you really need to add this thing that increases surface? and at what level of granularity do you need it? 08:08:34 How about a team of white hat fingerprinting exploiters to look at new APIs to see how they can be exploited by bad guys 08:08:40 I think the most direct incentive for any given team is: you don't want to deal much later on in the process with privacy/security teams restricting implementation of your feature because it has this substantial privacy cost 08:08:53 … detectability is an important element, especially for keeping web actors accountable (through DPA, etc. enforcement) 08:09:21 … asks npdoty: would you like help in terms of creating a decision tree? 08:09:39 Kepeng has joined #privacy 08:09:44 mschunter: thinks the privacy questionaire is a good place to tie in the actionability 08:09:44 I said: Good job! 08:09:50 Great job, actually... 08:10:05 chaals has joined #privacy 08:10:43 npdoty: we've talked a number of times about whether or not these should be two documents or one 08:10:50 … but this sounds like a great idea 08:10:51 q+ to suggest looking into WebDriver as an automation mechanism. 08:10:55 Example question: Does your working group define or change the user agent behavior in any way? (no -> no fingerprinting impact?). 08:11:04 … happy to have those questions in the questionaire or vice-versa 08:11:28 … would love some help. npdoty is not in the best position to do this as he's not as close to spec authors 08:11:34 … so think about this this week 08:11:48 dsinger: split section 2? 08:12:14 agenda: https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0043.html 08:12:46 … fuzzing data to make less identifiable and vanilla response for a feature are great 08:12:57 npdoty: we actually prefer the "vanilla" style 08:13:07 ack ds 08:13:07 dsinger, you wanted to ask about vanilla and fuzz 08:13:22 http://w3c.github.io/fingerprinting-guidance/#a_standardized_profile 08:13:45 dsinger: we should say explicitly "you must define the vanilla response for your feature" 08:13:57 … should we be documenting what is vanilla for older specifications? 08:14:21 … vanilla response = first sentence in 6.2 now: "Specifications can mitigate against fingerprintability through standardization; by defining a consistent behavior, conformant implementations won't have variations that can be used for browser fingerprinting. " 08:14:31 npdoty: e.g., ordering of fonts 08:15:02 dsinger: we could even specify what is the "lie" a browser would have to give (e.g., fake list of fonts) 08:15:24 … maybe here we could actually try and document what the vanilla response should be for existing specs? 08:15:57 npdoty: hmmm, what would the form of a vanilla response take? 08:16:11 dsinger: maybe just say "you should define a vanilla response" 08:16:21 dsinger, if we had a specific example of that, of what it would look for a certain spec, that would be helpful 08:16:27 mike: some things may not be fuzzable 08:16:55 mkwest: you were talking early about hooks into the browser that would allow you detect 08:16:55 ack mk 08:16:55 mkwst, you wanted to suggest looking into WebDriver as an automation mechanism. 08:17:03 … might want to look into the WebDriver specification 08:17:07 present+ mkwst 08:17:16 … allows more control than what you would have in a normal browser 08:17:28 … you could get events back that might be useful for this 08:17:43 … should also talk to those folks about requirements for this kind of use case 08:17:50 yoav has joined #privacy 08:18:00 … APIs that you have via WebDriver are going to be more powerful than via the web 08:18:36 npdoty: when researchers test these things, they are trying to instrument such that a headless browser gets some stuff 08:18:52 mkwest: I think we're on the same page… it's a bit like a debugging interface 08:19:03 q? 08:19:10 https://www.w3.org/TR/2013/WD-webdriver-20130117/ 08:19:35 mattias: Web Driver won't allow you to do automatic discovery 08:21:01 npdoty to follow up with Princeton, FPDetective folks on whether WebDriver would be a useful area for them to look re instrumentation 08:21:05 Mike: You can script web-driver and (if you got the script right) then it will collect sufficient information to determine whether a site tried to fingerprint you. 08:21:29 mike: origin-policy API, where the site can send down an arbitrary string (like cookies), could be a good place to think about fingerprinting analysis 08:21:32 (= my assumption that Webdriver cannot be scripted seemed to be wrong ;-) 08:21:38 :) 08:22:06 mkwest: cookies are not fingerprinting… very explicit tracking, under user control. much less dangerous (not dangerous) to users 08:22:29 … canvas, on the other hand, is more of the fingerprinting in terms of lack of discoverability 08:22:45 +1 that I'm less concerned about cookies 08:22:52 … more concerned about things that are outside of the user control 08:23:00 and the main things we recommend in this is just that you should treat it exactly like cookies, like clearing it at the same time 08:23:34 (discussion about clearing site data and media stream ID) 08:23:53 mkwest: >10% of users clearing cookies on a weekly basis 08:24:14 … ff has a "forget this site", Chrome is going to have it soon 08:24:34 … we can certainly look at applying this document to any and all of WebAppSec specs 08:24:58 we include "cookie-like fingerprinting" in this document largely for the "evercookie" risk identified in the past 08:25:07 3 levels of data: 08:25:08 mattias: the explicitness of a data source is important… cookies, super explicit. other things like media streams ID, not explicity. 