See also: IRC log
<keiji> Thank you!
<keiji> password for what? wendy?
<keiji> I think you do not need to use password for web-ex
<keiji> I updated the list for review request please let me know if I miss something.
<keiji> https://www.w3.org/wiki/Privacy/Privacy_Reviews
<tara> Thanks, Keiji!
Agenda item 1: Welcome and introductions
<keiji> scribe: christine
<scribe> New person: Sam Weiler (new W3C staff member)
<npdoty> welcome!
Other agenda items?
2. Follow-up on WebRTC spec (see [1])
<tara> https://github.com/w3c/webrtc-pc/issues/690
<npdoty> christine: asked to look at aspects of WebRTC that we've looked at before
<npdoty> ... Greg provided some comments in Github (see above)
<npdoty> ... as to what "mode" of local IP address is provided
<npdoty> ... at last IETF meeting, there was discussion about these different modes
<npdoty> https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-01
Christine read out the discussion in https://github.com/w3c/webrtc-pc/issues/690
<npdoty> wseltzer: lengthy companion IETF document on privacy issues and modes
@nick, thanks for taking over scribing
Nick - see document - https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-01 - defines the 4 modes
which can be all private local IP addresses up to none
Greg's q is what the default mode is?
<wseltzer> [[ We recommend Mode 1 as the default behavior only if cam/mic
<wseltzer> permission has been granted, or Mode 2 if this is not the case.
<wseltzer> Uberti & Shieh Expires September 21, 2016 [Page 5]
<wseltzer> Internet-Draft WebRTC IP Handling March 2016
Don't know if that defines it
<wseltzer> Users who prefer Mode 3 or 4 should be able to select a preference or
<wseltzer> install an extension to force their browser to operate in the
<wseltzer> specified mode.]]
Nick - even mode 2 which may be intended to be the default mode, could still be used to fingerprint the user, but will not reveal where in the world they are
Nick - so I think it is just a question of default
Wendy pasted in the relevant part - default is mode 2
Nick - may be an issue that the most common use of the spec might be for fingerprinting
+Q
Christine asked where should the warning go about fingerprinting - W3C spec or IETF spec or?
Nick - give the advice to the W3C people - that they should at least note it
Sam - guessing warnings like this need to go in both
<npdoty> I think there is a note about the risk in the webrtc document
<npdoty> at least, in the editor's draft
Christine - agree would be good to make sure this risk is noted in the W3C spec
Wendy - that IETF document is about the privacy concerns - addresses all these issues
Tara - follow up?
Christine - maybe discuss with Greg and add to the discussion he is already having with the WG in github
Nick - will take the task to mention the research paper from Princeton to the WG
to the WebRTC WG
Agenda item 3: Performance APIs, Security and Privacy [2]
<tara> Performance APIs, Security and Privacy
https://w3c.github.io/perf-security-privacy/
<tara> What is the status of this item?
<wseltzer> [wseltzer raised two issues: https://github.com/w3c/perf-security-privacy/issues ]
<tara> Authors reached out to ask for feedback; we invited them to the call but sadly they are not available.
<tara> They are pointing to the fingerprint doc and the privacy questionnaire
<tara> Published as working draft of a note.
Wendy put some comments in github, others are encouraged to do so too
<tara> Privacy questionnaire
<tara> We all need to put more time into this effort. Get it out before the end of the year.
<npdoty> +1, I have the same consideration for the fingerprinting doc
Wendy - can call for consensus to publish and do so, but if further changes needed do that first
Nick - re fingerprinting - some changes need to be made based on feedback - needs some examples and the paper I mentioned has some examples - on my to do list - hope to have before the next call
Wendy - AOB - Tracking Protection WG is coming to a close - specs are in candidate recommendation and a charter coming to an end - since seeing low adoption of the DNT signal response - likely to close the WG
or suspend and invite people to join PING
Christine - that would be great to have the extra help
<npdoty> weiler, yep, that's on me
Wendy clarified - PING is not for further discussion of tracking documents - PING is for privacy considerations and reviews - gives those people a new place to continue discussion on how to advance privacy on the Web
<Zakim> wseltzer, you wanted to ask nick, hrm?
Wendy - would recharter Tracking Protection WG if needed
<tara> Info sharing re Web privacy threats, mitigations, etc.
<tara> A chance for people to contribute any items of interest to the group
<tara> IEEE S&P: some discussion of sensors being used to detect other things.
<tara> gyroscope being used to detect same person on other site?
Nick to send a pointer
<tara> Wendy: lot of data breach news. Web Auth group is working on dropping reliance on passwords
Wendy - increasing numbers of data breach notifications, your passwords may have been compromised - Web Auth WG is working to mitigate that problem by decreasing reliance on password - just published 1st WD
<tara> Expect a call for review soon!
<tara> Also from the Social WG.
Wendy expect review request and reviews request from the social WG
<wseltzer> https://w3c.github.io/webauthn/
Wendy - going into details - model of Web Auth - 3 part system - a local authenticator, a local client and relying party
Wendy - local client = web server
interesting privacy questions include - are we properly making the authentications unlinkable?
and the current hot q in group is around extensions to the protocol - if an authenticator wants to add additional information at the relying party's request - do we have sufficient privacy protections?
hope people will look at these issues
Sam - adding to what Wendy said - discussing internally, do we need to look at new work on how to do delegation of authorisation?
Sam - if look how people share passwords - scope a site specific credential?
Sam - one downside of the Web Auth - might make tight sharing of web credentials hard
Sam - how do you do delegation of authorisation - discussing internally?
Nick - is this issue, new technology? or Web sites have not built into?
Sam - would like to see technology that they don't even need to be aware of - so we do need new technology - if they implement Web Auth - delegation comes along for free
<npdoty> that seems difficult to insulate from the application
<npdoty> but certainly an interesting challenge
Keiji - the delegation issue is interesting for discussion, but should we cover in this group as a privacy issue
Sam - probably not - just wanted to provide a little context
<npdoty> will the Web Authentication group look at delegation of authorization? that seems probably outside of their scope
Wendy - we could be a good place to think about it - as it becomes an issue - there are more and less privacy solutions for delegations
privacy first thinking could get us to better solutions
Keiji - that makes sense - but the main issue is usability and functionality (just my feeling)
Wendy - yes, we don't design the protocols here
Keiji - K and Wendy received a contact from Privacy Management Forum from TM (?)
interested in standardisations and would like to communicate with us (TM Forum)
<keiji> http://www.tmforum.org
Keiji - welcoming views, input
<tara> Hello Marta (from Blockchain)
<wseltzer> https://www.w3.org/2016/04/blockchain-workshop/
Marta from Blockstream - first call - having the blockchain meetup in Boston next week - will be discussing privacy there - please contact me if interested
can decide what activities are worth pursuing in this area
next call 28 July
Scribe: christine
Present: keiji weiler wseltzer tara christine samuel npdoty tharindi marta
Date: 23 Jun 2016
Minutes URL (guessed by scribe.perl): http://www.w3.org/2016/06/23-privacy-minutes.html