W3C

W3C Workshop on Privacy and User–Centric Controls

20 November 2014

Attendees

Present
rigo, GökhanBal, MatthiasSchunter, FrederickBorgesius, MeikoJensen, DominicBattré, ChristophPeylo, FrankWagner, Chaals, ClausUlmer, FrederickHirsch, VolkerBirk, ChristosPerentis, ChristianFuhrhop, RobertBrauer, SebastianAmorim, AxelNennker, JörgHeuer, AndreasKuehne, ChristineRunnegar, KarimaBoudaoud, FrederikBraun, MartinKurze, JohannesLandstorfer, EroBalsa, ReubenBinns, DavidSinger, SörenPreibusch, MartaPiekarska, MarkusTschersich, AlinaHua, IstvanLajtos, HaakonBratsberg, SigbjørnVik, AngeloReale, Carlos
Regrets
NinjaMarnau, SurangaSeneviratne
Chair
FrederickHirsch MatthiasSchunter
Scribe
AlinaHua, FrederickHirsch, GökhanBal, Rigo, Chaals, SörenPreibusch, VolkerBirk

<rigo> scribenick: alina

<rigo> scribe:AlinaHua

Welcome!

Welcome remarks from Christoph Peylo

Opening by Dr Christoph Peylo, T-Labs

T-Labs is part of vibrant digital community in Berlin

<fjh> scribe:fjh

<scribe> scribenick:fjh

h: introduction to T-Labs, in Berlin, Israel, Mountain View

introduction/

… reasons - support and challenge business units, focus on disruption

… linkage to universities

see slides

… half researchers, others are telecom experts, combining

… linked into Berlin digital economy

Claus-Dieter Ulmer, Group Data Protection Officer speaks

privacy is strategic to us

… relevant to board, have advisory board

… creating unit, market security

<rigo> scribe: alina

<rigo> scribenick: alina

Welcome by Claus Ulmer, Global Privacy Head of Deutsche Telekom

Privacy is an integrated part of DT's strategy

Dr. Ulmer heads the governance unit

<rigo> ulmer: private button in professional cars stops fleet management

<rigo> ... a feature we are able to sell to others

Dr. Ulmer's personal belief -- to have a lasting relationship with customers is to care for them

<chaals> Meeting: W3C Privacy and User Interfaces workshop

must rethink and look for alternative solutions - a call to action to those of us in the industry

<fwagner> Future of mobile privacy: common project of DT and Mozilla to give smartphone users more control in handling personal data on smartphones

Please announce your name when you speak

Round of intros to all in the room...

Focus of workshop should be on discussions. Talks were kept short intentionally.

Matthias: Anyone can add notes to the minutes

First speaker: Frederick Hirsch, Nokia - "User choice vs. Protecting users by default"

<chaals> s/First Speaker/Topic/

<chaals> [Loves FJH's xkcd slides]

Must connect with user - central to everything

<rigo> simple use case: getting weather turns into a complex system the user cannot see, where their data is being passed around lots of other services without the user understanding or knowing

<rigo> ... apps are the same

app world has similar issues to the web

reality: no one is responsible for anything. user doesn't see this as an end-user.

key point: this is all a system

it is pretty unclear how to implement privacy by design if no visibility or control of the entire system

As Hal Abelson has repeatedly said, what is important is that people should be accountable for what they do

is the browser just a pipe? are they accountable? no one knows

now, user can be uniquely identified at the network layer they don't know about

where does this leave us? you can minimize data, reduce what you use, nip it in the bud at the start

retention, secondary use and purpose, etc

Consent - is it meaningful? timely? implicit? feasible?

<rigo> Rob: should name it "meaningful interaction"

<Preibusch> Rigo suggests that consent will be replaced by "foo" from now onwards.

'implicit consent' is a contentious term

<Preibusch> "implicit foo"?

<rigo> yep

<rigo> Rob: choice and is not visible. People are not conscious

<rigo> FredB: legal, it is not consent ...

problem of privacy having a cumulative effect over a longer period - because there is a system, whether they know it or not

issue: whether a user understands what they're doing

<Preibusch> There is a risk of a "consent fatigue": users bombarded over and over again with consent popups will no longer truly consider the question.

is the user competent enough to decide?

<rigo> Carlo: users are often not informed enough to make a decision

<rigo> fjh: rather deal it as exception if the system goes wrong and does something unexpected

<rigo> fjh: user choice vs protecting the user by default

end of talk by fjh

Google Privacy & Security Interfaces

next talk: Google Privacy & Security interfaces, Dominic Battre and Robert Brauer

<rigo> RRSAgent: please draft minutes

google's privacy principles reflected in their products, specifically for this talk, in account management, 3rd party permissions and Chrome

matthias: what is account management?

it's from the time a user signs up for a google service

DSinger: There are many people who use Google services without an account

<fjh> account dashboard, account history

with question - what does google know about me? - google started curating information - things you search for, places you've been, your YouTube searches and views, etc.

<rigo> ulmer: can you also show the analytics and conclusions you draw in your dashboard?