08:25:14 1. Cookies (explicit, visible, deletable) 08:25:22 q? 08:25:30 q+ on permanent 08:25:38 2. Web-site data that is stored in a user agent and that can be erased (by clearing web-site data) 08:26:04 3. Any user agent data / characteristics/ data that cannot be erased (this is the surface for fingerprinting). 08:26:24 q? 08:26:29 ack np 08:26:29 npdoty, you wanted to comment on permanent 08:26:38 mkwest: it's unlikely no document will pose zero problems, but "this is like cookies" would be a good place to end 08:27:01 npdoty: there are things that are like cookies in terms of explicit, and there are others 08:27:07 http://w3c.github.io/fingerprinting-guidance/#clearing-all-local-state 08:27:21 … we are coming across functionality where we might need permanent or persistent identifiers 08:27:44 … and in the document ^^^ we say we should have no permanent or persistent identifiers 08:28:01 mkwest: alas, many groups want to do the exact opposite of this 08:28:13 … look at WebAuth and the smartcard keying stuff 08:28:16 [Hardware-Based Secure Services: https://rawgit.com/w3c/websec/gh-pages/hbss.html ] 08:28:24 … those are much more persistent notions of identifiers 08:28:39 … agree with the sentiment, but that there are important use cases for more persistence 08:28:50 … orgin-locking, etc. can be recommended here 08:29:29 mike: origin locking is not as helpful as discoverability 08:29:39 the paragraph I currently have mentions origin-locking, user permission and user clearing, but I guess I'm asking whether this is the place to include that advice, or how amenable people would be to it 08:29:46 q? 08:29:52 mkwest: origin locking is the foundation (doesn't make much sense to have discoverable but not locked) 08:30:32 npdoty: on scheduling, it would be useful to close out the things that are marked pending-review 08:30:48 … and get some feedback/interaction from other groups 08:30:56 … goal is to get this document in a note by the end of the year 08:31:13 tara_: thanks for joining us in Lisboa! 08:31:13 goodnight! 08:31:42 topic: PING privacy questionnaire 08:31:47 christine: let's talk privacy questionnaire 08:31:51 https://github.com/w3c/ping/blob/master/privacy-questions.html 08:31:53 Privacy Questionnaire: http://htmlpreview.github.io/?https://github.com/w3c/ping/blob/master/privacy-questions.html 08:32:14 christine: core piece of work is to produce an annotated privacy questionnaire 08:32:20 RRSagent, make minutes 08:32:20 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 08:32:39 … the origin of this is mkwest's TAG-adopted security questionnaire 08:32:44 moneill2 has joined #privacy 08:33:03 … the idea is to have a set of questions that spec authors can work through and minimize privacy implications of their specs 08:34:34 … many thanks to greg norcie and CDT for curating this 08:35:07 … let's use the hour to walk through the document, see where it stands, and set up some homework assignments 08:35:28 … work on refining the questions and calibrate the level of detail for the addendum 08:35:33 q+ 08:35:35 … questions? 08:35:54 ack kepeng 08:35:57 kepeng: we have some differing formats across questions 08:36:07 … 2 starts with an explanation 08:36:15 … we need to make the structure of each question consistent 08:36:30 … also 13 isn't as detailed as 11 and 12 08:36:42 christine: what you see before you is very much still a draft 08:36:53 … we have bascially put all the current thinking here in this place 08:37:17 … when we clean up the document, we definitely want good consistency! 08:37:33 … there are some WG members who need details, and there are others that just want the questions 08:37:56 … why is this an issue? what are ways of mitigating this issue? can we make something more detectable? 08:38:13 … this is very much a draft, need to work on together as a group to get in a better state 08:38:20 Is there an URL for this questionaire? 08:38:27 … need to make sure that we keep this moving 08:38:42 … goal would be to have a working draft by the end of the year 08:39:03 … I don't think in our privacy guidance we should attempt to define privacy 08:39:26 … perhaps do it more like what IETF did… explain issues in terms that spec authors/imps can understand 08:39:49 q? 08:40:32 present+ kepeng 08:40:52 Original Security & Privacy questionnaire: https://www.w3.org/TR/security-privacy-questionnaire/ 08:40:56 kepeng: what is the difference between this and that TAG one? 08:41:09 joehallcdt: we can't remember 08:41:18 weiler_ has joined #privacy 08:41:20 mkwest: the TAG document has either too much detail or not enough detail 08:41:48 … either the questions are too detailed to give a high-level overview or not 08:41:54 moneill2_ has joined #privacy 08:42:02 q+ 08:42:08 … preference here would be to have a high-level document that points to more detailed guidance 08:42:21 … would love to trim down the TAG document 08:42:36 … we could merge the two to make a super document 08:42:46 … but that would make it less likely that anyone would use it 08:43:03 … maybe make the TAG document smaller and this one longer 08:43:19 kepeng: what is the security equivalent of the privacy questionairre? 08:43:25 mkwest: there isn't something that detailed 08:43:38 dsinger: why do you think two documents are useful? 08:43:52 mkwest: it could be different sections of the same document 08:44:09 … the PING document is more of a deep-dive, and we could use that for security 08:44:39 christine: thanks to mkwest for getting the TAG document out there 08:44:41 ack chr 08:45:02 … we can ultimately decide what to do with the document 08:45:17 … would be good to walk through the document. What's missing? homework on existing items? 