15:59:25 <RRSAgent> RRSAgent has joined #privacy
15:59:25 <RRSAgent> logging to http://www.w3.org/2017/03/23-privacy-irc
16:00:25 <tara> Hullo folks; giving people a chance to join WebEx
16:00:42 <npdoty> npdoty has joined #privacy
16:00:44 <keiji> present+
16:00:52 <tara> present+
16:01:05 <christine> christine has joined #privacy
16:01:22 <tara> WebEx meeting - https://mit.webex.com/mit/j.php?MTID=meda7c1b71d647aefa4377d4610c67648
16:01:34 <wseltzer> present+
16:02:07 <christine> hello, just have some issues getting webex up
16:02:49 <chaals> present+
16:03:42 <npdoty> present+
16:05:11 <tara> Sorry for AV difficulties today...
16:06:03 <Simon_R> Simon_R has joined #privacy
16:06:06 <tara> Any scribe volunteers?
16:07:57 <christine> I can scribe
16:08:14 <npdoty> scribenick: npdoty
16:08:39 <npdoty> anything to add to the agenda?
16:09:04 <npdoty> christine: IETF meeting next week, so planning a privacy get-together
16:09:44 <npdoty> ... Payments is meeting again (now), will check in with them on status
16:10:31 <tara> UI Events KeyboardEvents Code Values [1] (comments due 10 April)
16:10:35 <npdoty> Topic: Review requests - UI Events
16:10:41 <tara>  https://w3c.github.io/uievents-code
16:10:52 <tara> UI Events KeyboardEvents Key Values [2] (comments due 10 April)
16:11:02 <tara>  https://w3c.github.io/uievents-key
16:11:10 <npdoty> tara: asking for events on these docs by 10 April
16:11:35 <npdoty> ... anyone with knowledge of these specs?
16:12:02 <npdoty> chaals: a stack of events related to your keyboard
16:12:14 <npdoty> ... so it could reveal how your system is laid out (what keys, etc.)
16:12:19 <npdoty> ... so a potential fingerprinting vector
16:12:22 <christine> q+
16:12:51 <Zakim> Zakim has joined #privacy
16:12:55 <tara> ack chr
16:13:02 <wseltzer> q+
16:13:50 <npdoty> christine: have we heard from a11y? often a privacy concern about revealing an ability or disability
16:13:58 <JP_Abello> JP_Abello has joined #privacy
16:14:06 <npdoty> chaals: makes sense as a concern, but haven't received those comments yet
16:14:11 <npdoty> q+
16:14:14 <tara> (based on layout, etc of keyboard -choice mades)
16:14:21 <chaals> s/haven't/don't know if we have/
16:15:12 <wseltzer> q- later
16:15:19 <chaals> ack np
16:15:26 <chaals> scribe: chaals:
16:15:38 <Ben_Hayes> Ben_Hayes has joined #privacy
16:15:39 <chaals> NPD: how is this different from existing keyboard events?
16:15:47 <chaals> s/chaals:/chaals/
16:15:59 <chaals> CMN: This is just an actual specification for that…
16:16:20 <tara> chaals: this is specifying what the codes and values are
16:16:54 <tara> Fingerprinting is "what keys does a user use, when"
16:17:12 <tara> Can tell "where on the keyboard is the key"
16:17:33 <tara> You would have to track user's activity to get more info
16:18:06 <wseltzer> https://www.w3.org/TR/uievents/#security-considerations
16:18:11 <tara> wseltzer: typing patterns also good source of fingerprinting
16:18:26 <chaals> WS: Note the parent spec - the UIEvents spec - has a security considerations section but no mention o fprivacy
16:19:11 <chaals> … and some of the things listed under security are probably properly privacy considerations. In any event that is the document to review. Propose not to move the document forward without adding something on privacy considerations.
16:19:30 <chaals> TW: So we should go up one level and look there for most of the issues?
16:19:46 <chaals> WS: that would be my approach.
