20:11:09 RRSAgent has joined #privacy 20:11:09 logging to http://www.w3.org/2014/10/29-privacy-irc 20:11:11 RRSAgent, make logs 263 20:11:11 Zakim has joined #privacy 20:11:13 Zakim, this will be 20:11:13 I don't understand 'this will be', trackbot 20:11:14 Meeting: Privacy Interest Group Teleconference 20:11:14 Date: 29 October 2014 20:11:39 s/Interest Group Teleconference/Breakout/ 20:14:06 BillHofmann has joined #privacy 20:14:19 bhill2 has joined #privacy 20:15:04 scribenick: bhill2 20:16:00 adrianba has joined #privacy 20:17:53 nvdbleek has joined #privacy 20:18:03 rigo has joined #privacy 20:18:17 AxelPolleres has joined #privacy 20:18:32 jeremie has joined #privacy 20:19:14 Ryladog has joined #privacy 20:19:53 colin has joined #privacy 20:20:11 fabien-gandon has joined #privacy 20:20:18 dbaron has joined #privacy 20:20:20 npdoty has joined #privacy 20:20:21 haakonfb has joined #privacy 20:20:23 Engelke has joined #privacy 20:21:26 Bart_van_Leeuwen has joined #privacy 20:21:26 bhill2 has joined #privacy 20:21:31 ... other areas of privacy that need focus 20:21:32 laufer has joined #privacy 20:21:40 ... I worked on the data minimization draft on the TAG 20:21:51 npdoty has changed the topic to: Privacy and Openness breakout session 20:21:54 ... APIs should only expose required information to applications using them 20:22:05 ... e.g. geolocation only to the accuracy required (city vs. square meter) 20:22:37 ... earlier this year hosted STRING workshop joint w/ IETF + W3C about protecting web against pervasive monitoring 20:22:47 ... that's about bad government or other network actors 20:23:00 ... ignores whole other angle which is commercial privacy in context of tracking networks, how users use the web 20:23:03 ... this is a complex beast 20:23:26 ... in tag we are thinking about private browsing modes, have become a feature of all major browsers but work differently 20:23:40 ... not good user understanding of when what they do is private and when they should seek additional privacy 20:24:11 ... for what kinds of web usage they should think about privacy 20:24:54 ... e.g. researching medial information, political topics, - might want to use private browsing or TOR 20:24:54 ... also need to understand what privacy they are giving up when they use the web in general and what the transaction is 20:24:55 rrsagent, pointer? 20:24:55 See http://www.w3.org/2014/10/29-privacy-irc#T20-24-55 20:25:05 ... search for a washing machine, they will follow you around the web for a week 20:25:20 rrsagent, make logs public 20:25:22 ... working on both education and outreach and what we can socialize with the browser community 20:25:40 s/STRING/STRINT/g 20:26:24 JacquesD has joined #privacy 20:27:21 http://www.w3.org/Privacy/ <- Privacy Interest Group (PING) home page 20:28:08 nvdbleek3 has joined #privacy 20:28:09 runnegar: talk about the Privacy Interest Group and what we are doing 20:28:16 ... develop guidance for web spec authors 20:28:21 jmr has joined #privacy 20:28:39 ... 1) what are the known privacy vulnerabilities and risks associated with web standards? 20:28:43 ... 2) what privacy design principles make sense for the Web? 20:28:55 ... 3) how do we make sure privacy concerns are raised early? 20:29:14 ... 4) how should privacy reviews be conducted? 20:29:32 ... 5) how should conflicts between privacy and functionality be resolved? 20:29:42 runnegar: what's the problem space / threat model? 20:29:42 jmr has joined #privacy 20:29:51 ... and process: how do we do this in the W3C community? 20:29:56 olivier has joined #privacy 20:30:12 tara: maybe you've done reviews, or solicited reviews, or would like to get privacy reviews 20:30:32 ... how do you think we could be of benefit to that community? 