W3C Workshop on Privacy and User–Centric Controls

21 Nov 2014


See also: IRC log


rigo, GökhanBal, MatthiasSchunter, FrederickBorgesius, MeikoJensen, DominicBattré, FrankWagner, Chaals, FrederickHirsch, SebastianAmorim, VolkerBirk, ChristosPerentis, ChristianFuhrhop, RobertBrauer, AxelNennker, JörgHeuer, AndreasKuehne, ChristineRunnegar, KarimaBoudaoud, FrederikBraun, MartinKurze, JohannesLandstorfer, EroBalsa, ReubenBinns, DavidSinger, SörenPreibusch, MartaPiekarska, MarkusTschersich, AlinaHua, IstvanLajtos, HaakonBratsberg, SigbjørnVik, AngeloReale, Carlos
NinjaMarnau, SurangaSeneviratne
Chairs: FrederickHirsch, MatthiasSchunter
Scribes: Chaals, ReubenBinns, ChristianFuhrhop, HaakonBratsberg, Rigo


<rigo> scribe:Chaals

<rigo> scribenick:chaals

GSMA Privacy Guidelines

… Looking at what it would mean for Operators to provide identity management etc.

… among other things we need to do.

… Mobile privacy: it's complicated (we can say that now Facebook joined).

… Since 2010 we have made some good progress.

… Main points [slide] basically looking for a baseline.

<Volker> .oO( privacy is nothing you can add to your system – it's data sparingness in the first place )

… One challenge is the number of guidelines being developed around the world - it is a pretty fragmented space.

… We are trying to get our members to adopt our guidelines - with some success.

… [less than half the users who are worried about privacy say they will do something about it if they are unsure what will happen to their information]

<rigo> chaals: if you do international guidelines, to what extent do you respect national restrictions?

<Zakim> chaals, you wanted to ask about international applicability...


Istvan: That's the challenge. We look for the lowest common denominator across different jurisdictions, and draw a line there. Above it is good, below it is clearly bad.

Soren: Do you come with a carrot or stick or?

Istvan: This is a guideline, not a standard. It's a set of Recommendations. We have seen fragmentation as operators try to follow the minimum standard.

Soren: You have a stick… you can block things…

Istvan: Not really.

… we can make recommendations.

Matthias: No enforcement power?

Istvan: Not really.

RobVE: What is the scope? If developers use a framework for ads, is that addressed?

Istvan: Implicitly. It's difficult to pick it out, and is mentioned in guidelines e.g. in use cases and examples.

RobVE: Does that trigger developers to understand it?

… It's a stretch...

Istvan: Right.

Christine: Guidelines have been there for 4 years. Do you have examples of how practice has changed in response?

Istvan: No. I'll take the question away. We have operators who have worked on developing communities and follow things. Our biggest challenge is to work with platform vendors and handset manufacturers.

… I've only been in this area for 6 months, I need to talk to people who are closer and can answer the question.


Gökhan: Do you have feedback from app developers on adoption?

Istvan: Challenge we are facing is that we don't have direct contact with developers.

<Zakim> rigo, you wanted to ask about conformance procedures

… We work through our members to reach their communities of developers.

Rigo: If the guidelines are not as precise as a specification, they can be complemented by an in-house or external procedure to check whether someone claiming compliance really is compliant.

… do you have such procedures, or are you just in the encouragement phase?

Istvan: The latter.

Martin: Did you talk to carriers and OEMs about including your guidelines in their requirements etc?

Istvan: Yes
... This is the way we are trying to promote the guidelines in practice

Martin: In DT we are inserting privacy requirements in our terminal requirements that manufacturers need to meet. Then things might get to app developers.

Istvan: We're working in that way now. Other opportunity is to work with W3C to promote the work - we're interested in looking at the opportunities.
... Don't think there is any plan to collate requirements globally.

Martin: So privacy depends on the country?

Istvan: Yes.

<Preibusch> It's a different requirement.

[rathole on what operator requirements are and how much they matter]

Martin: GSMA requirements effectively provide the lowest common denominator - the intersection of requirements.

Frederik-AMS: Saw this map with different requirements in different parts of the world. I've spoken to US companies who say "we comply with EU law, and then we're good everywhere". Can you give examples where that isn't true?

Istvan: That's not really my department, but…

… There are minimum requirements that are common everywhere, but there is a lot of fragmentation. I could dig out some details if you're interested.

Soren: I thought your requirements are on the software side. But thinking of operator hardware requirements, if there is a pre-installed app that doesn't require consent and you say that won't meet requirements, OEM can't put things on the device.

Istvan: Yeah. But these are only recommendations, I cannot force them to be followed.

<Zakim> rigo, you wanted to say that OEM guidelines and GSMA guidelines should provide the hooks for the interface


Rigo: The relation between OEM requirements and what we do here, the device gives an interface, and that's where you can do things. The device has to give the interface to understand what happens. So the GSMA role could be to coordinate with Telcos to put things in OEM guidelines

… We don't have unification to the point where we have everything already, do we?

Istvan: Right. We want to have guidelines for the industry to start at.

Rigo: I am looking for concrete leverage.

fwagner: We have internal requirements for app development, aligned with GSMA guidelines, a bit more detailed on a company / country level.

… Thinking about addressing privacy requirements in OEM requirements, on a more generic level, for example we might only want to get handsets that support privacy setup for the user.

Soren: Great.

Standardised privacy policies. Post-mortem, promising developments.

RB: A few reasons to be negative about previous attempts and why they failed, and why it might be possible to do it right.

… Example company policy. We started trying to standardise this in 1997 with P3P.

… The individual incentives aren't sufficient - standards work when they are adopted throughout the ecosystem.

… Moving from legalese to human readable to machine readable is a big challenge - it is hard to do it accurately.

<Preibusch> If the privacy policy reflects the actual process, as engineered, no translation from legalese to machine-readable format is necessary.

