<scribe> scribe: weiler
<scribe> scribenick: weiler
tara: newcomers, please introduce yourselves.
Barry Leiba: work for Huawei; IETF veteran.
<npdoty> agenda here: https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0010.html
Andrey_Logvinov: Yandex, working on wake lock API
Craig Spiezle: <inaudible>
Mike: wants to talk re: an issue in webappsec
tara: introduced Andrey to talk about wake lock API
<tara> https://www.w3.org/TR/wake-lock/
andrey: concern that lock can keep screen awake and burn battery. other things (video) do this, too.
barry: what's the privacy issue?
<npdoty> presumably the hidden video hack is a bug, not functionality to maintain
<tara> https://github.com/w3c/wake-lock/issues/78
andrey: no privacy issue. but another device could see that the device is awake. could create a side channel. Not sure if danger is real.
npdoty: other APIs have some limitation re: "only applicable when the screen is on", so as to prevent surreptitious / background abuse.... geolocation, camera/microphone.
... if they can keep screen on w/o user realizing it, could have implications for these other APIs
andrey: is it correct that APIs should not be allowed to wake device/screen -- they just prevent locking, they don't enable wake. right?
npdoty: my concern is that keeping a wake lock that keeps the screen on might make it easier to extend other API capabilities in unexpected ways
<wseltzer> Secure Contexts
wendy: is this a feature that should be available only in secure contexts?
andrey: maybe
<npdoty> christine++
<Zakim> wseltzer, you wanted to ask about secure contexts
christine: latest version of spec talk basically re: battery. need to think about nick's concern... there are privacy implications. users may not be aware of background tasks e.g. tracking location because wake lock has been enabled for other applications. need to think re: wendy's Q.
... cross-origin linking: not sure if that's a risk or not. should look at it.
andrey: something we should consider.
tara: to andrey: any other questions for the group? looking for comments by end of Aug?
<marta> can you resend the link please?
<npdoty> do you have any particular questions for us?
<npdoty> Wake Lock API editor's draft is here: https://w3c.github.io/wake-lock/
Andrey: no further Q. (no comment on deadline.)
<marta> I can do it
christine: would someone on call take task to compile PING's feedback to group re: privacy considerations?
<npdoty> can we get the deadline for comments in the minutes?
tara: vibration API - deferred.
<npdoty> https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0016.html
npdoty: made some updates on fingerprinting guidance doc over the last month.
... big changes, trying to address comments received: title [is that such a big change?], added examples,
<tara> Re: Wake lock - email list said "We would appreciate to receive your feedback before the end of August"
<tara> "the preferred method for feedback is to file issues in our github repository: https://github.com/w3c/wake-lock/issues"
npdoty: (e.g. re: battery status, sensors, proximity, flash plugins, ...), updated research section.
<npdoty> https://github.com/w3c/fingerprinting-guidance/issues
npdoty: everything else was clarification/wording.
... seven open issues. edits to date address five. need input on two. asked TAG for input on their comments.
<mikeoneill> q
npdoty: if this group agrees on the "pending review" items, we can close them.
mikeoneill: @@ ... protocol has a header origin policy. server says "random", and client bounces it back. spec says that rules of third party header should follow cookies
... if interested in this, look at webappsec. does this need to be talked about? e.g. should there be an API so user can see if fingerprinting is happening?
<npdoty> http://w3c.github.io/fingerprinting-guidance/#clearing-all-local-state
npdoty: this keeps coming up. might be moved to a different doc. heard two suggestions: #1 should avoid unnecessary new mechanisms. #2 enable clearing at the same time as cookies
... don't think users care re: difference
mikeoneill: info should be there for browsers to offer privacy add-ons. @@ .. if recommendation comes out for a new API re: fingerprinting risks, it should be covered by permissions API.
npdoty: you can control your user agent w/o an API
... could you review this section of the doc? it's not making UI suggestions now; maybe it should.
mikeoneill: I'll look over the weekend.
tara: recap: you're waiting for comments on a couple of issues, and want us to review the rest.
... privacy questionnaire.
tara: christine not answering, so moving on.
