15:53:29 <RRSAgent> RRSAgent has joined #privacy
15:53:29 <RRSAgent> logging to http://www.w3.org/2014/10/02-privacy-irc
15:53:31 <trackbot> RRSAgent, make logs 263
15:53:31 <Zakim> Zakim has joined #privacy
15:53:33 <trackbot> Zakim, this will be
15:53:34 <trackbot> Meeting: Privacy Interest Group Teleconference
15:53:34 <trackbot> Date: 02 October 2014
15:53:34 <Zakim> I don't understand 'this will be', trackbot
15:53:42 <npdoty> Zakim, make logs public
15:53:42 <Zakim> I don't understand 'make logs public', npdoty
15:53:52 <npdoty> RRSagent, make logs public
15:53:57 <npdoty> Zakim, this will be 7464
15:53:57 <Zakim> ok, npdoty; I see Team_(privacy)16:00Z scheduled to start in 7 minutes
15:54:05 <npdoty> chair: runnegar, tara
15:56:24 <christine> christine has joined #privacy
15:59:56 <npdoty> Zakim, code?
15:59:56 <Zakim> the conference code is 7464 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), npdoty
16:00:35 <npdoty> npdoty has changed the topic to: agenda October 2: http://www.w3.org/mid/58A49C3B-F4CE-4B40-9998-A63AFA3A2D25@isoc.org
16:01:17 <Joanne> Joanne has joined #privacy
16:01:31 <npdoty> Zakim, who is on the phone?
16:01:31 <Zakim> Team_(privacy)16:00Z has not yet started, npdoty
16:01:33 <Zakim> On IRC I see Joanne, christine, Zakim, RRSAgent, npdoty, tara, yrlesru, TallTed, fjh, schuki, hiro, terri, wseltzer, trackbot
16:01:42 <npdoty> Zakim, bye
16:01:42 <Zakim> Zakim has left #privacy
16:01:44 <Zakim> Zakim has joined #privacy
16:01:48 <npdoty> Zakim, this is 7464
16:01:48 <Zakim> ok, npdoty; that matches Team_(privacy)16:00Z
16:01:55 <npdoty> Zakim, who is on the phone?
16:01:56 <Zakim> On the phone I see +1.650.618.aaaa, [IPcaller], ??P13, +1.613.304.aacc, npdoty, +1.510.701.aadd
16:02:24 <christine> Zakim, IPcaller is me
16:02:24 <Zakim> +christine; got it
16:02:32 <tara> Zakim, aacc is me.
16:02:32 <Zakim> +tara; got it
16:02:41 <yrlesru> Hei Nick. I think I am the 650 number.
16:02:48 <npdoty> Zakim, aadd is maryhodder
16:02:49 <Zakim> +maryhodder; got it
16:02:54 <npdoty> Zakim, aaaa is yrlesru
16:02:55 <Zakim> +yrlesru; got it
16:03:05 <Zakim> +Katie_Haritos-Shea
16:03:12 <npdoty> regrets+ wseltzer
16:03:55 <Ryladog_> Ryladog_ has joined #privacy
16:04:03 <npdoty> present+ tara
16:04:23 <tara> 1. Welcome and introductions 2. PING @ TPAC 3. Updates on current work/action items 4. Web privacy news/issues 5. AOB
16:04:47 <christine> Agenda item 1 - Welcome and introductions
16:04:54 <npdoty> scribenick: npdoty
16:05:01 <npdoty> Topic: Introductions
16:05:06 <tara> Thanks, Nick!
16:05:12 <christine> Would someone be kind enough to volunteer to scribe?
16:05:18 <christine> Thanks Nick!
16:05:45 <npdoty> Steve @@, Internet Society, work in privacy and security. met f2f at an IETF BOF
16:05:59 <christine> Steve Olshansky
16:06:16 <npdoty> Mary Hodder, joined one early call but haven't been back because of schedule conflicts
16:06:23 <npdoty> s/@@/Olshansky/
16:06:49 <npdoty> maryhodder: have been following mailing lists and attending workshops. working now on Open Notice and Consent Receipts
16:07:12 <npdoty> ... IDESG, working on NSTIC for Department of Commerce
16:07:49 <npdoty> Topic: TPAC
16:08:08 <npdoty> tara: PING planning to meet at TPAC at the end of October
16:08:28 <npdoty> ... reminder, again, to register. will follow up on the mailing list.
