W3C

- DRAFT -

Privacy Interest Group Teleconference
24 Mar 2016

See also: IRC log

Attendees

Present
christine, joe, nick, tara, wendy, keiji
Regrets
chaals
Chair
tara
Scribe
christine


Agenda item 1: welcome and introductions

No new attendees today

Agenda item 2: Vibration API

<tara> https://github.com/anssiko/vibration/commit/48489c54e0b7ed80900e0906fa79803c8fa77069

Tara providing background

<tara> https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0061.html

Tara shared link of summary of issues discussed at the last PING call. There was support for updates to privacy and security considerations section.


Discussed the cross-device tracking threat - if you could use a vibration pattern to uniquely identify the device. We discussed this in the context of the Ambient Light spec

Also discussion about whether you could identify a device by forcing a vibration.

Possible mitigations are limited.

Issues with accessibility - use of vibration to support accessibility

On the mailing list, there have been further discussions - cross-device tracking vs. fingerprinting - is it a beacon?

CDT work on cross-device tracking

<npdoty> apologies, I hadn't followed this mailing list thread as closely. is fingerprinting of the vibration/gyroscope hardware a known problem?

Also LO foreshadowed sharing a document

Joe speaking

Looking forward to seeing LO's longer document

I haven't seen anything on fingerprintability of specific hardware based on the vibration being uniquely identifiable or a specific kind of vibration pattern

imagine a phishing attack that sends to a website and vibrates the phone so it can be identified

what if only a limited set of vibration patterns and have to call it successively

LO proposed to mitigate

also user control ...

Tara speaking

expand further re cross-device tracking?

Joe speaking

See CDT's comments to the FTC

<tara> https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-Comments.pdf

2 notions: increasingly users are not using just one device - valuable to Web services to have insight into what devices are connected - device connection graph

the techniques we have seen are deterministic or probabilistic

re vibration API - if you serialize millisecond vibrations you could encode so a speaker on an external device could hear - are external side-channels within scope?

if people need granular vibration patterns this could be done by extension?

Nick speaking

curious about cross device - hope they will include it at least as a concern, but also a cross-origin attack could be easier to implement

if I am a server that serves ads in iframes across browsers might be difficult to sync cookies because different origins but if can trigger vibration can recognise the same user by a timing attack

Joe speaking

do you know if access to the accelerometer via JavaScript would allow this?

<Zakim> npdoty, you wanted to comment on cross-origin/cross-browser (not cross-device) identification

Wendy speaking

seen research that a smart watch can reveal an ATM PIN .. vibration is easier than that

plus one to thinking about cross device and cross origins issues

Joe speaking

<npdoty> we should maybe include something in the questionnaire to identify these side channel style issues

<wseltzer> +1 npdoty

in audio beaconing .. the unsatisfactory answer is speaker permissions

<npdoty> does this spec allow for communicating outside of the web channel? does this spec allow for communication that could be detected in other origins?

Christine: +1 to Nick's suggestion


Joe speaking

question for Nick, did you just come up with that - the cross-origin tracking aspect? Good idea to get this to the group

Nick speaking

not sure if we discussed last time, can send a message to the list

Keiji speaking

<npdoty> Nick will follow up with Vibration/public-privacy to make sure we've mentioned the cross-origin issue

similar for speakers?

Joe speaking

<JoeHallCDT> kk

<npdoty> right, it's worth mentioning both on emitters and on detectors

<npdoty> we could add to the github issues list for the questionnaire greg is working on: https://github.com/gregnorc/ping-privacy-questions

<JoeHallCDT> ah yes

<JoeHallCDT> duh

scribe coming back

<wseltzer> ACTION: JoeHallCDT to add the cross-device/cross-origin emitter-sensor interaction to privacy questionnaire [recorded in http://www.w3.org/2016/03/24-privacy-minutes.html#action01]


thanks nick

Agenda item - Media Capture Streams

Nick speaking

PING was asked for comments

<tara> https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0075.html

we came up with some issues: cookie-like device identifiers and scope re permissions

<npdoty> https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0085.html

we provided comments, they responded in detail

for almost all of them the issues are resolved

issues are documented, device identifiers are cleared like cookies

double-signed

CSP - they explained why not good

revocation - there is a pull request - that may already be resolved

<tara> https://github.com/w3c/mediacapture-main/issues/334

re event firing - similar to the cross origin issue that we discussed via vibration

they opened an issue on that

<tara> Devicechange event :https://github.com/w3c/mediacapture-main/issues/333

useful if someone can review that, particularly those who helped raise the issues in the first place - to be sure everyone agrees - will follow up on the permissions api pull-request

<wseltzer> npdoty++

Joe speaking

looked at feedback

looks like it is moving along really well

given all the weird interactions with other working groups .. is there a way to ...?

Stefan went above and beyond what other groups do to incorporate our feedback - really good story about privacy collaboration in W3C

what could we learn from this?

<tara> This is a great example of collaboration in the W3C - is almost a "case study" to show things going well.

how would we capture that and make more interactions look like this

<Zakim> JoeHallCDT, you wanted to say that this interaction between PING and a WG was superb

Wendy speaking

thank you Nick for driving this!

WG commented how helpful it was that you attended their meetings at TPAC! also from the performance group!

<tara> Lessons learned: Nick has been driving a lot of this forward; WG found it great that Nick attended their meetings at TPAC and kept following up with them (not appearing once and disappearing)

We need more people to follow issues like this

<tara> Followup is important!

<npdoty> awesome, glad that it was received positively

being able to write up a success story ...

might also help motivate people to participate

<Zakim> JoeHallCDT, you wanted to ask Wendy an IETF question related to this topic

Joe speaking

RTCWeb at IETF - 20 min presentation on IP address stuff - any info?

<npdoty> at TPAC, I thought there was a conclusion about not sharing non-local IP addresses after all

<wseltzer> Justin Uberti's WebRTC IP Address Handling Recommendations

At IETF - christine plans to organise PING get-together

Wendy speaking

<npdoty> a non-Halloween TPAC?

TPAC in September in Lisbon - open questionnaire to chairs - do you plan to meet?

encourage you to meet then

discussion

good to have PING meeting

AOB - privacy questionnaire

Joe speaking

are there reviews that might be coming our way? having some specs to work with with the draft seems like a good idea

to ask ourselves, is this useful

Wendy speaking

useful candidates likely to come - Web Payments API and Web Authentication re strong authentication for the Web

<JoeHallCDT> Permissions, what's going on there?

a good time for different kinds of specs to run against the questionnaire

<npdoty> we could try to keep this list up to date: https://www.w3.org/wiki/Privacy/Privacy_Reviews

<JoeHallCDT> yes!

<npdoty> yeah, JoeHallCDT, we should look at Permissions API as well, which is early and important

<JoeHallCDT> sounds like work some of us maybe should be directly involved in?

<npdoty> web app sec

<npdoty> https://w3c.github.io/permissions/

AOB. Would be good to have more privacy experts with tech expertise to review and more regularly part of PING

Joe speaking ... re cross-device apps tracking

maybe look at the people who express interest in this and have at least some Web knowledge - bring them into this effort

maybe some from IAPP community, FTC PrivacyCon event

PING outreach when we can

laptop stickers

(for promotion and security)

next PING 28 April

Summary of Action Items

[NEW] ACTION: JoeHallCDT to add the cross-device/cross-origin emitter-sensor interaction to privacy questionnaire [recorded in http://www.w3.org/2016/03/24-privacy-minutes.html#action01]

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/03/24 17:21:55 $
