W3C

Privacy Interest Group kickoff teleconference

19 Apr 2012

Agenda

See also: IRC log

Attendees

Present
+1.508.380.aaaa, +358.504.83aabb, +1.613.304.aacc, +1.650.353.aadd, +358.504.83aaee, TrentAdams, justin, +1.949.483.aaff, +1.215.286.aagg, +44.208.123.aahh, [Microsoft], +358.504.83aaii, +1.613.513.aajj, Joseph_Scheuhammer, Ashok_Malhotra, +33.4.92.96.aakk, tara, +1.920.912.aall, spreibus, +1.202.695.aamm, WileyS, bilcorry, +358.504.87aann, +1.310.597.aaoo, +1.415.520.aapp, Joanne, +358.504.87aaqq, npdoty, fwagner, +1.978.944.aarr, IanOliver, FrankWagner, JamesBrentano, JC_Cannon, AlissaCooper, kboudaou, rvaneijk, SusanIsrael, ErinKenneally, MarkLizar, HannesTschofenig
Regrets
DavidSinger
Chair
Christine and twhalen
Scribe
WileyS, npdoty

Contents


<npdoty> we also have a VOIP call-in option

<npdoty> http://www.w3.org/2006/tools/wiki/Zakim-SIP

<Joanne> I won't be able to dial in but will watch on IRC. Have a great kick-off call.

<npdoty> apologies for the bad link on /Privacy, will fix for future calls

Introductions

<npdoty> scribenick: WileyS

tara: We have a number of people on the call - are you also on IRC? Trying to get a sense of who is on what side.
... one person announced they are not on IRC yet
... encouraging people to join the IRC to more formalize our activities

<spreibus> Tara, not sure I'm in the group.

<npdoty> details about joining the group here: http://www.w3.org/Privacy/

Tara: any new agenda items beyond the ones on the agenda that was sent around?

<npdoty> reminder of the agenda: http://lists.w3.org/Archives/Public/public-privacy/2012AprJun/0041.html

Tara: not hearing any new items - will jump in with what we have so far
... start with introductions
... Co-chair, Canadian, works with the Privacy Commission, pro-privacy standards in place, IAB and ISO activities as well

Christine: already have our email introductions, Australian/Swiss

Nick: W3C staff contact, any issues contact me, also at UC Berkeley working on privacy standards

James: Bluecava, device identification, doing the right thing by the right people

JC: MSFT, Bing & MSFT Advertising, learn more about online privacy from the group

TrentAdams: Used to work with Christine, now at PayPal, Internet Governance Group, new initiative is privacy work, glad to be back, also part of the IAB privacy program

AlissaCooper: CDT, lead the Privacy program at the IETF, standards activities for quite some time

Rob: A29WP

KarimaBoudaoud: South of France, Security Management, goal of research is how to change the way mobile apps that allow the end user to control their data, fine granularity of control

<rvaneijk> Rob: ph.d student university of leiden (not representing employer or A29 WP) in this working group.

Susan: Comcast, attorney working on privacy issues, supporting their policy group

ErinKenneally: privacy strategist, research realm, information security at UC San Diego

AshokMalhotra: Oracle, also part of the TAG

MarkLizar: consultant, working on privacy frameworks

IanOliver: principle architect at Nokia, engineering privacy, developing tools.

<spreibus> Sören Preibusch, U Cambridge, was in W3C groups P3P, PLING etc.; I'm conducting large-scale user experiments on consumer privacy, willingness to pay for privacy and general privacy preferences in ecommerce and social networking.

<Lia> Having some phone trouble- Lia Sheena, a fellow at the Future of Privacy Forum working on online and mobile privacy issues.

<IanO> Ian Oliver

<IanO> Principal Architect for Privacy at Nokia Location and Services

<IanO> working on engineering privacy into our products, tools, techniques and architectural

<IanO> support for our developers development,

<IanO> particular interest into

<IanO> ontologies, taxonomies, data classification, information analysis and ultimately

<IanO> a formalisation of or formal framework for privacy @i_j_oliver

<npdoty> WileyS: help inform from an industry perspective

ShaneWiley: VP, Privacy & Data Governance at Yahoo!