<tara> https://github.com/w3c/encrypted-media/issues/221#issuecomment-233498615
<tara> https://w3c.github.io/encrypted-media/#privacy
<christine> apologies all - computer crashed
tara: joe hall says that EME is going to PR in a few weeks. privacy section has been fleshed out. they'd like some review. if you missed that, I'm sure they'd appreciate comments - don't wait for joe to ask.
<npdoty> EME has a very lengthy priv/sec considerations section, which looks interesting and will take some effort to review
christine: we asked the IAB if they'd like to give up any feedback
christine: I'm hoping things will be quieter in august, so I'm going to try to shepherd our work on this (which is not the same as the TAG's self-review questionnaire). Nick/Greg had input. Wendy moved the draft to github.
<wseltzer> https://github.com/w3c/ping
christine: expect to hear gentle encouragement next week. thanks to barry, Kathleen(?), Joe Hall for volunteering to be maintainers for self-review questionnaire.
... will use github for that.
<npdoty> sorry, is that github repo to be used for multiple documents?
<wseltzer> The TAG Privacy/Security Self Review
<tara> https://github.com/w3c/webrtc-pc/issues/687
<tara> https://github.com/w3c/webrtc-pc/issues/688
tara: Stefan from WebRTC has added some responses to our comments.
<tara> https://github.com/w3c/webrtc-pc/issues/689
<tara> https://github.com/w3c/webrtc-pc/issues/690
tara: four issues that they'd like for us to look at.
... this hasn't gone to the group yet.
christine: volunteer to respond to these?
<christine> q_
npdoty: confused: are these things we already raised?
tara: they responded to two of our issues w/ suggestions and others are Q to us.
mike: deadline?
... I'll look over the next week
... what happened over media streams (fingerprinting issue)?
npdoty: this doc is now separate from media streams doc. at least a couple of these issues are more relevant to media streams so have been closed on this doc.
<npdoty> it looks like gnorcie was already involved in many of these threads, so joe and greg may be able to handle further discussion on those
<wseltzer> https://www.w3.org/2016/09/TPAC/
tara: we have a mtg on 20 Sept; it does not overlap with webappsec this time.
<wseltzer> remember to register!
christine: we need to plot our agenda. I will not be there. If we work on privacy questionnaire before then, could make progress there.
<npdoty> is remote participation feasible for that meeting?
tara: welcome agenda suggestions. want to use our time effectively.
<npdoty> +1 for webex/phone at TPAC, thanks
christine: Kepeng asked if we could change the time of our call.
... proposal is 1400UTC
<npdoty> what about 9 hours earlier, rather than 2 hours earlier?
barry: the people with the issue may not be on the call. fine with me.
wseltzer: hard to accommodate global participation in conference calls, but we try. but Kepeng did cite time.
craig: I'm west coast and don't mind 7am. some of my WGs alternate timezones.
... 3/4pm west coast, sometimes. we have people in australia.
<npdoty> 7am Pacific Time is rough for me; I would typically prefer a midnight call, but alternating seems like one possible compromise
<wseltzer> https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0018.html
christine: nothing to report from IETF. sent out a summary; it had some suggestions of things we could do as a group. e.g. 2x calls/months: one for reviews/docs, one for information sharing. could try to get researchers to give seminars
<wseltzer> ^ notes from PING@IETF
christine: could extend invites more broadly. could have a PING blog.
... should we form a task force to standardize incognito/private browsing mode?
<npdoty> these sound like cool activities, if we have enough active interest/participation in doing them
mikeoneill: we could take a more active role in giving input to APIs in earlier stages of their development
weiler: (back to mtg time) we could try an experiment. seems to be some support for alternating.
<christine> 25 Aug works for me
<npdoty> 25 August works for me too
tara: next call on Aug 25
<npdoty> (if we want to start alternating or fortnightly calls, should we look for mid August or mid September?)
<barryleiba> Thanks, everyone
tara: may look at 2nd call starting in September
... probably not change time this time, but will consider and announce it.
Present: wseltzer, tara, weiler, christine, Andrey_Logvinov, Barry_Leiba, marta, mikeoneill, terri
Date: 28 Jul 2016