… The combination of skills required are actually quite rare

[http://xkcd.com/927 in text form]

RB: So why keep trying, what will make this work?

… Lots of small companies are trying to do this. There are databases of legal clauses that are the kind of standardisation we want to see - we got the need for individual lawyers each time we want to do something out of the equation

… People are making legal compliance tools

[Terms of Service: Didn't read]

… You don't need to ask permission, you just go around explaining what other people are doing until they decide to do it right. If you succeed you get companies coming forward to ask how to get it right.

… promising, but will only be a subset of what's out there - how do you scale it?

… Would it be possible to use this data to train machine learning on policies?

… e.g. Legalsifter has a bit of a look through freelance contracts that way. Natural Language processing.

… I've been looking at whether there are clauses we can detect easily and match to things we know.

… Important to be clear that something was done on best-guess statistics based on a human model, not an actual assessment by a real brain.

… Carnegie-Mellon are working on a similar question - can you find policies and determine automatically whether they are transparent? Some success. Can you delete your account? Couldn't figure it out.

… You need data to feed whatever user interface you decide to work on.

… These are ways to deal with a large corpus.

<Zakim> fjh, you wanted to ask about legalese

FJH: It's futile to translate a privacy policy into English. Lawyers are careful to deal with ambiguity. But interesting to see the simplification. Is it possible the policies get simpler and the nuances addressing corporate risk get thrown out?

RB: The question is whether they need to collect what they want? What's the business case - is there one?

FJH: You want to keep the doors open.

RB: OK. But if you provide pressure, you might get people to close off opportunities they think are unlikely

SP: I think the idea of turning a privacy policy into something simple is flawed. It is meant to describe what we do, rather than a lawyer write rules and engineers go code them.

… There is a reason why the policies are so long. It is better to make them specific to the website at hand. Just cobbling clauses together you get a simplistic policy - "we collect stuff and use it". And it is accurate.

<Volker> .oO( a text which is long and complicated is usually being written not to be understood )

RB: You could go looking at full legalese content and rate something, without simplifying. Or you could make a simpler explanation of what happens. I don't think every policy is long and covers everything. There are real differences in place. If we can uncover them, that is meaningful progress.

<Zakim> rigo, you wanted to ask about policies as a source for input into the metrics machine

… Agree there is a danger in over-simplifying legal text.

RobVE: You showed some projects. Many are no longer active. Which of these would you pick as worthy of attention?

RB: I would say ToS:DR is the most promising. Doesn't require anyone to agree in order to rate them. Although there are possibilities for abuse. But it is open, ergo transparent.

… They are making it easier to submit things.

<Zakim> rigo, you wanted to ask about policies as a source for input into the metrics machine and to

Rigo: When we did P3P, we had a policy generator before it was even finished.

… questionnaire led to human- and machine-readable policy.

… We haven't looked at privacy policies in W3C for 10 years except in PrimeLife, which was inconclusive. I think policies merit their own workshop. But here, what can we draw from our interfaces from such policies

<Preibusch> Rigo calls for a Workshop dedicated to privacy policies.

… Most promising new approach is from Raggett. Let's throw away stuff that didn't work in P3P, and use a javascript library to connect to a Primelife form.

… [position paper, 2010 W3C privacy workshop]

RB: I'm not addressing the controls, but what goes into them.

Rigo: DNT has policy - what we do...

Frederic: Don't see an easy solution, but the reason for the complexity of privacy policies is that they are kind of a contract, and American law makes that painful. In EU law, privacy policies are not contracts but serve another function: transparency. EU law requires firms, in short, to describe the goals for which they use personal data, and other information that's required to ensure fairness.

… If you only had to have a EuropeWideWeb things would be a lot easier

<rigo> Paper from Dave Raggett: http://www.w3.org/2010/09/raggett-fresh-take-on-p3p/

RB: In ToS:DR there is a tension between "what do they do" and "what are my rights"

DSinger: Problem - lawyers write policies so they could do more than they can. Because if they don't set the envelope wider, they are worried about getting caught out later.

… Some projects tried to explore the idea of making a library of common clauses.

<rigo> framework: http://www.w3.org/2010/policy-ws/

… Do you think that approach has any viability? Like Creative Commons?

Rigo: Short Notices - P3P for people who don't have a computer.

DS: Yes, a lego approach to privacy policies. Might help comprehensibility. Is that possible?

<Preibusch> Wider privacy policies allow for changes in the product functionality and service features. Otherwise, costly changes to the privacy policy would need to happen more often.

RB: You can see a convergence where crowd-sourcing pushes, but I don't see a lego approach working.

Rigo: Short notices didn't allow for edge cases companies wanted to keep open, so companies didn't go with it.

RB: It's an inefficient process if you try to get some icons and get lawyers to match them.

Soren: You always need lawyers

<Volker> .oO( but a Lego approach is the only way to make people understand legal texts, so this probably concludes to “it will never work” )

RB: Not necessarily.

fwagner: Who is reading actual privacy policies? Lawyers, privacy advocates, and nobody else.

… so who are they for? users, or contract requirements?

… When users come to privacy policies, they have concrete questions. Why can't we write them in the form of an FAQ?

<fjh> nuance is essential to law

<fjh> is that true?

RB: They are written for lawyers, privacy advocates, and for regulators.

… would like to see the information collected be shared

<Volker> .oO( the idea of a contract was two parties are agreeing on certain points at one point in time – if one party even does not understand, we shouldn't see that as a contract at all )

fjh: I think rigo said that we got a useful vocab out of P3P, a JS library would make them useful. Maybe Schema.org would be appropriate to that.

[as the only guy in the room who is part of schema.org directly, I'll notice it]

RB: That's the approach Creative Commons took. Didn't work out, but similar path.

