hi. I seem to have trouble joining Webex.
password issue apparently
thanks
<tara> We're trying to work it out, thanks folks...
e' voila! thanks
<tara> Hm my browser is giving me trouble, back shortly...
<nigel> IMSC 1.1 FPWD
update of an existing spec - a profile of the Timed Text Markup Language - scoped for subtitles and captions for web media
IMSC1 is already a rec
recently updated privacy and security considerations
doc format and specifies processor format
text profile (text to be rendered) and image profile (refers to offline resources to be fetched, images)
that scope is important - no scripting is involved
biggest area of possible privacy considerations - the very fact that the document has been requested - hint/guess that user has difficulties hearing audio
but could be translation subtitles - so could conclude a language user does not understand
fetching images - could hint about user's consumption of that media
some constraints with XML
<Zakim> npdoty, you wanted to comment on purpose of images for subtitles
nick - thanks for overview - see external images mentioned in privacy and security considerations section
what is the purpose of downloading external images for subtitles?
answer - when client-side rendering could not achieve goal - allows server-side rendering - introduced in IMSC 1 - for foreign languages with complex rendering
not just for fonts and styles that might exist - where precise authorial control is needed, eg. subtitles in Avatar that speaks the language - need image based subtitles
recommendation is to have a back-up text tracker every time an image based is made available
maps to HLS or DASH - manifest with multiple alternative tracks for a language
client decides what to pick
nick - in security and privacy section - some user agents that do not enforce cross-origin policies - not sure what that refers to
answer - not all IMSC agents are user agents as defined by W3C, e.g. TV with embedded processor - unknown whether they have same or different security policies
use case might be - create a subtitle track for distribution by a third party, a netizen, eg. distribute out but did not realise makes image requests to another unknown party who is collecting info about consumption based on request
nick - can see privacy issue - not sure how cross-origin serves here
answer - ... cross-origin issue
nick - are there user agents that would refuse to load images from different origins
answ - I believe the answer is yes
nick - interesting, new info for us
ans - thought that was standard behaviour
nick - a little more detailed - most websites today include images from other origins, web browsers support that without specifying cross-origin to get images
details about whether javascript on original site can access what was loaded cross-origin, maybe someone who knows COSP better could say
yes, a privacy issue what you have described
with CSP could say doesn't include - browser should only load images from this origin
maybe we need to document what is expected to happen with CSP if it prohibited loading those images
do you want to specify that in the spec?
answer - we don't mandate anything to do with fetching at the moment - would be a whole new area for the spec - merely a reference
nick - maybe clarify language in the privacy and security considerations section - will have to think about that more
answer - UA that do enforce user cross origin security policy may prevent images being loaded, maybe could add something
may be many reasons why images do not load (note)
tara - do you have what you need?
answer - i think so
tara - deadlines?
<npdoty> nigel or pierre, is there a mailing list or github issue list where we could iterate on text suggestions?
answer - just published as a public working draft, still have quite a bit of work, time to make comments
correction - in CR - want to move as quickly as possible
(yesterday, if something blocking)
<nigel> IMSC Github Repo
git repo
ask for nick to file that issue
nick - sure
thanks nigel and pierre
agenda item 2 - sensors
tara - lots of sensors review - may go through to TPAC on that
alexander
<keiji> scribe: christine
one request for review is related to security and privacy - defined some security mitigation strategies and attack vectors we consider important to address
<shalamov> https://w3c.github.io/sensors/#security-and-privacy
answered security and privacy questionnaire
<tara> https://github.com/w3c/sensors/blob/master/security-questionnaire.md
(see links above)
looking for privacy feedback and improvements - in WD - developers are trying and giving feedback
open to questions
api to give access to sensors
data is security and privacy sensitive information (e.g. could be used to skim pin codes)
also to identify whether male or female speaker, and some parts of the conversation
user location
some mitigations, reducing accuracy of data, constraints of context, ... if click outside the website or outside iframe, stop sensors
integrations api for permissions
(scribe apologies, line quality not optimal)
scribe: details of mitigations
nick - thanks for the overview - you mentioned the permissions API and the feature policy spec
potentially a lot of things could be included in those references - what feature policy or permissions for sensors
answer - for V2 - features policy integration planned
some use iframe - use motion sensors - for those use cases, plan to use features policy
nick - for permissions API, a requirement for explicit permission for each sensor, or?
answer - UA must use permissions API - but UI is not specified anywhere - in Chrome given by default for gyro, acc, ..
still under discussion
nick - UA decide on a case by case basis?
answer - right now not clearly defined, still in progress
nick - a little harder to assess the privacy implications of the sensors if not specified if user is involved in granting permission
answer - something beyond asking users to grant, e.g. for ambient light if reduce accuracy less can probably safely expose and privacy implications reduced
maybe in that case don't need to show any pop-ups, but maybe for other data it is required
nick - will those requirements be in the spec?
answer - should be handled by research team - what are safe limits for the sensors
nick - thanks for the context
<Zakim> weiler, you wanted to announce permissions breakout session at TPAC
<npdoty> I think there are going to be real questions about interoperability, user expectations when permissions for sensors can be implemented in such variable and unspecified ways
sam - breakout session at TPAC on Wed - on permissions and user consent - looking at these sorts of questions
<npdoty> +1, it would definitely benefit from some breakout conversation
tara - continue next week
<npdoty> will the WG be meeting at TPAC? or discuss at the PING meeting?
alexander - unfortunately cannot go to TPAC, but others will be there and could discuss these areas
tara - thanks for joining us and looking forward to future collaboration
agenda item 3 - TPAC
tara - agenda is in the process of being finalised - several open reviews
trying to coordinate with availability of other WGs
meeting on Thursday - SING is not meeting - open invitation from that group to join PING
net info api?
nick - not sure if group is meeting at TPAC, or discuss at PING
tara - ongoing work from automotive
also possibility of adding that in as well
webappssec - currently don't have any particular item, but waiting to hear
will not be short of things to do!
invitation to add agenda items to TPAC
nick - time to visit other groups in their own scheduled meeting times, either to discuss privacy or learn about their specs
has someone had a chance to go through the schedules?
will try to drop into other groups
tara - share thoughts on mailing list
sam - webauthentication is still working on agenda but they have some interesting privacy challenges
try joint meeting (1/2 hour)
christine will not be able to be at TPAC
tara - see everyone at TPAC
will be remote participation and IRC
thanks, all for agenda today
keiji - a request from verifiable claim WG - want input from PING
(reminder)
at TPAC
<npdoty> Web Payments has privacy-specific agenda items for Tuesday at TPAC
tara - ack
<npdoty> what is Verifiable Claims?
not available friday
(tara)
AOB?
<weiler> thank you!
see everyone at TPAC, ciao
Present: npdoty weiler jnovak keiji NigelMegitt runnegar tara Pierre-AnthonyLemieux LCPolan Alexander_Shalamov mary jason
Scribe: christine
Date: 02 Nov 2017