<fjh> derived data

advertisements get the search terms

<rigo> DominicB: difference between account and ad-profile. Those worlds are separated. Clearing cookies is killing the ad profile

google wants to capture people interests

unclear to people that YT is owned by google

<frederikb> robert brauer: this talk's scope is only about privacy & google accounts. information kept for users without an account is out of scope.

<rigo> markus: is there also an option that my data is not collected?

<rigo> DominicB: yes

clarification: i'm scribing until 10am and have not been able to capture names of people who have been speaking.

<chaals> [+1 to the idea that privacy often matters to people after they have given away the information]

<rigo> DominicB: also serves people that only now start to think about data collection after having used their account for years

<fjh> note that interest in privacy may change when value is recognized, even long after initial decisions

if user doesn't want to use google anymore, they can close the account, take the info where they want

<fjh> slide notes - make chrome the most privacy aware browser in the world

DominicB: Past privacy work: extension APIs, content settings, Click to Play, DNT. Present privacy work: identity management, incognito mode, W3C WebAppSec

people don't understand incognito mode

end of google talk

<rigo> if you twitter, please use hashtag #privacyws

<gbal> DSinger: how do you handle people's perception of Google's business model is based on collecting as much user data as possible?

<rigo> DominicB: we try to be good stewards, we don't do everything that makes money

<gbal> dominic: we do safe harbour compliance and stuff like that

<gbal> dominic: we try to make the UI of a browser as simple as possible, but everything that is important should be there

<fjh> do we dare mention fingerprinting?

<fjh> probably not google specific, but question as to where this would be user visible

<gbal> we make sure that there is no stable identifier to identify users in chrome

<rigo> DominicB: we make sure that there is no stable identifier that you can't reset

<fjh> chaals: google and yandex large enough to collect data and provide service as well, unlike smaller orgs

<dsinger> my question was more ‘global’: how do companies like Google, that make money from advertising based in free services, and therefore appear to have an interest in gathering as much data as possible, balance that interest with a desire to ‘respect privacy’?

chaals: there are lot of small sites on the web in the position of providing one service and rely on the web to provide those services. what happens when you have web-like services and you pass data? how do you get it to be forgotten?

<gbal> chaals: how do you get data to be forgotten if you DON't have your closed empire...to be thought of

who is scribing next?

<rigo> gökhan

<fjh> Scribe: GökhanBal

<fjh> scribenick: gbal

<inserted> Karima: Do you actually delete everything from your servers, or does it just disappear from user visibility

<rigo> RobertB: you can delete everything. but it is difficult to delete data on the server

<inserted> DominicB: The infrastructure queues information for deletion, so it takes a certain amount of time, but eventually it is *gone*.

<chaals> Karima: Can you get a notification of when the data is actually deleted from the system?

<chaals> RobertB: Probably not, with our infrastructure currently.

christin: chrome has an interesting UI for dealing with permission

Dominic: we want to improve this UI. also a kind of permission-use history could be added.

<rigo> DominicB: split permissions by domains, when where those permissions used the last time. Service workers

we want to tell users: "this application uses your geolocation once per day". to make it more transparent

<chaals> s/my nick is gbal//

<rigo> .. service workers may check location once a day

<rigo> Carlo: can you access permissions by javascript, can be used for fingerprinting

<rigo> DominicB: no, but by flash

<rigo> MTS: fingerprinting is a general concern

Carlo: it's not much about identifying the users. Rather about identifying fonts that are used on specific website (e.g. online casinos).

<rigo> Carlo: some fonts only used by casino sites, reveals players, has impact on credit etc

dominik: Larry Page rejected a lot of stuff because he thought it would not be the right thing to do (to their users)

-- coffee break ---

<rigo> scribenick:rigo

<scribe> scribe:rigo

<gbal> next presenter: Haakon from Opera on Privacy & Security Interfaces

<gbal> rigo, are you taking over already?

yep

<gbal> thx

<chaals> HFB: Lawyers shouldn't do UI

<inserted> ScribeNick: rigo

UX: Security and privacy - Opera Software

<fjh> As if it weren’t hard enough, UI could be spoofed

<fjh> why would anyone want to spoof a privacy interface?

<fjh> continue anyway

sören: if I'm unsure, what can I do, can I open another window?

HB: no, you have to make the decision

<chaals> [/me is interested in thinking about FJH's question - are there reasons to spoof a privacy interface. (My default assumption is that you can find an exploit anywhere, so it is better to start being paranoid. But it is useful to discover where there isn't a problem and you can relax the constraints)]

DominicB: people will always say "continue" because they have made their decision already anyway

Rob: Do you include the cache in the scope of your question "what does the browser know?"?

<Meiko> [a malicious app vendor wants to hide the fact that its app has maximum rights, wants to be displayed as having no critical permissions though. That's the best argument I could come up with]

<fjh> believe answer was , yes caching is included

<chaals> FHB: Yes, scope of the question is open

<fjh> UI shows circles with color and circumference showing value, amount around circle

<fjh> thus key is definition of meters used to generate UI values

<chaals> FHB: In the Coast browser, we provide an aggregated message

<inserted> … based on various factors, including WoT-provided reputation, encryption information, certificate info, ...

fjh: key is metering. assume this is life
... how much went into metering?