<fjh> JSON-LD would also bring the privacy vocabulary into linked data etc

<fjh> sounds like a great idea to me

Angelo: Suggest building on convergence. Would be interesting to generate multimedia output from each paragraph - animation, audio, flashing lights…

<rigo> you wanted to say, sounds like a great semantic web project

<scribe> ACTION: chaals to talk to schema.org about privacy policies. [recorded in http://www.w3.org/2014/11/21-privacyws-minutes.html#action01]

<fjh> no, JSON-LD means nobody knows about semantic web but mechanisms can work

… devise a sequence hierarchy to generate videos for an entire contract - build-your-own Contract: The Movie

<fjh> a beautiful thing

RB: There have been a lot of interesting approaches to do that.

Markus: 1/3 of apps analysed in a project actually have a privacy policy. The reading level required is very high to understand it. Important to reduce complexity, and provide enforcement of the requirement that everyone has a policy.

… App stores should enforce that.

RB: Maybe GSMA could enforce that…

Sigbjørn: Most apps either get sold, or go bankrupt (and are required to sell their user data in liquidation). Can you avoid this in any way?

RB: There are some ToS that deal with liquidation. But not generally.

<MarkusT> Link to the publication: http://jamia.bmj.com/content/early/2014/08/21/amiajnl-2013-002605.abstract

<fjh> are contracts void upon bankruptcy ?

<Preibusch> A good example I've seen recently is McAfee's (Intel) privacy policy: the full notice or a cartoon-style walkthrough that explains the most important concepts: http://www.mcafee.com/common/privacy/english/index.htm

Martin: Apps can provide 2 kinds of policy. The full legal document, and a simple non-legally-binding but legible version.

RB: Right.

Empowerment and Protection

FB: I'm a legal researcher, not a computer scientist.

… In law you can empower people, or protect them.

… (to defend privacy).

… e.g. every law I know requires data holders to keep it secure. Whatever users do.

… An example of empowerment is food labeling requirements.

… Example of protection is banning certain ingredients. Or requiring safety standards in cars.

… Some of the problems might not be best solved by empowerment. On a website for debt problems, every social media site knows I was looking, and zillions of general tracking sites.

… I am not sure this CAN be made transparent enough to allow empowerment to be useful. We should consider protection here.

… But then, I also don't think protection alone is going to solve our problems.

… How do we translate this? We want transparency and informed consent. But what about actually securing communications automatically?

… Services that are frugal with data and don't store it mitigate risk.

Rigo: Auto-secured data - we have seen interfaces using metrics to display a colour or icon. You can use them to trigger a reaction of the browser - switch off javascript when things look shaky.

… I suggested making data protection a function of the entropy of data. And it got the response I deserved as a person, rather than what the idea deserved.

… You can be wrong in calculating risk, but it isn't obviously destined to fail.

<Zakim> rigo, you wanted to talk about automatically securing

Volker: Basic problem with protection is that the custodians have no way to enforce the rules.

… if people ignore the law, there are no consequences. So protection is chimerical. Can we change that?

<rigo> my suggestion is to take the metrics we saw in the opera presentation, use those metrics to calculate the level of risk and make the software react on the threat - level by switching off functionality selectively

FB: Important remark. There is hope in Europe that a new regulation will introduce serious penalties.

… We'll have to see how that plays out.

… We could look at building class-action systems for the case where the individual damage is low but the overall damage is high.

… (probably for lawyers, not W3C)

VB: Don't agree on kicking away the legal idea. Empowerment is not failing because people don't *want* privacy, nor because people are stupid, but because people are unaware that they have to think before they act about privacy.

<fjh> I hypothesize people have greater trust on online activities based on trust on physical activities due to consumer protection laws

… With icons or something similar, you can raise awareness.

… What can be done in empowerment to create awareness in the actual situation of users?

FB: Agree people care, but it is hard to act according to your preferences. Analogously, I am against child labour, but don't know how to act effectively on that.

… We haven't *seriously* tried empowerment - we still accept that nobody will read a privacy policy.

FB: At some point lawyers say "no, we are just going to ban things, whatever the user does".

… maybe something like that works.

Angelo: Important to facilitate display of metrics, but also encourage companies to protect by default.

… prompting user first time is common, but simplify updating of settings.

FB: Agree.

Soren: Follow suggestion to make software more aware of the environment, to support the user make good privacy choices. I am sceptical that software has all the information to make the optimal choice, but we can go in that direction to have a big 80/20 impact.

… This is where security and privacy can go hand in hand, especially with personal devices like mobiles. We could have a privacy-aware personal assistant based on machine learning…

Markus: You talk about defending privacy. So there is a need for regulation. EU is working in this area.

… there are companies not willing to accept regulation. So what is the basis for making policies??

FB: Fundamental rights are important, and another good reason is market failure. There is a clear market failure to protect user privacy, transparency requirements are not working.

… If there is a market failure and no market-based answer, we use market intervention.

Markus: The good guys say "we have a decentralised architecture, the bad guys have a centralised one". But the bad guys are winning in the market. Why should regulators push the market to do privacy if people are not choosing the privacy-friendly providers anyway?

FB: Hope privacy becomes a competitive argument, but information asymmetry means there is no need to actually compete

[why information asymmetry breaks markets…]

… the way to solve that is through regulation

<Volker> .oO( Critical mass: if your friends are all on Facebook, you'll join in whether you find another SN way better or not )

[volker - right]

FB: If the market solves the problem, the regulator should stay out. But otherwise...

<angeloreale> Volker: not necessarily, if some of your best friends are on a better SN you might find it more interesting

<Volker> angeloreale: if

FJH: Agree that the answer may be regulation to improve things. Food regulation means people trust it. People have transferred that trust to the internet, where the same principles don't apply.

[repeating what rigo was suggesting]

Dominic: About icons. Google is criticised for sharing anonymised 3rd-party data. How can I get rid of that criticism in the context of the Chrome product?

… users who opt into metrics share anonymised aggregated information about the web that is shared with the community to help develop the web, or to detect malware and warn others.