<fwagner> Frank Wagner, Deutsche Telekom, Group Privacy, responsible for defining privacy requirements in the product development processes, looking forward to exchange best practice between developers, providers and users

Joanne: Truste, developing certification standards across their products

<npdoty> HannesTschofenig: interested in designing privacy into architectures

Goals

<npdoty> Charter: http://www.w3.org/2011/07/privacy-ig-charter.html

Tara: We welcome feedback on the mission at any time
... we may publish a privacy framework document
... these documents may provide beneficial guidance
... Any thoughts on the list of deliverables?

<npdoty> any other deliverables or goals we'd like to see from the group?

Tara: you can all jump in at once...(silence)

<npdoty> FrankWagner: would be useful to have a best practice paper, could it be useful to have a document on best practices for mobile phones?

<npdoty> scribenick: npdoty

<Ashok_Malhotra> A best practices paper would be very useful

Hannes: a best practices paper would be useful, but is just re-iterating them in a different fashion going to change anything differently

IanOliver: not sure a best practices document would be useful
... a whole host of terminology that's very, very vague
... push somewhere on terminology, security terminology, identity terminology, work by Solove
... what terminology do we have on use of information? Nissenbaum and data flows
... happy to put forward some of our proposals on terminology

Hannes: before you start spending years on terminology, there is prior work on that
... at IAB, we looked around at other engineers and what they had produced, doc from Marit Hansen, re-write as too complex for our particular audience
... maybe you would find that work useful
... might be misunderstood, a difference in considerations needed for those who develop applications and the protocol engineer

Frank: way to discuss building privacy into products, understand internationally our requirements, can do a best practice paper

JC: would like to see us respond to different regulations that come out
... best practices or ways to implement for specific regulations, examples, like with the cookie directive

@@: +1 as a case study, what guidelines might be recommended

<spreibus> I would caution not to go down the road specifying what data items are sensitive. Privacy preferences are too diverse to say that a give data item is sensitive. Similar for usage. This is a per user pref.

WileyS: would like to see w3c focus on open standards for technical issues, like Tracking Protection Working Group
... technically centric like fingerprinting, de-identification
... broad issues that would be beneficial to consumers, business and regulators alike
... avoid becoming another generic policy discussion, rather ground deliverables in open technical standards

<JC> +1

<james> +1

spreibus: not as helpful to nail down specific sensitive terms, since it varies so much between users
... instead developing something that addresses this with user preferences

Christine: hope Alissa can give us the wisdom from the IAB Privacy Program side and the need for that document
... agree that we need targeted scope of work, so that we get something done
... insert the demands we see from outside of the group, what would people ideally like the Privacy Interest Group to do
... I've heard people say that in an ideal world, would like the group to develop a privacy considerations document specific for W3C protocol designers

<alissa> IAB priv considerations draft is here: http://tools.ietf.org/html/draft-iab-privacy-considerations-02

Christine: when we have the expertise that we need, could also work like the Internationalization and Accessibility groups who conduct reviews of specs from other groups about privacy issues
... identify the privacy issues early on

alissa: what is the scope of the work? start with a small scope, continue to add on as you have success, to me, it would be preferable if we keep the scope small at the beginning

<Christine> My futher point is that this group does not need to do all the work; we can help/work with other W3C groups

<kboudaou> +1

alissa: Shane raised this idea of doing actually technical standardization, less likely to do Recommendation-track standardization work

<npdoty_> (regarding scope in the charter: "Where appropriate, the Interest Group will recommend areas where W3C should begin recommendation-track standards work on privacy issues and may prototype or initiate such work within the group.")

alissa: first, developing some guidance for participants in the W3C to incorporate privacy-thinking in the standards development, exactly what we're doing with the IAB privacy considerations document

http://tools.ietf.org/html/draft-iab-privacy-considerations-02

<IanO> +1

alissa: from my experience in Geolocation, DAP, etc., not everyone knows everything that we know, how we can give guidelines, about identifiers, data flows

