W3C

- DRAFT -

Privacy Interest Group Teleconference

10 Oct 2013

See also: IRC log

Attendees

Present
npdoty, tara, Rigo, christine, Wendy, Karima, fjh
Regrets
JoeHall, Hannes, Robin
Chair
tara
Scribe
npdoty

Contents


<trackbot> Date: 10 October 2013

<rigo> bad line, too much NSA loopback echo, trying again

<christine> Regrets from Joe and Hannes

<christine> Agenda: 1. Welcome and introductions 2. Discussion of the privacy reviews of the draft Web Cryptography API [1] and the draft WebCrypto Key Discovery [2] 3. Update re privacy guidance documents (Privacy Considerations; Fingerprinting; Process) 4. Update re getUserMedia privacy review 5. Update re EME privacy review 6. AOB

<christine> Regrets Robin

<tara> Getting started in a moment...

<christine> thanks, I will try to remember that

<christine> We need a scribe

<christine> Thank you Nick

<scribe> scribenick: npdoty

Web Cryptography review

<christine> Agenda item 2 - Discussion of the privacy reviews of the draft Web Cryptography API [1] and the draft WebCrypto Key Discovery [2]

<christine> Many thanks to Robin for providing a privacy review

Robin sent comments to the list about it

<tara> https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html

<tara> http://www.w3.org/TR/webcrypto-key-discovery/

<wseltzer> Robin Wilton's review

christine: last call we had guests from Web Crypto to discuss their privacy conversations; Robin provided a privacy review, but haven't received comments on the list
... Web Crypto is anxious to get their review
... follow up with Crypto WG, noting that they want something in a couple of weeks

tara: useful to get some comments in at this stage, let them see a draft

npdoty: concern that most UAs couldn't implement it because of privacy concerns. should that be a blocking concern?

wseltzer: pre-provisioned keys spec split off because of implementer concerns

npdoty: if implementations can't be built, should that be a blocker? what does w3c typically do in that situation?

wseltzer: let it go for a while through the process; at some point should PING give a comment, might eventually go to the Director, based on whether implementations can be made
... could do privacy reviews at the implementation stage to see if concerns really were addressed

christine: typically would think we would focus on specification rather than implementation, but could maybe give advance guidance on implementation/results

wseltzer: easy to give advice on individual specs, but privacy concerns will be noted for the point of implementations and interactions between features
... could note it earlier just to compare our expectations to the actual real world experience

npdoty: question about implementers
... could note about feature-at-risk or risk of non-implementation

privacy guidance documents

tara: privacy considerations; fingerprinting; SPA

<wseltzer> ACTION christine to share draft review of WebCrypto with Virginie Galindo

<trackbot> Created ACTION-4 - Share draft review of webcrypto with virginie galindo [on Christine Runnegar - due 2013-10-17].

tara: missing Frank and Hannes today, as an Interest Group, what should be done with the documents at this stage?

<wseltzer> http://www.w3.org/2005/10/Process-20051014/process.html#ig-cg-notes

<rigo> nick, do you have the link for the charter

http://www.w3.org/2011/07/privacy-ig-charter.html

npdoty: expectation was to publish a Group Note, not sure if we have draft/review requirements in the meantime

<tara> ack

rigo: per the charter, we're allowed to make Group Notes

<christine> So does that mean we call it Draft Group Note as at x date?