… Both of these are good for the world, but we get criticised.

… What do I do?

CMN: Go to ToSDR, and argue your case.

<lynXintl> makes sense to come to the irc chan 1.2 days late ;) hi everyone

RB: Was there a negative judgement?

DB: The icons incentivise poor decisions - stop helping the web, to make ourselves look better?

<lynXintl> i haven't ever heard the room laugh because of a joke on irc… or maybe i was distracted?

<angeloreale> Volker: true, but sometimes the critical mass premise keeps people from believing / investing or devising better solutions for SNing when it shouldn't be seen as definitive. Markets are not bound to fb for eternity and even though it's not easy (i.e. g+) there might be some technological / philosophical (privacy and security?) upgrades that shall retake their market. (I personally wouldn't...

<angeloreale> ...think twice to leave fb if I would know at least 1 friend is using a SN that feels better by using it)

<Volker> angeloreale: my personal hope is that teenagers don't wanna use what their parents use.

<fjh> chaals: legal protection is important , relates to expectations

<Preibusch> chaals: Why Rigo's technology idea is important. In some countries, changing regulation is difficult. Working for Yandex, I can say that technology could help where the law cannot be changed for the benefit of the user.

<lynXintl> i love how this debate is obsoleting many of my slides… because i have 20 for 20 minutes, so i can skip at least 6 or 7

<lynXintl> yes i am afraid… i hope your upload channels are still fresh and open :)

<Preibusch> chaals: "Let's build systems that can support users". Protection can be combined with empowerment when thresholds are user-adjustable.

<lynXintl> diaspora doesn't scale

<lynXintl> otherwise it would have had its chance

<rigo> convenience vs privacy discussion

<Preibusch> chaals: People care about privacy, but it isn't a binary proposition. They will generally trade it for convenience (see yesterday's discussion about the difficulty of predicting long-term cumulative consequences of immediate atomic decisions).

<reuben> scribenick: reuben

<scribe> scribe: ReubenBinns

A Web in Respect of the Constitution is Possible

<Volker> https://en.wikipedia.org/wiki/HBGary#Astroturfing

<chaals> [do you want to send a packet back from an intermediate transit point?]

<Preibusch> BTW, Facebook has an .onion address now.

<chaals> [yeah, a nice one...]

<Volker> p≡p is based on GnuNet

<Volker> rigo: micropayments are actually possible with cryptocurrencies, that's why I'm waiting if someone starts doing

<rigo> Volker: 2015 will be the year of micropayments

Soren: Just because you can do something doesn't mean you should. I'm somewhat sympathetic to radical innovation, but much of the disruption the web has given us has come from market forces. There's a low chance of working against the market forces.

<Volker> rigo: or 2115.

Carlos: The idea is to fix the protocols, and then allow the marketplace to return on this new playing field (with users protected)
... we have to offer an alternative approach - an internet that respects rights and privacies, and on top of that companies can compete

fjh: Public keys can be identified...?

Carlos: But everyone can have multiple public keys. A new one generated every time a user has a new interaction with a company

chaals: the more p2p you use, the more you pay. How do you transfer that cost?

lynXintl: networks will need more relay nodes than ever seen with Tor. We'd need data centres in every city with relay nodes, providing a back-end.

chaals: How do you build them - they're not free.

lynXintl: Telecoms will be incentivised because they will be paid. Oriented towards charging by use

chaals: If telcos can't predict their income, they won't invest

<Volker> https://gnunet.org/compare

lynXintl: the political will is needed

chaals: Is the government going to pay for it?

lynXintl: the first step is political decision, and general consciousness is that 'we can't continue without seatbelts'.
... We change architecture, and we create slightly different jobs - software on devices.

marta: Open hardware or free hardware?

lynXintl: free as in Stallman

<christine> re hardware, pointer to http://wiki.cryptech.is/

marta: you're not talking about baseband and SIM cards - the basement is not open.

lynXintl: that closed hardware would be history

marta: also concerns about security - you need a very good design

lynXintl: it doesn't matter because we'll design it from scratch

<Preibusch> "GSM? Sins of the past!"

Istvan: GSM dead in 10 years?
... i don't believe it's just going to disappear like that

lynXintl: there is plan to allow GSM to work alongside for compatibility

Istvan: 2 billion machine-to-machine devices which won't go away
... I'm talking about long timescale here

marta: 3G requires connection to chip? there are huge bugs in the design of the baseband e.g. Qualcomm chips - very easy to hack into it if open source

lynXintl: security by obscurity not good...

<Volker> .oO( security by obscurity never worx and is a Chimera )


chaals: if this happens, people will go and keep on using the big company services - how do you stop them from re-aggregating the data

lynXintl: this proposal has seen cryptographers, lawyers, policymakers involved
... the internet itself stops being a product and more of a common good for everyone - products happen over it. if you try to monopolise, it wouldn't work or it would be illegal

<Zakim> rigo, you wanted to ask about "on top"

rigo: can you imagine a gateway between the alternative internet and the existing 'evil' internet? e.g. public key routing could be tried in a university context. we could have an ipv4/6 gateway...

<chaals> [Actually, security by obscurity works a lot, if you apply it with a certain tolerance for failure]

lynXintl: i2p already does public key routing

<chaals> [And most real people have a certain tolerance for security failure]

rigo: the problem with those technologies - even as a fundamentalist i find them too slow - a quarter of my usual output

lynXintl: but e.g. tor's speed has increased dramatically recently, you can change tor settings. I use it for everything.

lynXintl: i'm not advocating tor for this project, but it is a prototype - not necessarily what we need to run a telephone network

<lynXintl> Volker: if the packet is encrypted for a certain public key, it shouldnt be visible which public key sent it…by not putting the source we reduce the necessity for onion routing because any packet forward helps anonymize the communication

<lynXintl> Preibusch: IPv6 does not fix most of the problems we are facing

<lynXintl> chaals: how does something get easier to inspect for NSA?