08:45:58 q+ on PING developing a security document too 08:46:30 dsinger: "what do you need to think about to write the privacy considerations section of your spec?" 08:46:45 mkwest: there is a balance between covering everything and being usable 08:47:29 … from internal uses at Google, an expando-type document works well (expando: deeper heirarchy can be exposed from a high-level document) 08:47:37 … is important to have as much detail as possble 08:47:53 … practically, people get sad when they see a 30-page document 08:48:11 q?? 08:48:25 tara_: practical question: likes the expando 08:48:43 … or will we end up with a tiny questionairre and a very long one 08:48:57 I would like to see the meta-question added “are there privacy aspects of your specification that the preceding questions did not pull out?” 08:49:19 q+ 08:50:43 yoav has joined #privacy 08:51:09 barryleiba1 has joined #privacy 08:54:14 keiji_ has joined #privacy 08:54:39 JoeHallCDT has joined #privacy 08:54:43 ok back! 08:55:18 dsinger: questions 2, 7, 8 (?) clearly need work 08:55:51 q+ 08:55:54 weiler_ has joined #privacy 08:55:59 mattias: what do we think the process is to produce a w3c spec that has a good privacy considerations section? 08:56:07 … when do we want to see specs do what? 08:56:24 … our goal is to have specs in w3c to have good privacy considerations sections 08:56:58 barryleiba1: this might be difficult, what kind of guidance can we give them? Think about it as soon as possible? 08:57:14 dsinger: we maybe should be looking for FPWD that do not have privacy considerations 08:57:33 … we should explicitly say FPWD is the point in time for this 08:59:40 RRSagent, make minutes 08:59:40 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji_ 09:01:06 present+ wseltzer 09:01:40 JoeHallCDT has joined #privacy 09:02:13 dsinger: perhaps the document could capture some of this meta conversation? 09:02:32 … e.g., why do you need to think about privacy considerations earlier? 09:03:42 JoeHallCDT1 has joined #privacy 09:03:50 mkwest: the TAG document tries to go in that direction… maybe doesn't do a great job 09:04:37 q? 09:05:16 schunter_ has joined #privacy 09:05:24 weiler has joined #privacy 09:05:30 ack sch 09:05:50 JoeHallCDT has joined #privacy 09:06:05 q- 09:06:26 dsinger: questions 2, 3, 7 all sound very similar, need to fix that 09:06:28 q- 09:06:47 … and add "are there questions about your spec that we didn't ask that we should have?" 09:08:14 [break: return at 11 Lisbon] 09:08:30 RRSagent, make minutes 09:08:30 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 09:13:44 schunter1 has joined #privacy 09:18:28 weiler has joined #privacy 09:21:25 yoav has joined #privacy 09:21:46 chaals has joined #privacy 09:32:52 barryleiba has joined #privacy 09:33:43 barryleiba has joined #privacy 09:33:46 chaals has joined #privacy 09:34:37 shepazu has joined #privacy 09:34:46 yoav has joined #privacy 09:35:13 JoeHallCDT has joined #privacy 09:36:49 JoeHallCDT1 has joined #privacy 09:40:48 keiji has joined #privacy 09:41:09 : RRSagent, make minutes 09:45:24 dsinger has joined #privacy 09:48:03 RRSagent, make minutes 09:48:03 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 09:49:06 present+ mattias, martha, christine 09:49:12 RRSagent, make minutes 09:49:12 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 09:57:22 tara has joined #privacy 09:57:44 We seem to have the network and WebEx back, for those who got cut off... 10:03:06 Okay, let's get going again... 10:03:15 Here is a pile of notes from my offline scribbles 10:03:39 Context - begins from the discussion of the Privacy & Security Questionnaire 10:03:53 Karima has joined #privacy 10:04:33 JoeHall: those of us with security expertise could try to make a draft questionnaire Would likely not be good but would provide something to correct 10:04:41 Joe volunteers to do this 10:04:47 Kepeng also volunteers 10:05:19 Marta: maybe we could try some kind of flowchart model 10:05:32 David Singer: Q 2,3, and 7 need work 10:05:39 Matthias: having a checklist of questions is helpful to avoid overlooking anything 10:06:05 David Singer: do we expect to see Priv Considerations at some stage of the doc? Do we give people the short questionnaire for CR, or at earlier step? -- good for this group to lay out a process for this -- e.g. "can you do a CR transition if this section is not filled out"? 10:06:28 BarryL - going to vary depending on the context as to what would work best 10:06:36 DaveS: much better to do it earlier in the process -- first public working draft might be a better stage (not checkbox for last step in the process) 10:06:55 MikeW: experience in practice has shown that doing security & privacy late in the process has been a mistake so this was my motivation for making the original questionnaire MW: it would be nice if there were requirements to do Priv Considerations MW: first public working draft -- has "human review"; might be a good place to already have Privacy Considerations section in place, or start the discussion MW: use ReSpec or BikeShed -- will warn if you don't have se[CUT] 10:07:04 WendyS: we have Ralph Swick whose function is to coordinate those reviews. We can give him guidance on this process. We could recommend that this be included in first public working draft. 