See also: IRC log
<keiji> present+ christine, joe, nick, tara, wendy
<keiji> present
<wseltzer> present_on_irc: wseltzer
Agenda item 1: welcome and introductions
No new attendees today
Agenda item 2: Vibration API
<tara> https://github.com/anssiko/vibration/commit/48489c54e0b7ed80900e0906fa79803c8fa77069
Tara providing background
<tara> https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0061.html
Tara shared link of summary of issues discussed at the last PING call. There was support for updates to privacy and security considerations section.
<keiji> scribenick: christine
Discussed cross-device tracking threat - if you could use a vibration pattern to uniquely identify the device. We discussed in the context of Ambient Light spec
Also discussion about whether you could identify a device by forcing a vibration.
Possible mitigations are limited.
Issues with accessibility - use of vibration to support accessibility
On the mailing list, there have been further discussions - cross-device tracking vs. fingerprinting - is it a beacon?
CDT work on cross-device tracking
<npdoty> apologies, I hadn't followed this mailing list thread as closely. is fingerprinting of the vibration/gyroscope hardware a known problem?
Also LO foreshadowed sharing a document
Joe speaking
Looking forward to seeing LO's longer document
I haven't seen anything on fingerprintability of specific hardware based on the vibration being uniquely identifiable or a specific kind of vibration pattern
imagine a phishing attack that sends the user to a website and vibrates the phone so it can be identified
what if there is only a limited set of vibration patterns and you have to call it successively
LO proposed to mitigate
also user control ...
Tara speaking
expand further re cross-device tracking?
Joe speaking
See CDT's comments to the FTC
<tara> https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-Comments.pdf
2 notions: increasingly users are not using just one device - valuable to Web services to have insight into what devices are connected - device connection graph
the techniques we have seen are deterministic or probabilistic
re vibration API - if you serialize millisecond vibrations you could encode something so a speaker on an external device could hear it - are external side-channels within scope?
if people need granular vibration patterns this could be done by extension?
Nick speaking
curious about cross device - hope they will include it at least as a concern, but also a cross-origin attack could be easier to implement
if I am a server that serves ads in iframes across browsers it might be difficult to sync cookies because of different origins, but if I can trigger vibration I can recognise the same user by a timing attack
Joe speaking
do you know if access to javascript via accelerometer would allow this?
<Zakim> npdoty, you wanted to comment on cross-origin/cross-browser (not cross-device) identification
Wendy speaking
seen research that a smart watch can reveal an ATM PIN .. vibration easier than that
plus one to thinking about cross device and cross origins issues
Joe speaking
<npdoty> we should maybe include something in the questionnaire to identify these side channel style issues
<wseltzer> +1 npdoty
in audio beaconing .. the unsatisfactory answer is speaker permissions
<npdoty> does this spec allow for communicating outside of the web channel? does this spec allow for communication that could be detected in other origins?
Christine: +1 to Nick's suggestion
<JoeHallCDT> q
Joe speaking
question for Nick, did you just come up with that - the cross-origin tracking aspect? Good idea to get this to the group
Nick speaking
not sure if we discussed last time, can send a message to the list
Keiji speaking
<npdoty> Nick will follow up with Vibration/public-privacy to make sure we've mentioned the cross-origin issue
similar for speakers?
Joe speaking
<JoeHallCDT> kk
<npdoty> right, it's worth mentioning both on emitters and on detectors
<npdoty> we could add to the github issues list for the questionnaire greg is working on: https://github.com/gregnorc/ping-privacy-questions
<JoeHallCDT> ah yes
<JoeHallCDT> duh
scribe coming back
<wseltzer> ACTION: JoeHallCDT to add the cross-device/cross-origin emitter-sensor interaction to privacy questionnaire [recorded in http://www.w3.org/2016/03/24-privacy-minutes.html#action01]
thanks nick
Agenda item - Media Capture Streams
Nick speaking
PING was asked for comments
<tara> https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0075.html
we came up with some issues: cookie-like device identifiers and scope re permissions
<npdoty> https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0085.html
we provided comments, they responded in detail
for almost all of them the issues are resolved
issues are documented, device identifiers are cleared like cookies
double-signed
CSP - they explained why not good
revocation - there is a pull request - that may already be resolved
<tara> https://github.com/w3c/mediacapture-main/issues/334
re event firing - similar to the cross origin issue that we discussed via vibration
they opened an issue on that
<tara> Devicechange event :https://github.com/w3c/mediacapture-main/issues/333
useful if someone can review that, particularly those who helped raise the issues in the first place - to be sure everyone agrees - will follow up permissions api pull-request
<wseltzer> npdoty++
Joe speaking
looked at feedback
looks like it is moving along really well
given all the weird interactions with other working groups .. is there a way to ...?
Stefan went above and beyond what other groups do to incorporate our feedback - really good story about privacy collaboration in W3C
what could we learn from this?
<tara> This is a great example of collaboration in the W3C - is almost a "case study" to show things going well.
how would we capture that and make more interactions look like this
<Zakim> JoeHallCDT, you wanted to say that this interaction between PING and a WG was superb
Wendy speaking
thank you Nick for driving this!
WG commented how helpful it was that you attended their meetings at TPAC! also from the performance group!
<tara> Lessons learned: Nick has been driving a lot of this forward; WG found it great that Nick attended their meetings at TPAC and kept following up with them (not appearing once and disappearing)
We need more people to follow issues like this
<tara> Followup is important!
<npdoty> awesome, glad that it was received positively
being able to write up a success story ...
might also help motivate people to participate
<Zakim> JoeHallCDT, you wanted to ask Wendy an IETF question related to this topic
Joe speaking
RTCWeb at IETF - 20 min presentation on IP address stuff - any info?
<npdoty> at TPAC, I thought there was a conclusion about not sharing non-local IP addresses after all
<wseltzer> Justin Uberti's WebRTC IP Address Handling Recommendations
At IETF - christine plans to organise PING get-together
Wendy speaking
<npdoty> a non-Halloween TPAC?
TPAC in September in Lisbon - open questionnaire to chairs - do you plan to meet?
encourage you to meet then
discussion
good to have PING meeting
AOB - privacy questionnaire
Joe speaking
are there reviews that might be coming our way? having some specs to work with with the draft seems like a good idea
to ask ourselves, is this useful
Wendy speaking
useful candidates likely to come - Web Payments API and Web Authentication re strong authentication for the Web
<JoeHallCDT> Permissions, what's going on there?
a good time for different kinds of specs to run against the questionnaire
<npdoty> we could try to keep this list up to date: https://www.w3.org/wiki/Privacy/Privacy_Reviews
<JoeHallCDT> yes!
<npdoty> yeah, JoeHallCDT, we should look at Permissions API as well, which is early and important
<JoeHallCDT> sounds like work some of us maybe should be directly involved in?
<npdoty> web app sec
<npdoty> https://w3c.github.io/permissions/
AOB. Would be good to have more privacy experts with tech expertise to review and more regularly part of PING
Joe speaking ... re cross-device apps tracking
maybe look at the people who express interest in this and have at least some Web knowledge - bring them into this effort
maybe some from IAPP community, FTC PrivacyCon event
PING outreach when we can
laptop stickers
(for promotion and security)
next PING 28 April