20:30:32 ... suggestions welcome both now and later 20:31:17 katiehs: Process document is being re-written. should immediately have a privacy/security section, someone to contact to get that conversation started 20:31:18 ... one other thing - STRINT workshop was a call for additional encryption 20:31:18 ... more TLS is part of mitigation strategy 20:31:18 ... also about other features including HTTP/2, only implementing in secure mode 20:31:18 Christine and Tara 20:31:18 Christine Runegar 20:31:19 christine: there are two sessions combined here 20:31:19 ... rist - talk about PING and what we are doing 20:31:19 s/rist/first/ 20:31:20 ... develop guidance for web spec authors on privacy 20:31:20 ... run through questions for discussions 20:31:21 ... 1st question: What are the known privacy vulnerabilities and risks associated with web standards? 20:31:21 ... 2nd: what are the relevant privacy questions for the web? 20:31:22 .2nd: what privacy design principles make sense for the web? 20:31:22 ... how do we make sure privacy concerns are raised early? 20:31:22 ... how should privacy reviews be conducted? 20:31:23 ... how will conflicts between privacy and functionality be resolved? 20:31:23 ... What is the threat model, what can we do about it at the spec layer, what is the process in W3C community? 20:31:24 Tara Whalen 20:31:24 ... how do you feel a group like PING could be of benefit? 20:31:24 Katie: process document is being rewritten, some mention in template of a security/privacy section 20:31:28 Katie Horito Shea (spelling?) 20:31:37 adrianba has joined #privacy 20:31:54 s/Katie Horito Shea (spelling?)/Katie Haritos-Shea/ 20:32:16 christine: documents we are working on: one is guidance on fingerprinting 20:32:28 privacy considerations section should be in the boilerplate? 20:32:29 ... second is general privacy guidance for web standards 20:32:40 ... third is guidance for how to conduct a privacy review 20:32:41 I think it's a cool idea, torgo 20:32:43 ericstephan has joined #privacy 20:32:52 Specification Privacy Assessment 20:33:36 http://yrlesru.github.io/SPA/ 20:34:28 TAG, Privacy Interest Group and Web Security Interest Group might all be doing similar types of reviews 20:35:00 BillHofmann has joined #privacy 20:36:28 Dan, note that STRINT also callled for data minimization 20:36:55 nvdbleek has joined #privacy 20:37:25 [some extra handles: affordances, defaults] 20:41:04 mnot: +1 wseltzer 20:41:04 mnot: privacy, more than many things, is complex and subtle 20:41:04 ... we need a mental model for users 20:41:04 ... communicate a complex thing to them in as a simple way as possible 20:41:04 q+ rigo 20:41:04 q+ npdoty 20:41:32 katie: we have an opportunity to create an international standard, as opposed to country-by-country regulation 20:41:38 ... would make everyone's life easier on the Web 20:42:29 simonstey has joined #privacy 20:43:13 bhill2 has joined #privacy 20:43:15 ... building those capabilities into specs is important. don't let specs decide for users that a given level of privacy is not important 20:43:25 MarkNottingham: Wendy said it well, thank you. Privacy is subtle and complex, need a mental model for users to understand. 20:43:26 ... be as simple but truthful as possible 20:43:26 Hadley: UX or education? 20:43:28 Mark: Both 20:43:29 Katie: being an intl stds org, we do have oppty, if ambitious to create an international standard 20:43:31 ... everyone had different rules and authorities, if there was a standard that makes sense 20:43:34 ... would make everyone's life on the web easier and better 20:43:37 ... world has a standard in accessiblity space that we have given them 20:43:38 ... that's the win we have there, much broader interest 20:43:39 ... seems to me companies are interested 20:43:41 hadley: yes, much easier to make policy on something new 20:43:43 FredrickHirsch: get worried when we say we need to educate users 20:43:45 ... indicates a design or usability problem, can't boil the ocean 20:43:47 ack rigo 20:43:48 Rigo: hint to Adrian Bateman : workshop on policy