<lynXintl> Preibusch: eye-tracking is welcome, but it needs to go through the defender chip ;)

<lynXintl> Preibusch: in total i expect less need for relay nodes than the absurd number of servers that are bored by their job to accept one useful mail and 70 spam mails an hour

<lynXintl> btw, in the GNU internet spam is no longer possible… sorry for that business model going downhill

<lynXintl> horse correct battery staple

<rigo> for earlier: GSMA Privacy guidelines http://www.gsma.com/publicpolicy/mobile-and-privacy/gsma-mobile-privacy-initiative

p≡p position paper

<fjh> Volker notes theme of privacy by default

Preibusch: I support the pragmatism of working with existing infrastructure. A comment: there is the Simply Secure foundation that is trying to make platforms more secure

Volker: I tried to speak to them, but they didn't respond.

<Zakim> chaals, you wanted to nitpick on interfaces

chaals: little buttons that are all the same apart from colors is not a good UI.

<Preibusch> https://simplysecure.org/what-we-do/

Volker: we are working on icons, including for those who are colorblind. I agree, but we need more time to work on this. I could get 30 design people, but have no funding. We won't move to silicon valley for funding, in my experience there ain't no [expletive] VC in Europe.

<Zakim> rigo, you wanted to ask whether we can apply this to web crypto

Volker: we have some fortune 500 companies interested, this may enable us to earn some revenue

rigo: i agree that the CA system is broken. We have the web crypto thing going on. Could the things you are doing here lead to an e2e encryption of web pages?

Volker: yes you could use http

<rigo> could use safe roots in combination with web crypto

<lynXintl> Volker: I think we can merge pEp and secushare into a single project… :)

Volker: we support the web of trust for compatibility reasons, use gpg, otr etc. But you could use safe roots too. the database of P=P stores trust info, we move trust from key to key if we can guarantee that makes sense. if keys are renewed trust is transferred - unless you lost or compromised your keys

Preibusch: outsourcing?

<lynXintl> btw, that was me talking to Volker, not Volker saying that.. there has been some quoting on this channel which collides with IRC addressing culture

Volker: the idea was to allow in the LAN a box that will implement P=P

Preibusch: can you P=P in the cloud?

Volker: yes

fjh: revocation is not a problem here because you manage your own keys, is that right?

Volker: well revocation is still necessary, but simplified in operation and supported in pEp

??: how to synchronise across devices?

Volker: we send what changed as a diff SQL insert in an attachment in an email.
... if you have a new device P=P automatically notices
... with that trick we're doing the organisation of device groups

erobalsa: there is no recovery?

Volker: there is, you put a device in a device group, it sends a message to the others, then a private key is sent to the new one, then the user accepts whether or not it is a safe group, then the private key is replicated on every device. if you lose your device, we recommend encryption e.g. truecrypt

<cf> scribenick: cf

<scribe> scribe: ChristianFuhrhop

Ero Balsa - Why can't online networks encrypt?

<Volker> p≡p unfortunately cannot recommend TrueCrypt any more, so we're waiting how this develops

<angeloreale> Volker: what about implementing pep on a web level? or ist only meant for device / browser implementation

<Volker> It is an issue for consumer versions of Windows only, because all other systems have ready made solutions for device encryption and we're recommending them

<Volker> angeloreale: it is meant to be on web level, too.

<Volker> angeloreale: unfortunately, my budget is 0 + my own time. So feature by feature by feature ;-)

<angeloreale> Volker: i could use s/pep/p≡p to fetch all bunch of sources for messaging in one service?

<angeloreale> Volker: later

<lynXintl> is it stalin to the right?

<Volker> lynXintl: leutenant Uhura communicating with Stalin

<lynXintl> lol perfect

<Volker> lynXintl: because she is communication officer

<angeloreale> lol

<lynXintl> she's got that thing in the ear

<Volker> .oO( Stalin was a Klingon

<Volker> )

<lynXintl> she's a traitor then

<lynXintl> then again, who knows.. the federation may be communist

<MarkusT> there's no money in the federation ... so, they are close to communism ;)

<lynXintl> Model 1 is no end-to-end encryption

<lynXintl> Model 2 requires client side software, so it might as well be p≡p

<lynXintl> Model 3, OSN can MITM easily unless the UI is provided by the add-on rather than the web page

<lynXintl> as long as the cleartext appears in the facebook page, it is unsafe

<rigo> ack ;

<lynXintl> oh sorry, didnt know it's a bot :D

<angeloreale> hi Zakim hows it going?

<lynXintl> it uses /me – so my work wasn't all useless ;)

<angeloreale> ^_^

lynXintl: Some tools for end-to-end encryption already exist.
... Some of them are based on Jabber.
... There are also some end-to-end add-ons.
... Problem with that approach - the moment you have clear text on a web page, it can be stolen/copied unless it is only shown in the UI of the add-on, which is ugly and unpopular.
... Is there a new idea that is different from what I enumerated?

<Volker> W3C could offer a “clear text field”, which is accessible by ECMAScript by handle only, and can be given to a crypto plugin

<rigo> use post

Ero: yes, some tools have lots of UI problems. They need to be, and can be, improved, but the main issue behind it is key management.

lynXintl: But that clashes with web architecture.

<Volker> cf: that's why p≡p started as a keymanagement project

<Volker> cf: agree

<Volker> cf: see proposal two lines above

Everyone is hungry, so the discussion ends...

<haakonfb> scribenick: haakonfb

<scribe> scribe: HaakonBratsberg

schunter: welcome back to last afternoon session - chairs has collected issues.


… Frederik will walk us through the questions

… we have to plan some actions - what needs to be done by whom?

… identifying concrete next steps

Frederik: introduction - break into groups and discuss user control, metrics and architecture

… report from groups

… user centric controls - what do we mean when we say that the user is in control

… is it consent or is it choice

… is it more than control?

