W3C

- DRAFT -

Privacy Interest Group teleconference

23 Aug 2012

Agenda

See also: IRC log

Attendees

Present
wseltzer_away
Regrets
karima, erink
Chair
christine, tara
Scribe
tara


<christine> regrets Karima Boudaoud, Erin Kennedy and maybe JC Cannon

<christine> thanks nick

<christine> Please volunteer to scribe.

<rigo> tara?

<rigo> tara, can you scribe?

<npdoty> christine: get things started, trying to pick a scribe beyond just nick

Do my best!

<npdoty> ... also, introductions

<rigo> we will fill in

<npdoty> ... Dave Singer from Apple, have been on the list for a while but joining the call for the first time

<scribe> New person: David Singer (sp?) from Apple.

<npdoty> ... multimedia standards at Apple, but now working on privacy as well, co-editing in DNT group

Rigo Wenning, Legal Counsel for W3C, longtime privacy staff (P3P & privacy research), now doing Do Not Track

<npdoty> scribenick: tara

Privacy Considerations

Have been trying to move forward on guidance document for web standards development, like IAB program

But tailored for W3C context

So: how do we move this work forward?

Nick: can start work by looking at specific topics, like data minimization.

Different stakeholders have different approaches.

So: what might work for different WGs.

Hannes: In the IAB work, we reviewed protocols from different groups. These efforts go on for a long time - but what specific form should the guidance take?

<rigo> hannes: mentioned topic, we went through IAB privacy consideration, activities go on for a long time, realized that people are doing zigzag kind of design. Perhaps need more guidance, what direction should the guidance go? Current guidance has strong focus on data minimization

Hannes: Example - data minimization may work for IAB but not W3C.

Rigo: two directions this group can take. Look at the technical implications of specifications for privacy implications. One can wait for specs to come and then review them and create a solution.

Then try to generalize from that work. Or: we can create rough guidance for web stuff, and then we can measure the spec against the guidance and evaluate it on those grounds.

Rigo: concerned about top-down approach (everyone having to follow our guidance). EU has many laws and directives that are impractical and were ignored. Would rather be practical.

<npdoty> yay for pragmatism! :)

<MacTed> +1 practicality, examine several until a larger pattern emerges, which gives shape to a general guidance

Christine: If we do the practical side, how would we do that (Rigo)?

Rigo: There are at least a dozen specs in development in W3C; start w/geolocation people. Get them to present it and tell us where the privacy sensitivities are and what they should do.

We can discuss this and perhaps learn and also instruct them on possible solutions.

<Kasey> perhaps look at past specs as well to see where problems arose?

<npdoty> +1 Kasey, we can review existing documents as well, finding both problems and solutions

Christine: Rigo, that is what we are doing. We had geo-loc people on previous call. We offered ourselves as a locus for discussion.
... Also had other groups, like Crypto group, and made suggestions. Also Device API group, who got guidance on fingerprinting.

Hannes: if there is no harm identified in the spec, then doubt that privacy solutions will arise either.

<npdoty> hannes: IAB we tried to learn from the security work, identifying threats, as a model

<npdoty> ... experience with the security considerations after guidance in IETF

<npdoty> ... early on the Security Considerations sections tended to be boilerplate/checkbox

<npdoty> ... but then got better over time

<npdoty> npdoty: yes, that was our finding

<npdoty> Kasey: a lot of overlap between DAP folks and the Vodafone-hosted workshop a couple years back

<npdoty> ... a lot of discussion then that we needed a higher-level overarching framework

<npdoty> ... worth looking back at that meeting and DAP discussions to identify what should be raised to a higher level

<npdoty> http://www.w3.org/2010/api-privacy-ws/

<npdoty> rigo: I worry that API development will be finished before we develop guidance if we're starting too high-level

<npdoty> ... need another API privacy workshop where those people can talk again about their pain points

Sorry - my wifi just died so I missed about five min.

<npdoty> christine: looking to add value to privacy in the development of W3C standards

<npdoty> ... idea that a workshop could be a useful forum for moving this discussion forward

Am on cell now to listen but might not be best scribe!

<npdoty> hannes: rigo is suggesting a workshop which always sounds nice, but what would such a workshop do specifically?

<npdoty> Kasey: looking at notes from previous workshops might help us identify those pain points

<npdoty> ... I can do that, with some help from someone who remembers more

<Kasey> +1 Nick

<npdoty> npdoty: think we can build on existing workshop and existing info that we've gathered from other groups... can start on guidance now from what we've learned

<npdoty> rigo: we can decide whether to split documents or have sections in a single document

<npdoty> ... everybody needs guidance, and can pool resources into this

<rigo> :-P

<npdoty> ... for PLING, eventually gave up for lack of input, need commitment of time to the document

<npdoty> consensus that dave singer is the best editor ever :)

<npdoty> dsinger: we all appreciate the goal, but in a way it's a thankless job; puzzled on how to get the scrutiny that these documents deserve

<npdoty> hannes: it is indeed tough; if you'd like to improve the security model, it's very difficult, and security is a subset of the privacy concept

<npdoty> ... no shortage of solutions, but providing guidance that is generic enough to be useful is difficult

<npdoty> christine: one idea: many people in the PING who also participate in other WGs that have privacy implications to them

<npdoty> ... can those people take responsibility to look at those issues and bring them forward to PING?

