See also: IRC log
<fjh> yes,
Ted Thibodeau, OpenLink Software, semantic web technologies, including access control
Frederick Hirsch, Nokia, DAP and XML Security and working more on privacy
<MacTed> we make the Virtuoso Universal Server (http://virtuoso.openlinksw.com/), OpenLink Data Spaces (http://ods.openlinksw.com/), and various other data access, management, and integration tools
<Christine> Virginie G will be joining us shortly
Wendy Seltzer, Web Cryptography working group and outside research on privacy and security
<peacekeep3r> Markus Sabadello of the Personal Data Ecosystem Consortium (http://personaldataecosystem.org/)
<scribe> scribenick: npdoty
Virginie Galindo, Gemalto, company delivering digital security solutions, chair of Web Crypto WG
tara: overview of the agenda
... any other business to add?
... Privacy Considerations doc, want to take some first steps towards that outline
fjh: Device APIs WG, co-chaired with Robin Berjon
... JavaScript device APIs that are related to HTML5, though not Geolocation
... media capture from a device, for example; a variety of sensors (proximity, battery status, network info)
... actuators (like vibration)
... information (gallery, contacts, calendar)
... a variety of information sources and actuators
... several privacy issues
... access to the info, unexpected actions, fingerprinting (like which codecs, etc.)
... a mobile phone/device and a Web application (not necessarily through the browser) that legitimately wants to access a contact from your device's address book
... an additional model of a device, a web page and then a third-party service somewhere on the Internet
... maybe you want to edit your photos on another site, as a service; JavaScript mashups
... did document requirements, principles and concerns related to privacy
http://www.w3.org/TR/2010/NOTE-dap-privacy-reqs-20100629/
scribe: some things can be handled by an API, some things really can't (like the secondary use or later distribution)
fjh: what I keep saying, and this keeps coming up in W3C workshops, that we don't have the entire system which makes it difficult to address privacy
... wrote a Web Application Privacy Best Practices, wanted to note privacy best practices that the application itself can handle (that we can't control in the API itself)
... think this is all obvious to people on the call ;)
http://www.w3.org/TR/2011/WD-app-privacy-bp-20110804/
fjh: we also had an effort, via Alissa and John Morris, for users to communicate their privacy concerns to a site
... we had a simple, clear list of rulesets, to be shared from the user to the server
... don't expect it to progress in the Working Group because of a variety of concerns
... potential liability, practical issues; not necessarily good or bad
... an easier thing to do is minimization: design the API to return the minimum amount
... you could with any system get more than you should by trying, but don't by default
... should be a general practice, localized and doable
... fingerprinting is a real trade-off, we don't have answers to that, I'm hearing that there's a tradeoff between privacy and utility and people tend towards utility
... Web Intents Task Force and Media Task Force (joint with WebApps WG)
... constraints to specify parameters for certain media (codecs, etc.)
... all of those constraints taken together can perform a fingerprinting function, but having them helps provide the service in the appropriate way
... can accrete a lot of minor pieces and in the aggregate have a substantial impact on privacy
... can't really have policy per se because who would determine the policy in the decentralized system
... so we'll have user interaction instead (transparent, user will have a choice, which may be persisted)
... do not mandate any user interface (a generally accepted principle), or even mandate a particular interaction, which is left to the implementation
... relying on the market to decide, or legislation, or best practices or competition; not in the spec itself
... on the UI question, mandating that is a mistake, makes more sense to insist on a particular UI paradigm
... Web Intents (also Web Activities from Mozilla): the user mediates the selection of a service with some controls
... in some cases we don't need the user interaction? leads to a potential privacy issue
... will go to FPWD soon, doesn't have a privacy considerations section yet
... our group handles only the Device APIs segment of an entire system which is a fundamental problem
... but at least hope to alert people to the privacy issues at hand
<Christine> +q
Kasey: what is it that we can provide here? are there open issues we can advise on?
fjh: I was just coming today to inform on this. any input or help is welcome, although I don't want us to repeat any long debates.
... the rulesets there's not much we can do with at this point, but any other suggestions are welcome
... the political aspect we wore ourselves out over the course of a year. user mediation and then minimization and practical things
... an approach across all of W3C, but we need help with specifics
... a way to handle fingerprinting, or balance against the usefulness
wseltzer: work with Tor, which specifically works on preventing fingerprinting
wseltzer: a standardized profile if you want to avoid fingerprinting, even across browsers, a larger anonymity set
fjh: why not, even in the media case, just define profiles, a great idea
<wseltzer> [perhaps offer a standard "anonymity profile"]
npd: can we help a little with fingerprinting by making it easier for the browser (or a researcher) to detect?