16:08:39 <yrlesru> Are Halloween costumes required?
16:08:39 <maryhodder> maryhodder has joined #privacy
16:08:52 <npdoty> christine: we have time set aside on October 31st, costume optional
16:08:56 <yrlesru> Some of us are sufficiently spooky...
16:09:06 <npdoty> ... look at the guidance documents
16:09:41 <npdoty> ... have asked for a bit of time at the chairs meeting to let them know about PING work
16:10:02 <npdoty> ... and can have a breakout session during the unconference time on Wednesday
16:10:20 <npdoty> ... should put together a snazzy description and title so that we'll have lots of participation
16:10:35 <npdoty> ... would appreciate some creative volunteer to help with that description
16:11:04 <npdoty> tara: hoping to see a number of you at TPAC meetings
16:11:09 <christine> Is anyone on the call planning to be at TPAC?
16:11:24 <npdoty> Topic: Work Item updates
16:12:57 <christine> Nick gave some preliminary results of his research into privacy reviews in IETF and W3C at the Telecommunications Policy Research Conference recently
16:13:22 <christine> q+
16:13:32 <npdoty> still early in that work, but hopefully I can share some results with you all
16:14:01 <npdoty> ack christine
16:14:04 <tara> ack christine
16:14:25 <npdoty> https://npdoty.name/tprc42/
16:14:32 <christine> Thanks Nick
16:15:45 <npdoty> katie: took the recommendation to review IETF documents on webrtc, and then look at the media streams documents directly
16:16:12 <npdoty> ... 1) was there a ping review in the first place that covered the media capture and streams draft itself?
16:16:25 <christine> q+
16:16:51 <christine> q-
16:17:01 <npdoty> ... the specific one was mediastream recording, a recording API to be used for media streams
16:17:37 <npdoty> ... media capture task force asked for a privacy review. not sure if it was specifically about technical details of that spec, or concerns about surveillance/video capture in general
16:17:50 <Zakim> +Joanne
16:17:57 <npdoty> ... so I did the more specific review of the spec for privacy and security vulnerabilities
16:18:34 <npdoty> ... 1) having a common privacy and security considerations sections added to the spec
16:18:47 <npdoty> ... these specs are APIs, to enable scripting
16:19:43 <npdoty> ... 2) what the recommendations would be if this API/stream were accessed over the web? vs. using the API between devices within a firewalled network?
16:20:06 <npdoty> ... assuming it would be used over the Web generally, what is the level of security or privacy we would want there
16:20:23 <npdoty> q+ to agree on Web-access
16:20:30 <christine> Is Frederick on the call?
16:21:04 <npdoty> Katie's email: http://lists.w3.org/Archives/Public/public-privacy/2014OctDec/0004.html
16:21:56 <npdoty> Katie: would be far fewer considerations if this wasn't Internet/Web-accessible
16:22:13 <npdoty> ... would want to ensure that only authenticated entities could access the data
16:22:28 <npdoty> ... ensure that it was delivered only over HTTPS
16:22:44 <npdoty> ... authentication of the servers (TLS)
16:23:00 <npdoty> ... identity providers
16:23:25 <npdoty> ... peer connection (RTC) to allow binding identity but also to allow anonymous communication
16:23:43 <npdoty> ... clients should treat HTTP and HTTPS origins as different
16:23:52 <npdoty> ... implementations should get explicit user consent
16:24:02 <tara> The "Media Capture and Streams" used to be called GetUserMedia, yes?
16:24:21 <npdoty> ... IP location privacy
16:24:25 <tara> That was definitely reviewed.
16:24:42 <npdoty> ... individual consent vs. cryptographic consent
16:24:44 <christine> q+
16:25:38 <tara> ack npdoty
16:25:38 <Zakim> npdoty, you wanted to agree on Web-access
16:26:57 <yrlesru> q+
16:27:03 <npdoty> npdoty: +1 on Web access
16:27:19 <npdoty> ... and an active point of discussion about HTTPS-origin requirement for certain sensitive APIs
16:27:30 <npdoty> ... including geolocation. would be good to coordinate discussion
16:27:44 <tara> ack christine
16:27:51 <npdoty> tara: will find the getUserMedia review to share (name change)
16:28:04 <yrlesru> +1 to kudos to Katie
16:28:04 <npdoty> christine: a big thank you to Katie!
