17:04:31 <RRSAgent> RRSAgent has joined #privacy
17:04:31 <RRSAgent> logging to http://www.w3.org/2016/12/01-privacy-irc
17:04:33 <trackbot> RRSAgent, make logs 263
17:04:33 <Zakim> Zakim has joined #privacy
17:04:35 <trackbot> Zakim, this will be
17:04:35 <Zakim> I don't understand 'this will be', trackbot
17:04:36 <trackbot> Meeting: Privacy Interest Group Teleconference
17:04:36 <trackbot> Date: 01 December 2016
17:04:40 <npdoty> rrsagent, make logs public
17:05:18 <wseltzer> present+
17:05:24 <wseltzer> zakim, who is here?
17:05:25 <Zakim> Present: wseltzer
17:05:26 <Zakim> On IRC I see RRSAgent, npdoty, tara, weiler, LCPolan, Andrey_Logvinov, dveditz, yoav, plinss, mounir, rrware, mkwst, adrianba, hadleybeeman, jyasskin, terri, schuki, dustinm,
17:05:26 <Zakim> ... lukasz, Mek, wseltzer, trackbot
17:05:39 <wseltzer> present+ tara, npdoty
17:05:44 <weiler> present+
17:06:06 <tara> Oops - somehow WebEx kicked me off!
17:06:07 <tara> That is not helpful!
17:06:33 <tara> Ah - okay now.
17:06:37 <tara> present+
17:06:50 <npdoty> present+ jim_lim
17:06:58 <npdoty> present+ lake_polan
17:08:17 <npdoty> scribenick: npdoty
17:08:32 <tara> Requests for reviews:
17:08:41 <tara> Screen Orientation API
17:08:56 <tara> https://lists.w3.org/Archives/Public/public-privacy/2016OctDec/0030.html
17:09:29 <npdoty> agenda: https://lists.w3.org/Archives/Public/public-privacy/2016OctDec/0048.html
17:09:31 <npdoty> chair: tara
17:09:41 <tara> IndexedDB API
17:09:48 <tara> https://lists.w3.org/Archives/Public/public-privacy/2016OctDec/0031.html
17:09:49 <wseltzer> warning, danger lies there
17:09:57 <weiler> present+ mary_hodder
17:10:12 <tara> WebPref: https://lists.w3.org/Archives/Public/public-privacy/2016OctDec/0035.html
17:10:24 <tara> q?
17:10:58 <npdoty> wseltzer: brainstorming on how can we get the privacy reviews done for these specs
17:11:17 <npdoty> ... have talked to a few groups that need a real privacy/security considerations explanation in their specs
17:11:35 <npdoty> ... that is, not just "there are no privacy or security considerations"
17:11:50 <npdoty> ... as a small group, we have trouble keeping up with all the specs
17:12:30 <npdoty> ... working on self-review guidelines and then review that just focus on their answers to those questions, could be a more rapid response
17:13:02 <npdoty> ... and start talking with the person who did that self-review and knows the spec technically
17:13:18 <npdoty> ... so that we can get into more detailed questions about cross-origin or sensors with that person
17:14:26 <npdoty> tara: 1) some specs we are getting people who provide the answers to the self-review questionnaire but more of that could improve the review; 2) late-stage specs that haven't looked at the questionnaire may be an issue
17:14:42 <npdoty> wseltzer: sure, 2) is more on W3C, and is getting spread with education and tooling
17:15:10 <npdoty> ... for our reviews on these calls, could we get champions of issues to take the next step of reading and highlighting anything htat looks concerning
17:15:40 <npdoty> tara: we had tried to identify an individual who would solicit comments and move things forward
17:16:03 <npdoty> q+
17:16:18 <tara> ack np
17:16:39 <tara> nick: it helps to have the groups fill out the questionnaire but there is more work to be done.
17:17:04 <tara> nick: reviewer does have to review the spec in some detail to find the relevant info
17:17:38 <npdoty> tara: +1, reviewer has to look at the spec itself, not just self-review responses
17:17:47 <npdoty> ... to add their own level of analysis or catch issues
17:18:16 <wseltzer> q+
17:18:25 <tara> nick: when we have assigned people, have we followed up?