<npdoty> ... bring solutions, but also identify risks, threats, vulnerabilities

<npdoty> rigo: this is the consulting approach; could invite others doing horizontal work (richard, in i18n)

<npdoty> ... prefer other groups come to us for advice and sharing their pain, rather than our pushing privacy as a top-down model

<npdoty> "nobody likes to be told to eat their broccoli"

<npdoty> christine: +1 on i18n as someone to learn from

<dsinger> i18n is also good

<npdoty> npdoty: accessibility also a good horizontal model to learn from

<npdoty> hannes: agree that top-down is not preferred, but with some groups who don't have that interest, what mechanism should we use as a check/balance for such a group?

<npdoty> ... do we have external people who review documents for i18n?

<npdoty> rigo: if there are no pain points, then coming in with a requirement is just a nuisance

<npdoty> ... but that pain can come from regulators, consumer protection, or possibly from the Director who can add a step

<npdoty> ... but this is a dangerous pain point (industry can pop up new consortia any time)

Hey! :-)

<npdoty> ... existing regulator pain is most useful for security and privacy

<npdoty> <debate about regulatory effectiveness>

<npdoty> rigo: it may be that we can convince the overall organization that they must have this as a process step, but thinking in pain points is already good

<npdoty> MacTed: neither purely bottom-up nor top-down will work here. regulators don't fully understand the technology and the engineers don't necessarily understand the law

<npdoty> ... something from this group can identify where technology is necessary and note that technology can't solve the problem perfectly

<npdoty> ... some privacy concerns without being tied to real problems

<npdoty> ... people are not always aware of the pain points, like the potential conflicts with regulation

<npdoty> MacTed: may be useful to pull what we can from the regulatory bodies

<npdoty> ... tech folks really don't understand the regulations that are there

<Kasey> cough - we have a few regulatory experts here ;-)

<npdoty> ... as a search engine provider, I need to track more data in order to provide a better service

<Kasey> +1

<npdoty> christine: is it useful to have those discussions in this group?

<npdoty> MacTed: yes, and useful to the group itself

<npdoty> tara: I'm a technologist as a regulator, so I might be a useful contact in determining those overlaps

Okay, sorry.

Just really backing up earlier comments on the value of docs for regulation.

Being a technologist at a regulator!

<npdoty> Kasey: maybe it would be useful to identify potential conflicts with regulation and raise those questions here; some of us who are experts in that area can help

So - we do have some expertise to draw on.

<npdoty> christine: sounds like a good idea!

And - there are some regulators who really need the help.

Will move to IRC.

(Apologies for terrible audio today.)

<npdoty> rigo: have a meeting, a possibility to brainstorm [missed some detail here, please fill in]

<npdoty> ... in some jurisdictions, everything is regulated

<npdoty> ... do this at a pointed basis in doing workshops

<npdoty> hannes: when inviting regulators, do you mean DPAs or legislators or others?

<npdoty> Kasey: on the EU front, some organizations play multiple roles, like the Article 29 WP, made up of DPAs, advise on interpretation and additional legislation

<npdoty> hannes: some regulators are not scoped with reaching out to technical groups; technologists only find out later that this is a big privacy violation and need to change a design around

<npdoty> Kasey: not necessarily talk to regulators about this, but we can identify places where we think the tech and regulation conflict

<npdoty> ... and then we can address those conflicts with regulators or in our considerations document

<npdoty> rigo: w3c does talk to regulators, EC, parliament, FTC, Japan, Australia; not unusual for us to go there, invite them to a meeting

<npdoty> ... really not a problem at all

<npdoty> ... Article 29 now has an official representative in the Do Not Track work

<npdoty> ... and we have regulators (including tara!) who we can really cooperate with

<Kasey> +1 Nick

<Kasey> very important role too, for us

<rigo> +1 and worthwhile contribution

<npdoty> npdoty: one other role we (PING) can play, help identify where a technical standard can help address a regulatory concern

<npdoty> christine: a very fruitful discussion, multiple possibilities that are not exclusive

<dsinger> thx!

<npdoty> ... suggest that we continue this discussion on the email list

Thanks!

<rigo> and Christine, thanks for chairing!

<MacTed> ah, we should invite trackbot next time. it takes care of attendee lists and such...

<MacTed> present robsherman, npdoty, Rigo, Narm_Gadiraju, robsherman, Ashok_Malhotra, narm, Kasey, dsinger, christine, tara, MacTed, matt, wseltzer_away

<MacTed> rrs, draft minutes

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.136 (CVS log)
$Date: 2012/08/23 17:08:32 $

Agenda: http://lists.w3.org/Archives/Public/public-privacy/2012JulSep/0027.html