10:07:11 BarryL - IAB has discussed this. Security Considerations is required -- it's a placeholder, not always populated. IAB did not mandate Privacy Considerations (cannot mandate anything); did not define privacy, either. Community would have to have consensus to require Privacy Considerations. In practice, IESG will bring up these issues regardless. 10:07:20 dsinger has joined #privacy 10:07:24 DavidS: we did have a spec here that asked if you could even begin this work without having serious privacy implications? Would be better to find that out well before CR. 10:07:32 MikeW: the TAG document tried to go in this direction. Started with general threat and then go into more detail about specifics of a given threat. Note: documents are limited in their ability to support interaction. Unclear how to best structure something to make it effective. 10:07:38 MikeW: it's okay to have the section assert that there are "no problems." 10:07:46 TaraW: we should break up the document into sections to work on to make concrete progress. Also welcome suggestions for additions. 10:08:02 dsinger: suggests looking at 2, 3, and 7. 10:08:10 TaraW: ** we're breaking at 10 instead of 11 -- to deal with the wifi (and coffee) 10:08:16 And now we're back into the agenda 10:09:55 scribe: tara 10:09:58 RRSagent, make minutes 10:09:58 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 10:10:06 scribe: joehallcdt 10:10:21 dsinger has joined #privacy 10:11:00 Andrew: works for financial times, member from TAG (5% of time on standards work) 10:11:06 … interest in privacy 10:11:16 ??? also on the TAG 10:11:34 … had advised the UK cabinet on privacy issues, etc. 10:11:47 … interested in how the connections we build here impacts life outside 10:11:50 s/???/hadleybeeman 10:11:57 ???? from GPRS, working on domain registry 10:12:09 s/on privacy issues/on technology and privacy/policy issues 10:12:11 … lots of user data, want to make sure it is informed by privacy 10:12:14 s/????/yoshiro/ 10:12:28 Jeff Jaffe: needs no intro! 10:12:54 tara_: left off with how to deal with the privacy questionairre 10:13:00 … mkwest was here earlier 10:13:01 q+ 10:13:19 present+ andrew, hadleybeeman, yoshiro 10:13:29 … he was interested in making sure we had high-level guidance and deeper guidance that flows from that 10:13:44 … right now our privacy document is in between 10:14:01 … seems like we were moving towards consensus to take this document and turn it into the detailed version 10:14:10 … and produce something more high-level from it 10:14:22 … we would need to start carving out particular things 10:14:31 moneill2 has joined #privacy 10:14:32 present+ jeff 10:14:40 … christine offered to shepheard that work, but we need to do that work. 10:14:44 q? 10:14:45 present+ 10:14:57 present+ hadleybeeman, andrew.betts 10:15:13 jeff has joined #privacy 10:15:21 Joe: how about we set up scaffolding with both security & privacy parts? 10:15:46 q+ 10:15:53 Combine TAG & PING questionnaire in one doc -- can start off with the high-level part that mkwest recommended 10:16:31 This could satisfy the need to have high-level guidance and also the details as required. 10:16:51 Need to consider limits of the usual W3C document style 10:16:51 q+ 10:17:13 ack joe 10:17:32 ack joehallcdt 10:17:41 JoeHall: this is in recognition of the fact that the Security part hasn't has much uptake to date 10:17:51 jeff jaffe: thinking about privacy and security considerations. good idea! 10:18:05 schunter has joined #privacy 10:18:07 … then looked at this document that says it's important that the user can spoof 10:18:18 … maybe great for privacy but that might be bad for security 10:18:31 ack jeff 10:18:34 Gloria has joined #privacy 10:18:38 … can we work with the security folks to make sure that this isn't a problem 10:19:06 hadleybeeman: there will be tension coming from both perspectives 10:19:16 … and we'll need to work through that 10:19:36 mattias: we do recognize that things like UA strings will be important to spoof 10:20:19 jeff: was just wondering if there would be contradicting guidance here… one says "support spoofing" and the other says "don't spoof" 10:20:46 mattias: if you reword it so that "users can make a free choice as to what to send" it would be more palatable. 10:21:42 hadleybeeman: from a TAG perspective, we are interested in making sure spec authors are thinking about things that may not be their particular interest or focus in a spec 10:22:00 … security and privacy are separate thought processes, have to put yourself in the position of thinking like that 10:22:02 q+ 10:22:32 ack had 10:22:32 ack me 10:22:34 … one of the benefits of having something written, is not just to have an author go through a process, but to nudge them into thinking about different elements of the spec. 10:23:30 andrew: organizations could really benefit from seeing this written down well 10:23:41 ack kei 10:23:53 … trying to fight against the instincts to build tech that compromises privacy is a good feature of this kind of effort 10:24:02 Yoshiro has joined #privacy 10:24:20 keiji: the base of the web is that people are anonymous 10:25:05 tara_: clearly we have some issues with spoofing data 10:26:05 dsinger: can we at least decide on what "spoofing" "fuzzing" and "randomization" mean for PING? 10:26:21 tara_: yes, there is a thing in our agenda for that after lunch 10:26:52 dsinger: and 2, 3, 7 questions in the spec need to be closer together and likely consolidated? 10:27:25 q+ 10:27:27 … one question at the end: "If you answered these questions like a lawyer, only answering what was asked, are there questions we should have asked?" 