W3C

- DRAFT -

Privacy Interest Group Teleconference

08 Mar 2018

Attendees

Present
weiler, tara, jnovak, LCPolan, christine, wseltzer, npdoty, MikeSpecter, chaals, Barry_Leiba
Regrets
Chair
tara
Scribe
tara


Today's agenda: no reviews on the stack, discuss PING planning

We can think about the broader W3C work in general and what could W3C be doing to further web privacy?

<specter> Hi!

<specter> thanks Wendy!

Next IETF meeting (IETF 101) - put together topics for "mini privacy hackathon" before meeting

See email: https://lists.w3.org/Archives/Public/public-privacy/2018JanMar/0021.html

Any questions on the hackathon?

<npdoty> I'll be looking at mailing list analysis / research at the IETF hackathon if others are interested in that as well: https://mailarchive.ietf.org/arch/msg/hackathon/dX1qDS3yfUg3Xnuw-tnRVMr6z88

IETF hackathon page: https://www.ietf.org/how/runningcode/hackathons/101-hackathon/

On broader planning: is there still interest in a permissions workshop?

Sam: yes, still interest but no concrete planning

Suggestion: PING can take effort to push this forward

Find a host (Mozilla?)

There is a related workshop in Europe?

<npdoty> is there a link to more info?

https://www.w3.org/2018/vocabws/

"A W3C Workshop on Privacy and Linked Data", 17–18 April 2018, WU Wien, Vienna, Austria

"Data Privacy Controls and Vocabularies"

seltzer: this is mainly an EU workshop with peripheral W3C involvement

christine: permissions is an area where PING could provide contributions - important area
... what could W3C be doing (technical or otherwise)?

jason: have thoughts, not fully-formed yet, on what PING can be doing
... Dave Singer mentioned at TPAC that PING could be "center of excellence" for privacy

Speakers, info source, etc -- this could be one place to contribute

<npdoty> I like the idea of bringing in speakers, like inviting people to speak at TPAC

christine: agree, this group knows of people who are doing work in this domain to call on

how to do this in a format that is long-lasting -- beyond a phone call

Would need a repository

Not everyone can be live on the call, for instance -- this is solvable

Record talks for later

wseltzer: seminars, best practices would be a great thing

<npdoty> ws: what are good mechanisms that voluntary standards can help with?

another thing (from W3C perspective) -- what are good mechanisms to improve user privacy on the web, and how can we "pull together" on standards to help this?

Can we learn from less-successful efforts in this space?

<scribe> New advertising group is an opportunity to find solutions

christine: is there a way to standardize aspects of private browsing, or at least document current state of play?

Would be snapshot (since it's not static); this is only one piece but been talked about as an area PING could work on

jason: Hadley Beeman has some work on this (TPAC presentation)

tara: I recall there being general support, if no concrete plan

weiler: will close the loop with Hadley
... finding sites that are detecting incognito mode, turning users away in that mode, is akin to ad-blocker detection

Is this something PING should look into, if detection will push people away from using incognito mode?

christine: highlighting the practice is useful; people may be unaware of this

solution is trickier, but exploring the issue likely helpful

<jnovak> nick if you’re talking we can’t hear you

chaals: it's interesting to document; why is this intrinsically bad, though?

Pay sites take dim view of those who circumvent free access restrictions

<Zakim> weiler, you wanted to answer chaals

weiler: I see case for pay sites, but for some sites this might be about ad tracking

<npdoty> we could spend a lot of time documenting all privacy-related features in browsers

<npdoty> ... like the different tracking-blocking measures

<npdoty> ... but I'm not sure whether it will be as useful for us

chaals: sites might be poor actor (using the tech badly), but I am not sure this is a justification for technically blocking it - it makes more sense to explain what people do on the web, and let the world judge when that is OK and when it isn't

christine (in response to npdoty) - it might be useful if there was a need to standardize some of these features

jnovak: re sites detecting private browsing modes, with legit/illegit purposes...there is a higher-level question: what *is* privacy model for the web?

Both what is it now, and what should it be?

People have different ideas about what privacy is and should be, which is expressed differently in extensions, etc

PING could have higher-level convo to inform development

<weiler> I'm enthused by this vision.

<npdoty> +1

eg, third-party trackers might be bad thing, but newspaper views might not be...but we don't have developed enough views for that yet

christine: discussions have often been "this is the way the web works" rather than "what is the privacy model?" - lot of area for PING to revisit this issue

<npdoty> I think it would help privacy review conversations as well if we had a common privacy model, and could point out why something would change it

<npdoty> as in the confusion over "same-origin policy" being an ambiguous term

jnovak: if we have a model/philosophy of privacy on the web, can inform review work, push out to groups that are developing standards

Can bring privacy discussion to earlier stage -- feature design, not CR

christine: so how do we have this conversation?

Have workshop, with people presenting proposals ahead of time?

Have series of moderated discussions?

Would need a champion to bring enthusiasm, participants, etc

Ideas from group?

jnovak: I like workshop idea - lot of thoughts/opinions, need f2f to get to convergence

Take outputs and put into github or similar

Q: How do we differentiate between privacy and advertising/biz model of web?