and user controls 20:43:49 ... have to be more intelligent on what we ask the user 20:43:50 ack npdoty 20:43:51 ... the world has an Accessibility standard because of our work, that gets modified only slightly in different countries 20:43:51 ... a big win 20:43:51 hadley: easier to make policy based on existing practices rather than entirely new 20:43:51 fjh: I'm concerned about educating users, seems like a sign of a usability problem 20:43:52 ... deadline for position papers for this workshop is friday 20:43:54 NickDoty: push back on concept of balance 20:43:54 rigo: Workshop on User-Centric Controls is intended to address user interface 20:43:54 ... there is research present on user understanding and user experience 20:43:54 https://www.w3.org/2014/privacyws/ 20:44:00 ... can be tempting to think we have to give up functionality to get privacy 20:44:26 ... in much larger number of cases you don't. data minimization is good engineering practice for interop, future proofing, extensibility, performancenot just privacy 20:44:43 ... don't need to have privacy duke it out with other things 20:44:47 dbaron has joined #privacy 20:45:04 dan: I meant, e.g. if you turn on private browsing mode then you won't be able to have WebGL or XYZ technology 20:45:12 ... we already do have a push pull here 20:45:26 ... that's part of user education piece 20:45:47 ... when I explain to non-technical people about private browsing mode, they ask why its not always on? 20:46:06 ... functionality gets taken away when you turn that on 20:47:27 @@: private browsing mode is about tracks on client, not server, many do not understand that 20:47:33 s/@@:/ddorwin:/ 20:47:49 fjh: users are saying what they want - not another mode, just things to be private by default 20:47:55 Adrian Bateman: people want magic 20:48:10 ... nobody wants to make the investment in learning but the world is a complex place 20:48:16 ... shouldn't write off ability to educate people 20:48:26 ... is possible for people to learn but we need to think about how to simplify 20:48:43 BillHofmann has joined #privacy 20:48:53 ... how much of this should we be working on together, while also allowing different groups to compete on privacy 20:49:06 ... a more competitive landscape might drive innovation and incentivize improvements 20:49:18 hadley: we could also have governments impose this on technology being built 20:49:40 @@: fingerprinting: isn't a problem that we are behaviorial animals with routines 20:49:48 ... hard to be completely private 20:50:34 christine: not a magic bullet, but about fingerprinting, in an ideal world I could have the default vanilla browser fingerprint 20:50:34 ... lots of issues but its an idea 20:50:40 ... also hear "its too late" but nick has some ideas on how you could improve the situation 20:50:41 s/behaviorial/behavioral/ 20:51:12 ... put aside user education, there are things the w3c community could do to improve user privacy when they use the web that they don't need to fully understand 20:51:12 ... data minimization is a classic example 20:51:16 q+ 20:51:19 katie: or tokenizing it 20:51:31 steven: one word: whisper 20:51:39 fjh has joined #privacy 20:51:51 ... how would that have undone what whisper was doing? selling itself as anonymous and then tracking users 20:52:06 christine: guardian was able to discover it and then there is possibility of enforcement 20:52:26 s/@@/Bart_van_Leeuwen/ 20:52:49 steven: not sure how we can help when companies break their promises 20:52:49 hadley: certification? 