10:27:40 ack had 10:27:46 … and having an introduction that set expectations of when to use this thing could work 10:28:15 hadleybeeman: TBL talked about recently "what are the policy considerations we should consider?" 10:28:51 … e.g., we could have included a section in the email spec that notes there could be potential problems in the future (e.g., spam) 10:29:06 I would like a section on the steps to follow that will result in a quality privacy considerations section. What do you need to do at FPWD? How do you get a privacy review? Which questions help at which stage? and so on 10:29:24 JoeHall: talking about issues that *others* might wish to know about that are not dealt with in the spec 10:29:34 barrylieba: so write down, "here are things we though about and either cannot do anything about or will not do anything about" 10:29:50 hadleybeeman: if we decided this is something to do, we'd need to make it explicit 10:30:03 … maybe we need s privacy issues or policy issues sections of specs 10:31:04 tara_: any volunteers interested in editing or doing something with specific sections of the document? 10:31:15 bob has joined #privacy 10:31:53 Kepeng has joined #privacy 10:31:55 hi. Is webex up? 10:32:04 Should be. If it's not. let me know! 10:32:13 Try calling in. 10:32:18 We think we're dialled in. 10:32:23 It says host has not yet joined. Is there a new link? 10:32:53 give one sec, Keiji needs to join as host 10:32:58 Seems to be fine now 10:34:11 Hi! 10:34:51 tara_: anyting on questionairre for the good of the order? 10:34:59 christine: no, will look 10:35:13 now on Kepeng on his new document: https://www.w3.org/wiki/Privacy/Privacy_protection_principles 10:35:19 RRSagent, make minutes 10:35:19 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 10:35:30 Topic: Privacy Protection Principles 10:35:41 Privacy Protection Principles: https://www.w3.org/wiki/Privacy/Privacy_protection_principles 10:36:39 kepeng: sent the link to the list two days ago 10:36:46 … it's about privacy protection principles 10:37:12 … on the list, there has been discussion about privacy principles being defined/described in a number of other places 10:37:20 … OECD, etc. 10:37:35 … my intent is to make this specific to the Web 10:38:11 … I have a specification in Chinese similar to this 10:38:25 … we can make it applicable to the w3c 10:38:37 tara_: what was the rationale for creating the document in the first place? 10:38:48 kepeng: I just wanted to contribute! 10:39:05 … in China, we are defining a national standard similar to this 10:39:15 … and it may be useful to bring it to the W3C 10:39:45 … has 9 principles in the current document 10:39:46 schunter1 has joined #privacy 10:40:10 … subissues are mostly not developed as don't want to spend a lot of time on this if it gets refactored or reorganized 10:41:06 joehallcdt1: the "agreement" principle is usually called "transparency" in other similar work 10:41:36 agreement here seems to be notice & consent? 10:41:56 kepeng: minimization principle (minimum usage principle) 10:42:36 … clear communication principle is all about form of notice 10:43:35 q? 10:43:57 Q+ 10:44:25 kepeng: this is an early effort 10:44:42 … comments from chaals were helpful 10:45:02 … "What if the purpose is to collect long-term information about a user?" 10:45:32 … the website should tell the information subject before hand, and the user can reject it 10:45:52 … "What if the purpose is to monetize information about the user to fund service? 10:46:10 … we'll want to define some mechanism to avoid this kind of situation 10:46:58 q+ 10:47:14 christine: sound quality is difficult... 10:47:19 ack chr 10:47:30 … thanks for sharing this work you've been doing in China, and now this English version 10:47:43 … is this an extension of the APEC privacy principles work? 10:47:48 … this is interesting, but 10:47:51 yoav has joined #privacy 10:48:05 … it seems to be more of a policy document than a technical document 10:48:12 … PING might not be the best place for this 10:48:40 … a bit wary of developing a document that is similar but different from the universe of other privacy principle efforts 10:50:32 chaals has joined #privacy 10:50:32 … Fredrik (from the WG formerly known as DAP) did http://www.w3.org/TR/2010/NOTE-dap-privacy-reqs-20100629/ 10:51:12 kepeng: I will focus on privacy questionnaire 10:51:15 ack barry 10:51:27 barrylieba: christine said much of what I wanted to say 10:51:41 … most of this is not about protocols but about how site operators should act 10:51:56 … want to be very careful about saying anonymizing information helps 10:52:42 … i.e., enough pieces of anonymous information can be aggregated, may not be able to keep anonymious 10:53:13 … e.g., AOL search results release 10:54:16 (discussion about various reidentification attacks that have happened in the wild) 10:55:14 kepeng: maybe hold off on this and pull some of this into the privacy questionnaire 10:55:29 q+ 10:56:02 ack joe 10:56:12 JoeHallCDT1: I'm considering making a W3C Note on privacy, especially sensors (perhaps WoT)? We were discussing this at DAS 10:56:25 It is possible that there are gaps in the existing principles 10:56:43 Example: US revisiting FIPPs; looking at "respect for context" 10:56:53 So bear in mind that those external references change, too. 10:57:24 hadleybeeman: wrt context, could talk about search history 10:57:46 … useful to remember that the those governmental documents have political agendas 10:58:05 s/agendas/associations and baggage 10:58:12 dsinger: context is part of what I've been talking about in terms of cultural grounding of privacy issues 10:59:36 tara_: could be an issue to call out areas of a page/spec that might have cultural or national variance (?) 