15:59:20 <RRSAgent> RRSAgent has joined #privacy
15:59:20 <RRSAgent> logging to http://www.w3.org/2017/07/27-privacy-irc
15:59:22 <trackbot> RRSAgent, make logs 263
15:59:22 <Zakim> Zakim has joined #privacy
15:59:24 <trackbot> Zakim, this will be
15:59:24 <Zakim> I don't understand 'this will be', trackbot
15:59:25 <trackbot> Meeting: Privacy Interest Group Teleconference
15:59:25 <trackbot> Date: 27 July 2017
15:59:28 <npdoty> rrsagent, make logs public
16:00:15 <keiji> I think it opened already.
16:00:22 <nigel> nigel has joined #privacy
16:01:11 <weiler> still not working for me.
16:01:16 <weiler> others?
16:01:35 <keiji> https://mit.webex.com/mit/j.php?MTID=meda7c1b71d647aefa4377d4610c67648
16:01:52 <christine> christine has joined #privacy
16:01:58 <tara> Sorry, Nigel -- I had a problem this morning also.
16:02:11 <christine> hi are we talking about webex?
16:02:11 <keiji> Does this link work?
16:02:37 <chaals-o> chaals-o has joined #privacy
16:02:42 <tara> Sorry about that; I copied it from an earlier agenda but clearly something went wrong.
16:03:07 <npdoty> present+
16:03:14 <christine> link?
16:03:16 <tara> Good to hear!
16:03:30 <keiji> https://mit.webex.com/mit/j.php?MTID=meda7c1b71d647aefa4377d4610c67648
16:03:37 <weiler> present+ weiler
16:03:44 <nigel> Present+ Nigel
16:03:57 <keiji> Meeting number: 648 986 475
16:04:06 <tara> present+
16:04:18 <keiji> Present+ keiji
16:04:27 <tara> Welcome, Nigel!
16:04:37 <christine> hi, joined webex
16:05:04 <weiler> regrets+ leiba
16:05:19 <chaals-o> present+ chaals
16:06:24 <christine> thanks nigel
16:06:59 <npdoty> scribenick: npdoty
16:07:06 <npdoty> tara: introductions
16:07:20 <christine> thank you Nick!
16:07:46 <npdoty> Nigel Megitt, BBC, Chair of TTWG
16:07:57 <tara> Timed Text Markup Language 2 (TTML2)
16:08:03 <weiler> present+ christine
16:08:04 <tara> Working draft: https://www.w3.org/TR/2017/WD-ttml2-20170630/
16:08:12 <npdoty> nigel: update to TTML 2, currently in Working Draft, hoping to be last working draft before Candidate Rec, seeking wide review
16:08:26 <npdoty> Topic: TTML2
16:08:37 <nigel> -> https://www.w3.org/TR/ttml2/#security-and-privacy TTML2 Security and Privacy section
16:09:07 <nigel> -> https://lists.w3.org/Archives/Public/public-tt/2017Jul/0066.html Draft self-review questionnaire re security and privacy
16:10:37 <npdoty> nigel: reviewed the self-review questionnaire from the TAG, not a lot of privacy issues, but does have a privacy considerations section
16:10:58 <npdoty> ... external resources can be loaded (images, audio, etc.)
16:11:09 <npdoty> ... unlikely to reveal anything that isn't available through some other mechanism
16:11:19 <wseltzer> present+
16:11:20 <chaals-o> q+ to note that it reveals to the server which users appear to be using captions.
16:11:47 <npdoty> ... merely downloading a TTML document could reveal that the person needs the information in it, likely for subtitles or captions, which provides a hint as to the user's hearing ability
16:12:24 <npdoty> ... because a document format rather than API, not many privacy or security issues
16:12:29 <npdoty> ack chaals-o
16:12:29 <Zakim> chaals-o, you wanted to note that it reveals to the server which users appear to be using captions.
16:13:23 <npdoty> chaals-o: downloading reveals that you're using captions at all
16:14:04 <npdoty> nigel: if origin wants to track viewing habits of particular users, can do that already with different methods based on how the media is being distributed
16:14:06 <weiler> present+ MarkOblad
16:14:39 <npdoty> chaals-o: how much does it really expose that the user asked for the captions file?
