<trackbot> Date: 02 October 2014
<yrlesru> Hei Nick. I think I am the 650 number.
<tara> 1. Welcome and introductions 2. PING @ TPAC 3. Updates on current work/action items 4. Web privacy news/issues 5. AOB
<christine> Agenda item 1 - Welcome and introductions
<scribe> scribenick: npdoty
<tara> Thanks, Nick!
<christine> Would someone be kind enough to volunteer to scribe?
<christine> Thanks Nick!
Steve Olshansky, Internet Society, work in privacy and security. met f2f at an IETF BOF
<christine> Steve Olshansky
Mary Hodder, joined one early call but haven't been back because of schedule conflicts
maryhodder: have been following mailing lists and attending workshops. working now on Open Notice and Consent Receipts
... IDESG, working on NSTIC for Department of Commerce
tara: PING planning to meet at TPAC at the end of October
... reminder, again, to register. will follow up on the mailing list.
<yrlesru> Are Halloween costumes required?
christine: we have time set aside on October 31st, costume optional
<yrlesru> Some of us are sufficiently spooky...
christine: look at the guidance documents
... have asked for a bit of time at the chairs meeting to let them know about PING work
... and can have a breakout session during the unconference time on Wednesday
... should put together a snazzy description and title so that we'll have lots of participation
... would appreciate some creative volunteer to help with that description
tara: hoping to see a number of you at TPAC meetings
<christine> Is anyone on the call planning to be at TPAC?
<christine> Nick gave some preliminary results of his research into privacy reviews in IETF and W3C at the Telecommunications Policy Research Conference recently
still early in that work, but hopefully I can share some results with you all
<christine> Thanks Nick
katie: took the recommendation to review IETF documents on webrtc, and then look at the media streams documents directly
... 1) was there a ping review in the first place that covered the media capture and streams draft itself?
... the specific one was mediastream recording, a recording API to be used for media streams
... media capture task force asked for a privacy review. not sure if it was specifically about technical details of that spec, or concerns about surveillance/video capture in general
... so I did the more specific review of the spec for privacy and security vulnerabilities
... 1) having a common privacy and security considerations sections added to the spec
... these specs are APIs, to enable scripting
... 2) what the recommendations would be if this API/stream were accessed over the web? vs. using the API between devices within a firewalled network?
... assuming it would be used over the Web generally, what is the level of security or privacy we would want there
<christine> Is Frederick on the call?
Katie's email: http://lists.w3.org/Archives/Public/public-privacy/2014OctDec/0004.html
Katie: would be far fewer considerations if this wasn't Internet/Web-accessible
... would want to ensure that only authenticated entities could access the data
... ensure that it was delivered only over HTTPS
... authentication of the servers (TLS)
... identity providers
... peer connection (RTC) to allow binding identity but also to allow anonymous communication
... clients should treat HTTP and HTTPS origins as different
... implementations should get explicit user consent
<tara> The "Media Capture and Streams" used to be called GetUserMedia, yes?
Katie: IP location privacy
<tara> That was definitely reviewed.
Katie: individual consent vs. cryptographic consent
<Zakim> npdoty, you wanted to agree on Web-access
npdoty: +1 on Web access
... and an active point of discussion about HTTPS-origin requirement for certain sensitive APIs
... including geolocation. would be good to coordinate discussion
tara: will find the getUserMedia review to share (name change)
<yrlesru> +1 to kudos to Katie
christine: a big thank you to Katie!
+1 from the scribe, great work
<tara> Yes, thanks!
scribe: thoughtful and lots of effort
... would be good to connect with fjh
... could invite Media Capture Task Force folks to a call, so we can iteratively talk these through
katie: that works for me
yrlesru: +1 on good work on review
... have provided the recommendations/finding. could you walk us through the steps you went through in the analysis?
... re: getUserMedia, wasn't an expert in webrtc to begin with, the approach I took was a la a Privacy Impact Assessment
... scope what doing, summarized a description of what the spec does, looked at the privacy data lifecycle (collection, processing, storage, maintain)
... for each of those, looked for gaps or vulnerabilities
... ended with recommendations. (that's what you have provided on this spec.)
katie: in lieu of completed guidance, I didn't take a full privacy impact assessment approach. I'm used to reviewing specs for accessibility
... wanted to find out the basic requirements for security/privacy
... read the original spec, and then the sub-spec
... would be nice to see something else that we've done to use as a model
<yrlesru> Well, I bet you get more feedback than I did :-)
katie: have been involved in maybe 20 reviews at w3c in the past, but very different audience
<yrlesru> Thanks.