11:00:19 JoeHallCDT1: In some cultures, it's a compliment to say someone is fat. It signifies prosperity. In others, it's an insult. 11:01:19 tara_: sounds like we'll hold this and see if this can be applied (or part of it) on the questionnaire 11:01:41 dsinger: governments have been writing laws that are way to techincal, and we've been too philosophical 11:02:20 david rogers and paul bailey have joined the room in f2f 11:02:42 kepeng: how do I contribute to the PING questionnaire document? 11:02:53 tara_: we'll figure this out and get back to folks 11:03:40 breaking for lunch, back in an hour! 11:04:23 RRSagent, make minutes 11:04:23 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 11:04:54 Agenda for PM: 11:04:58 5. Terminology discussion [4] (13:00-13:30) 11:04:59 * Would a standardized privacy vocabulary be useful in our work? [Joe Hall] 11:05:00 6. Planning next year's work (13:30-15:00) 11:05:01 * discuss IETF F2F ideas [5] [Tara Whalen, Joe Hall] 11:05:02 * proposals for additional work items? 11:05:03 7. AOB/unstructured time (15:00 – 18:00) 11:14:41 marta_ has joined #privacy 11:15:34 at some point I was suggesting we should look into using flowchart style privacy questioner 11:22:18 yoav has joined #privacy 11:41:58 JoeHallCDT has joined #privacy 11:42:35 JoeHallCDT1 has joined #privacy 11:52:50 keiji has joined #privacy 11:57:27 barryleiba has joined #privacy 11:59:41 we should be starting soon (for any remotes) 12:00:25 JoeHallCDT has joined #privacy 12:02:20 weiler has joined #privacy 12:03:34 tara has joined #privacy 12:03:51 WebEx up for anyone who wants to call in. 12:04:14 Waiting for more folks to return from lunch before we jump in... 12:05:54 dsinger has joined #privacy 12:08:09 Karima has joined #privacy 12:09:46 Karima has joined #privacy 12:10:19 Karima has joined #privacy 12:11:14 https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0038.html 12:16:41 scribe: keiji 12:16:48 topic: Terminology discussion 12:17:11 dsinger has joined #privacy 12:17:23 tara: Here we would like to discuss on terminology around privacy. 12:18:28 JoeHallCDT1: We have many words to be defined cleary e.g. soof and randmize. 12:19:25 JoeHallCDT1: We should use certain words consistently. 12:20:24 … we have wiki but it may not be best way for standardization. 12:21:07 … e.g. spoofing has narrow meaning. 12:21:32 q? 12:21:41 q+ 12:22:21 … we should have defined terms to be used in our context. 12:22:23 ack barry 12:23:14 barryleiba: We should have consistent list of word for privacy. 12:23:16 fwagner has joined #privacy 12:23:29 +1 we should keep a list of terms (GitHub document, Wiki) 12:23:38 … we even shoud have definition of privacy. 12:23:42 +1 12:24:47 dsinger: agrees to have list of terms with GitHub or Wiki. 12:25:31 schunter has joined #privacy 12:25:43 notes that there is which I have never seen before… 12:26:24 mkwst: guidance definition of terms for standardization is helpful. 12:27:17 tara: list does not need to be exhaustive. 12:29:43 q? 12:31:12 JoeHallCDT1: We should have generic definition rather than specific. 12:31:27 yoav has joined #privacy 12:32:35 mkwst: We should have IDL to point similar term etc. 12:32:53 chaals has joined #privacy 12:33:20 barryleiba: about spoofing randomizing fuzzing 12:33:46 … obfuscating may be good to represent those things. 12:34:28 mkwst: we can write down those possible terms. 12:35:05 moneil2 has joined #privacy 12:36:16 topic: self introduction for PM 12:36:25 frank: 12:36:42 jason: web platform from microsoft 12:36:54 Item: Planning next year's work 12:37:04 * discuss IETF F2F ideas [5] [Tara Whalen, Joe Hall] 12:37:12 * proposals for additional work items? 12:37:17 scribe: joehallcdt 12:37:33 topic: IETF F2F ideas 12:37:49 work items: improve questionnaire; how to develop the process for getting review at the right stage, right considerations; glossary development 12:38:04 Frank: Working for the Group Privacy Department of Deutsche Telekom, happy to be here 12:38:19 moving on 12:38:26 to how do we structure our work for 2017 12:38:45 tara_: want fingerprinting guidance to be at group note stage by the end of the year 12:38:54 IETF F2F ideas: https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0018.html 12:39:01 … but there are things we might want to work on that aren't on our radar 12:39:32 … privacy mode/incognito mode standards? 12:39:41 … data gathering on techniques used to violate privacy? 12:39:54 … guest researchers to come to PING and talk about web privacy? 12:40:08 q 12:40:45 joehallcdt: what's the status of privacy mode standards? 12:41:05 mkwest: mnot has put a document together about privacy mode consideration. not sure what the state of that is. 12:41:27 … there is a link from TAG work somewhere to a repo that does some of this 12:41:42 dsinger: informally floated this a year ago at last TPAC 12:41:51 May need to coordinate with TAG to see what work they are pursuing in this area 12:42:01 … users seem to misunderstand that privacy mode is a local version of protection 12:42:40 … tried to motivate a conversation about a UA-based signal that says, "Hey, I'd like to be private" 12:42:51 ??? we've been having some of those discussions at MSFT 12:43:14 … would be very interested in this 12:43:40 s/???