See also: IRC log
<keiji> present keiji, tara, npdoty
<npdoty> WebRTC FTW
<npdoty> scribenick: npdoty
runnegar: of ISOC, enough tech to be dangerous ;)
tara: engineering and privacy at Google
npdoty: UC Berkeley, School of Information
weiler: W3C Security & Privacy
keiji: Keio University and W3C, Team Contact
benhayes: Chief Privacy Officer at Nielsen, a privacy lawyer
wseltzer: W3C Strategy, another lawyer :)
christine: PING is trying to
improve privacy in Web standards, work with groups to help make
design decisions with a privacy and security perspective
... inviting spec authors or others from the WG to talk about
the functionality of the specification
... also produce guidance so that Working Groups can do their
own reviews and mitigations
... fingerprinting mitigation guidance, and a more detailed
annotated privacy questionnaire
<weiler> https://mit.webex.com/mit/j.php?MTID=mfaf091b3c460e388fc7b609bb8f2b753
christine: need to roll up our
sleeves; suggest we raise a particular privacy
issue/questionnaire each week
... and share information on current Web privacy issues (e.g.
header enrichment)
http://w3c.github.io/fingerprinting-guidance/
<christine> yes please sam
<tara> Thanks, Sam!
<weiler> scribenick: weiler
BenHayes: what you mean re: mitigating fingerprinting?
npdoty: doc defines
fingerprinting and impact on end users. TAG has written more
about this.
... tracking of users w/o controls. mitigations are re: ways
to, from our specs, limit impact on user privacy.
<npdoty> http://w3c.github.io/fingerprinting-guidance/#identifying
npdoty: @@
... section 5's goal is explaining tradeoff between
fingerprinting surface and impact.
... persistence of identifiers, availability of drive-by web,
entropy....
benhayes: what's this use of entropy?
npdoty: how much randomness?
weiler: is this close to 'anonymity set'?
npdoty: not quite
... high entropy = high identifiability.
[this seems odd to the audience]
scribe: happy to have better language.
<chaals> [I find "high entropy = high identifiability" confusing. Can we find a word less confusing, like "identifiability"?]
christine: in developing
annotated privacy questionnaire... compare to IETF privacy
considerations... this is very different from what you'd give a
privacy officer.
... in standards area, we need to offer things that are
meaningful to the spec writers.
... we commonly ask re identifiers, since spec authors
understand that. then we talk about properties of identifiers
that may have privacy implications
benhayes: talked w/ folks this AM re: no longer PII but instead @2
npdoty: we used 'entropy' for 'amount of distinguishedness'.
benhayes: feel free to use terminology you like, but it may need to be explained.
<npdoty> nick will create an issue to better explain "entropy" somewhere in the text
<chaals> ["information resolution" might be a better term, since resolution is used in other contexts. But let's not spend this meeting looking for terminology]
<christine> chaals, would you be willing to talk about microdata?
npdoty: I need feedback on these five factors: are they useful in deciding what tradeoffs to make?
<christine> great, let's do that next
christine: any feedback from other communities?
npdoty: no.
christine: want to get this done. ideas for how to convince folks to give us feedback?
[weiler has an idea. will see what trees I can kick.]
<christine> thanks sam
chaals: who did you ask?
npdoty: EFF fingerprinting group & PING list.
chaals: you want to ask chairs & spec editors for feedback.
<scribe> scribenick: npdoty
<tara> Agenda item: Microdata
thanks. I think we've tried some to talk with chairs@ on earlier iterations, but might want to go back to that.
chaals: microdata is a straightforward specification
https://w3c.github.io/microdata/#privacy-considerations
<chaals> Microdata privacy considerations
attributes that you can add into your HTML documents, to mark up the content in a machine-readable way
chaals: you could use it to
publish information into RDF (a common use, with schema.org),
telling crawlers what the document is about
... not very clever, relies on vocabularies
... microformats, RDFa, microdata -- microdata is most used if
not the most expressive
... goal is a recommendation that reflects what is actually
implemented
... few privacy implications
<christine> q
<christine> +q
chaals: could make information more explicit, but that's the only thing I can think of that happens
christine: could microdata be
used to enhance privacy?
... improve transparency about privacy aspects of a page
chaals: by itself it wouldn't
make a difference, but need to process microdata, which is
typically done by third-party applications -- a browser
extension or a search engine, say
... could identify documents that shouldn't be read or
shouldn't be published because they are privacy-sensitive
... could identify parts of the HTML interface that are
collecting sensitive form data
... not specific to microdata, but microdata provides a
mechanism to achieve it
... microdata not especially expressive, so might not be the
best option
... most often used for search engines to provide rich snippets
based on marked up pages
<christine> most common use of microdata is to mark up personal data (e.g. author name) so need to fix privacy considerations
<chaals> NPD: Should we be recommending access control for personal information?
npdoty: think it's incorrect to say that it's not generally personally identifying, because an extremely common use is marking up name/author information for search engine publishing
chaals: enabling easier machine
processing of potential information about people
... so might want to recommend that users take care when
marking it up that way
christine: changing the privacy implications of the personal data that's in that page, because it's easier to find or easier to consume/process
<chaals> [point to the need to consider what information is being collected, or made more collectible, and what are the implications of doing so.]
chaals: will file an issue on
that point.
... helpful feedback
christine: need to move forward
with the privacy questionnaire
... what's a good discrete question to start with on the email
list?
chaals: went looking for privacy
questionnaires, and I found 3!
... would be very helpful if we went through our own
documentation to point to 1 or 2, but in a consistent
manner
<tara> Thanks, chaals.
keiji and weiler, can you help us fix the documentation?
christine: point to TAG sec/priv
questionnaire
... and make it clear that work-in-progress one at Greg's
longer questionnaire
chaals: for me, the questions in
the wiki were easier to understand around privacy issues
(rather than just security issues, or more technical
points)
... could split security and privacy questionnaires
npdoty: my impression was that tag document could become shorter, and point to longer documents
christine: hoping we'll have some staff/volunteers back and more accessible
wseltzer: we can publish whatever
we have consensus on, not seeing active work on sec/priv
questionnaire
... incremental improvement, decide where the best pointer is
to a single document
... leaving it as 3 documents where no one is working on any of
them is causing confusion
<weiler> wseltzer++
christine: +1, let's sort that offline
<tara> https://www.w3.org/2017/11/TPAC/
do a questionnaire walkthrough at TPAC?
would need a pretty solid draft by then
<weiler> maybe more than one? open invitation?
chaals: don't expect it to ever be totally finished because we'll keep learning things
christine: should try to identify a good test case early
npd: +1
<tara> Sounds good for TPAC plan!
christine: npdoty, do you have a list of specs with privacy considerations?
npdoty: will try to come up with that offline
tentatively planning on June 29th for next meeting
[adjourned]
<keiji> yes, thank you nick!
<keiji> Chair tara
<keiji> 6-10 NOVEMBER 2017?
Present: weiler, keiji, tara, npdoty, wseltzer, BenHayes, chaals, christine
Scribes: npdoty, weiler
Agenda: https://lists.w3.org/Archives/Public/public-privacy/2017AprJun/0027.html
Date: 18 May 2017
Minutes: http://www.w3.org/2017/05/18-privacy-minutes.html