Sigbjørn: it is encryption, third party metrics for WOT, history, look the same

fjh: is it public?

Sigbjørn: javascript is open, can re-engineer

scribe: but not written down

<fjh> it would be helpful to see more about these metrics, might help community

DominicB: what metrics again

Sigbjørn: if there are credit cards, we require higher metrics

Sören: is it per device or per user?

HB: per device, but can be synced with opera link

chaals: no real barrier

<Preibusch> Haakon: it's per device; previously visited sites are not synced across devices per user

VB: different value for user. Not only where it comes from
... trust signals, algos and be transparent on how the trust was generated

kbouaou: [Karima] some users don't care and don't know anything about. After Snowden, more people try to understand what the techno does
... could be good to have multiple interfaces depending on the interest of the users

HB: echoes my understanding post snowden, but devs said too complex for users, will not understand it ...

<fjh> answer - product positioning is part of deciding what to display

HB: not for mass market, only few people understand the complex market

Preibusch: do you have premium privacy features in the browser?

HB: not for the moment

<Zakim> dsinger, you wanted to ask about ‘rational’ and ‘common sense’

dsinger: rational choice, common sense. But don't understand what it means in a given situation
... we are obscuring the issue

HB: conscious choice confronted with information

Mozilla Firefox interfaces

Alina presents Lightbeam

evolved from collusion

--> addon in firefox

larger nodes are first parties, smaller ones are third parties. Helps them to understand who is watching and connecting

can look at relations between first/third parties, where the server location is, how many connections those 3rd parties have

<fjh> https://www.mozilla.org/en-US/lightbeam/

alina: over time you see the number increase, third party sites following

martha giving a demonstration on third party sites

how to visualize trackers

addon called lightbeam.

<fjh> http://blog.mozilla.org/privacy/2014/11/10/introducing-polaris-privacy-initiative-to-accelerate-user-focused-privacy-online/

Braun: New project polaris with do not track, it blocks tracking once you put do not track on
... only those explicitly allowed will work, Some features of sites may not work

alina: this is not a product, but a project, so we are looking for cooperation with others
... only enabled in nightly build

<fjh> https://disconnect.me

alina: under Polaris also looking at TOR reaching more users, all at very early state, just announced last week

chaals: explained problem, turn all on, web stops working. Do you have any sense of turning the web sites because of changes in the browser

alina: we just try to give more transparency in the browser, understanding what's happening
... they can choose to block certain sites, leave it open
... available in the market

martha: you can see how facebook has changed, Apple also changed with iOS8, people become much more privacy aware
... people report incidents, people start caring, changes this entire ecosystem

alina: it is a bit intangible. If it starts to feel creepy, people want to take action, we try to enable that

<chaals> [/me wonders if the goal is to make things look creepy...]

<christine> +q

alina: follow or stop certain trackers
... many others have also addons, so lots of privacy addons (citing lots of addons)

Meiko: how do you identify the tracker?

Braun: we have some metrics and algos, but it is not very reliable yet, not done yet, based on origins
... some clear trackers, some hybrid

Meiko: users have to always be master of who is blocked

Johannes-IXDS: is tracking protection workable
... polaris, tracking protection

<fjh> rigo: in prime life project david raggett did user dashboard, we have list of trackers

<Preibusch> that list is from 2011, though

Braun: we partnered with someone with tracking list.

<fjh> disposable identities is another solution, suggested by Volker?

Volker: in PEP we call them identities and create a new identity. Privacy aware windows, just create new identities on the fly to give them to trackers

<fjh> the dual solution

Volker: how to identifies people is only about what is persistent. Not only has id, but local storage etc...
... tor project modified mozilla browser to address the issue

DominicB: it creates new security problems

Rob: lightbeam project, details ...
... false positives and false negatives
... figuring out who is on that list could help determine
... difficulty not to interfere with functionality. EFF tried to feed that back into the dialog

<Meiko> [If it were so easy to separate the good services from the bad trackers, we would have no problem.]

Rob: if people can block traffic, there will be incidences, give people controls

<chaals> [agree with Meiko]

Rob: links explicit, but also lots of referrals, traces may be trackers, but may facilitate service.
... make transparent the blocking
... more balanced discussion about whether the granularity of blocking (by origin) makes sense

alina: this is just a starting point, to get discussion going. Understand what is going on is central first
... false negatives. We had discussions and tried to have the least false positives possible. Not fully baked. What is the best blocking list.

martha: all the things we did were to start the discussion

<schunter> rvaneijk: 4 remarks on the approach of tracking protection lists and visualising data flows

Christine: what does this change? Gives visibility and opportunity for enforcement. Traceability helps here

martha: users are more afraid of government than companies

<schunter> rvaneijk: (1) granularity in blocking. there is a scale blocking whole domain <> blocking the UID

alina: PEW said 90% of US citizens think they have no control

fjh: they are right => laughter

<schunter> rvaneijk: (2) the problem of dealing with false positives and negatives