/jason/ 12:43:51 mkwest: it's not clear that explaining to websites that a user wants to be private is a good thing, or in the interests of users 12:44:08 … we know that there are sites that are sniffing for incognito, and then don't show content based on that result 12:44:23 … don't want to minimize the use cases that came up with last year 12:44:47 … but it seems hard… explaining the difference between regular and private is hard enough 12:44:58 jason: feels like these are two separate conversations 12:45:09 … on is having multiple identities 12:45:28 … the other is privacy from some threat, local or network 12:45:58 mkwest: one problem is "I want to go to a website, but I want to open this again without it knowing who I am" 12:46:07 chaals has joined #privacy 12:46:21 … there's also the notion of ephemerality… "want to visit this site but want my browser state to remain clean of that interaction" 12:46:49 … for example, a woman's shelter wanted to force users into incognito mode. Very interesting use case. 12:47:03 … but a problem is that you got to that website somehow 12:47:26 … and you do a disservice if they think all of an interaction was erased, when it was just the middle part of the interaction and not how you got there 12:47:43 q? 12:48:00 dsinger: sounds like we'd want to collect use cases 12:48:42 mkwest: mnot's document ( https://gist.github.com/mnot/96440a5ca74fcf328d23 ) takes a first shot at considerations and controls 12:49:10 frank: what would the scope of a collection of uses cases be here 12:49:12 Yoshiro has joined #privacy 12:49:58 mkwest: we try to be very explicit in Chrome that incognito only protects the local 12:50:26 dsinger: we could go as far as saying "if you're in incognito, you want to be https" 12:50:42 mkwest: calling it privacy mode conflates a bunch of different use cases 12:51:05 frank: we've been working on something called a "privacy button" 12:51:26 … which allows forcing a new IP address 12:52:47 yoav_ has joined #privacy 12:53:08 dsigner: having a discussion document about the issues and advantages of a private browsing mode 12:53:26 jason: something that could be useful to come out of that would be a signal for user intent about privacy desires 12:54:09 dsinger will instigate this conversation on the ping list 12:54:39 tara: the next idea: data gathering on technique for violating privacy 12:55:25 action: disinger to instigate conversation on incognito mode on the ping list 12:55:26 Error finding 'disinger'. You can review and register nicknames at . 12:55:49 JoeHall: this was inspired by things like the Princeton (?) research on millions of websites, on fingerprinting techniques 12:55:56 action: dsinger to instigate conversation on incognito mode on the ping list 12:55:56 Created ACTION-13 - Instigate conversation on incognito mode on the ping list [on David Singer - due 2016-09-27]. 12:56:21 q? 12:56:27 action-113? 12:56:27 Sorry, but action-113 does not exist. 12:56:38 action-13? 12:56:38 action-13 -- David Singer to Instigate conversation on incognito mode on the ping list -- due 2016-09-27 -- OPEN 12:56:38 http://www.w3.org/Privacy/track/actions/13 13:01:30 JoeHallCDT: U.S. and E.U. have different concent requirements for use of fingerprinting. 13:01:38 jason: one concern that I have is that the web platform is so sophisticated... 13:01:44 … it's so easy to fingerprint 13:02:29 … e.g., displays running at 60Hz may be between 58.9 and 60.2 13:02:42 … and have seen statistics that browsing to just 10 pages can fingerprinting you 13:02:43 q+ 13:03:19 mike: don't think fingerprinting is that big of a deal 13:03:37 jason: but all the big players do some notion of fingerprinting (WebGL, etc.) 13:03:49 shepazu has joined #privacy 13:04:10 … requestAnimationFrame is a good example of this… the ad is just looking if you're running exactly at 60Hz 13:04:21 ack keiji 13:04:32 keiji: there was a discussion in this group in the past around Web Performance WG 13:04:45 … they tried to define a standard that would be useful for fingerprinting 13:05:18 … when users try to use incognito mode, we may be able to reduce the amount of information leaked 13:05:43 tara: npdoty had listed a bunch of research in fingerprinting area... 13:06:07 … he tries to keep that up to date 13:06:20 … we may be able to collect that in one place 13:06:58 … and that may not be the kind of research we are interested in (e.g., unpublishable things about what users are actually doing) 13:07:24 … would be interesting to have resources about what people are doing 13:09:01 jason: has this group thought about making recommendations for what sites should disclose about how the world works 13:09:20 q? 13:09:23 … e.g., fingerprinting, if sites are using that, you should disclose 13:09:44 mkwest: sites generally disclose this if they have a legal team 13:10:08 … TOS are actionable, which makes them a valuable place to put this 13:10:50 yoav has joined #privacy 13:11:45 dsinger: maybe flip the q upside down? web site says, "to do my function, I need this data. if you give me this data, I'll make these promisses" 13:12:06 … e.g., "actually do need to [list your fonts/canvas timing] and here's why" 13:12:23 … if they don't express a legit interest, don't give the data 13:12:48 barryleiba: this requires a machine readable format for that, hard... 13:13:11 … and [did not catch the second part] 13:14:34 mike: in the GDPR, Article 12, calls for machine-readable indications/icons… e.g., that information imparted should be made available in a machine-readable manner 13:14:47 keiji: in the past there was p3p, what's the difference here? 13:14:52 Second part was "huge incentive to lie", and third part was "who decides what's 'reasonable'?" 