<rvaneijk> I am looking forward to the discussions in this group. Got to leave now. 'till next time !

alissa: and once we have that guidance, it would be useful to be that early review team, evangelize based on this guidance about what we should think about early in the process

<WileyS> +1 on the "privacy best practices" in relation to W3C open standards - but this appears to be more "service" oriented so we would need WGs to come to us first

<WileyS> What do we want to accomplish proactively?

alissa: guidance for standards developers, and then the action item of getting that out in use

<alissa> disagree WileyS, we have plenty of experience to know where the common pitfalls are

<alissa> and some of that informs Robin's draft, Dan's draft before that

tara: have received a draft document specifically brought forward by Robin Berjon for feedback

<Christine> Link to document http://darobin.github.com/api-design-privacy/api-design-privacy.html

<alissa> the WGs are unlikely to come to us

<WileyS> Alissa, so are you suggesting review their work proactively as an "interest" group?

<Christine> Document Nick is referring to - http://www.w3.org/TR/2010/NOTE-dap-privacy-reqs-20100629

<alissa> I'm suggesting developing a framework for doing reviews, and then using that to do them

<Ashok_Malhotra> Here is Robin's document: http://darobin.github.com/api-design-privacy/api-design-privacy.html

<WileyS> Alissa, thank you for the clarification, I see value in that approach.

alissa: privacy thinking in the Device APIs group gone through a number of iterations
... all separately standardizing access to different kinds of data on devices
... as it turns out, doing privacy API-by-API is complicated

<spreibus> privacy by API is better tg

alissa: like what if applications use many APIs, how do we handle permissions

<spreibus> than no privacy by API

spreibus: although api-by-api might be fragmented, better than nothing
... useful distinctions between microphone and camera

<spreibus> corresponding to mental model of users

<alissa> Dom's WWW2012 talk is relevant here: http://www.w3.org/2012/Talks/dhm-privacy-www/

<fwagner> API is not the only solution for privacy....

tara: also had a request for comments from the Common Terms project

<Christine> Link to Common Terms Project - http://www.commonterms.net/Solution.aspx

<WileyS> Yahoo! is reviewing the CommonTerms approach right now - no feedback just yet

soren: reviewing Common Terms now, but not sure what new about it

kboudaou: how the user will control the data, we need to consider the fact that we have different kinds of users
... privacy-by-design, but need to consider that should be respect the preferences of the user
... need to define best practices for developers who design mobile applications used by variety of end users

<alissa> +1 to what nick is saying about surveying what recommendations have been made as a good first step

npdoty: a lot of discussion about the best way to do permissions

<Christine> Re Alissa's comment - I also think it would be useful to identify privacy issues that have come up in different W3C groups

npdoty: could aggregate and compare different ways permissions have been done by APIs, best practices, considerations and concerns as a starting point for our Guidelines doc

IanO: permissions is more of a security issue (on which we have existing work), maybe we should concentrate on the nature of the data itself, how revealing is that information
... what are the privacy aspects, not just traditional security aspects (terms not too well-defined)

Next steps

<WileyS> Co-chairs, in the future could you please load the agenda into Zakim prior to the call?

tara: originally thinking monthly calls, next time would be May 17th at 16:00 UTC

<npdoty_> WileyS, my fault on that one, I'll handle it in future

<spreibus> monthly seems good

<WileyS> +1 for monthly

<fwagner> monthly would be useful - +1

tara: potential connections to other groups, a list in the charter, but might also add, as in the case of the Crypto WG

Christine: haven't nailed down a specific work item
... in the mean time we can continue discussions via email

<kboudaou> monthly fine for me too

Christine: TAG (Technical Architecture Group) has expressed interest in collaborating with us on privacy considerations as we go forward

tara: so much to talk about, but we've run out of time and have ourselves set up for the next call
... thanks for coming out!

<IanO> many thanks all

<james> thanks to the chairs

<fwagner> thanks to the chairs & nick !

<kboudaou> thanks to all !

<spreibus> thanks to our scribes!

Christine: thanks, I'm excited about our productive work

thanks all!

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2012/04/23 00:16:40 $