<reuben> coverage of the PEW study http://techcrunch.com/2014/11/12/pew-study-finds-huge-concern-about-personal-data-privacy-online/

<schunter> rvaneijk: (3) not breaking functionality and the effect of blocking on the services provided

Preibusch: what is the difference to the tracking protection list in IE?
... tracking protection lists is not new

<schunter> rvaneijk: (4) being transparent on the implicit or explicit relation to the visited site (e.g., referrer link (implicit), get request domain (explicit))

<reuben> Rigo: we tried to get investment in tracking lists, but there was opposition

chaals: what if people don't want to give info to mozilla, what about taking it to a W3C level discussion

<Preibusch> http://www.w3.org/Submission/2011/SUBM-web-tracking-protection-20110224/#list-format/

chaals: there are certain tracking services that are combined with useful services. Distinction between good sites and bad sites is not good idea...
... disposable identities can be overcome with fingerprinting, because humans are unique

<fjh> and behaviour is regular

chaals: becoming split personalities is not something that is usable to normal people
... work out how people can make decisions and not who is bad and who is not

<Zakim> fjh, you wanted to ask volker about implementation

<Volker> do not agree - using fake accounts is what everyone does

<Preibusch> @Volker: fake accounts put the burden on the user

<Volker> Preibusch: this is what they're already doing

<Volker> Preibusch: didn't recommend that

fjh: what does it change: used collusion years ago. had massive graph. Just turned off the thing and looked at the news
... trying to get the things done

<Volker> have to remind that tracking can be done inline, too. Options to cut tracking lines in Lightbeam will be countered by making it more inline

martha: you're already working on improving things,

fjh: great tool but what the next steps are is unclear
... agree with chaals on fake id's

DominicB: brief note: always incognito does not make sense. Cookies have security function. We are creating cost if we start from scratch every few hours

<Volker> maybe I have to explain the idea of “identities” more clearly, it was not meant to be “always start from scratch”

<Meiko> [Having to manage multiple ids myself is a last-resort self-defense weapon that shoots once per id swap. I'd personally prefer a "machine gun" id swap tool leased to me by a nice guy.]

<Preibusch> Cookies have a convenience function as well!

angelo: very nice tools. helps users to manage resources in environments with limited bandwidth

MTS: cookies are random id's and are on dual use, Good cookie or bad cookie? In theory servers should cooperate, but in practice are just ID's
... did studies on malware in mobile phones. Different companies have apps - lists that do not intersect. Various criteria for putting on a list

<Volker> Maybe we should handle session, authentication and $REST different then in cookies/web technology in the future

MTS: people do care for privacy, 12-20% of people are browsing with DNT on

<Zakim> dsinger, you wanted to talk of consensual and hostile measures

martha: I really believe that people care, but DNT is super hard to turn on, people don't have tools and knowledge

<chaals> [caring about something is not (in any useful sense) a binary decision…]

dsinger: hope of DNT was that it was consensual to avoid the hostile measures. Can we avoid this escalation?

alina: we are trying to figure it out

<reuben> tracking protection lists creates hostile measure/counter-measure scenario, but DNT was an attempt to create a consensual alternative

martha: one way to do it is to anonymize the data for statistical purposes. It is hard

RW: it is a mixture, blocking and giving a means to open up again if good behavior

FredB: is there a way the legislator can help

fjh: wrapping up
... bunch of sessions from browser vendors telling what abilities for privacy
... google has tools that can handle data
... opera have metrics to steer interface, to boil it down to a level that people can understand
... mozilla has projects going on, polaris and lightbeam.
... did not see a lot of commonality between the discussions

martha: ability, make users understand what is going on, visibility to the user, transparency and education

chaals: educating them by exposing them to the complexity
... what is the motivation for servers to negotiate and for users to negotiate
... how do users understand the quid pro quo, they block or don't block

fjh: how does the business model of negotiation

Preibusch: big browser vendors in the room saying, we care

<Preibusch> We are talking about privacy negotiations now.

<chaals> [/me thinks big browsers have cared for a long time - as Claus-Dieter said, the way to keep customers is to look after them, and let them know that you do]

<Preibusch> Privacy negotiations between Websites and their customers

<Volker> .oO( “intuitive” mainly means “it's like it was before” )

<chaals> Rigo: It is important to work out what are the pieces of interface that should be really common to help people actually use them "intuitively", and what are the pieces that it is worth competing on difference

martha: being pragmatic is key

<Preibusch> Privacy is being shaped as a competitive advantage.

<Preibusch> @rigo: I think the variability in UIs happens because we are still in the trial phase.

<Preibusch> Reuben Binns

== lunch break ==

<Preibusch> Cookies for lunch?

Eye-tracking. Privacy interfaces for the next ubiquitous modality

<cf> seems like soeren is set as scribe for this session, but he's giving the presentation...

