See also: IRC log
<tara> Hullo and welcome!
<npdoty> "living in the land of privacy" :)
<scribe> Scribe: keiji
<Ian> Slides for payments discussion
Christine: Guests from web annotation and web payment group
<Ian> [Doug Intro]
Doug: I am team contact from web annotation.
<Ian> [Ian intro: 19 years at w3c, former head of comms, current payments lead]
Ian: also 19 years first time to join privacy group.
Ivan: from annotation group and digital publishing
<Zakim> azaroth, you wanted to introduce self :)
Rob: from web annotation group and digital publishing IG.
<Zakim> TimCole, you wanted to introduce myself
<tara> Welcome everyone!
christine: agenda request was to put web annotation discussion 1st.
... we usually have overview of the specification.
... who can make introduction.
Rob: we have three specs.
<christine> Web Annotation Data Model URI: http://www.w3.org/TR/2016/WD-annotation-model-20160331
<christine> Web Annotation Vocabulary URI: http://www.w3.org/TR/2016/WD-annotation-vocab-20160331/
<christine> Web Annotation Protocol URI: http://www.w3.org/TR/2016/WD-annotation-protocol-20160331/
Rob: purpose of the model is to describe annotations.
... explain the spec overviews...
<npdoty> +1 that spam is a key intersecting issue
<ivan> +1 to doug
<npdoty> +1 on harassment
Doug: I want to know that this architecture in the charter of the WG there are all privacy implication.
<shepazu> note that the WG scope is wider than the 3 specs we have, and there are potentially deeper privacy issues in the architecture itself (including harassment issues) that aren't necessarily in the scope of these specs, like finding text, tracking what users are highlighting/commenting on, private annotations, and other issues; there is an issue that an annotation service provider (including annotation aggregators) might track user visits across sites (e.g.
<shepazu> traffic data), and that others might mine this data for public annotations for fingerprinting
Doug: we understand that a lot issues but today we would like to limit the scope.
christine: agree that.
<shepazu> there's privacy issues from the sites that are being annotated, as well (e.g. that sites might snoop on readers)
tim: there are big issues beyond the spec.
Ivan: the model is easy to extend.
<ericstephan> +1 ivan to open and extensible
gnorcie: someone might not want to have annotation so there should be some option.
<npdoty> +1 on that point, we discussed that at a panel here in Berkeley yesterday
<Zakim> shepazu, you wanted to address opt-out
doug: we are aware of this issue.
... we had the conversation on opt-out issues.
... abuse prevention initiatives
... it is beyond annotation but this is issue W3C address.
... I am interested in following up this opt-out mechanism.
Joe: having such conversation is valuable.
doug: we should continue this conversation in this group not in annotation group.
<npdoty> it might be useful if shepazu can follow-up on public-privacy mailing list on the more general harassment issue that applies to specs other than Annotation
nick: Question in data model part.
... agent author part
... what is expected application for those
... that defines privacy requirement on data model.
Rob: how the data model is used.
... use case and motivation are difficult questions.
<Zakim> npdoty, you wanted to comment on data model for identity and audience
Rob: you can point with URL as an author
... audience we do not anticipate you will not use it for access control.
... user is not a member of a class of person this annotation is not appropriate for use in access control.
... may be not understood by audience.
<Zakim> azaroth, you wanted to discuss opt-out
Rob: opt-out was not a web site is not wanted annotated
... if you have personal note, bookmark etc… content provider do not care about it. If you publish it many people can see it it becomes issue.
<npdoty> I like the foaf/URI model, but there's also other fields I don't totally understand, like a hashed-mailto address which has a privacy/security purpose that I'm not sure about
<npdoty> and I'd be interested to know more about how I would post private or access-controlled annotations
tim: if you have group of people annotating different part of document.
<azaroth> npdoty: Yeah, that was a relatively recent addition. It's essentially a unique identity (ala a URI) but as a string generated in a one-way fashion from the private email address
<JoeHallCDT> http-auth @npdoty? or is that dead
tim: that could be a use case.