16:19:49 <chaals> q+
16:20:00 <tara> ack ws
16:20:07 <wseltzer> https://www.w3.org/TR/uievents/#relationship-between-key-code
16:20:23 <chaals> NPD: Seems like the values coming in the specs are the kind of document you refer to when doing the implementation, the design issues might be more appropriate in the parent spec.
16:21:18 <chaals> CMN: Web platform wants to move the UI evnt key codes/values specs to CR, waiting for signoff.
16:21:48 <tara> ack ch
16:22:18 <chaals> CMN: These are things that have been implemented for 2 decades, we're just trying to get decent specs for them.
16:22:27 <chaals> TW: OK, so we should go through this quickly.
16:22:37 <tara> ARIA in HTML [3] (comments due 30 April)
16:22:47 <tara> https://www.w3.org/TR/html-aria/
16:22:49 <chaals> Topic: ARIA in HTML
16:23:05 <chaals> TW: No time to discuss in last call.
16:23:43 <christine> note from christine - sound keeps cutting in and out for me
16:25:42 <tara> CMN: tells authors how to use ARIA
16:25:57 <tara> CMN: you could give different information to people with, say, screen readers
16:26:14 <tara> CMN: can find out whether a targetted subset responds
16:26:42 <tara> 'NPD: is there any automatic content -- automatically fetched - because of an ARIA role?
16:26:53 <tara> CMN: the upstream spec may be more relevant in this case
16:27:13 <tara> CMN: content isn't fetched in current ARIA (unless introduced in ARIA 1.1?) -- is what is in existing page
16:27:19 <tara> q?
16:28:15 <npdoty> in general it seems like markup should have fewer privacy implications than many specs
16:28:31 <tara> CMN: would we want to put an outline of an attack in a privacy section?
16:28:54 <wseltzer> q+
16:28:59 <tara> CMN: in the authoring guidance, seems odd to demonstrate *how* to exploit.
16:29:25 <tara> WS: privacy by obscurity not helpful, so...yes, such a note would help
16:29:42 <tara> ack ws
16:30:19 <tara> NPD: sometimes it's helpful to describe attacks if there might be a mitigation...so you can tell implementors how to help
16:30:28 <wseltzer> q+
16:30:29 <tara> CMN: there is not much mitigation here.
16:31:06 <wseltzer> q-
16:31:33 <npdoty> wseltzer: at least a note for authors that a11y information is sensitive and shouldn't be collected or shouldn't be exposed if inferred
16:32:12 <chaals> Topic: ODRL
16:32:15 <tara> ODRL Information Model [4] (comments due 30 April)
16:32:31 <tara> https://www.w3.org/TR/odrl-model/
16:32:40 <tara> ODRL Vocabulary & Expression [5] (comments due 30 April)
16:32:48 <tara> https://www.w3.org/TR/odrl-vocab/
16:36:35 <tara> CMN: could maybe fingerprint based on intersection of policy settings
16:36:58 <tara> NPD: not sure how this is being used/implemented
16:37:05 <christine_> christine_ has joined #privacy
16:37:12 <wseltzer> q+
16:37:19 <christine_> note from Christine: apologies, back online now
16:37:28 <wseltzer> [The purpose value is taken from the P3P privacy purpose vocabulary]
16:37:35 <tara> ack ws
16:37:56 <tara> P3P vocab about to be deprecated
16:38:27 <tara> W3C recently added "deprecation" powers...
16:38:39 <tara> "obsoletion", sorry
16:38:40 <wseltzer> "Obsolete"
16:39:11 <tara> WS: ODRL - have not reviewed in detail; noted it was scoped to be "not DRM"
16:39:11 <npdoty> (recalls that P3P has quite a few implementations, even if it's not the ubiquity of implementation that we might have liked)
16:39:59 <chaals> [there is plenty of implementation of P3P. But it doesn't work, in the sense of "people actually negotiate or set things to protect their privacy"]
16:40:17 <chaals> -> http://w3.org/TR/input-events
16:40:18 <wseltzer> [right, there's implementatoin, but not adoption]
16:40:24 <wseltzer> [or use]
16:41:10 <wseltzer> q+
16:41:14 <wseltzer> q+ re input events
16:42:35 <tara> CMN: anything where you can see how users act (e.g., how they manipulate text) then there is a fingerprinting vector
16:43:14 <tara> WS: is it visible to the user that Input Events is active, or could this be used to capture keystroke secretly?
