W3C

- DRAFT -

PING April 2016
28 Apr 2016

See also: IRC log

Attendees

Present
Ivan_Herman, keiji, Rob_Sanderson, tara, npdoty, Ian, Christine, chaals, Tim_Cole, Greg, Joe, Katie_Haritos-Shea, ericstephan
Regrets
Chair
Christine
Scribe
keiji


<tara> Hullo and welcome!

<npdoty> "living in the land of privacy" :)

<scribe> Scribe: keiji

<Ian> Slides for payments discussion

Christine: Guests from web annotation and web payment group

<Ian> [Doug Intro]

Doug: I am team contact from web annotation.

<Ian> [Ian intro: 19 years at w3c, former head of comms, current payments lead]

Ian: also 19 years first time to join privacy group.

Ivan: from annotation group and digital publishing

<Zakim> azaroth, you wanted to introduce self :)

Rob: from web annotation group and digital publishing IG.

<Zakim> TimCole, you wanted to introduce myself

<tara> Welcome everyone!

christine: agenda request was to put web annotation discussion 1st.
... we usually have an overview of the specification.
... who can make the introduction?

Rob: we have three specs.

<christine> Web Annotation Data Model URI: http://www.w3.org/TR/2016/WD-annotation-model-20160331

<christine> Web Annotation Vocabulary URI: http://www.w3.org/TR/2016/WD-annotation-vocab-20160331/

<christine> Web Annotation Protocol URI: http://www.w3.org/TR/2016/WD-annotation-protocol-20160331/

Rob: purpose of the model is to describe annotations.
... explain the spec overviews...

<npdoty> +1 that spam is a key intersecting issue

<ivan> +1 to doug

<npdoty> +1 on harassment

Doug: I want to know that this architecture in the charter of the WG there are all privacy implication.

<shepazu> note that the WG scope is wider than the 3 specs we have, and there are potentially deeper privacy issues in the architecture itself (including harassment issues) that aren't necessarily in the scope of these specs, like finding text, tracking what users are highlighting/commenting on, private annotations, and other issues; there is an issue that an annotation service provider (including annotation aggregators) might track user visits across sites (e.g.

<shepazu> traffic data), and that others might mine this data for public annotations for fingerprinting

Doug: we understand that there are a lot of issues, but today we would like to limit the scope.

christine: agree that.

<shepazu> there's privacy issues from the sites that are being annotated, as well (e.g. that sites might snoop on readers)

tim: there are big issues beyond the spec.

Ivan: the model is easy to extend.

<ericstephan> +1 ivan to open and extensible

gnorcie: someone might not want to have annotation so there should be some option.

<npdoty> +1 on that point, we discussed that at a panel here in Berkeley yesterday

<Zakim> shepazu, you wanted to address opt-out

doug: we are aware of this issue.
... we had the conversation on opt-out issues.
... abuse prevention initiatives
... it is beyond annotation but this is issue W3C address.
... I am interested in following up this opt-out mechanism.

Joe: having such conversation is valuable.

doug: we should continue this conversation in this group not in annotation group.

<npdoty> it might be useful if shepazu can follow-up on public-privacy mailing list on the more general harassment issue that applies to specs other than Annotation

nick: Question in data model part.
... agent author part
... what is expected application for those
... that defines privacy requirement on data model.

Rob: how the data model is used.
... use case and motivation are difficult questions.

<Zakim> npdoty, you wanted to comment on data model for identity and audience

Rob: you can point with URL as an author
... audience we do not anticipate you will not use it for access control.
... user is not a member of a class of person this annotation is not appropriate for use in access control.
... may be not understood by audience.

<Zakim> azaroth, you wanted to discuss opt-out

Rob: opt-out was not a web site is not wanted annotated
... if you have personal note, bookmark etc… content provider do not care about it. If you publish it many people can see it it becomes issue.

<npdoty> I like the foaf/URI model, but there's also other fields I don't totally understand, like a hashed-mailto address which has a privacy/security purpose that I'm not sure about

<npdoty> and I'd be interested to know more about how I would post private or access-controlled annotations

tim: if you have group of people annotating different part of document.