16:28:12 <npdoty> +1 from the scribe, great work
16:28:12 <tara> Yes, thanks!
16:28:31 <npdoty> ... thoughtful and lots of effort
16:28:49 <npdoty> ... would be good to connect with fjh
16:29:07 <npdoty> ... could invite Media Capture Task Force folks to a call, so we can iteratively talk these through
16:29:33 <npdoty> katie: that works for me
16:29:41 <tara> ack yrlesru
16:29:48 <npdoty> yrlesru: +1 on good work on review
16:30:07 <npdoty> ... have provided the recommendations/finding. could you walk us through the steps you went through in the analysis?
16:30:55 <npdoty> ... re: getUserMedia, wasn't an expert in webrtc to begin with, the approach I took was a la a Privacy Impact Assessment
16:31:29 <npdoty> ... scope what doing, summarized a description of what the spec does, looked at the privacy data lifecycle (collection, processing, storage, maintain)
16:31:46 <npdoty> ... for each of those, looked for gaps or vulnerabilities
16:32:11 <npdoty> ... ended with recommendations. (that's what you have provided on this spec.)
16:32:53 <npdoty> katie: in lieu of completed guidance, I didn't take a full privacy impact assessment approach. I'm used to reviewing specs for accessibility
16:33:22 <npdoty> ... wanted to find out the basic requirements for security/privacy
16:33:22 <npdoty> ... read the original spec, and then the sub-spec
16:33:47 <npdoty> ... would be nice to see something else that we've done to use as a model
16:33:59 <yrlesru> Well, I bet you get more feedback than I did :-)
16:34:33 <npdoty> ... have been involved in maybe 20 reviews at w3c in the past, but very different audience
16:34:38 <yrlesru> Thanks.
16:35:58 <npdoty> tara: would like to be helpful where we can, since you've clearly done a lot of useful work here
16:36:19 <npdoty> Topic: Status of reviews
16:36:37 <npdoty> christine: two other outstanding, IndieUI with Katie and Joe
16:36:52 <npdoty> ... other was Encrypted Media Extensions, with Wendy (also regrets for this call)
16:37:17 <npdoty> katie: no progress with Joe on the IndieUI, need to follow up
16:37:34 <npdoty> could potentially talk at TPAC
16:38:20 <npdoty> katie: would really like the external review on IndieUI, I may be too close to it to be objective
16:39:05 <npdoty> Topic: News and events
16:39:18 <npdoty> summary of some recent events
16:39:44 <npdoty> email from Frank re: IPEN, http://lists.w3.org/Archives/Public/public-privacy/2014OctDec/0003.html
16:40:10 <npdoty> yrlesru: just before, there was an IAPP / NIST workshop in San Jose, their second in a series
16:40:25 <npdoty> ... they have a set of questions asking for feedback on their approach to privacy
16:40:56 <npdoty> ... Nokia has put together a whitepaper of recommendations of "privacy engineering and assurance"
16:41:26 <npdoty> ... not just about engineering, baking it into the product, but, like security, requires steps to make sure they have been implemented
16:41:44 <npdoty> ... sent the whitepaper to public-privacy, so you can review as well
16:41:56 <npdoty> ... some resonance at IPEN workshop (European audience)
16:42:31 <npdoty> ... IPEN met at the historic Berlin state parliament building
16:42:49 <npdoty> ... audience many European Data Protection Supervisors, and some academics
16:43:03 <npdoty> ... some NGOs/consumer advocates in Europe. a few industry folks
16:43:48 <npdoty> ... support for the idea of privacy engineering, but not a lot of concrete details about how to do it
16:44:07 <npdoty> ... Data Protection Supervisors are starting to build technology shops internally. becoming privacy engineers on their own side
16:44:51 <npdoty> ... CNIL wanted to measure which features are applications using and whether it's part of the primary use
16:45:04 <npdoty> ... ... e.g. the flashlight app that gathers and shares lots of data
16:45:20 <npdoty> ... ... technical work that included engineering. privacy penetration testing, essentially
16:45:39 <npdoty> ... ... or privacy forensics
16:46:23 <npdoty> ... OWASP talking about top ten privacy risks, an analog from their security list
16:46:49 <npdoty> ... Hannes gave a good presentation on doing privacy considerations of Internet protocols
16:47:17 <npdoty> ... I presented Nokia's work on trying to make a systematic approach
16:48:41 <npdoty> ... pressure in both EU and US to do something on privacy engineering
16:49:09 <npdoty> ... need to do this engineering with privacy and security taken into account
16:49:27 <npdoty> tara: thanks, great to hear that feedback
16:49:46 <npdoty> tara: NIST is having a webcast (just in a couple hours) to present their overview again of privacy engineering
16:50:00 <npdoty> ... asking for comments until October 10
16:50:22 <npdoty> q+ to mention workshop via Frederick
16:50:52 <npdoty> http://lists.w3.org/Archives/Public/public-privacy/2014JulSep/0045.html
16:50:53 <Ryladog> Ryladog has joined #privacy
16:50:57 <npdoty> http://www.w3.org/2014/privacyws/
16:51:17 <yrlesru> Can we pole for participants at TPAC? I will be there Wed & Fri.