Previous discussion, esp. about tracking, devolved into focusing on this specific aspect of privacy

These are second or third-level considerations, not primary

<weiler> If we're doing this as a f2f w/s, I'd love to see it attached to the PETS Symposium, just to get that community's input.

christine: I also fear that focusing on biz aspects will hamper discussion/broader considerations

Need to decouple these considerations

chaals: in contrast, if you talk about privacy w/out talking about what people are doing in reality would be a mistake

I think any discussion need not talk about enforcing a specific model/worldview -- either a very pro-privacy or pro-business stance

jnovak: we agree to some degree. I don't think we can't/shouldn't consider biz models.

More like: if we try to start by encoding *all* existing models, it'll hamper discussion

chaals: There are plenty of people who do good work on privacy in places like China and what those users need
... (found good application from China, as the only one of the class that had vaguely reasonable privacy policy and implementation)

barryleiba: I've been focusing on tracking by things like FB "like", social media sharing icons

<npdoty> barryleiba, DNT was a specific response to that situation, and various browser tracker blocking features have tried to respond to that

Not a lot of discussion on this topic, lack of awareness of how this permits tracking even when people have other blockers

<npdoty> double-keying cookies, etc.

barryleiba: would be nice if W3C could do something in this area

christine: we previously discussed doing webinars about work in the field

having a blog post or similar discussing how this happens from a web perspective, is understandable to users (layperson audience)

barryl: we could raise awareness of mitigation techniques, but many are "too geeky", not great for mobile

jnovak: Mozilla, for example, are trimming referers
... interesting mitigation that doesn't require user effort

Could PING provide a forum for discussing mitigations?

<jnovak> and / or standardizing mitigations

wseltzer: concrete things PING could do 1. cataloging these things that different browsers + modes do for privacy

Or more broadly, things that *affect* privacy

We could map these out, see which things are valuable enough that they should be in all browsers, how to communicate about them to users

We might get better ideas of possibilities based on what has been done (including extensions users have adopted)

npdoty: good ideas but also is a *lot* of work -- many features, many browsers -- lot of effort to ramp up and also maintain

Would help to know who would use it before committing to lot of work

wseltzer: envision some sort of wiki space, people can note what they find

<npdoty> I guess I was thinking compatibility tables, https://caniuse.com/

Might lead to some interesting explorations

jnovak: I think this is complementary -- if we look at what we think would be useful features, and which *have* been adopted/deployed

wseltzer: each of those represent an idea that *some* implementer thought was worthwhile
... so is a seed for finding useful features

chaals: it would be a lot of work, but helpful to see what people have considered important enough to implement

Helpful also for motivating further work

Would rather take question as "what are people doing" and then saying "is this improving privacy or not"?

Rather than working out what privacy *is*, which is harder to nail down

Practical work may help in making progress

(keeping scope)

christine: appreciate the pragmatic approach
... if we can get participation from implementers -- point to resources, be on a call? -- that would be a start

PING members likely able to identify who these people are

christine: lot of great ideas proposed, work to be done, but of course we have members with not a lot of free time
... need to keep it manageable

Suggestion: take look at what is happening now (like Mozilla referer trimming)

Explore whether it's useful for web users or not, as starting point

Also like to think about coming up with list of topics and speakers for webinars -- like on a wiki?

Open to ideas as to what we can tackle first

npdoty: still concerned about meta-questions of resources

as in not having enough time to participate

christine: chairs, Sam, and anyone else who wants to participate will figure this out after the call

we do indeed struggle with reviews - finding people with right overlapping sets of expertise

sometimes -- small but exciting initiative will attract people to pitch in

example: hackathon for HTTP 451 -- was inspiring

so can try to find a way to get dedicated time for people with interest & skills together

chaals: yes, necessary to figure out what resources we have. Valuable to have someone dedicate small amounts of regular time to push things ahead
... not sure where to find list of comments we have given -- that would be a helpful resource (find common threads)

<npdoty> not up to date, but an incomplete list of privacy reviews: https://www.w3.org/wiki/Privacy/Privacy_Reviews

privacy questionnaires may reflect common threads but we may not have had dedicated to track these

tooling and process is important - if it's hard to contribute *part-time*, we won't get anyone

need to deal with bursty flow - having small amounts of activity is helpful

Devices and Sensors recharter

(does not look dead)

weiler: Devices & Sensors WG is trying to recharter

There have been privacy issues in this domain; if PING members have comments, please contribute

Preferably on WG mailing list

Chair of WG doesn't so much want generalized privacy concerns -- specific ones, preferable

Make a good case for a particular concern

<npdoty> I think both charters and document tooling have been good places to prompt privacy reviews

Next call?

PING & Friends f2f at IETF will happen again

I cannot go. :-(

<npdoty> I can't do the 19th, but could do the 12th or 5th

Next call: April 19?

<weiler> 19 April is lovely for me, but that is far away, in case new review requests come in.

<npdoty> 5 April?

<jnovak> 5th works for me

Try 5 April.

Thanks all!

christine: appreciate the work & ideas you all provided

<chaals> Hmm. Note that HTML will put up a request at the start of April... 19th would be a good time to have a discussion of it

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/03/08 18:02:24 $