<chaals> scribe: chaals

SP: Eye-tracking has a lot of uses, and is pretty solid technically

<fjh> eye-tracking takes ‘creepy’ to a whole new level

… There are a number of web uses - seeing what people are looking at for relevance measurement - did they look at the ad, … but also, input mechanisms for disabled people, kiosks, ...

… We get data on various things, and can use that to de-anonymise users...

[example: picture of a woman. Men and women look at different parts of the image (men at the chest, women to see if she has a wedding ring)]

SP: How do people stop being tracked? You can put a sticker over something, but that may cause other problems - even if you know where to put it

… and people without tinfoil hats don't put stickers on their phone camera.

… We need to understand that eye-tracking data is sensitive, and should be recognised and regulated as such.

… You can build APIs to use the eye-tracking data.

… There are ways to get consent for various features. Here we try to abstract data so the website doesn't get raw data, but can find out e.g. when people look at or away from a region, we give a rough heatmap without providing the detailed data.

… Should we have status indicators, do they provide enough information about what is happening?

RW: I have difficulty imagining that I would allow someone to track me when I am looking at the web.

MS: Some phones are doing this to support eg autoscroll

CPeylo: Interesting. Even if I opt in to camera, for tracking (there are use cases), what about others that can be seen in the background.

<rigo> Christof: i can opt in, but what about other people in the background?

… it can violate privacy of bystanders.

SP: Now we have the inferred data on top of what we inherit for cameras.

<rigo> Sören: we have webcams and now we have eye-tracking on top

CP: But that already has problems.

<scribe> scribe: rigo

UNKNOWN_SPEAKER: good thing, it is a proximity issue

<scribe> scribenick: rigo

fjh: how to link to our discussion: "get user media" How do we inform the user?
... can you separate controls

Sören: some of it in the paper, look into how permissions are done, camera, location, screenshot. All of them are different

scribe: first is give access to device
... second gives access to the screen with a preview
... and location is type of data

<fjh> soren notes that can offer to ask user for permission to use device (camera), kind of data (location), or preview (eg section of screen to share or heat map)

christine: is there any plan to develop W3C standard for eye tracking. Second the problem, how do you prevent injection of malicious javascript code? What would provide user control?

Sören: on second question, different modalities, some of it may be recycled from DAP for example

chaals: camera is not tracking. Who is watching what is an aspect of privacy. Where is this data go and what will people do with it

answering christine, the main challenge for a W3C spec on eye-tracking would be the privacy bit

Sören: Kinect can track stuff and browse web sites. Can measure heart beat. Website would be rather heatmap API

Martin: Sunglasses is the best defense against eye-tracking

<fjh> seems wrong to start now with local individual countermeasures

Martin: what is the benefit of eye-tracking to the end user? Should be made transparent to the end-user

<fjh> for a broader concern

Sören: agree, mainstream users improve browsing experience, for better gaming, for accessibility... but good idea to say this is what you gain, what you lose, also security gain

scribe: if you read, screen lock: avoids having to buy a mouse jiggler

angeloreale: We had the same kind of project at MIT and the result was the same. The more people control the more they share

<DominicB> Proposal to support some kind of mechanism that only one party - the visited websites - gets the data

dsinger: we could design API that could inform the user, but can we ask what use it is of web-site to track eyes. And distinguish from local tracking (for scrolling)

Sören: or not making an API and only doing local

<dsinger> is there ANY API design that would enable useful cases without causing significant privacy and other problems?

scribe: every website has unlimited access to your mouse movement. eye-tracking is similar

<Volker> as a privacy activist I can guarantee that privacy activists will fight eyetracking with everything they have, probably regardless of how it is designed

fjh: defense measures (do I need a space suit), focusing on UI issues.

angeloreale: not avoid techno, but about privacy of technology. Allow the user when to use the techno

Volker: on the record with earlier remark in irc

<fjh> is convenience worth the risk, especially with something like eye tracking

<Meiko> [/me thinks it sounds like "We just propose the nuclear bomb, and then let the users decide on whether they want to use it or not". Yeah, that'll free you from accountability, for sure ;) ]

Volker: entire techno has so little benefits to the user, but so many risks that the privacy advocate community

<fjh> I was thinking exactly that case Meiko but did not say it

Volker: expect major political activity against

Sigbjørn: time vs resolution, how to determine?

<angeloreale> it's a short life technology anyway. if you understand that bionic eyes will come to earth sooner than expected, it's not too hard to imagine 360-angular eyes replacing organic eyes very soon.

sören: depends on whether it is high end

scribe: inexpensive is 100€

<angeloreale> then what is to track if you look every where?

<fjh> can fuzz time to reduce data granularity, similar principle here as in other case

Sigbjørn: if you limit granularity.

chaals: you still do the data analysis

<fjh> example is geolocation

sören: like DVD region lock

scribe: could help, but shaky interim solution

<fjh> Thanks for a very thought provoking paper and presentation

<chaals> [+1 - good stuff to think about]

<Preibusch> scribenick:Preibusch

<scribe> scribe:SörenPreibusch

<DominicB> https://mikewest.github.io/spec-questionnaire/security-privacy/ is a strawman proposal about reviewing specifications for privacy from mkwst@google.com

<DominicB> looking for input

PING: Privacy architecture, design principles & privacy assessment

<chaals> [I guess the patent that kept negotiation out of P3P doesn't last forever…]

DominicB: each spec by W3C should go through 15 self-assessment security / privacy questions by Mike West

Johannes: negotiation is most interesting
... because it is difficult for users to make privacy decisions; it should be built into how services are presented on the Internet; communicate privacy implications along with price data (free of charge). Should be made more transparent.