16:51:27 <Ryladog> q+
16:51:35 <tara> I will be there those days, too.
16:51:36 <christine> q+
16:51:57 <npdoty> q-
16:52:02 <tara> ack npdoty
16:52:23 <npdoty> ack Ryladog
16:52:35 <yrlesru> Air Berlin...
16:52:39 <npdoty> katie: wish there were a cheaper way to get to Berlin :)
16:53:00 <yrlesru> Yes.
16:53:13 <tara> ack Ryladog
16:53:20 <yrlesru> Also make sure to take a currywurst at WITTY'S
16:53:31 <npdoty> christine: reminders: input on the privacy guidance documents
16:53:47 <npdoty> ... following TPAC, there will be an IETF meeting and will try to organize a PING at IETF meeting
16:53:55 <tara> ack christine
16:53:59 <yrlesru> Right across from KaDeWe department store with gourmet food court on top floor. Wirttenberg Platz.
16:54:01 <npdoty> ... schedule our next call
16:54:32 <yrlesru> +1 November early
16:54:48 <yrlesru> -1 Right TPAC
16:55:02 <npdoty> December 4?
16:55:17 <yrlesru> +1 4.12
16:55:38 <npdoty> tentatively, December 4th. will check for conflicts.
16:56:03 <Zakim> -??P13
16:56:09 <npdoty> yes, please register for TPAC if you haven't already: http://www.w3.org/2014/11/TPAC/
16:56:11 <yrlesru> Christine & Tara. For TPAC, I wonder if we can have a single graphic of W3C spec process and underneath the activities and processes...
16:56:16 <Ryladog> I will be at TPAC
16:56:22 <yrlesru> ... That ought to be done at those stages.
16:56:48 <yrlesru> I can assist Nick + Chairs to develop
16:56:59 <npdoty> Nick: sounds good to me.
16:57:03 <Ryladog> Next Call is December 4th or 14th?
16:57:58 <npdoty> yrlesru: what should you think about at each stage of the spec development process?
16:58:34 <yrlesru> Great call this month!
16:58:37 <Zakim> -christine
16:58:39 <Zakim> -Joanne
16:58:39 <Zakim> -Katie_Haritos-Shea
16:58:40 <Zakim> -maryhodder
16:58:42 <npdoty> tara: if nothing else, adjourned.
16:58:42 <Zakim> -npdoty
16:58:45 <Zakim> -tara
16:58:47 <npdoty> trackbot, end meeting
16:58:47 <trackbot> Zakim, list attendees
16:58:47 <Zakim> As of this point the attendees have been +1.650.618.aaaa, +1.613.304.aabb, +1.613.304.aacc, npdoty, +1.510.701.aadd, christine, tara, maryhodder, yrlesru, Katie_Haritos-Shea,
16:58:50 <Zakim> ... Joanne
16:58:55 <trackbot> RRSAgent, please draft minutes
16:58:55 <RRSAgent> I have made the request to generate http://www.w3.org/2014/10/02-privacy-minutes.html trackbot
16:58:56 <trackbot> RRSAgent, bye
16:58:56 <RRSAgent> I see no action items