W3C

- DRAFT -

Privacy Interest Group teleconference

17 May 2012

See also: IRC log

Attendees

Present
+1.613.947.aaaa, npdoty, tara, +33.9.53.61.aabb, alissa, +1.650.353.aacc, [Microsoft], Christine, +1.415.520.aadd, Joanne, +44.163.551.aaee, +1.650.308.aaff, robsherman, Narm_Gadiraju, Yigal, Ashok_Malhotra, +1.425.225.aagg, Lia, +1.503.705.aahh, +33.9.53.61.aaii
Regrets
Soren, Piero, wseltzer, rvaneijk, erinkenneally
Chair
tara
Scribe
npdoty

<Christine> I am probably ??17

<Joanne> Nick - trying to dial in and I am getting a passcode not valid message

Hi Joanne, we had to change to 26631 today

<Joanne> is the passcode still PING?

<Joanne> thanks

tara: NB: If calling in, please use code 26631 (CONF1) today only.

<Joanne> Zakim, +1.415.520 is Joanne

<narm_gadiraju> Is the conference passcode working? it says invalid for me!

<robsherman> Trying to dial into Zakim and I'm getting a note that passcode 7464 doesn't work — can someone give me the right one?

NB: If calling in, please use code 26631 (CONF1) today only.

<robsherman> Thanks, Nick.

<Christine> Hi all. We received apologies from Sören Preibusch, Piero Bonatti, Wendy Seltzer, Rob van Eijk, Erin Kenneally.

<Christine> Apologies. Wendy I see you made it.

<scribe> scribenick: npdoty

Kasey Chapelle from Vodafone

Rob Sherman from the privacy team at Facebook

Walt __ from Nokia, working in our privacy group

<scribe> scribe: npdoty

<JC> I have to drop at 9:25

tara: had our first call already
... minutes available

http://www.w3.org/2012/04/19-privacy-minutes.html

scribe: corrections very much welcome

http://www.w3.org/mid/68A163C8C36B4E44889BE42C91053C4E6F2346270A@EX-OPC-V4.ad.privcom.gc.ca

tara: high level discussion of where we go
... a lot of people had different ideas about that
... now thinking about converting high level goals into manageable goals
... any additional agenda items?

npdoty: ideas about permissions on the Web for discussion at the end of the call

tara: Tara Whalen, co-chair of the PING

Joanne, TRUSTe

Julian, Future of Privacy Forum

JC from Microsoft

Alissa from CDT

Ashok from Oracle

<narm_gadiraju> Narm Gadiraju from Intel

we also have Christine Runnegar, our co-chair calling in from a crowded airport

tara: thank you and welcome

<kboudaou> Karima from University of Nice Sophia Antipolis

<Christine> Hi everyone

plan of action for privacy considerations

tara: one of the points from last time
... how can we actually do/write the privacy considerations document
... saw an interest from last time for developing that document
... what are the next steps for creating it?

Ashok_Malhotra: already have a couple of documents
... privacy/policy considerations for Internet protocols
... how will this be different? what is the scope going to be?
... start with IETF stuff and build upon them?

Christine: thanks for bringing this up, IETF and IAB privacy program has already done a lot of work for guidance for Internet protocol designers
... envisaged in the charter is a similar document tailored to those developing W3C standards
... imagine there will be a lot of synergy, can learn a lot from the IETF experience
... have a number of people working in both places

Ashok_Malhotra: one document that is about privacy for Internet protocols, an overlap, I think

alissa: have been leading the privacy program and developing the documents there
... agree that there's a substantial amount of overlap, would be useful to discuss the aspects of standardization that happen in W3C
... API development, for example, more relevant at W3C
... at IETF don't think about user interface considerations whatsoever
... at W3C, a little bit more of an eye towards how specifications will affect user interface
... while considerations/terminology are generic and can inform, there's more that can be done

npdoty: agree on the differences that would be at the application layer (like UI)
... should we try applying the privacy considerations document to a W3C spec? or start a new, similar document at W3C?

alissa: we tried applying an early draft to reviews of several protocols
... helpful for identifying recurring themes
... often people didn't consider identifiers and how they can be correlated unexpectedly
... and so now have guidance particularly on identifiers and correlation

<Joanne> +q

alissa: might require reaching out to groups

<alissa> These were the reviews I mentioned. http://www.iab.org/activities/programs/privacy-program/privacy-reviews/

<tara> Joe Alhadeff

JoeAlhadeff: question of practical application, what needs the protocol is serving and how the protocol is used
... not sure we do a particularly good job of that anywhere at the moment

Joanne: IAB document is something we should draw from, identifying themes that the W3C groups have encountered would be helpful

JoeAlhadeff: one thing we've seen from advocates or privacy fundamentalists (as in Westin) often think about privacy without considering the actual context
... if the design is privacy-invasive from the start, then there's nothing you can do
... what information can be provided in a privacy-sensitive context
... analysis that takes need and use into account, as opposed to a neutral view of protocols

npdoty: are the questions of use for the protocol or for the application?