Christine: What can we do at the standard level to enable Websites privacy negotiations?
... Can we build architectures and APIs for privacy negotiations?
... one of the key places to focus on is API.

angeloreale: we shall not see the user as a "database"; APIs should enable users to only share the data required for the task at hand.
... There are so many trackers on the popular Websites; they could for instance all track my eye-gaze.

dsinger: If we offered users a choice, they seem to typically prefer short-term over long-term and businesses seem to prefer profit-maximising.

<Johannes-IXDS> My point was less about negotiating privacy, but the economic aspect (privacy is then secondary it's something we could trade if we know that we /are/ in a trade situation - I think most users aren't aware they are)

Christine: Because there is so much asymmetry between the user and the service provider, we may need regulation.
... Improve users' understanding of their choices; in the UI working group, it is investigated why a data wants certain data. They have a particular use-case: users with disabilities.
... The geolocation API does not support this currently

chaals: We may need to look closer at revocability, which could help with users' focus on short-term benefits.
... can we build better technology for revocation and for users to get out, get back their data
... There are costs to wind back, get back the data we gave out.

Preibusch: I've done plenty of work on privacy negotiations and I still believe in their benefits.

<angeloreale> Preibusch: Great point, can we understand that individual consciousness can actually change beyond the sum of databases over a timeline? Is it accurate to label and profile a consciousness based on its data transactions from even years ago? Cognitive scientists might actually claim that human consciousness is but a big computer but shouldn't we also consider that the same way traumas can...

<angeloreale> ...block access to memory blocks in our brains, experience could do the same therefore re-shaping our personalities?

Christine: It's good to get positive feedback; we will persist in privacy negotiations.

<chaals> [+1 to Frank - granularity of data is something that could usefully be negotiable in various cases]

fwagner: In geolocation, the precise location is always returned regardless of purpose; a weather service does not need fine-grained lat/long.

<chaals> [But there are various ways of providing local weather forecast without getting permission to use the geolocation API…]

Christine: If we design the API in the first place to be privacy-invasive, we open the doors to privacy invasions; example: geofencing API

<marta> chaals, yes, but if we want to protect the user we should design solutions that account for that. Eg. hide/change the IP

Volker: advocates "data sparingness" in the spirit of a user-centric approach. How to empower the users to enforce their privacy? Service providers and device manufacturers can cheat about their privacy practices.

frederikB: Very much in favour of minimum safety standards for privacy, in analogy to automobiles.

<chaals> [Marta, sure. But people who look at weather services tend to want the information they are offering, and are happier if they don't have to describe where they are]

<marta> chaals, what, I'm saying it's not magic - we know exactly where the location can be figured from.

frederikB: The OECD guidelines could serve as a design principle.

<Volker> FTR: 1st design principle: data spearingness

<chaals> [marta, agree. The point is that even tinfoil hat wearers are going to say where they are if they want a weather forecast. Although of course they may want a forecast for somewhere they are going instead of where they are]

<Volker> 2nd dp: split discussion into a) empower user b) not possible, give user's wishes to partner on the other side

<chaals> [i.e. if providing privacy means asking users to do extra work to give away information they *want* to give away, we're not looking at a case where there is an obvious benefit to the privacy…]

<Volker> :s/spearingness/sparingness/

<fjh> christine notes can ask questions re spec for privacy by design, can follow process, can consider best practices

<rigo> DAP Privacy Guidelines: http://www.w3.org/TR/dap-privacy-reqs/

<fjh> DAP Web Application Privacy Best Practices http://www.w3.org/TR/2012/NOTE-app-privacy-bp-20120703/

marta: We should not treat users as idiots; shall we educate them? chaals replies: We've tried educating them for decades.

<fjh> DAP Device API Privacy Requirements http://www.w3.org/TR/2010/NOTE-dap-privacy-reqs-20100629/

<fjh> DAP Privacy Rulesets http://dev.w3.org/2009/dap/privacy-rulesets/

<chaals> [People *DO* learn more and get better at managing privacy. But not as fast as people get better at wheedling more private information out of them]

Sigbjørn: User education about privacy competes with education about other, maybe more important issues, and it competes with things people want to know.

<chaals> [i.e. it isn't a bad thing to teach people, but it also doesn't solve the problem]

Sigbjørn: Are there privacy certificates? Christine: There are plenty, but how to compare apples and oranges.

<angeloreale> IOW Is it really accurate to predict misbehavior based on data storage solely? That's why I believe that it should be acknowledged as a principle that one can only truly understand status quo when analyzing the most information transactions happening at the present moment (means depth) rather than waste time matching past data-sets with statistics and speculating on one's behavioral...