tara: would like to be helpful where we can, since you've clearly done a lot of useful work here
christine: two other outstanding, IndieUI with Katie and Joe
... other was Encrypted Media Extensions, with Wendy (also regrets for this call)
katie: no progress with Joe on the IndieUI, need to follow up
could potentially talk at TPAC
katie: would really like the external review on IndieUI, I may be too close to it to be objective
summary of some recent events
email from Frank re: IPEN, http://lists.w3.org/Archives/Public/public-privacy/2014OctDec/0003.html
yrlesru: just before, there was an IAPP / NIST workshop in San Jose, their second in a series
... they have a set of questions asking for feedback on their approach to privacy
... Nokia has put together a whitepaper of recommendations of "privacy engineering and assurance"
... not just about engineering, baking it into the product, but, like security, requires steps to make sure they have been implemented
... sent the whitepaper to public-privacy, so you can review as well
... some resonance at IPEN workshop (European audience)
... IPEN met at the historic Berlin state parliament building
... audience many European Data Protection Supervisors, and some academics
... some NGOs/consumer advocates in Europe. a few industry folks
... support for the idea of privacy engineering, but not a lot of concrete details about how to do it
... Data Protection Supervisors are starting to build technology shops internally. becoming privacy engineers on their own side
... CNIL wanted to measure which features are applications using and whether it's part of the primary use
... ... e.g. the flashlight app that gathers and shares lots of data
... ... technical work that included engineering. privacy penetration testing, essentially
... ... or privacy forensics
... OWASP talking about top ten privacy risks, an analog from their security list
... Hannes gave a good presentation on doing privacy considerations of Internet protocols
... I presented Nokia's work on trying to make a systematic approach
... pressure in both EU and US to do something on privacy engineering
... need to do this engineering with privacy and security taken into account
tara: thanks, great to hear that feedback
... NIST is having a webcast (just in a couple hours) to present their overview again of privacy engineering
... asking for comments until October 10
http://lists.w3.org/Archives/Public/public-privacy/2014JulSep/0045.html
http://www.w3.org/2014/privacyws/
<yrlesru> Can we poll for participants at TPAC? I will be there Wed & Fri.
<tara> I will be there those days, too.
<yrlesru> Air Berlin...
katie: wish there were a cheaper way to get to Berlin :)
<yrlesru> Yes.
<yrlesru> Also make sure to take a currywurst at WITTY'S
christine: reminders: input on the privacy guidance documents
... following TPAC, there will be an IETF meeting and will try to organize a PING at IETF meeting
<yrlesru> Right across from KaDeWe department store with gourmet food court on top floor. Wittenbergplatz.
christine: schedule our next call
<yrlesru> +1 November early
<yrlesru> -1 Right TPAC
December 4?
<yrlesru> +1 4.12
tentatively, December 4th. will check for conflicts.
yes, please register for TPAC if you haven't already: http://www.w3.org/2014/11/TPAC/
<yrlesru> Christine & Tara. For TPAC, I wonder if we can have a single graphic of W3C spec process and underneath the activities and processes...
<Ryladog> I will be at TPAC
<yrlesru> ... That ought to be done at those stages.
<yrlesru> I can assist Nick + Chairs to develop
Nick: sounds good to me.
<Ryladog> Next Call is December 4th or 14th?
yrlesru: what should you think about at each stage of the spec development process?
<yrlesru> Great call this month!
tara: if nothing else, adjourned.
trackbot, end meeting
This is scribe.perl Revision: 1.138 of Date: 2013-04-25 13:59:11
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/
Guessing input format: RRSAgent_Text_Format (score 1.00)
Succeeded: s/@@/Olshansky/
Found ScribeNick: npdoty
Inferring Scribes: npdoty
Default Present: +1.650.618.aaaa, +1.613.304.aabb, +1.613.304.aacc, npdoty, +1.510.701.aadd, christine, tara, maryhodder, yrlesru, Katie_Haritos-Shea, Joanne
Present: +1.650.618.aaaa +1.613.304.aabb +1.613.304.aacc npdoty +1.510.701.aadd christine tara maryhodder yrlesru Katie_Haritos-Shea Joanne
Regrets: wseltzer
Found Date: 02 Oct 2014
Guessing minutes URL: http://www.w3.org/2014/10/02-privacy-minutes.html
People with action items:
[End of scribe.perl diagnostic output]