17:19:19 <npdoty> tara: we have had people who would manage responses, but had more of a problem that the group itself didn't contribute answers to compile
17:19:53 <npdoty> wseltzer: can we use Github issues as a way to put pressure on both the WGs and PING?
17:20:27 <npdoty> ... e.g. open a privacy review issue that can't be closed without conducting a privacy review (either by PING or someone else, like a WG member), and PING can point out with comments if a review is not sufficiently detailed
17:21:12 <npdoty> wseltzer: Github is where work is being moved. Director is asking for a disposition of issues at transitions, and groups typically point to their Github issue list
17:22:38 <npdoty> tara: in terms of getting the process happening earlier, is there anything formal / involved with Github, to get this to happen sooner?
17:22:50 <npdoty> wseltzer: having the questionnaires in better shape would help a lot
17:23:16 <npdoty> ... questionnaire should point out that you should have a priv/sec section and it should address your responses to this (per dsinger)
17:23:43 <tara> q?
17:23:46 <wseltzer> q-
17:23:47 <tara> ack ws
17:24:30 <npdoty> npdoty: I only see a timeline request on 1 of the 3 requests that we're looking at
17:25:06 <npdoty> npdoty: can someone follow-up with those groups to ask about their timeline?
17:25:34 <npdoty> tara: Web Payments likely to come back with a group of changes in January
17:25:57 <wseltzer> [for example, I note that Screen Orientation doesn't even mention "privacy". that should be an automatic push-back.]
17:26:20 <tara> I will go track down deadlines.
17:26:35 <npdoty> https://www.w3.org/wiki/Privacy/Privacy_Reviews
17:27:45 <npdoty> npdoty: wiki is out of date, but it's becoming clear that as the review requests come in more quickly, we either need more volunteers within PING, or need to find ways for reviews to happen within groups
17:27:49 <wseltzer> https://github.com/w3c/screen-orientation/issues/96
17:28:16 <weiler> q+
17:28:29 <npdoty> ack weiler
17:30:10 <npdoty> weiler: how likely are we to get effective reviews from the group itself?
17:30:49 <npdoty> npdoty: it might be rare to get comprehensive reviews from the author or someone in the group already, but could get quite detailed expertise if they're willing to recruit security/privacy people from their own organizations to conduct a review
17:31:21 <npdoty> weiler: that suggests that maybe we should mention in questionnaires that they may need to ask for expertise not already within the WG
17:31:49 <npdoty> wseltzer: Web Perf a particular area of privacy concern because the focus of the APIs is to gather very detailed data, which could be used for fingerprinting and the like
17:32:04 <npdoty> ... since they're currently revising lots of them, important that they at least have privacy considerations described
17:32:33 <npdoty> ... in some cases just describing features that are already implemented
17:32:55 <npdoty> ... privacy issues can either note that we can't recommend it as implemented, or note the privacy issues for potential implementers who can mitigate in some ways
17:33:44 <npdoty> ... can successfully point out research results that changed certain features
17:34:18 <tara> User Data Controls in Web Browsers
17:34:26 <tara> https://gist.github.com/mnot/96440a5ca74fcf328d23
17:35:00 <npdoty> i/certain features/Topic: User Data Controls in Web Browsers/
17:35:13 <npdoty> tara: additional context on mnot's shared doc on user data controls?