20:52:54 steven: don't know, just panicing 20:53:14 wseltzer: some things w3c cannot address, some we have tools at hand 20:53:26 ... tools for spec authors 20:53:26 ... guidance to implementers on privacy considerations 20:53:42 ... web platform docs can give guidance to developers 20:53:51 ... can create background for regulators 20:54:24 ... e.g. to step in in cases of clear violation and abuse vs implementing a spec as written with no privacy guidance 20:54:33 Steven has joined #privacy 20:54:59 @@: maybe we should not hope to avoid tracking but we should invest in making it possible to track being tracked 20:55:16 ... transparency, accountability are important 20:55:29 dan: mozilla tool? 20:55:37 room: "Collusion" was the name of the tool 20:55:59 s/@@/AxelPolleres/ 20:56:03 Here are the slides from this morning's credentials for the web session - http://opencreds.org/presentations/2014/tpac-credentials/index.html#slide1 20:56:04 katie: even though it is an awesome idea, someone in security will work around 20:56:06 Q+ 20:56:11 q- 20:56:18 q+ fjh 20:56:23 q+ npdoty 20:56:24 fjh: important to ask the right questions 20:56:26 q+ hadley 20:56:26 ack fjh 20:56:46 ... MIT has done work.. on this, accountability, consequences 20:57:00 q? 20:57:25 bhill2: If we make privacy/security investmets that are trivial to work around, we haven't accomplished much 20:57:35 ... make sure our investments are meaningful 20:58:00 bhill: we should invest in things that we can accomplish and make a difference 20:58:06 ... rather than putting limited engergy of community into reducing the temperature of lava from 1m degrees by 10 20:58:13 ack np 20:58:16 ack bh 20:58:19 engelke has joined #privacy 20:58:40 npdoty: fingerprinting, lots of research on detecting heuristics, we have a choice about what we put into http headers 20:58:43 s/MIT has/Hal Abelson and DJW at MIT have/ 20:58:47 ... vs putting things into javascript where it is easier to detect fingerprinting 20:58:56 ... just by being observable we can make progress 20:58:59 q? 20:59:04 ack ha 20:59:18 ack hadley 20:59:24 hadley: we can easily be obsessive and build isolated boxes but that is not what users need and want 20:59:43 ... if it's not usable, users will go elsewhere where there are no protections 21:00:13 dan: if you ask users of nytimes about facebook integration, they might say yes... but you need tracking to have that 21:00:41 katie: we want to provide tools for devs, orgs and governments to make this happen, not be the police 21:00:53 hadley: for the record not the only member of UK government here 21:01:46 Charles_Engelke: wouldn't we need to go beyond the user agent to transports, etc. eg. ISP interference like Verizion 21:01:54 ... has been found to do 21:02:07 [use Tor] 21:02:10 mnot: ISPs can do this even over HTTPS at TCP layer, etc 21:02:26 hadley: one purpose of govt is to protect people with little power from those with lots of power 21:02:42 adrianba has joined #privacy 21:02:51 ... e.g. with cookies, sites can be forced to interrupt users to inform them of use of cookies 21:03:03 ... govt could protect individuals from intermediaries 21:03:21 @@: Deutche Telecom has been doing lots of work and is privacy aware 21:03:33 s/@@/Joerg_Heuer/ 21:03:42 ... one thing that frightens us is not knowing if what we do is legal or not or will become illegal after we have built it 21:03:56 ... need tools to give services and users a way to communicate in a way which is almost guaranteed to be OK 21:04:08 s/Deutche/Deutsche 21:04:11 ... rather than ex-post-facto discovering they are breaking the law 21:04:33 ... idea of a security tool that holds your identities, with a profile implementation bound to virtual cards 21:04:43 JMR has joined #privacy 21:04:47 ... always convey my profile information with customer card and service could decide to never store it 21:04:57 ... so I could decentralize services, have data portability 21:05:09 fjh_ has joined #privacy 21:05:22 ... would be one tool, if acceptable, that would relieve companies of burden of holding profile data, data breaches, illegal processes 21:05:38 ... we can't avoid IP addresses, tracks from user agent 21:05:47 http://thenextweb.com/apps/2013/10/25/mozillas-lightbeam-firefox-add-lets-users-visualize-sites-tracking/ 