<azaroth> npdoty: Yeah, that was a relatively recent addition. It's essentially a unique identity (ala a URI) but as a string generated in a one-way fashion from the private email address

<JoeHallCDT> http-auth @npdoty? or is that dead

tim: that could be a use case.

<JoeHallCDT> ah, it's cookie-like but passed in URL

doug: key is not that this things can be published it does not invade privacy.

<npdoty> it might be that certain things are left to implementations (like access control), but it's useful to explicitly note which things are going to be like that

doug: people can publish more and can annotate.
... in such scenario we do not have control over the annotation.
... I think that we do have notion of private group different from audience.

<npdoty> azaroth: is the hashed email intended to be used for reputation/spam? does sha1 hash provide the level of privacy that the user expects?

doug: we can limit access to document only for specific private group.
... it is something like access control.

christine: we need to continue this conversation on opt-out issue.

<npdoty> I'm happy to continue offline, but can we get a sense of the schedule for feedback?

<azaroth> npdoty: Yes, or at least hopefully it will contribute to personal identity management that could help with spam. And for the second question ... we don't know! Very happy for feedback on that :)

christine: we can continue over mailing list.

<tara> Many thanks!

<azaroth> Thank you for inviting us! :)

<ivan> thanks for having us!

christine: this discussion is very important in PING and feel free to join our discussion.

Rob: we would like to have feedback as soon as possible.

<npdoty> azaroth: it's helpful to have those purposes stated explicitly somewhere, so that we can evaluate whether the mechanisms satisfy those purposes

<npdoty> comments requested as soon as possible, with a CR transition planned for a few weeks

<ivan> https://github.com/w3c/web-annotation/issues/204

Ivan: there were two other comments other than opt-out.
... I would welcome if there is discussion on this topic.

<npdoty> sure, we should send collected discussion to the contacts/group

Ivan: feel free to use github issue list.

Payments

<Ian> https://www.w3.org/2016/Talks/ij_ping/

Ian: answering nick's question.
... we are scheduling f2f in July.

<Ian> https://www.w3.org/2016/Talks/ij_ping/?full#2

Ian: if we can get feedback before that timing it is appreciated.

<Ian> https://www.w3.org/2016/Talks/ij_ping/?full#3

Ian: 15 min may be too short to discuss.
... if you have experience of one-click web services like uber etc., it is what we would like to achieve.

<JoeHallCDT> chairs: for scheduling: I think we'll need to postpone the topic I suggested for another time (I have a hard stop and don't want to short shrift Web Payments)

Ian: payment application to provide credential. When you click the buy button, how the browser reacts would be defined.
... harmonized payment experience across web sites.
... being presented choices and user chooses etc.
... making digital wallet on web possible.

<Ian> https://www.w3.org/2016/Talks/ij_ping/?full#4

Ian: there are many restrictions around digital wallet.
... explains First Public Working Drafts.
... we define how to make payment out of browser.

<Ian> https://www.w3.org/2016/Talks/ij_ping/?full#6

Ian: there may be some other privacy issues.
... how much merchant can know method of payment from user side.

nick: question on client-side credential.

<JoeHallCDT> regrets, I have to leave the call!

<JoeHallCDT> cheers

nick: you suggest transaction can be done through client side?

<Zakim> npdoty, you wanted to comment on client-side

Ian: Longer term scope includes various kinds of payment methods.

<shepazu> for tokenization, think of a nonce

Ian: we are moving the direction only provide less information.
... Bank and merchant are interested in fraud prevention.

<npdoty> yeah, I think it's similar to the spam discussion in annotation

Ian: that is topic we did not mention.

<npdoty> there are attacks on security that implementers will need to respond to, and there are often going to be privacy implications about that response

<ericstephan> great discussion, thank you. Gotta run

<Ian> (People may wish to comment on the editor's drafts, which are likely to be more up to date with improvements)

doug: I am interested in talking on blockchain
... and identity.

<npdoty> yeah, thanks all for presenting your works in progress

<npdoty> 26 May?

<Ian> IJ: Thank you all!

next call May 26th.

<azaroth> Thanks all and bye!

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/04/28 17:09:40 $