<rigo> yep

npdoty: suggest we publish Editors' Drafts now, and internally decide on what level of review we're going to have within PING or based on feedback from other groups before we published a finalized Note

tara: if other Interest Groups have gone through this, happy to hear feedback

<rigo> look at http://www.w3.org/TR/app-privacy-bp/

tara: not complex, but happy to hear we can move these forward without a formal process

<rigo> and ask Frederick how he got there

christine: happy to hear suggestions on how we can encourage contributions to these privacy documents
... suffering a little bit from divided time, with TPWG taking a lot of focus

<fjh> we got there through the work in DAP at the time, including CDT input, discussions, items that involved applications

christine: this is important work for W3C, enough so to charter work, if you have ideas on how to go faster, please let me know

npdoty: we've had success with individual volunteers doing privacy reviews, maybe we should ask individuals to do reviews of each guidance document

rigo: input can be driven by process requirements

christine: IETF is taking a much more obvious and active interest in data security
... gives a lot of support to their ongoing privacy work

<christine> thank you for joining us

npdoty: based on our use of "fingerprinting" term in other privacy reviews, we might want to update the definition or recommend using a different term

christine: reminded hannes on getusermedia review

wseltzer: joe and I still planning to do privacy review on EME

christine: there may have been some uncertainty about the forward progress/scope of EME
... how would it fit into their schedule? do they have a particular deadline?

wseltzer: they have published Working Drafts, it would be useful to have privacy review now

christine: might be able to capitalize on the recent press coverage, reminder that wseltzer is managing a privacy review of this spec

wseltzer: would be happy to forward that email to the restricted media community group

standards and surveillance concerns

npdoty: what should we do in response to reports of sabotage of security standards? know IETF/IAB is working on some privacy-related rfcs

christine: know it's been an active topic of discussion in internet governance
... don't want to comment on what w3c is doing internally

tara: on a broader scale, what can we do to provide transparency around process to address that concern

wseltzer: one statement has been from OpenStand, open standards process to resist that kind of infiltration, a very high-level response

<christine> http://open-stand.org/

http://open-stand.org/statement-from-openstand-on-the-strengths-of-the-openstand-principles/

wseltzer: what should we do now that we know more about this kind of threat?
... TAG (technical architecture group) and domain talking about what responses are necessary on security in standards development

<wseltzer> OpenStand statement

tara: will this be a topic at TPAC?

wseltzer: it should be discussed there, yes. we should propose it on the unconference day if it's not already on the schedule

<wseltzer> TPAC Wiki

npdoty: can also talk at IETF in Vancouver, good for coordinating between w3c and ietf

<christine> agree with Nick

tara: hearing general support for making statements. is there anything on the other side, concerns against making a statement?

fjh: might be a w3c thing, not a PING thing

<Karima> I think it is a PING thing

npdoty: organizations as a whole can make larger statements, but PING or IAB privacy program can publish documents that would actually implement those priorities

christine: had hoped to have further progress on privacy considerations, but glad we've been doing privacy reviews
... still maturing, but hope we can get to the point where we can say, there is a group that is developing guidance and coordinating privacy reviews of specifications
... question may be asked of standards bodies: what are you doing to protect us?

Karima: congress on privacy, launch debate on what happens at the NSA; videos have been posted, including a discussion of standardization
... could be helpful in making a responsible statement

<christine> +q

christine: pointing out charter date inconsistency

<christine> christine will be

<tara> I will not be, sadly.

npdoty: my fault, will follow up internally

tara: if you'll be in Vancouver, let us know, so we can get together and discuss

<christine> when is thanksgiving?

us thanksgiving is thursday the 28th of November

<christine> I can't do 21

<rigo> all W3C will be absent for TPAC until 19 Nov

<christine> first week of dec?

<christine> I will be hoping outstanding privacy reviews are completed by then - 5 dec

<christine> thank you tara

<christine> and nick and all

December 5th likely works for next call

<rigo> regrets on 5 th of December, conflicting meeting

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2013/10/10 17:00:52 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/CDC/CDT/
Found ScribeNick: npdoty
Inferring Scribes: npdoty
Default Present: npdoty, tara, Rigo, christine, Wendy, Karima, fjh
Present: npdoty tara Rigo christine Wendy Karima fjh
Regrets: JoeHall Hannes Robin
Found Date: 10 Oct 2013
Guessing minutes URL: http://www.w3.org/2013/10/10-privacy-minutes.html
People with action items: 

[End of scribe.perl diagnostic output]