See also: IRC log
<keiji> I think it opened already.
<weiler> still not working for me.
<weiler> others?
<keiji> https://mit.webex.com/mit/j.php?MTID=meda7c1b71d647aefa4377d4610c67648
<tara> Sorry, Nigel -- I had a problem this morning also.
<christine> hi are we talking about webex?
<keiji> Does this link work?
<tara> Sorry about that; I copied it from an earlier agenda but clearly something went wrong.
<christine> link?
<tara> Good to hear!
<keiji> https://mit.webex.com/mit/j.php?MTID=meda7c1b71d647aefa4377d4610c67648
<keiji> Meeting number: 648 986 475
<tara> Welcome, Nigel!
<christine> hi, joined webex
<christine> thanks nigel
<scribe> scribenick: npdoty
tara: introductions
<christine> thank you Nick!
Nigel Megitt, BBC, Chair of TTWG
<tara> Timed Text Markup Language 2 (TTML2)
<tara> Working draft: https://www.w3.org/TR/2017/WD-ttml2-20170630/
nigel: update to TTML 2, currently in Working Draft, hoping to be last working draft before Candidate Rec, seeking wide review
<nigel> TTML2 Security and Privacy section
<nigel> Draft self-review questionnaire re security and privacy
nigel: reviewed the self-review questionnaire from the TAG, not a lot of privacy issues, but does have a privacy considerations section
... external resources can be loaded (images, audio, etc.)
... unlikely to reveal anything that isn't available through some other mechanism
... merely downloading a TTML document could reveal that the person needs the information in it, likely for subtitles or captions, which provides a hint as to the user's hearing ability
... because a document format rather than API, not many privacy or security issues
<Zakim> chaals-o, you wanted to note that it reveals to the server which users appear to be using captions.
chaals-o: downloading reveals that you're using captions at all
nigel: if origin wants to track viewing habits of particular users, can do that already with different methods based on how the media is being distributed
chaals-o: how much does it really expose that the user asked for the captions file?
nigel: not very much
... not included in privacy considerations section currently
<nigel> IMSC 1.0.1 profile of TTML1
nigel: might make sense to update privacy and preference and external images to include comments from TTML1 in TTML2
chaals-o: caching might limit the amount of information revealed here
nigel: typically there is some JavaScript for the control (like the subtitles button)
<Zakim> npdoty, you wanted to ask, does it reveal more than just wants-captions?
<tara> npdoty: the fact that the user hit the button at all -- reveals that they are using captions for example
<tara> npdoty: but are there other things revealed? e.g., language prefs?
<tara> npdoty: are there conditional things, like audio if I can't read, or load Russian lang version if that's my preferred lang?
<tara> Nigel: yes and no - conditionals define semantic inclusion of that content as used for presentation
<tara> Nigel: implementation *could* only load the things that it needs - if there are external resources referenced at all
<tara> Nigel: could be done on demand, or up-front. Document defines, for example, five language tracks -- implementation could fetch all of them
<tara> Nigel: or could only fetch as required
<tara> npdoty: trying to consider the potential better or worse implementations - so, on-demand, for example, would reveal more information
<tara> npdoty: so we would highlight this as an area of privacy consideration.
<tara> nigel: we could add a note to say there is an effect depending on whether or not you use on-demand approach
<chaals-o> [By an large I think this work is good to go...]
<tara> npdoty: in TTML 1 - there is discussion of cross-origin policy; TTML 2 says this is out of scope? Is this addressed elsewhere?
<tara> npdoty: there are security considerations
<tara> Nigel: embedded content - things can be referenced or included as binary; no, looks like there is nothing about fetch semantics at all
<tara> npdoty: mostly concerned about fetching external resources
<tara> Nigel: mostly talks about *impact* of CORS rejection but not about implementation; does this need to be part of the spec or "somebody else's problem"?
<tara> npdoty: I think that other doc markup specs are being specific about how content is fetched, primarily due to these security concerns, so should work here.
<tara> npdoty: if different implementations do different things, there may be false assumptions about what is in place (like following CORS)
<tara> nigel: that is an impact of preventing loading the resource, which *is* mentioned
<tara> nigel: because there is no specified way to get the TTML doc, you can't relate to any of the resources *in* it (URIs) - seem a bit separated?
<tara> nigel: there is nothing about origin of TTML doc so how do you enforce CORS?
<Zakim> npdoty, you wanted to ask about fetch and CORS
https://fetch.spec.whatwg.org/#goals
<tara> npdoty: may want to review the fetch spec (see link) to see if relevant
<tara> npdoty: this also considers things like service workers, etc that are relevant to sec & priv
nick: mixed content might also be relevant for privacy/security
<christine> yes, thanks
nigel: completed self-review questionnaire, should we send that to anyone?
tara: mostly just useful for review
<tara> Item: PING F2F at IETF 99
christine: small group at IETF, talked about ways to improve level of engagement in Interest Group, helping other groups to do privacy reviews
... related efforts on improving security reviews
... most effective way for this group is to have these discussions with editors/chairs
... thanks for being persistent in asking group to send someone
<tara> Thanks, Sam, for your efforts!
christine: getting up to speed on Github, to do more work on privacy questionnaire
... use the mailing list for general discussion of web privacy issues that are coming up in research or news
... put together in one place the privacy considerations in current specifications, catalog of what's been done
... Niels from Article 19 expressed some interest in tools for doing that
... at next IETF, could have a web privacy hackathon, as was done last time for HTTP Status 451
... what are the privacy implications and considerations of the standard?
weiler: for IETF get-together, things that could use input from the masses, or just document work
... privacy issues in the Web Authentication spec via device identifiers
... Web Authentication is a topic we should pay attention to
weiler: web privacy hackathon/meetup suggested for IETF 101 in London, March 2018 (not the next IETF, which is Singapore in November)
... TPAC, book your hotel room now!
<Zakim> weiler, you wanted to discuss other specs that may need or want privacy reviews
tara: potential meeting conflicts at TPAC
weiler: trying to recruit security reviewers based on specific requests to Web Security Interest Group
... Input Events?
npdoty: I think we did talk to Input Events
chaals: will follow up
<tara> https://www.w3.org/TR/push-api/
chaals: I think the editor already considered that feedback
<tara> https://w3c.github.io/push-api/security-privacy-questionnaire.md
<tara> https://github.com/w3c/push-api/issues/
chaals-o: we discussed Push API at a recent meeting, there were some open questions where we expected them to come back to us, but they haven't yet - as noted in a message to us a couple of days ago
npdoty: it sounds like they are waiting for feedback from us, but we're also waiting for something from Push API editors
chaals-o: do we have a way to track past reviews/feedback?
christine: if we start a good practice today, we can go back and add others
<wseltzer> PING git repository
https://www.w3.org/wiki/Privacy/Privacy_Reviews
wseltzer: other groups (like i18n) have used cross-linking of issues in github, so that other groups can see issues and discussion in progress during a review
christine: will try to learn how to do that!
August 24th for next meeting
<tara> Arbitrarily picking Aug 24
Date: 27 Jul 2017
Present: npdoty, weiler, Nigel, tara, keiji, chaals, christine, wseltzer, MarkOblad, terri
Regrets: leiba
Scribe: npdoty
Minutes: http://www.w3.org/2017/07/27-privacy-minutes.html