<angeloreale> ...tendencies (means supposing).

<fjh> [issues with revocation and certification exist, are being dealt with]

<marta> [what is more my point is not only education, but giving them the intuition about the consequences of their decision. ]

Christine: Call for Help; volunteers needed for PING. Please help.

<fjh> potential cost to audit, sometimes compelled

Gökhan Bal: "User Control Mechanisms for Privacy Protection Should Go Hand in Hand with Privacy-Consequence Information: The Case of Smartphone Apps"

<angeloreale> Preibusch: How can we help?

<rigo> angeloreale: by typing things in here, if Preibusch is missing them

<rigo> we do not minute presentations

<angeloreale> rigo: thanks

<chaals> [Marta, OK, that makes sense as a useful thing to do. Coast demonstrates that to a certain extent it can succeed - at the price of limiting itself. Could Coast offer user-tuning of the privacy protection? Sure, technically, but it is (counter-intuitively, but "generally demonstrated by experience") quite possible that this would *reduce* the effective privacy protection for everyone]

<Volker> *oops* – don't agree with the first point already: data sparingness means the opposite: not being aware in the first place, but having a good default

<fjh> awareness is necessary to understand risks, which impacts user determination of risks/costs vs benefits in decisions

<Volker> hm... don't agree on the second one, too. Stopping here to comment. Too different views ;-)

<fjh> important that second order privacy risks are not visible to the user

<angeloreale> Imagine there is an ex preisidary in the room. You waste time paying attention to him and you miss someone who is about to murder someone. Just an anecdote. Don't freak out.

What's a preisidary?

<angeloreale> Someone who left jail

<angeloreale> Not me fyi

<angeloreale> talking about security and how database + statistical model is not the best solution, as mentioned before

<rigo> frederikb: please use #privacyws for twitter

<angeloreale> chaals: ...and get the wrong picture ;) nice, thanks, that's why I have my concerns with word counting methods and complexity theories sometimes. they might just waste too much resources

angeloreale: ...

Preibusch: based on recent evidence from field studies, echoes gbal's point that privacy warnings are more effective if they mention consequences and explain the risk or threat.

<chaals> [The fact that there are inaccuracies in tracking doesn't make them useless. For most use cases there is a tolerable level of error, so they can be *often* wrong and still very valuable to the people who use them]

<rigo> Preibusch: privacy warnings. Warnings were more actionable when we explained the consequences

<Zakim> dsinger, you wanted to ask about explanations

dsinger: How to make warnings / explanations actionable?
... likes doughnuts.

rigo: contradicts that explanations are to be misused. Instead, they would help the honest sites.

<rigo> dsinger: wonder about long term consequences of the bad privacy environment

dsinger: Is there any way to make people aware of the negative long-term consequences from poor privacy practices?

<rigo> gbal: is very difficult to assess, but we can make aware at the concrete situation

reuben: Does the consequence-based approach work better if the app provider/developer gives the explanation or a third party like the browser.

<angeloreale> IOW A friend asks me to help him out. If I google something on my mobile is it more relevant to know what I've used google for before or what apps are currently open on my mobile?

gbal: In a study, it was explained to users that their home address can be inferred.

DominicB: Wouldn't users be overwhelmed if all consequences are listed?

<schunter2> Marta i heard you

gbal: We need to solve that open challenge through abstraction, such as identifying classes of consequences.

<DominicB> yes, this is my point

Volker: there are computational limits in inferring bad consequences from data collected

<rigo> [I think there is some obvious conventional wisdom that we can exploit: A little calculator, why would it need full internet access?]

@rigo: Mathematica?

@rigo: A search engine is a cloud powered calculator

<rigo> [saying we can not predict things is clear, but we know what is dangerous in the combination of all markers/data we have]

<Meiko> [@rigo: looking for updates to itself?]

<chaals> [angelo, the point is that since statistically we believe you use your mobile more for things you do than for helping friends, in any given situation we're likely to work from what we already know about you - at least until we realise (based on looking at the current session) that this is an anomalous situation. Which we discover by comparing your current behaviour to what you usually do…]

<rigo> @meiko: issue is "I want internet" is not meaningful. "I want Internet because" is the right thing

marta: What if it's not the system that figures out what will be the consequences, but instead the developer should be responsible for that. In FirefoxOS, developers need to explain why they request certain permissions.

<rigo> Meiko, sometimes, this is obvious, sometimes it is less so

<Meiko> @rigo: agreed, but then it should just state the purpose, to be checked. You wouldn't need any "permissions" anymore :)

COFFEE BREAK -- thanks to the speakers and to all discussion participants!

Back at 15:30h

<Volker> scribenick: Volker

<scribe> scribe: VolkerBirk

future of mobile privacy

<chaals> [you mean "if you lend your phone to friends" … (not borrow) </pedant>]

DominicB: using an SMS is the most insecure protocol for a location service?

marta: right, but you need a password

DominicB: replacing one registry with another one?

marta: oem already knows you

DominicB: location blurring, how does that work?