… can we use the approach that is in Firefox - if you don't consent it just goes away

… how to control privacy

… Google privacy settings - but what if you want to agree to the privacy policy - can you control the settings while being anonymous

… Architecture: Can one address systematic issues one step at a time?

… business models and privacy at the same time? Is it possible

<lynXintl> Volker: a write-only textarea would actually still not be safe since there is no guarantee the server delivers such html

… Awareness and metrics: Interest in developing common metrics. Server side - visibility into sharing, re-use etc

<Volker> lynXintl: but this would guarantee that server will deliver what user types or something completely different

… is it possible to have metrics for privacy policies.

<Volker> lynXintl: so the attack vectors of compromising confidentiality as well as slighter manipulations could be closed with that

schunter: Three topics - awareness, architecture and control - three groups?

… it seems like we have three groups (after raise of hands)

dsinger: do we need to split up?

<lynXintl> volker, i don't see how you can integrate input/output controls in a web page that could be at any time replaced with traditional server-centric html

schunter: We have 15 minutes per topic

… big issue - should we do something or not - if do, then something concrete

frederik: not deep dive into conclusions

schunter: pin-point some next steps

<lynXintl> dsinger, it is dangerous to make false promises…

<lynXintl> i mean.. to the masses they would start using the stuff expecting it to be safe

<christine> Re topic 1: There has been discussion in the W3C (e.g. in the Web and Mobile IG - http://www.w3.org/2013/07/webmobile-ig-charter.html - exploring the possibility of a "nice" Permissions API

<lynXintl> and bulk surveillance is still technically possible… whenever somebody in charge decides it has to happen

Karima: two important aspects

… we all agree from traditional technology to user-centric approaches

<lynXintl> no, we don't agree

… 1) education and 2) UI design

<Zakim> schunter, you wanted to discuss testing

<lynXintl> (it may sometimes be the wrong way to go… sometimes)

… we have tried to educate - but it is important to continue to educate people, the next generation. their behaviour is different from us

… must be optimistic about educating people. We can't make people responsible without teaching them

<Volker> .oO( don't educate people not requesting that, it never works )

… UI design. People don't really understand privacy. They need simple UI, but after Snowden they want to learn more.

<Volker> to awareness: first time in the history of the FsA demonstration, Berlin, we nowhere heard again “I have nothing to hide”.

… must take into account two groups: 1) don't know much - need simple UI and 2) who want to know more - different UI needs

… it is important to listen and adapt

<lynXintl> yes, we made progress… we moved from "i have nothing to hide" to "but what can i do?" which is something we can work with

Frederik: Like to structure the discussion - let's go to the queue

<Zakim> Volker, you wanted to “bring user into control” means identify all things which can be automated, and asking questions ONLY for things where user decision is necessary

Volker: I want to remark that getting user control is identifying where the control is relevant. if you have a lot of options - does not bring user into control

… must reduce to one or two questions

<Zakim> MarkusT, you wanted to Show consequences of Privacy by Default

MarkusT: What are the consequences by privacy by default?

<rigo> Volker: want to have most situative things done by algorithms and only ask the user where the user can add value

… study of effect of default settings - restrictive vs permissive

… what you can learn: people tend to keep default settings. This is good if privacy by default

… the service provider has to make it attractive + consequences and risks to get users' permission

<Volker> rigo, it's less about adding value than deciding the important big picture. I have to recommend Apple's solution in “Security Settings” on MacOS X as a positive example

schunter: Your comment is that privacy by default is good.

<Volker> .oO( privacy must be the new default )

<rigo> schunter: you mean you want to encourage people and companies to use privacy friendly controls

frederik: should we talk about how to give users more control?

<Zakim> Frederik-Amsterdam, you wanted to Regarding privacy: What do the W3C (or computer scientists generally) need (i) from lawmakers or from (ii) legal researchers, if anything?

<christine> re question - mechanisms which allow the user to express preference are useful

Frederik-Amsterdam: Can the lawmakers or legal researchers be of any help?

rigo: What we need in the European context is to make room for technical innovation and a process that allows us, once we have made an enhancement, to get supported by the legal system

… for a technical spec like DNT the DPAs can approve the spec so everyone who uses it is in compliance

<Zakim> dsinger, you wanted to respond to Frederik

dsinger: we have the ugly situation that regulators and politicians try to regulate something they don't understand

… technologists think about philosophical issues. Both sides are bad at it

… we lack a definition of what we mean by "online privacy"

Frank: The user is confused by the law and the collecting practices. Is there room for a standard or recommendations. It is difficult to bring legal, tech and user perspectives together

fjh: What can people who are interested in the control issue do - what should we do next?

<Zakim> chaals, you wanted to suggest that actually "privacy" is about finding out it got "violated", and work out what you can do

chaals: one of the things we can do is look at what controls users use effectively.

… best practice sort of guideline

<rigo> chaals: guidelines & best practices for user controls and name dead ends to avoid

<rigo> christine: WAI people may have good ideas too

marta: Study about what people understand about privacy? How do people want to protect it?

chaals: People's real definition is that someone knows someone knows something about me and I don't like it

… I know it when I lose it

… lost control of their information. Is there a way to bring it back under their control

Frederik: how much interest to standardise UI for controls in the browsers?

