See also: IRC log
<tara> Waiting for folks to join the call...
<dsinger> https://www.w3.org/TR/webvtt1/#privacy-and-security-considerations
<tara> VTT: can be used for captions
<tara> Also timed actions
<tara> (e.g., flip text in time with video)
<tara> Style sheets -- if you trigger fetches of resources, you can be notified if user, say, watches a video
<tara> Also leaks privacy of preference (e.g., user has a need for captions or subtitles)
<tara> Thanks, Sam!
npdoty: what can we learn from the Timed Text review we did last month? can you coordinate with them?
<tara> (I took some notes, was short.)
dsinger: they have the complexity of using xml.
npdoty: most of discussion last time was re: fetch. with CSS fetching is prohibited?
dsinger: no, you can trigger fetching of style sheets. they're static - not time-based.
npdoty: comparable to fetching DTD
... but can't load external image?
dsinger: right.
... can't control what JS does with the trigger.
npdoty: anything else re: user prefs that might be revealed to JS, e.g. language?
dsinger: not that JS layer would not already know.
... metadata track.... language no longer applies.
... might be able to leave how user like style.
... can probe color preferences, etc.
npdoty: css history sniffing had this problem - are links purple?
dsinger: I'm talking re: sniffing pixels on screen
npdoty: do different UAs do rendering differently?
dsinger: preferences affect rendering.
<tara> weiler: has been discussed that the issue is in "other layers" but I have seen this be a problem
<tara> weiler: if there is, say, a leak plugged in that layer, then we don't want to say "we're sunk because someone else has made the situation poor"
<tara> singer: basically agreeing, not thinking of anything off the top of his head
<npdoty> +1 that we don't want to accept a privacy leak just because it's already present somewhere else
npdoty: less leaks here than with, e.g., sensors
<tara> npdoty: if (static) documents can be used in a way that they reveal how things are loaded, etc then it's a problem, but not as big a risk as say, Javascript
dsinger: timed text and this would be happy to answer Q's. I think security problems are slightly more interesting.
tara: timelines? 22 Sept?
dsinger: we did a wide review a year ago, but doing another.
... going to CR. trouble getting people's attention because it was implemented years ago.
... Jason Novak works in Apple's privacy group. more individual contributor; has been managing to date. he'll be showing up more.
<npdoty> :clap:
<Zakim> dsinger, you wanted to talk about apple representation in AOB
<tara> weiler: asked to provide text to help team members -- security & privacy reviews
<tara> weiler: mentioned this team is doing privacy reviews; what else to share with AC reps?
<tara> dsinger: would plead for more people on the calls?
<tara> npdoty: we have also asked for more systematic reviews, such as with security reviews
<tara> npdoty: want to assign more folks to do review (outside of call time, say)
<tara> weiler: that has been happening for security
<tara> npdoty: outreach calls is a good time to bring this up
<npdoty> and we'd love to hear the experience on security reviews
<terri> currently the security reviews seem to be rarely happening, for those not on the web security IG
<tara> weiler: had mentioned WebAuth WG was approaching CR...hoping they are going to ask for PING input
<tara> weiler: they have decided not to ask *yet*
<Zakim> dsinger, you wanted to talk about do not track
dsinger: DNT / tracking protection WG is trying to wrap up.
... exceptions API .. for a site to be able to say "in order to do my job, I need to be able to track you"...
... exceptions API went through a significant edit. wondering if we should do another review
... long draft.
<npdoty> are there fingerprinting implications regarding that API? I know we had previously considered that
dsinger: may be able to use different exceptions on different clients in order to fingerprint. need to look at this more closely.
<dsinger> https://w3c.github.io/dnt/drafts/tracking-dnt.html
<npdoty> (or raw code: https://github.com/w3c/dnt/blob/master/drafts/tracking-dnt.html)
<wseltzer> or https://rawgit.com/w3c/dnt/master/drafts/tracking-dnt.html
weiler: will WG ask, or do we need to provide it proactively?
dsinger: they'll ask
weiler: TPAC plans?
tara: some conflicts. I'll send a request for agenda.
<tara> Web Security IG - really try not to overlap
tara: not setting the Sept date now, but we'll send it to the list soon.
adjourned at 1632Z
Present: terri, npdoty, dsinger, tara, keiji, weiler, wseltzer
Regrets: christine
Date: 24 Aug 2017
Minutes URL (guessed by scribe.perl): http://www.w3.org/2017/08/24-privacy-minutes.html