fjh: do we have that documented somewhere to follow up? (not that I know of)
<fjh> thanks for the various ideas
virginie_galindo: started the Cryptography WG recently
<fjh> I will share profile idea on the media task force list, also follow up on fingerprinting detection. Can follow up on PING list if that helps
<wseltzer> [note Panopticlick, re fingerprinting detection: https://panopticlick.eff.org/ ]
virginie_galindo: some ideas inside W3C on Identity with a wide variety of topics, our scope is to develop APIs, cryptographic tools for developers
... create key, encrypt/decrypt, sign/check signature, anything a developer needs to add cryptography to their application (end-to-end security)
... developers using the Crypto API should be able to provide privacy, but we do not give one solution, just tools for developers to build their own solution
... currently discussing the JavaScript API, how to handle the secrets, make sure that when the user generates a secret they won't be tracked by that secret
... when you generate identifiers, shouldn't be associated with a particular user, a problem we are trying to solve
tara: looking for starting points to help with this problem?
fjh: sometimes you want to know who the counterparty is (use a PKI), but for confidentiality you want to do key management in a way.... would think you would want to use symmetric keys
virginie_galindo: want to build the basic tools to use any model that they want
Kasey: can we circulate documents and get back to you with comments?
<fjh> it seems that if you use public key crypto and PKI it might be hard to keep identity information secret?
virginie_galindo: can send you a link, but discussion ongoing very actively on the mailing list
<wseltzer> Web Cryptography WG
<wseltzer> Editor's Draft
<fjh> npdoty: why is there a privacy problem with crypto, what is the tracking problem?
<fjh> virginie_galindo: concern of leakage of service use through leakage of crypto key information - want to maintain privacy around use of service
<virginie_galindo> Web Crypto WG wiki is : http://www.w3.org/2012/webcrypto/
heard warnings from vendors (and from Wendy on fingerprinting)
<fjh> npdoty: tracking protection WG started in April
<wseltzer> Tracking Protection WG
<fjh> npdoty: web services can track user activity so do not track DNT which has been focus
<fjh> npdoty: user expresses preference then this is followed by service
<fjh> npdoty: not enforcement, user expressing preferences, service needs to respect it
<fjh> npdoty: new work in W3C on defining what it means to "comply"
<fjh> npdoty: heated debate
<fjh> npdoty: F2F next week, trying to get to last call
<tara> Thanks, Frederick!
<fjh> npdoty: focus is 3rd party tracking
http://www.w3.org/2011/tracking-protection/
<Christine> Thank you very much Frederick, Virginie, Nick.
npdoty: some challenges we've had with handling press coverage
+1, take it up next call
tara: needs to move forward
... lots of conversation last time what such a document might entail
... sufficient interest to begin work on this
... need volunteers, people who are able to write text
... and content, what an outline would look like
<Christine> +q
Kasey: to what extent can we take into account prior art?
tara: yes, would certainly like to coordinate with other groups' work
Kasey: happy to help
Christine: please bring what pieces are relevant to the table
<Joanne> happy to help where I can
Christine: keep in mind that this is for those who write W3C specifications in particular
<Christine> +q
<Christine> +q
Christine: can organize these resources on the wiki
http://www.w3.org/wiki/Privacy/Privacy_Considerations
Kasey: how are these usually structured? is there something else we can look at?
<tara> W3C document to use as model? Accessibility.
npdoty: Security Considerations at IETF, but also Accessibility work at W3C
tara: seeing some volunteers here, and will also canvass on the mailing list
<tara> See also IETF security considerations documents
tara: a subgroup that can compile those resources and start working on an outline
virginie_galindo: the privacy topic raised by the TAG as well, Robin Berjon and @torgo
<virginie_galindo> http://darobin.github.com/api-design-privacy/api-design-privacy.html
<alissa> IETF security considerations doc: http://tools.ietf.org/html/rfc3552
Christine: have been in conversation with the TAG, hope to sort out how the two groups can work together
<Christine> +1
July 19th, at the same time?
<Joanne> +1
works for me
<jtrentadams> conflicts with me, but not a deal-breaker
<erin> copy on my end
this time again on Thursday, July 19th
<Christine> AOB: Pär Lannerö would like comments on the Common Terms Project (see the email dated 19 April 2012).
tara: hope to have some progress on these documents to discuss next time
<Christine> Reports on OECD and APEC moved to next meeting
<MarkLizar> thanks,
Date: 14 Jun 2012
Scribe: npdoty
Present: npdoty, fjh, +1.949.483.aacc, Christine, jtrentadams, +1.203.436.aadd, tara, wseltzer, +1.415.520.aaee, justin_, Joanne, MacTed, +358.504.87aaff, +44.163.551.aagg, +33.4.42.36.aahh, Narm_Gadiraju, virginie_galindo, Frederick_Hirsch, Kasey
Regrets: Susan_Israel, Karima_Boudaoud, Sören_Preibusch, JC_Canon
Agenda: http://lists.w3.org/Archives/Public/public-privacy/2012AprJun/0090.html
Minutes: http://www.w3.org/2012/06/14-privacy-minutes.html