16:14:43 <npdoty> nigel: not very much
16:15:28 <npdoty> nigel: not included in privacy considerations section currently
16:15:31 <nigel> -> https://www.w3.org/TR/ttml-imsc1.0.1/#privacy-and-security-considerations-non-normative IMSC 1.0.1 profile of TTML1
16:16:43 <npdoty> nigel: might make sense to update privacy and preference and external images to include comments from TTML1 in TTML2
16:17:29 <npdoty> q+ does it reveal more than just wants-captions?
16:17:37 <npdoty> q+ to ask, does it reveal more than just wants-captions?
16:17:51 <npdoty> chaals-o: caching might limit the amount of information revealed here
16:18:46 <npdoty> nigel: typically there is some Javascript for the control (like the subtitles button)
16:18:58 <tara> ack np
16:18:58 <Zakim> npdoty, you wanted to ask, does it reveal more than just wants-captions?
16:19:33 <tara> npdoty: the fact that the user hit the button at all -- reveals that they are using captions for example
16:19:50 <tara> npdoty: but are there other things revealed? e.g., language prefs?
16:20:27 <tara> npdoty: are there conditional things, like audio if I can't read, or load Russian lang version if that's my preferred lang?
16:20:48 <tara> NIgel: yes and no - conditionals define semantic inclusion of that content as used for presentation
16:21:14 <tara> Nigel: implementation *could* only load the things that it needs - if there are external resources referenced at all
16:21:55 <tara> Nigel: could be done on demand, or up-front. Document defines, for example, five language tracks -- implementation could fetch all of them
16:22:10 <tara> Nigel: or could only fetch as required
16:22:42 <tara> npdoty: trying to consider the potential better or worse implementations - so, on-demand, for example, would reveal more information
16:23:02 <tara> Npdoty: so we would highlight this as an area of privacy consideration.
16:23:31 <tara> nigel: we could add a note to say there is an effect depending on whether or not you use on-demand approach
16:23:40 <tara> q?
16:23:57 <chaals-o> [By an large I think this work is good to go...]
16:24:19 <npdoty> q+ to ask about fetch and CORS
16:25:33 <tara> npdoty: in TTML 1 - there is discussion of cross-origin policy; TTML 2 says this is out of scope? Is this addressed elsewhere?
16:25:38 <terri> present+ terri
16:25:46 <tara> npdoty: there are security considerations
16:26:59 <tara> Nigel: embedded content - things can be referenced or included as binary; no, looks like there is nothing about fetch semantics at all
16:27:22 <tara> npdoty - mostly concerned about fetching external resources
16:28:18 <tara> Nigel - mostly talks about *impact* of CORS rejection but not about implementation; does this need to be part of the spec or "somebody else's problem"?
16:28:50 <tara> npdoty: I think that other doc markup specs are being specific about how content is fetched, primarily due to these security concerns, so should work here.
16:29:17 <tara> npdoty: if different implementation do different things, there may be false assumptions about what is in place (like following CORS)
16:29:43 <tara> nigel: that is an impact of preventing loading the resource, which *is* mentioned
16:30:25 <tara> nigel: because there is no specified way to get the TTML doc, you can't relate to any of the resources *in* it (URIs) - seem a bit separated?
16:31:27 <tara> nigel: there is nothing about origin of TTML doc so how do you enforce CORS?
16:31:45 <tara> ack np
16:31:45 <Zakim> npdoty, you wanted to ask about fetch and CORS
16:32:02 <npdoty> https://fetch.spec.whatwg.org/#goals
16:32:16 <tara> npdoty: may want to review the fetch spec (see link) to see if relevant
16:32:47 <tara> npdoty: this also considers things like service workers, etc that are relevant to sec & priv
16:33:17 <npdoty> nick: mixed content might also be relevant for privacy/security
16:33:56 <christine> yes, thanks
16:34:49 <npdoty> nigel: completed self-review questionnaire, should we send that to anyone?
16:34:57 <npdoty> tara: mostly just useful for review
16:35:28 <tara> Item: PING F2F at IETF 99
16:35:37 <npdoty> Topic: PING F2F at IETF 99
16:36:05 <npdoty> christine: small group at ietf, talked about ways to improve level of engagement in Interest Group, helping other groups to do privacy reviews
16:36:12 <npdoty> ... related efforts on improving security reviews
16:36:26 <npdoty> ... most effective way for this group is to have these discussions with editors/chairs
16:36:42 <npdoty> ... thanks for being persistent in asking group to send someone
16:36:47 <tara> Thanks, Sam, for your efforts!