JoeAlhadeff: I think it applies to both, need to think about the use scenarios even at the protocol layer
... in the context of the protocol building safeguards in

<terminal announcements coming from Christine>

Christine: perhaps Joe what you're talking about would fit into a companion document, like a best practices document
... bridging the gap between standards design and application development

JoeAlhadeff: an outline that suggested data minimization (a fundamental principle, for example), data minimization without understanding use is difficult
... data should be minimized in accordance with its reasonable need and context

<alissa> +q

JoeAlhadeff: OECD-level guidelines may be useful, but
... the more we can get privacy wired in, the better

<kboudaou> +q

alissa: I don't think there was a laser focus on minimization (the draft that Dan Appelquist had started on)
... trying to deal broadly with all the aspects of privacy (from FIPPs and OECD)
... minimization in particular seemed like low-hanging fruit, directly applicable to API design
... in Device APIs giving access to these system-level properties, address book, etc.
... are you going to give access to the full address book or just parts of it? more granular capability
... the seed that was planted about minimization, a realization that the API can let applications minimize, might be as far as we can go with API specifications
... can give suggestions to application developers but they'll do what they're going to do, but definitely good to give tools that are useful

JoeAlhadeff: just saying that thinking about use cases is important in coming up with what minimization tools we should have and what functionality we should enable
... useful to look at the context of uses when you start to define the library of tools

<kboudaou> Sorry for the echoes

<kboudaou> I write on irc

<kboudaou> Regarding the fact focussing on protocol vs applications, from my point of view we should start with the application level to help developers to take into account when designing for example mobile web appl

npdoty: maybe we just give the advice to the api designers that we should often think about the potential applications in deciding exactly what kind of minimization/granularity

JoeAlhadeff: help the protocol designer to think beyond just how they themselves would use the API to avoid something overly burdensome
... get input of use cases from business perspectives which might otherwise be missed
... give the tools to enable compliance, not a handcuffing that would enforce compliance
... avoid developing protocols in just an academic space

tara: chairs will try to summarize and send this back to the group
... discussion on the mailing list since there's more than we can do in any single call
... think about what we can actually write down
... discussion on the mailing list or collecting documents/examples/use cases on the wiki

Dependencies and liaisons

tara: collection of other groups that we've identified in the charter
... if you're aware of any other groups we should liaise with, let us know

Christine: had a very useful discussion with the IAB Privacy Program last week
... keen to help us how they can, make sure both communities are aware of what's happening (alissa, feel free to add)
... Tara and I also reached out to Chairs of other groups in the W3C
... whether they've encountered privacy issues in their work, how they've handled privacy, views and advice on what works best
... in the charter we have a number of groups listed,
... if anyone in this PING group is participating in those groups, you can help keep us up to date on their activities
... Web Cryptography a new one to add to the list

<kboudaou> +q

kboudaou: we have just started a new Working Group on Privacy and Security in the middle of June in Brussels, interdisciplinary working group to gather people from economics, psychology, etc. to discuss privacy issues from different points of view
... not focus on privacy just from the technologist's point of view
... will keep you up to date on this group, give feedback
... link on the wiki

<tara> w?

npdoty: regarding liaisons, is it useful for us to look at privacy reviews of particular W3C specs
... for example, concretely I was involved in Geolocation and Device APIs with privacy issues
... should we look for people to have that conversation and do that review?

alissa: hard to find people, but can be substantively useful
... still talking about user interface concerns, normative requirements
... certainly want to do more than one, so that specifics of Geolocation don't override

Christine: challenge is always finding willing volunteers
... a precursor that would be useful would be scheduling a time to have one or more groups to discuss the work that they're doing

<kboudaou> +1

npdoty: +1, if we can find chairs or participants in other groups that would join us

Permissions on the Web

npdoty: noticing this as a common issue
... do we have substantive gains here? or a process to address this?

@@: certainly agree that it's important and need the right process

<Christine> Yes Joe speaking

<tara> Yes that is Joe (he is not on IRC)

Joe: permission certainly a very important issue right now in EU regarding questions of consent
... would be tremendously beneficial to have something consistent for getting informed consent

Christine: agree, maybe a case where knowing the use cases will be helpful

<cut off by terminal announcements>

tara: from user experience, I hear this issue come up quite a lot as well
... getting a lot of these perspectives out in one space would be productive (regulatory space, user experience space, etc.)
... benefit of a workshop (though it takes time to organize), have to hammer some of these things out in a f2f meeting

<Christine> Would 14 June 2012 same time be okay?

npdoty: I'll follow up with TAG and others inside W3C and hopefully have something to discuss on the next call

<kboudaou> Fine for me

<Joanne> DNT WG F2F is that week

tara: any objections for this timeslot in general? -- no objections

next tpwg f2f is June 20-22, at least as we've documented it as http://www.w3.org/2011/tracking-protection/

Christine: would like us to take on some concrete items before the next call
... please volunteer

<Joanne> nick - you are correct on DNT F2F

tara: would like to see some movement on these items, since we have enthusiasm

<Christine> Yes, second what Nick says.

<Mlizar> what's your email, Nick?

npdoty: happy to help, work with someone on even one section

I'm npdoty@w3.org

<Christine> Thanks Tara

<Mlizar> thanks

tara: thanks for joining the call, making good progress which makes me happy, looking forward to talking next time

adjourned.

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.136 (CVS log)
$Date: 2012/05/17 17:03:29 $