16:43:52 <tara> CMN: can you use as keylogger you mean? No -- you would need the element that captures the keys
16:44:10 <wseltzer> [could you create a hidden input field, for example?]
16:44:51 <tara> CMN: does not log actual keys. Post-processing; events *after* text to add/remove has been generated
16:44:59 <tara> CMN: so I think the answer is "no"
16:45:19 <tara> NPD: if I indicate that I am about to paste text, is the JS going to handle insertion?
16:45:58 <tara> CMN: browser says "I am going to put this text in this place"; event is b/c JS rich text editor can say "no, I am going to do something else" -- inserting the text that the user wants...
16:46:09 <tara> CMN:...or putting it through the "undo"
16:46:34 <tara> CMN: you get a series of events of what user wants to achieve + possibility of preventing them
16:46:49 <tara> NPD: I know there are means for preventing pasting of text into pages
16:47:06 <tara> CMN: people who edit content on Github, blog etc - want to be able to do stuff like this
16:47:43 <tara> CMN: might be worth asking for a better overview with Johannes Wilm
16:47:57 <npdoty> I'm frustrated by web pages that inhibit password managers by preventing pasting into an input field
16:48:18 <npdoty> but I get the impression that this wouldn't be easier than current methods for doing that, so maybe not a significant impact
16:48:40 <tara> q?
16:48:46 <wseltzer> q-
16:48:46 <tara> ack ws
16:49:50 <chaals> ACTION: chaals to ask Johannes to join a call and present input events more intelligently
16:49:50 <trackbot> Created ACTION-15 - Ask johannes to join a call and present input events more intelligently [on Charles McCathie Nevile - due 2017-03-30].
16:50:21 <tara> Date for next call?
16:51:00 <npdoty> Thursday, April 20 or Thursday, April 27?
16:51:47 <tara> April 20 looks the most optimal
16:54:02 <tara> Giving comments to Web Payments is still useful but ASAP - they are meeting today and tomorrow
16:54:21 <tara> (And yes, comments after this point still useful too.)
16:55:32 <chaals> [thanks all]
16:56:50 <keiji> RRSagent, make minutes
16:56:50 <RRSAgent> I have made the request to generate http://www.w3.org/2017/03/23-privacy-minutes.html keiji
16:57:01 <keiji> RRSAgent, make logs team
16:57:33 <keiji> RRSagent, make minutes
16:57:33 <RRSAgent> I have made the request to generate http://www.w3.org/2017/03/23-privacy-minutes.html keiji
16:59:48 <keiji> present: christine
17:00:10 <keiji> RRSagent, make minutes
17:00:10 <RRSAgent> I have made the request to generate http://www.w3.org/2017/03/23-privacy-minutes.html keiji
17:00:48 <keiji> present: keiji, tara, wseltzer, chaals, npdoty, christine
17:00:56 <keiji> chair: tara
17:01:08 <keiji> RRSagent, make minutes
17:01:08 <RRSAgent> I have made the request to generate http://www.w3.org/2017/03/23-privacy-minutes.html keiji
17:02:13 <keiji> RRSAgent, make logs public
17:05:20 <keiji> Meeting: Privacy Interest Group Monthly Meeting March 2017
17:05:27 <keiji> : RRSagent, make minutes
17:06:54 <keiji> rrsagent, bye
17:06:54 <RRSAgent> I see 1 open action item saved in http://www.w3.org/2017/03/23-privacy-actions.rdf :
17:06:54 <RRSAgent> ACTION: chaals to ask Johannes to join a call and present input events more intelligently [1]
17:06:54 <RRSAgent>   recorded in http://www.w3.org/2017/03/23-privacy-irc#T16-49-50