<MarkusT> @Marta There are a lot of studies from the IS field about what users expect from privacy. A common problem is the Privacy Paradox

chaals: Best practice is more realistic

<Zakim> rigo, you wanted to talk about controls and suggest controls

dsinger: what does the sites I visit need to know about me? Not directly UI

<chaals> [agree with soren - it is hard to understand when you lost control given the invisibility of data that is merged "server-side", until you see some clear consequence of that process]

rigo: certain controls can not be the way they are

… panic button

… control is not about privacy. in that case we need to read Westin

<angeloreale> lol

<Zakim> dsinger, you wanted to learn by doing, make incremental progress

DominicB: Should not standardise because we don't know what works

<Volker> David, Preibusch: Privacy, Anonymity, and Information Control – PANIC

<rigo> s/???/dsinger/

dsinger: incremental steps. Perfect must not stand in the way of good

<DominicB> Preibusch: I wonder whether a standard slows down improvements and experiments.

lynXintl: Share picture with friend - the bad that happens is outside user expectations

Frederik-Amsterdam: refers to the design principle - no sneaky stuff

Bal: Privacy should only be discussed in context - find concrete issues and look into these uses cases/scenarios. How to improve things in context

<Preibusch> DominicB: standards are one way of pooling empirical evidence and lessons learnt. Another way would be published peer-reviewed papers. Some experiments are obviously confidential and proprietary.

lynXintl: People just see these machines, and don't expect that people can see what's inside

<Volker> privacy as default, privacy as default, … (mantra)

<chaals> CMN: a major constraint - any solution has to allow for what people actually want to do (e.g. sending naked pictures to their partner), otherwise people will ignore it.

Karima: Best practices and guidelines - need to bring in the users, but don't know if it is possible

marta: combine this: good practices for design

<fwagner> +1 to Karima: Best practices have to respect the understanding of users

… good practices for system design would be really useful

<chaals> [Use cases - what do people do, when do things go wrong, what would they like to do then?]

<MarkusT> Privacy by Design at least offers design principles

<MarkusT> www.privacybydesign.ca

<Volker> MarkusT: agree, i.e. data sparingness

<MarkusT> yes

<chaals> +1 to Karima too

<marta> @MarkusT yes, but it doesn't give simple design principles, should be worked on

<MarkusT> and do not forget ISO/IEC 29000 framework and

rigo: additional point (I didn't get Frederik's three points) - heard people say it was good to see what other people do

… W3C can host a workshop in a year

Frederik: Architecture: Can we do things incrementally?

… it is work going on.

<MarkusT> @marta not simple enough for end users, but PbD and ISO/IEC 29001 is general enough for developers and system engineers

… how could the community of W3C work on this or help the other communities

… what is the right question to ask to here?

CMN: Privacy is a business model

chaals: yes, it is a business model - but does it need to be relevant for current business models to get support?

<marta> @MarkusT well, if it is simple and good enough why doesn't anyone take it into account?

<Preibusch> s/????/Preibusch/

<rigo> Dominic: differential privacy

Dominic: RAPPOR technology - only results about populations and not individuals


… each data point looks like random data

<MarkusT> @marta I don't think complexity is the obstacle - it is the consequence for their business model

<fwagner> @Marta, MarkusT: because PbD does not contain the user perspective in the meaning of understanding what is behind a setting or functionality, the aspect "educate the user" is not a direct part of PbD

… are there more architectures in the area of differential privacy

<MarkusT> @fwagner Isn't transparency part of PbD?

lynXintl: if W3C thinks it is a good idea to research architectures, then W3C could help people who do it

… e.g. tell who in Brussels one should talk to

<marta> @fwagner, I absolutely agree with you. That's why I said it needs reworking. It is a good starting point, but since it was created, we have learned a bit

… write endorsements

chaals: this won't fly with W3C

rigo: W3C is limited to the web

… as soon as you go into reinvent the Internet it is out of scope for W3C

<chaals> [That said, you can always ask W3C individuals about people who you should talk to…]

<fwagner> @MarkusT: right, but how is this done: Privacy Policies, User Controls which are not being understood by the poor user….

<alina> @fwagner @marta - to be clear, you're referring to PbD as 'privacy by default'? this is confused with 'privacy by design' which does include transparency.

<marta> @alina, I am talking about privacy by design. It does not really include a user-centric model

<MarkusT> @alina PbD = Privacy by Design, PbDef = Privacy by Default

<fwagner> @alina: PbD= privacy by design IMHO

<rigo> Volker: using web over all kinds of privacy protocols, even over GnuNet

<rigo> scribenick: rigo

<scribe> scribe: Rigo

<MarkusT> @marta it is not the purpose of PbD to have a concrete model

<MarkusT> @marta it raises the issue to think about it

fjh: Volker, please share your information with the Technical Architecture Group (TAG)

<alina> for reference, Privacy by Design principles: http://www.privacybydesign.ca/index.php/about-pbd/7-foundational-principles/

MarkusT: policy recommendation workshops from EC for architectures

<chaals> [group list is www-tag@w3.org - see http://www.w3.org/2001/tag/ for more]

MarkusT: business models, end users and some B2C, and there are policy makers
... for business models, what is my service models, to end users? to governments?

fjh: what is the action?

MarkusT: product to users directly or want to serve government?

chaals: action is to survey the business models and how privacy fits in
... also for W3C, think this fits W3C

<marta> @alina, MarkusT : the problem for me is lack of some better definition. How do I do user-centric privacy, how do I realize transparency. If I am a developer/designer what are the points I have to take into account?

Meiko: public gives us a lot of traction, we have an opportunity to get something going now

<DominicB> Information about RAPPOR: https://github.com/google/rappor

<haakonfb> [Rappor: http://googleresearch.blogspot.de/2014/10/learning-statistics-with-privacy-aided.html]

Meiko: how do we funnel it into action? We don't know about controls? We have seen many of them, we could standardize some of them, display the interaction model (like lightbeam), creating a community that works on this

<Zakim> angeloreale, you wanted to set to simple outputs for policies

<MarkusT> @marta IMHO PbD and ISO/IEC 29001 even more concretely give the answer what fields to think about. The question how to do it concretely is too context-driven to build general "rules". One can build a bouquet of PETs providers can choose from to fulfil the "rules"

angeloreale: encourage use the P3P model to create user friendly policies, simplify terms, make it easy for SMEs to address privacy

<chaals> [+1 to angelo - this is actually a concrete action that has real potential for use, and should be considered seriously]

<Meiko> +1 here, too

angeloreale: a unified form to fill in, from which a multimedia file is generated