<Preibusch> OEM = Original equipment manufacturer

marta: on/off, choosing your own location, adjusting granularity “the weather app does not need to know where you are exactly”
... more or less a diameter
... we have a static grid over time over the planet

<Zakim> fjh, you wanted to ask about open source

Mozilla / DT made everything open source already

marta: but these are still all prototype solutions

<rigo> alina: there is a laundry list of over 48 features. We had to whittle it down to 5 features for the prototype

alina: the idea is also to enable other platforms than Firefox

Meiko: is there an option “for that and that purpose I want id different”?

Frank: there are general settings and there are exceptions for each app

The information is not configured per purpose but per app, and therefore indirectly for the purpose of the app

<Johannes-IXDS> +q

Preibusch: What if the phone is out of battery?

Again, all is Open Source, so everyone can use it

marta: we want to cooperate

alina: it's all customizable, so the Telco can decide what to provide exactly

<reuben> Marta: Firefox OS customisations are allowed by the license, but may not all be endorsed by Mozilla

<Preibusch> The issue here is: will vendorisation result in removal of the privacy panel. This is not an issue of open or closed source.

marta: There is the possibility to have findmydevice using network instead of the SMS feature

<Preibusch> Device localisation based on SMS fails if no network coverage or out of battery.

<chaals> [Preibusch the answer is "of course it is possible" to remove the panel, if a vendor thinks they'll get more market that way. Which is almost the universal answer for this kind of question]

<Preibusch> I am interested to see telemetry data which of the two "find my device" features will be used.

<rigo> Johannes-IXDS: too much features and too much details will break the user experience

Johannes-IXDS: important learning from the project: don't offer too much choice or users get confused

marta: “I can share my privacy settings with you because we're connected”

<Preibusch> marta, what does that mean?

<chaals> [Preibusch I interpret it as "you can copy my privacy settings, instead of having to set up the same yourself, because you trust me and it is easier than inviting you to my house so you do the setup for me manually"]

<marta> Preibusch, it means that in the end users will be able to exchange the privacy settings

<marta> chaals, exactly

<Preibusch> @chaals, @marta: so do we tap phone and magic happens?

<chaals> [(If I am right, it's a good model. Not being able to do that for too many years made user CSS a failure)]

<marta> Preibusch, something like that

<marta> ;)

<Preibusch> Awesome!

<Meiko> Lawyer's nightmare, actually ;)

<fjh> MIT Kerberos and Internet Trust conference presentations on personal data and accountability, https://kit.mit.edu/conference-program

An Eco-System of Trusted Services

Preibusch: is all planned or running?

Christos: all running

chaals: with more control people share more data?

Christos: “you can give control, but you also can give the perception of control”

reuben: Is there collaboration of the MIT Media Lab and Telecom Italia around the MTL project? They have talked about a marketplace.

Christos: Yes, there is this concept of the marketplace in literature. Telecom Italia lab has not implemented such an experimentation of a marketplace, but focuses on sharing behavior and trusted applications.

reuben: marketplace for people selling their data?

Christos: yes

reuben: there will be two competing economies, one where your data is robbed, second is where you offer your data

Christos: there's different mind sets in US and in Europe
... don't know if I would sell my data

fjh: look @presentation by Sandy Pentland!
... in MIT meeting (link already given)

Christos: they are preparing to repeat the investigation with another demographic profile

Sigbjørn: What is the business case?

Christos: They could charge a fee

rigo: make trust

<reuben> There are many variations on the personal data store model with much experimentation on business models - see research from Ctrl-Shift https://www.ctrl-shift.co.uk/news/2014/11/10/can-pims-really-earn-their-keep/ (disclosure: I work there)

rigo: that means indirect benefits, not only direct ones

<fjh> translation: this could be a small part of a big marketing budget

<fjh> could also charge directly

Trust & Usability on the Web

<Preibusch> Rigo: "The answer is no. Of course."

<fjh> rigo says - the web is going liquid, getting into everything

<Preibusch> "The Web is diluting."

<reuben> Rigo: "The web is nothing more than people exploring a space"

<fjh> http://primelife.ercim.eu

<Preibusch> we don't scribe presentations

<fjh> rigo: security silos create a usability problem, since the information can be contradictory, e.g. if different security layers disagree

<fjh> … example is SSL cert issues vs DNSSec

<fjh> rigo: need a unified UI

<fjh> rigo: need common privacy analytics

<schunter> Ack fünf

<fjh> rigo: build web of trust via reputation management, I visit site many times so friends can have trust in it

rigo: gives the “no 100% security” argument, which will be countered ;-)
... liability is not an issue, because $USER is always liable for $USER's decisions

fjh: we shouldn't have specific, but high-level regulations
... specifics will be decided @court

<DominicB> chrome://flags/#enable-password-generation

See Chrome solutions for passwords which will come soon into the public

https://xkcd.com/936/

[End of minutes]

Minutes of Day one of the Workshop on Privacy and User–Centric Controls
Last updated: $Id: 20-privacyws-minutes.html,v 1.14 2014/12/01 09:26:26 rigo Exp $