16:36:58 <npdoty> ... getting up to speed on Github, to do more work on privacy questionnaire
16:37:17 <npdoty> ... use the mailing list for general discussion of web privacy issues that are coming up in research or news
16:37:51 <npdoty> ... put together in one place the privacy considerations in current specifications, catalog of what's been done
16:38:20 <npdoty> ... Niels from Article 19 expressed some interest in tools for doing that
16:38:50 <npdoty> ... at next IETF, could have a web privacy hackathon, as was done last time for HTTP Status 451
16:39:12 <npdoty> ... what are the privacy implications and considerations of the standard?
16:40:17 <npdoty> weiler: for IETF get-together, things that could use input from the masses, or just document work
16:40:58 <npdoty> ... privacy issues in the @@ spec via device identifiers
16:41:10 <npdoty> ... Web Authentication is a topic we should pay attention to
16:41:23 <weiler> a/@@/Web Authentication/
16:42:11 <npdoty> weiler: web privacy hackathon/meetup suggested for IETF 101 in London, March 2018 (not the next IETF, which is Singapore in November)
16:42:23 <npdoty> weiler: TPAC, book your hotel room now!
16:42:55 <weiler> q+ re: other specs that may need or want privacy reviews
16:43:16 <tara> ack wei
16:43:16 <Zakim> weiler, you wanted to discuss other specs that may need or want privacy reviews
16:43:22 <npdoty> tara: potential meeting conflicts at TPAC
16:43:42 <npdoty> weiler: trying to recruit security reviewers based on specific requests to Web Security Interest Group
16:45:25 <npdoty> ... Input Events?
16:45:32 <npdoty> npdoty: I think we did talk to Input Events
16:45:37 <npdoty> chaals: will follow up
16:45:49 <tara> https://www.w3.org/TR/push-api/
16:45:50 <npdoty> ... I think the editor already considered that feedback
16:45:57 <tara>  https://w3c.github.io/push-api/security-privacy-questionnaire.md
16:46:02 <tara> https://github.com/w3c/push-api/issues/
16:47:51 <npdoty> chaals-o: we discussed Push API at a recent meeting, there were some open questions where we expected them to come back to us, but they haven't
16:48:12 <npdoty> npdoty: it sounds like they are waiting for feedback from us, but we're also waiting for something from Push API editors
16:48:20 <chaals-o> s/haven't/haven't yet - as noted in a message to us a couple of days ago/
16:48:23 <npdoty> chaals-o: do we have a way to track past reviews/feedback?
16:48:47 <npdoty> christine: if we start a good practice today, we can go back and add others
16:48:59 <wseltzer> -> https://github.com/w3c/ping PING git repository
16:49:10 <npdoty> https://www.w3.org/wiki/Privacy/Privacy_Reviews
16:49:17 <wseltzer> q+
16:50:05 <wseltzer> ack ws
16:50:39 <npdoty> wseltzer: other groups (like i18n) have used cross-linking of issues in github, so that other groups can see issues and discussion in progress during a review
16:51:02 <npdoty> christine: will try to learn how to do that!
16:53:14 <npdoty> August 24th for next meeting
16:53:20 <tara> Arbitrarily picking Aug 24
16:54:21 <weiler> zakim, list participants
16:54:21 <Zakim> As of this point the attendees have been npdoty, weiler, Nigel, tara, keiji, chaals, christine, wseltzer, MarkOblad, terri
16:54:31 <weiler> rrsagent, draft minutes
16:54:31 <RRSAgent> I have made the request to generate http://www.w3.org/2017/07/27-privacy-minutes.html weiler
16:54:52 <weiler> rrsagent, make logs public
16:55:59 <keiji> This is for the next meeting https://mit.webex.com/mit/j.php?MTID=meda7c1b71d647aefa4377d4610c67648
16:56:11 <keiji> Meeting number: 648 986 475
16:56:51 <keiji> August 24, 2017  | 12:00 pm Eastern Daylight Time (GMT-04:00)
17:40:42 <weiler> weiler has joined #privacy
19:09:05 <weiler> weiler has joined #privacy
20:00:22 <Zakim> Zakim has left #privacy
22:54:21 <terri> terri has joined #privacy