17:35:46 <npdoty> wseltzer: Mark shared this document as an evolution from previous conversations with PING
17:36:04 <npdoty> ... expanded from just private browsing modes to looking at different modes more generally
17:36:18 <npdoty> ... describe those modes so that other specs can reference how they should behave in those different modes
17:37:01 <npdoty> ... could adopt this as a PING note for ongoing work
17:37:17 <npdoty> ... and could modify questionnaires/reviews to refer to this document and these modes more specifically
17:37:55 <wseltzer> q+ with dsinger's note
17:38:01 <wseltzer> q- with
17:38:11 <npdoty> q=
17:38:17 <npdoty> queue=
17:38:41 <npdoty> wseltzer: another privacy review request from dsinger on VTT privacy/security considerations
17:38:56 <npdoty> q+
17:39:30 <tara> npdoty: looking at IndexDb spec
17:40:17 <npdoty> q-
17:40:36 <npdoty> npdoty: IndexedDB group refers to "clear browsing data" and how their spec's data should be handled
17:41:04 <npdoty> ... and I think it would be useful to have a formal description/categorization of the different features across browsers, as opposed to refering to a single name of a feature
17:41:39 <npdoty> Topic: Browser Fingerprinting
17:41:55 <npdoty> tara: nice seeing our group note out there in the wild, being pointed to by Princeton researchers
17:41:56 <npdoty> :)
17:42:23 <tara> 1. status of document
17:42:29 <tara> 2. met with EFF folks about directions
17:42:49 <tara> Status: needs revisions to make it more actionable for people writing browser specs
17:43:01 <tara> What are common sources of fingerprinting (so people can easily identify them)
17:43:23 <tara> May also need to weigh pros and cons -- explicitly note that *these* are the factors that are the most concerning, to go into the weighing process
17:43:34 <tara> Intend to add them by the end of the year and get PING feedback
17:43:40 <tara> EFF feedback:
17:43:57 <tara> 1. Some fingerprinting work could benefit from prioritizing how we fix those issues.
17:44:18 <tara> Since some fingerprinting happens at implementation, versus specs, we can ID the bugs
17:44:37 <tara> Making FP detectable is helpful (sometimes prevented)
17:44:46 <tara> 2. Sometimes we are getting into UI/UX issues
17:44:56 <tara> Like - how much information is overload?
17:45:20 <tara> Might be helpful to have a meeting to discuss these user-facing issues -- write up some advice
17:45:59 <tara> 3. Coordination -- we talk about clearing information (e.g., cookies...) but also there is a separate effort in IETF space, about rotation (e.g., of IP address)
17:46:08 <tara> We might want to talk about these things at the same time.
17:46:31 <weiler> q+
17:46:35 <tara> If your IP address rotates at same time at the cookie, then they can be tracked together, but otherwise it may be equivalent to clearing.
17:46:53 <tara> So this is a place where we could coordinate layers and groups.
17:46:56 <tara> ack sam
17:47:05 <weiler> ach weile
17:47:06 <tara> Sam: how might we cross that layer boundary?
17:47:15 <weiler> s/ach weiler//
17:47:29 <tara> npdoty: IAB folks had talked about number rotations; EFF can help link us up with folks working in that layer of the problem
17:47:38 <tara> Use our networks to connect these discussions.
17:47:50 <tara> q?
17:47:52 <tara> ack w
17:48:23 <weiler> s/ach weile//
17:48:46 <npdoty> tara: great, plenty of work to do there :)
17:49:19 <npdoty> tara: Privacy Questionnaire question out to Christine, who is currently managing that
17:49:23 <npdoty> Topic: AOB
17:50:08 <npdoty> npd has a workshop on January 12th
17:50:18 <weiler> Wendy and I are also busy on 12 Jan
17:50:25 <npdoty> q+
17:51:15 <tara> Tentatively Jan 19 but need to consult with Christine.
17:51:40 <npdoty> q-
17:52:11 <weiler> q+
17:52:30 <npdoty> ack weiler
17:53:24 <npdoty> npdoty: post-election responses?, besides our work still being important
17:53:51 <npdoty> weiler: might be a key recruitment point on encouraging participation in privacy/security and standardization
17:53:52 <npdoty> +1
17:55:31 <npdoty> tara will follow up on the list with decided time for next meeting
17:55:40 <npdoty> and follow-up on ongoing work items over the holiday
17:55:48 <npdoty> tara: thank you all for your hard work
17:56:07 <npdoty> trackbot, end meeting
17:56:07 <trackbot> Zakim, list attendees
17:56:07 <Zakim> As of this point the attendees have been wseltzer, tara, npdoty, weiler, jim_lim, lake_polan, mary_hodder
17:56:15 <trackbot> RRSAgent, please draft minutes
17:56:15 <RRSAgent> I have made the request to generate http://www.w3.org/2016/12/01-privacy-minutes.html trackbot
17:56:16 <trackbot> RRSAgent, bye
17:56:16 <RRSAgent> I see no action items