<DominicB> consider user friendliness but also risk exposure for companies

<marta> @ MarkusT maybe we should simply design a privacy API the way we designed a crypto API? (although I know that privacy is much more vague than crypto, but I mean it as an inspiration)

<Zakim> dsinger, you wanted to ask about ‘threat models’ and ‘does the control/advice get to the right place?’

fjh: look into new P3P and make a new approach with JSON-LD

<MarkusT> @marta sounds applicable

<chaals> [W3C is not going to make decent videos and icons. But they are a good place to sift through the policy pieces that you want to collect, so you can build videos on top]

dsinger: incremental architecture discussion, in PING, criticize and discover mistakes. We have to create privacy threat models like security attack models
... 20% of people thought they were not tracked in private browsing mode

<christine> @ david - TAG is looking a private browsing mode

<DominicB> about proposal to tell webserver that user is in private mode: keep in mind that this information may be used to discriminate against users

dsinger: should standardize private browsing and extend perhaps to remote private browsing

DT_Martin: revealing private browsing will reveal more information about me

<Preibusch> DominicB: mainstream browsers tell addons (= local) and explicitly do not tell Websites and prevent Websites from sniffing private browsing

DT_Martin: we also have no business model to make privacy
... our approach is to have a strategy discussion
... business models are not destroying privacy, but helping

<chaals> [My experience in WAI (who spent a lot of time trying to explain business models for accessibility) is that W3C is not a good place to develop and promote business models. They have work to do just to understand business models people actually use]

kboudaou: standardizing the interface, if we standardize the interface now, would be against it, because no feedback from users

fjh: problem is you need buy-in to create a WG. Concerned that people say it's premature.

<chaals> [Working groups that say "other people should…" fail.]

<dsinger> forming a WG before the general direction of the specification is evident is a recipe for frustration

fjh: business models, privacy is not something that you go and buy, it is something you expect, losses, it is not the happy one where you show revenue

rvaneijk: how to get more people on board, in a community group

Preibusch: standardizing UI, some would fit into DAP, best practices on controls. Do you feel like you exhausted what was possible

fjh: it was a narrow case

<chaals> [I suspect pEp would do better in RFC track, although it isn't necessarily wrong to try and do stuff in a community group]


<chaals> [DAP looked closely at a very limited question, so could not have exhausted the general topic]

fjh: presenting Awareness and Metrics

rigo: start with use cases, make requirements and identify the streams of information that controls and metrics need

<Volker> recommending depth of quad-tree for “blurring level of geographical information”

<Volker> metric

chaals: it is useful to collect the information we have in front of us. But you will need the use cases to identify the information streams that are helpful for metrics

Volker: not new in implementing; came up with metrics on location blur. Finding metrics is also talking to people who have done it already.
... in pEp ratings go beyond commercial CAs

<Zakim> dsinger, you wanted to suggest terms, metrics, and principles

dsinger: common terms, definitions, living document. We need common words

<Zakim> angeloreale, you wanted to propose users to expose their concerns by providing means of engagement that is meaningful for research

angeloreale: important to propose that services who are privacy friendly have means to engage with the users
... services surveying the users

<lynXintl> i actually liked that background picture…

<Zakim> Frederik-Amsterdam, you wanted to add something about problems and solutions. "Meaningful control and transparency for users about use of information regarding them" could be a

<lynXintl> did we decide not to do the 3 break out groups? :(

Frederik-Amsterdam: we have no idea what users want, but all we have discussed in the last two days was about lack of transparency and user control

<chaals> ACTION: fjh to remember that we need to keep the statement "Meaningful control and transparency for users about use of information regarding them" could be a rough, high-level, design goal. Almost every privacy problem entails a lack of control." [recorded in http://www.w3.org/2014/11/21-privacyws-minutes.html#action02]

dsinger: we can continue the discussion in PING, the Privacy Interest Group

<angeloreale> links to ping?

<MT> @dsinger So, PING is not the Music SNS from Apple ;)

<chaals> See http://www.w3.org/Privacy/ - join this group, charter, etc

<marta> how do I join PING?

<marta> @ chaals thx

<chaals> marta: ^^^^^

join PING using https://www.w3.org/2004/01/pp-impl/52497/join

<Volker> rigo: authentication required (which I don't have)

<angeloreale> http://www.w3.org/Consortium/application

<dsinger> You MIGHT be able to join the mailing list by using subscribe to public-privacy at http://lists.w3.org

<chaals> Joining PING: If you work for a W3C member, then you should ask your W3C "AC" representative to sign you in using https://www.w3.org/2004/01/pp-impl/52497/join

<dsinger> If you are not in a W3C member org, I suspect the chairs would be happy to have invited experts

<chaals> … If you do not work for a W3C member, I believe you can join the mailing list by sending an email to public-privacy-request@w3.org with the subject "subscribe"

<chaals> "Participation in the Privacy Interest Group is open to the public."

<chaals> [If you want to contribute to the work of the group concretely, you will be asked to become an invited expert. Which is a 3 minute painless process]

<MT> I don't find the Ping Mailinglist


<chaals> it is public-privacy@w3.org - archives at http://lists.w3.org/Archives/Public/public-privacy/

MT, see ↑

Summary of Action Items

[NEW] ACTION: chaals to talk to schema.org about privacy policies. [recorded in http://www.w3.org/2014/11/21-privacyws-minutes.html#action01]
[NEW] ACTION: fjh to remember that we need to keep the statement "Meaningful control and transparency for users about use of information regarding them" could be a rough, high-level, design goal. Almost every privacy problem entails a lack of control." [recorded in http://www.w3.org/2014/11/21-privacyws-minutes.html#action02]
[End of minutes]

Minutes of Day two of the Workshop on Privacy and User–Centric Controls
Last updated: $Id: 21-privacyws-minutes.html,v 1.8 2014-11-26 10:40:49 rigo Exp $