13:16:08 mike: in DNT spec there is a tracking resource status, could be a perfect place for this 13:17:36 hadleybeeman: [back on TAG work on standards for private browsing mode] there has been no movement in TAG since that document 13:17:59 … TAG was interested in it becuase 1) users care; and 2) makes it much easier for other specs to have normative references to that 13:18:03 weiler has joined #privacy 13:18:37 … mnot was going to open it up again, but nor sure 13:19:35 s/nor sure/not sure/ 13:20:53 hadleybeeman: as theme of this week and the past year 13:21:01 … as the web and network stack gets more complex 13:21:17 … with more encryption and options about what is happening in a transaction and communication 13:21:26 … the more ways to surface this stuff to the user would be good 13:21:51 …. e.g., mkwest thought about default behavior that a UA would go red when communicating over HTTP rather than HTTPS 13:22:12 … are there areas that the w3c should be looking at that is the next version of user notice 13:22:30 barryleiba: do we have any sense that real users actually understand that? 13:22:48 hadleybeeman: there's a lot of research that talks about that, not at my fingertips 13:22:56 yoav has joined #privacy 13:23:13 mkwest: good person to talk to is Adrienne Porter-Felt on Chrome security team 13:23:24 … great work on usable security UI 13:23:37 … looking at the research of that team would be helpful 13:23:55 … also gave a great talk at the Enigma conference about treating UI as a science in security areas 13:25:00 q? 13:26:52 ADRIENNE PORTER FELT presentation can be seen on http://www.adrienneporterfelt.com/ 13:28:08 (lots of discussion about UI/UX and security) 13:28:53 tara: how do we get close to talking about UI and still recognize this is w3c and we don't do UI? 13:29:17 hadleybeeman: where there are opportunities for cross-browser standardization, this group can be informative 13:30:45 10-minute break 13:32:03 fwagner has joined #privacy 13:33:06 yoav has joined #privacy 13:33:37 RRSagent, make minutes 13:33:37 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 13:36:08 yoav has joined #privacy 13:40:17 Restarting 13:41:00 and… we're back 13:41:01 q? 13:42:57 joehallcdt: what about making privacy reviews more sysematic… how does TAG do it? 13:43:19 hadleybeeman: assigned by expertise… but bringing to the TAG varies quite a bit 13:43:39 christine has joined #privacy 13:43:48 tara: need to be more careful about agreeing to reviews and then not doing them 13:44:20 mkwest: if you want to ship a new feature in Blink, you have to have TAG review… that's increased the amount of reviews 13:44:35 … would be bad to have many many reviews 13:44:43 … would be nice to have one place to ask for reviews 13:45:05 … in Chrome… single bug with a bunch of tags that ask legal? security? and when all done, you can ship 13:46:32 hadleybeeman: TAG is trying to make itself much more scalable… so have been moving to WGs doing it themselves with detailed follow-up 13:46:55 s/have been moving to/prefer the approach of 13:47:34 mkwest: follow the repo for spec review… a low overhead way to keep track of what's going on in the spec 13:49:25 TAG spec review repo: https://github.com/w3ctag/spec-reviews/issues/ 13:49:30 … follow w3c tag spec review repo: https://github.com/w3ctag/spec-reviews 13:51:52 time for any other business (AOB) 13:52:12 Topic: AOB 13:52:55 frank: would like to remind you all that DNT will meet for tomorrow at 2p to talk about EU and DNT and consent 13:54:23 dsinger: the Advisory Board is interested in raising the level of activity on privacy 13:54:47 … so if you have any feedback on how we could increase the level of privacy activity at the w3c, please get in touch 13:55:09 mike: exposing more things for privacy instrumentation and notice would be great 13:55:14 barryleiba has left #privacy 13:55:30 JoeHallCDT has left #privacy 13:55:36 Yoshiro has left #privacy 13:56:21 RRSagent, make minutes 13:56:21 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 13:58:09 action: JoeHallCDT and kepeng to review privacy questionnaire. 13:58:09 Error finding 'JoeHallCDT'. You can review and register nicknames at . 14:00:55 Action: JoeHallCDT and kepeng to review privacy questionnaire 14:00:55 Created ACTION-14 - And kepeng to review privacy questionnaire [on Joseph Hall - due 2016-09-27]. 14:01:30 RRSagent, make minutes 14:01:30 I have made the request to generate http://www.w3.org/2016/09/20-privacy-minutes.html keiji 14:02:23 RRSAgent, make logs public 14:05:04 chaals has joined #privacy 14:06:31 schunter has joined #privacy 14:12:35 yoav has joined #privacy 14:15:23 dsinger has joined #privacy 14:15:38 dsinger has left #privacy 14:26:13 keiji has joined #privacy 14:26:45 Karima has joined #privacy 14:32:21 shepazu has joined #privacy 14:43:30 weiler has joined #privacy 14:54:37 schunter has joined #privacy 15:24:03 lukasz has joined #privacy 15:49:23 chaals has joined #privacy 15:50:42 schunter has joined #privacy 15:54:22 shepazu has joined #privacy 15:56:11 weiler has joined #privacy 16:11:43 weiler has joined #privacy 16:40:49 dlissfeld has joined #privacy 16:43:34 dlissfeld has joined #privacy 16:46:43 keiji has joined #privacy 16:47:59 dlissfeld: test 16:48:31 dlissfeld: 16:49:23 dlissfeld has left #privacy 16:52:04 weiler has joined #privacy 17:09:26 weiler has joined #privacy 17:42:44 schunter has joined #privacy 18:06:44 keiji has joined #privacy 18:11:55 keiji_ has joined #privacy 20:05:30 keiji has joined #privacy 20:15:00 keiji has joined #privacy 20:54:39 Karima has joined #privacy 20:56:40 keiji has joined #privacy 21:32:33 keiji has joined #privacy 22:21:02 yoav has joined #privacy