<trackbot> Date: 10 October 2013
<rigo> bad line, too much NSA loopback echo, trying again
<christine> Regrets from Joe and Hannes
<christine> Agenda: 1. Welcome and introductions 2. Discussion of the privacy reviews of the draft Web Cryptography API [1] and the draft WebCrypto Key Discovery [2] 3. Update re privacy guidance documents (Privacy Considerations; Fingerprinting; Process) 4. Update re getUserMedia privacy review 5. Update re EME privacy review 6. AOB
<christine> Regrets Robin
<tara> Getting started in a moment...
<christine> thanks, I will try to remember that
<christine> We need a scribe
<christine> Thank you Nick
<scribe> scribenick: npdoty
<christine> Agenda item 2 - Discussion of the privacy reviews of the draft Web Cryptography API [1] and the draft WebCrypto Key Discovery [2]
<christine> Many thanks to Robin for providing a privacy review
Robin sent comments to the list about it
<tara> https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
<tara> http://www.w3.org/TR/webcrypto-key-discovery/
<wseltzer> Robin Wilton's review
christine: last call we had guests from Web Crypto to discuss their privacy conversations; Robin provided a privacy review, but haven't received comments on the list
... Web Crypto is anxious to get their review
... follow up with Crypto WG, noting that they want something in a couple of weeks
tara: useful to get some comments in at this stage, let them see a draft
npdoty: concern that most UAs couldn't implement it because of privacy concerns. should that be a blocking concern?
wseltzer: pre-provisioned keys spec split off because of implementer concerns
npdoty: if implementations can't be built, should that be a blocker? what does w3c typically do in that situation?
wseltzer: let it go for a while through the process; at some point should PING give a comment, might eventually go to the Director, based on whether implementations can be made
... could do privacy reviews at the implementation stage to see if concerns really were addressed
christine: typically would think we would focus on specification rather than implementation, but could maybe give advance guidance on implementation/results
wseltzer: easy to give advice on individual specs, but privacy concerns will be noted for the point of implementations and interactions between features
... could note it earlier just to compare our expectations to the actual real world experience
npdoty: question about implementers
... could note about feature-at-risk or risk of non-implementation
tara: privacy considerations; fingerprinting; SPA
<wseltzer> ACTION christine to share draft review of WebCrypto with Virginie Galindo
<trackbot> Created ACTION-4 - Share draft review of webcrypto with virginie galindo [on Christine Runnegar - due 2013-10-17].
tara: missing Frank and Hannes today, as an Interest Group, what should be done with the documents at this stage?
<wseltzer> http://www.w3.org/2005/10/Process-20051014/process.html#ig-cg-notes
<rigo> nick, do you have the link for the charter
http://www.w3.org/2011/07/privacy-ig-charter.html
npdoty: expectation was to publish a Group Note, not sure if we have draft/review requirements in the meantime
<tara> ack
rigo: per the charter, we're allowed to make Group Notes
<christine> So does that mean we call it Draft Group Note as at x date?
<rigo> yep
npdoty: suggest we publish Editors' Drafts now, and internally decide on what level of review we're going to have within PING or based on feedback from other groups before we publish a finalized Note
tara: if other Interest Groups have gone through this, happy to hear feedback
<rigo> look at http://www.w3.org/TR/app-privacy-bp/
tara: not complex, but happy to hear we can move these forward without a formal process
<rigo> and ask Frederick how he got there
christine: happy to hear suggestions on how we can encourage contributions to these privacy documents
... suffering a little bit from divided time, with TPWG taking a lot of focus
<fjh> we got there through the work in DAP at the time, including CDT input, discussions, items that involved applications
christine: this is important work for W3C, enough so to charter work, if you have ideas on how to go faster, please let me know
npdoty: we've had success with individual volunteers doing privacy reviews, maybe we should ask individuals to do reviews of each guidance document
rigo: input can be driven by process requirements
christine: IETF is taking a much more obvious and active interest in data security
... gives a lot of support to their ongoing privacy work
<christine> thank you for joining us
npdoty: based on our use of "fingerprinting" term in other privacy reviews, we might want to update the definition or recommend using a different term
christine: reminded Hannes on getUserMedia review
wseltzer: joe and I still planning to do privacy review on EME
christine: there may have been some uncertainty about the forward progress/scope of EME
... how would it fit into their schedule? do they have a particular deadline?
wseltzer: they have published Working Drafts, it would be useful to have privacy review now
christine: might be able to capitalize on the recent press coverage, reminder that wseltzer is managing a privacy review of this spec
wseltzer: would be happy to forward that email to the restricted media community group
npdoty: what should we do in response to reports of sabotage of security standards? know IETF/IAB is working on some privacy-related RFCs
christine: know it's been an active topic of discussion in internet governance
... don't want to comment on what W3C is doing internally
tara: on a broader scale, what can we do to provide transparency around process to address that concern
wseltzer: one statement has been from OpenStand, open standards process to resist that kind of infiltration, a very high-level response
<christine> http://open-stand.org/
http://open-stand.org/statement-from-openstand-on-the-strengths-of-the-openstand-principles/
wseltzer: what should we do now that we know more about this kind of threat?
... TAG (technical architecture group) and domain talking about what responses are necessary on security in standards development
<wseltzer> OpenStand statement
tara: will this be a topic at TPAC?
wseltzer: it should be discussed there, yes. we should propose it on the unconference day if it's not already on the schedule
<wseltzer> TPAC Wiki
npdoty: can also talk at IETF in Vancouver, good for coordinating between W3C and IETF
<christine> agree with Nick
tara: hearing general support for making statements. is there anything on the other side, concerns against making a statement?
fjh: might be a W3C thing, not a PING thing
<Karima> I think it is a PING thing
npdoty: organizations as a whole can make larger statements, but PING or IAB privacy program can publish documents that would actually implement those priorities
christine: had hoped to have further progress on privacy considerations, but glad we've been doing privacy reviews
... still maturing, but hope we can get to the point where we can say, there is a group that is developing guidance and coordinating privacy reviews of specifications
... question may be asked of standards bodies: what are you doing to protect us?
Karima: congress on privacy, launch debate on what happens at the NSA; videos have been posted, including a discussion of standardization
... could be helpful in making a responsible statement
<christine> +q
christine: pointing out charter date inconsistency
<christine> christine will be
<tara> I will not be, sadly.
npdoty: my fault, will follow up internally
tara: if you'll be in Vancouver, let us know, so we can get together and discuss
<christine> when is thanksgiving?
US Thanksgiving is Thursday the 28th of November
<christine> I can't do 21
<rigo> all W3C will be absent for TPAC until 19 Nov
<christine> first week of dec?
<christine> I will be hoping outstanding privacy reviews are completed by then - 5 dec
<christine> thank you tara
<christine> and nick and all
December 5th likely works for next call
<rigo> regrets on 5th of December, conflicting meeting
Present: npdoty, tara, Rigo, christine, Wendy, Karima, fjh
Regrets: JoeHall, Hannes, Robin