21:05:56 zakim, who is here? 21:05:56 sorry, fjh_, I don't know what conference this is 21:05:57 On IRC I see fjh_, JMR, adrianba, engelke, Steven, fjh, BillHofmann, dbaron, bhill2, nvdbleek, ericstephan, olivier, JacquesD, laufer, Bart_van_Leeuwen, fabien-gandon, colin, 21:05:57 ... jeremie, AxelPolleres, rigo, Zakim, RRSAgent, keiji, Ralph, TallTed, terri, wseltzer, trackbot 21:06:16 katie: the reason to start with principles is that's what all the laws are built off 21:06:26 ... so when you come up with something they can map to what you decide to do 21:06:48 ... want to add specific relevance to web content and environment, but legally speaking getting principles right is important 21:07:13 christine: remind everyone that Frederick and DAP did some trailblazing in this area for developing guidance in their space 21:07:34 ... we want to level that out to all w3c standards as much as possible and perhaps add new things 21:07:46 hadleybeeman has joined #privacy 21:07:50 ... come to PINGs meeting on friday where we will work through these various design principles 21:08:11 Is ‘lightbeam’ the Firefox extension Dan was thinking of? Builds graph of 3rd party connections from browsing 21:08:20 hadley: we are not only people who set standards for web, we are influential standards body among our peer orgs 21:08:51 dan: can we learn from history, web has become universal platform for banking and commerce, https got us here 21:08:53 ... design principle for https is getting people to spend money on the web according to PHB 21:09:07 ... now people are comfortable but also feel there is some level of security associated 21:09:26 ... certain websites people visit, e.g. when NHS put Facebook like buttons on their site, lots of outrage 21:09:38 ... didn't want facebook to know what they were viewing there 21:09:54 ... what can we learn from work web sites need to do, certification, regulation 21:10:06 ... this kind of website needs to implement these kinds of principles 21:10:33 hadley: useful on two levels - tangibly learn from the past, also really useful to use metaphors and previous stories to talk about things otherwise feel new and scary 21:10:46 ... explain to developers, policy makers, make it sound understandable and easier 21:11:00 fjh: wasn't just ssl that helped ecommerce, also regulation limiting liability 21:11:21 ... $50 limit to liability in US 21:11:46 rrsagent, make minutes 21:11:46 I have made the request to generate http://www.w3.org/2014/10/29-privacy-minutes.html bhill2 21:11:50 rrsagent, set logs public-visible 21:12:07 wseltzer: huge thanks to bhill for scribing, even through network outages! 21:21:25 nvdbleek has joined #privacy 21:26:46 AxelPolleres has joined #privacy 21:28:18 Ralph has left #privacy 21:35:23 nvdbleek has joined #privacy 21:45:34 nvdbleek has joined #privacy 21:49:46 haakonfb has joined #privacy 21:56:34 AxelPolleres has joined #privacy 21:57:58 haakonfb has left #privacy 22:02:47 fjh has joined #privacy 22:04:35 AxelPolleres has joined #privacy 22:07:07 AxelPolleres has joined #privacy 22:07:33 AxelPolleres has left #privacy 22:09:34 jeremie has joined #privacy 22:13:48 AxelPolleres has joined #privacy 22:23:22 fjh has joined #privacy 22:24:53 fjh_ has joined #privacy 22:32:10 AxelPolleres has joined #privacy 22:35:13 fjh has joined #privacy 22:36:01 nvdbleek has joined #privacy 22:36:17 AxelPolleres has joined #privacy 22:40:08 AxelPolleres has joined #privacy 22:48:57 fjh has joined #privacy 22:56:34 fjh has joined #privacy 23:05:42 fjh has joined #privacy 23:06:24 fjh has joined #privacy 23:09:40 fjh has joined #privacy 23:10:24 fjh has joined #privacy 23:12:00 AxelPolleres has joined #privacy 23:16:22 AxelPolleres has left #privacy 23:17:02 fjh has joined #privacy 23:20:45 fjh has joined #privacy 23:22:07 nvdbleek has joined #privacy 23:22:41 fjh has joined #privacy 23:55:21 nvdbleek has joined #privacy