Privacy Interest Group Teleconference

24 Aug 2017

See also: IRC log


terri, npdoty, dsinger, tara, keiji, weiler, wseltzer


<tara> Waiting for folks to join the call...

<dsinger> https://www.w3.org/TR/webvtt1/#privacy-and-security-considerations

<tara> VTT: can be used for captions

<tara> Also timed actions

<tara> (e.g., flip text in time with video)

<tara> Style sheets -- if you trigger fetches of resources, you can be notified if user, say, watches a video

<tara> Also leaks privacy of preference (e.g., user has a need for captions or subtitles)

<tara> Thanks, Sam!

npdoty: what can we learn from the Timed Text review we did last month? can you coordinate with them?

<tara> (I took some notes, was short.)

dsinger: they have the complexity of using xml.

npdoty: msot of discussion last time was re: fetch. with CSS fetching is prohibited?

dsinger: no, you can trigger fetching of style sheets. they're static - not time-based.

npdoty: comparable to fetching DTD
... but can't load external image?

disnger: right.
... can't control what JS does with the trigger.

npdoty: anything else re: user prefs that might be revealed to JS, e.g. language?

dsinger: not that JS layer would not already know.
... metadata track.... language no longer applies.

might be able to leave how user like style.


can probe color preferences, etc.

npdoty: css history sniffing had this problem - are links purple?

dsinger: I'm talking re: sniffing pixels on screen

npdoty: do different UAs do rendering differently?

dsinger: preferences affect rendering.

<tara> weiler: has been discussed that the issue is in "other layers" but I have seen this be a problem

<tara> weiler: if there is, say, a leak plugged in that layer, then we don't want to say "we're sunk because someone else has made the situation poor"

<tara> singer: basically agreeing, not thinking of anything off the top of his head

<npdoty> +1 that we don't want to accept a privacy leak just because it's already present somewhere else

npdoty: less leaks here than with, e.g., sensors

<tara> npdoty: if (static) documents can be used in a way that they reveal how things are loaded, etc then it's a problem, but not as big a risk as say, Javascript

dsinger: timed text and this would be happy to answer Q's. I think security problems are slightly more interesting.

tara: timelines? 22 Sept?

dsinger: we did a wide review a year ago, but doing another.
... going to CR. trouble getting people's attention because it was implemented years ago.
... Jason Novak works in Apple's privacy group. more individual contributor; has been managing to date. he'll be showing up more.

<npdoty> :clap:

<Zakim> dsinger, you wanted to talk about apple representation in AOB

<tara> weiler: asked to provide text to help team members -- security & privacy reviews

<tara> weiler: mentioned this team is doing privacy reviews; what else to share with AC reps?

<tara> dsinger: would plead for more people on the calls?

<tara> npdoty: we have also asked for more systematic reviews, such as with security reviews

<tara> npdoty: want to assign more folks to do review (outside of call time, say)

<tara> weiler: that has been happening for security

<tara> npdoty: outreach calls is a good time to bring this up

<npdoty> and we'd love to hear the experience on security reviews

<terri> currently the security reviews seem to be rarely happening, for those not on the web security IG

<tara> weiler: had mentioned WebAuth WG was approaching CR...hoping they are going to ask for PING input

<tara> weiler: they have decided not to ask *yet*

<Zakim> dsinger, you wanted to talk about do not track

dsinger: DNT / tracking protectionW G is trying ot wrap up.
... exceptions API .. for a site to be able to say "in order to do my job, I need to be able to track you"...
... exceptions API went through a significant edit. wondering if we should do another review
... long draft.

<npdoty> are there fingerprinting implications regarding that API? I know we had previously considered that

dsinger: may be able to use different exceptions on different clients in order to fingerprint. need to look at this more closely.

<dsinger> https://w3c.github.io/dnt/drafts/tracking-dnt.html

<npdoty> (or raw code: https://github.com/w3c/dnt/blob/master/drafts/tracking-dnt.html)

<wseltzer> or https://rawgit.com/w3c/dnt/master/drafts/tracking-dnt.html

weiler: will WG ask, or do we need to provide it proactively?

dsinger: they'll ask

weiler: TPAC plans?

tara: some conflicts. I'll send a request for agenda.

<tara> Web Security IG - really try not to overlap

tara: not setting the Sept date now, but we'll send it to the list soon.

adjourned at 1632Z

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/08/24 16:33:01 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.152  of Date: 2017/02/06 11:04:15  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Succeeded: s/doing/going/
Succeeded: s/1232pm/1632Z/
Present: terri npdoty dsinger tara keiji weiler wseltzer
Regrets: christine
No ScribeNick specified.  Guessing ScribeNick: weiler
Inferring Scribes: weiler

WARNING: No "Topic:" lines found.

WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Found Date: 24 Aug 2017
Guessing minutes URL: http://www.w3.org/2017/08/24-privacy-minutes.html
People with action items: 

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report

[End of scribe.perl diagnostic output]