See also: IRC log
<tara> Oops - somehow WebEx kicked me off!
<tara> That is not helpful!
<tara> Ah - okay now.
<scribe> scribenick: npdoty
<tara> Requests for reviews:
<tara> Screen Orientation API
<tara> https://lists.w3.org/Archives/Public/public-privacy/2016OctDec/0030.html
<tara> IndexedDB API
<tara> https://lists.w3.org/Archives/Public/public-privacy/2016OctDec/0031.html
<wseltzer> warning, danger lies there
<tara> WebPerf: https://lists.w3.org/Archives/Public/public-privacy/2016OctDec/0035.html
wseltzer: brainstorming on how we can get the privacy reviews done for these specs
... have talked to a few groups that need a real privacy/security considerations explanation in their specs
... that is, not just "there are no privacy or security considerations"
... as a small group, we have trouble keeping up with all the specs
... working on self-review guidelines and then reviews that just focus on their answers to those questions, could be a more rapid response
... and start talking with the person who did that self-review and knows the spec technically
... so that we can get into more detailed questions about cross-origin or sensors with that person
tara: 1) for some specs we are getting people who provide the answers to the self-review questionnaire, but more of that could improve the review; 2) late-stage specs that haven't looked at the questionnaire may be an issue
wseltzer: sure, 2) is more on W3C, and is getting spread with education and tooling
... for our reviews on these calls, could we get champions of issues to take the next step of reading and highlighting anything that looks concerning
tara: we had tried to identify an individual who would solicit comments and move things forward
<tara> nick: it helps to have the groups fill out the questionnaire but there is more work to be done.
<tara> nick: reviewer does have to review the spec in some detail to find the relevant info
tara: +1, reviewer has to look at the spec itself, not just self-review responses
... to add their own level of analysis or catch issues
<tara> nick: when we have assigned people, have we followed up?
tara: we have had people who would manage responses, but had more of a problem that the group itself didn't contribute answers to compile
wseltzer: can we use Github issues as a way to put pressure on both the WGs and PING?
... e.g. open a privacy review issue that can't be closed without conducting a privacy review (either by PING or someone else, like a WG member), and PING can point out with comments if a review is not sufficiently detailed
... Github is where work is being moved. Director is asking for a disposition of issues at transitions, and groups typically point to their Github issue list
tara: in terms of getting the process happening earlier, is there anything formal / involved with Github, to get this to happen sooner?
wseltzer: having the questionnaires in better shape would help a lot
... questionnaire should point out that you should have a priv/sec section and it should address your responses to this (per dsinger)
npdoty: I only see a timeline request on 1 of the 3 requests that we're looking at
... can someone follow up with those groups to ask about their timeline?
tara: Web Payments likely to come back with a group of changes in January
<wseltzer> [for example, I note that Screen Orientation doesn't even mention "privacy". that should be an automatic push-back.]
<tara> I will go track down deadlines.
https://www.w3.org/wiki/Privacy/Privacy_Reviews
npdoty: wiki is out of date, but it's becoming clear that as the review requests come in more quickly, we either need more volunteers within PING, or need to find ways for reviews to happen within groups
<wseltzer> https://github.com/w3c/screen-orientation/issues/96
weiler: how likely are we to get effective reviews from the group itself?
npdoty: it might be rare to get comprehensive reviews from the author or someone in the group already, but could get quite detailed expertise if they're willing to recruit security/privacy people from their own organizations to conduct a review
weiler: that suggests that maybe we should mention in questionnaires that they may need to ask for expertise not already within the WG
wseltzer: Web Perf a particular area of privacy concern because the focus of the APIs is to gather very detailed data, which could be used for fingerprinting and the like
... since they're currently revising lots of them, important that they at least have privacy considerations described
... in some cases just describing features that are already implemented
... privacy issues can either note that we can't recommend it as implemented, or note the privacy issues for potential implementers who can mitigate in some ways
wseltzer: can successfully point out research results that changed certain features
<tara> User Data Controls in Web Browsers
<tara> https://gist.github.com/mnot/96440a5ca74fcf328d23
tara: additional context on mnot's shared doc on user data controls?
wseltzer: Mark shared this document as an evolution from previous conversations with PING
... expanded from just private browsing modes to looking at different modes more generally
... describe those modes so that other specs can reference how they should behave in those different modes
... could adopt this as a PING note for ongoing work
... and could modify questionnaires/reviews to refer to this document and these modes more specifically
... another privacy review request from dsinger on VTT privacy/security considerations
<tara> npdoty: looking at IndexedDB spec
npdoty: IndexedDB group refers to "clear browsing data" and how their spec's data should be handled
... and I think it would be useful to have a formal description/categorization of the different features across browsers, as opposed to referring to a single name of a feature
tara: nice seeing our group note out there in the wild, being pointed to by Princeton researchers :)
<tara> 1. status of document
<tara> 2. met with EFF folks about directions
<tara> Status: needs revisions to make it more actionable for people writing browser specs
<tara> What are common sources of fingerprinting (so people can easily identify them)
<tara> May also need to weigh pros and cons -- explicitly note that *these* are the factors that are the most concerning, to go into the weighing process
<tara> Intend to add them by the end of the year and get PING feedback
<tara> EFF feedback:
<tara> 1. Some fingerprinting work could benefit from prioritizing how we fix those issues.
<tara> Since some fingerprinting happens at implementation, versus specs, we can ID the bugs
<tara> Making FP detectable is helpful (sometimes prevented)
<tara> 2. Sometimes we are getting into UI/UX issues
<tara> Like - how much information is overload?
<tara> Might be helpful to have a meeting to discuss these user-facing issues -- write up some advice
<tara> 3. Coordination -- we talk about clearing information (e.g., cookies...) but also there is a separate effort in IETF space, about rotation (e.g., of IP address)
<tara> We might want to talk about these things at the same time.
<tara> If your IP address rotates at the same time as the cookie, then they can be tracked together, but otherwise it may be equivalent to clearing.
<tara> So this is a place where we could coordinate layers and groups.
<tara> Sam: how might we cross that layer boundary?
<tara> npdoty: IAB folks had talked about number rotations; EFF can help link us up with folks working in that layer of the problem
<tara> Use our networks to connect these discussions.
tara: great, plenty of work to do there :)
... Privacy Questionnaire question out to Christine, who is currently managing that
npd has a workshop on January 12th
<weiler> Wendy and I are also busy on 12 Jan
<tara> Tentatively Jan 19 but need to consult with Christine.
npdoty: post-election responses, besides our work still being important?
weiler: might be a key recruitment point on encouraging participation in privacy/security and standardization
+1
tara will follow up on the list with the decided time for the next meeting, and follow up on ongoing work items over the holiday
tara: thank you all for your hard work
trackbot, end meeting
Date: 01 Dec 2016
Present: wseltzer, tara, npdoty, weiler, jim_lim, lake_polan, mary_hodder
Agenda: https://lists.w3.org/Archives/Public/public-privacy/2016OctDec/0048.html
Minutes: http://www.w3.org/2016/12/01-privacy-minutes.html