<JoeHallCDT> ah, it's cookie-like but passed in URL
doug: key is not that this things can be published it does not invade privacy.
<npdoty> it might be that certain things are left to implementations (like access control), but it's useful to explicitly note which things are going to be like that
doug: people can publish more and can annotate.
... in such scenario we do not have control over the annotation.
... I think that we do have notion of private group different from audience.
<npdoty> azaroth: is the hashed email intended to be used for reputation/spam? does sha1 hash provide the level of privacy that the user expects?
doug: we can limit access to document only for specific private group.
... it is something like access control.
christine: we need to continue this conversation on opt-out issue.
<npdoty> I'm happy to continue offline, but can we get a sense of the schedule for feedback?
<azaroth> npdoty: Yes, or at least hopefully it will contribute to personal identity management that could help with spam. And for the second question ... we don't know! Very happy for feedback on that :)
christine: we can continue over mailing list.
<tara> Many thanks!
<azaroth> Thank you for inviting us! :)
<ivan> thanks for having us!
christine: this discussion is very important in PING and feel free to join our discussion.
Rob: we would like to have feedback as soon as possible.
<npdoty> azaroth: it's helpful to have those purposes stated explicitly somewhere, so that we can evaluate whether the mechanisms satisfy those purposes
<npdoty> comments requested as soon as possible, with a CR transition planned for a few weeks
<ivan> https://github.com/w3c/web-annotation/issues/204
Ivan: there were two other comments other than opt-out.
... I would welcome if there is discussion on this topic.
<npdoty> sure, we should send collected discussion to the contacts/group
Ivan: feel free to use github issue list.
<Ian> https://www.w3.org/2016/Talks/ij_ping/
Ian: answering nick question.
... we are scheduling f2f in July.
<Ian> https://www.w3.org/2016/Talks/ij_ping/?full#2
Ian: if we can get feedback before that timing it is appreciated.
<Ian> https://www.w3.org/2016/Talks/ij_ping/?full#3
Ian: 15 min may be too short to discuss.
... if you have experience one click web service like uber etc. it is what we would like to achieve.
<JoeHallCDT> chairs: for scheduling: I think we'll need to postpone the topic I suggested for another time (I have a hard stop and don't want to short shrift Web Payments)
Ian: payment application to provide credential. When you click buy button how the browser react would be defined.
... harmonized payment experience across web sites.
... being presented choices and user choose etc.
... making digital wallet on web possible.
<Ian> https://www.w3.org/2016/Talks/ij_ping/?full#4
Ian: there are many restriction around digital wallet.
... explains First Public Working Drafts.
... we define how to make payment out of browser.
<Ian> https://www.w3.org/2016/Talks/ij_ping/?full#6
Ian: there may be some other privacy issues.
... how much merchant can know method of payment from user side.
nick: question on client-side credential.
<JoeHallCDT> regrets, I have to leave the call!
<JoeHallCDT> cheers
nick: you suggest transaction can be done through client side?
<Zakim> npdoty, you wanted to comment on client-side
Ian: Longer term scope include various kind of payment method.
<shepazu> for tokenization, think of a nonce
Ian: we are moving the direction only provide less information.
... Bank and merchant are interested in fraud prevention.
<npdoty> yeah, I think it's similar to the spam discussion in annotation
Ian: that is topic we did not mention.
<npdoty> there are attacks on security that implementers will need to respond to, and there are often going to be privacy implications about that response
<ericstephan> great discussion, thank you. Gotta run
<Ian> (People may wish to comment on the editor's drafts, which are likely to be more up to date with improvements)
doug: I am interested in talking on blockchain
... and identity.
<npdoty> yeah, thanks all for presenting your works in progress
<npdoty> 26 May?
<Ian> IJ: Thank you all!
next call May 26th.
<azaroth> Thanks all and bye!