Today's agenda: no reviews on the stack, discuss PING planning
We can think about the broader W3C work in general and what could W3C be doing to further web privacy?
<specter> Hi!
<specter> thanks Wendy!
Next IETF meeting (IETF 101) - put together topics for "mini privacy hackathon" before meeting
See email: https://lists.w3.org/Archives/Public/public-privacy/2018JanMar/0021.html
Any questions on the hackathon?
<npdoty> I'll be looking at mailing list analysis / research at the IETF hackathon if others are interested in that as well: https://mailarchive.ietf.org/arch/msg/hackathon/dX1qDS3yfUg3Xnuw-tnRVMr6z88
IETF hackathon page: https://www.ietf.org/how/runningcode/hackathons/101-hackathon/
On broader planning: is there still interest in a permissions workshop?
Sam: yes, still interest but no concrete planning
Suggestion: PING can take effort to push this forward
Find a host (Mozilla?)
There is a related workshop in Europe?
<npdoty> is there a link to more info?
https://www.w3.org/2018/vocabws/
"A W3C Workshop on Privacy and Linked Data", 17–18 April 2018, WU Wien, Vienna, Austria
"Data Privacy Controls and Vocabularies"
seltzer: this is mainly an EU workshop with peripheral W3C involvement
christine: permissions is an area where PING could provide contributions - important area
... what could W3C be doing (technical or otherwise)?
jason: have thoughts, not fully-formed yet, on what PING can be doing
... Dave Singer mentioned at TPAC that PING could be "center of excellence" for privacy
Speakers, info source, etc -- this could be one place to contribute
<npdoty> I like the idea of bringing in speakers, like inviting people to speak at TPAC
christine: agree, this group knows of people who are doing work in this domain to call on
how to do this in a format that is long-lasting -- beyond a phone call
Would need a repository
Not everyone can be live on the call, for instance -- this is solvable
Record talks for later
wseltzer: seminars, best practices would be a great thing
<npdoty> ws: what are good mechanisms that voluntary standards can help with?
another thing (from W3C perspective) -- what are good mechanisms to improve user privacy on the web, and how can we "pull together" on standards to help this?
Can we learn from less-successful efforts in this space?
<scribe> New advertising group is an opportunity to find solutions
christine: is there a way to standardize aspects of private browsing, or at least document current state of play?
Would be snapshot (since it's not static); this is only one piece but been talked about as an area PING could work on
jason: Hadley Beeman has some work on this (TPAC presentation)
tara: I recall there being general support, if no concrete plan
weiler: will close the loop with Hadley
... finding sites that are detecting incognito mode, turning users away in that mode, is akin to ad-blocker detection
Is this something PING should look into, if detection will push people away from using incognito mode?
christine: highlighting the practice is useful; people may be unaware of this
solution is trickier, but exploring the issue likely helpful
<jnovak> nick if you’re talking we can’t hear you
chaals: it's interesting to document; why is this intrinsically bad, though?
Pay sites take dim view of those who circumvent free access restrictions
<Zakim> weiler, you wanted to answer chaals
weiler: I see case for pay sites, but for some sites this might be about ad tracking
<npdoty> we could spend a lot of time documenting all privacy-related features in browsers
<npdoty> ... like the different tracking-blocking measures
<npdoty> ... but I'm not sure whether it will be as useful for us
chaals: sites might be poor actor (using the tech badly), but I am not sure this is a justification for technically blocking it - it makes more sense to explain what people do on the web, and let the world judge when that is OK and when it isn't
christine (in response to npdoty) - it might be useful if there was a need to standardize some of these features
jnovak: re sites detecting private browsing modes, with legit/illegit purposes...there is a higher-level question: what *is* privacy model for the web?
Both what is it now, and what should it be?
People have different ideas about what privacy is and should be, which is expressed differently in extensions, etc
PING could have higher-level convo to inform development
<weiler> I'm enthused by this vision.
<npdoty> +1
eg, third-party trackers might be bad thing, but newspaper views might not be...but we don't have developed enough views for that yet
christine: discussions have often been "this is the way the web works" rather than "what is the privacy model?" - lot of area for PING to revisit this issue
<npdoty> I think it would help privacy review conversations as well if we had a common privacy model, and could point out why something would change it
<npdoty> as in the confusion over "same-origin policy" being an ambiguous term
jnovak: if we have a model/philosophy of privacy on the web, can inform review work, push out to groups that are developing standards
Can bring privacy discussion to earlier stage -- feature design, not CR
christine: so how do we have this conversation?
Have workshop, with people presenting proposals ahead of time?
Have series of moderated discussions?
Would need a champion to bring enthusiasm, participants, etc
Ideas from group?
jnovak: I like workshop idea - lot of thoughts/opinions, need f2f to get to convergence
Take outputs and put into github or similar
Q: How do we differentiate between privacy and advertising/biz model of web?
Previous discussion, esp. about tracking, devolved into focusing on this specific aspect of privacy
These are second or third-level considerations, not primary
<weiler> If we're doing this as a f2f w/s, I'd love to see it attached to the PETS Symposium, just to get that community's input.
christine: I also fear that focusing on biz aspects will hamper discussion/broader considerations
Need to decouple these considerations
chaals: in contrast, if you talk about privacy w/out talking about what people are doing in reality would be a mistake
I think any discussion need not talk about enforcing a specific model/worldview -- either a very pro-privacy or pro-business stance
jnovak: we agree to some degree. I don't think we can't/shouldn't consider biz models.
More like: if we try to start by encoding *all* existing models, it'll hamper discussion
chaals: There are plenty of people who do good work on privacy in places like China and what those users need
... (found good application from China, as the only one of the class that had vaguely reasonable privacy policy and implementation)
barryleiba: I've been focusing on tracking by things like FB "like", social media sharing icons
<npdoty> barryleiba, DNT was a specific response to that situation, and various browser tracker blocking features have tried to respond to that
Not a lot of discussion on this topic, lack of awareness of how this permits tracking even when people have other blockers
<npdoty> double-keying cookies, etc.
barryleiba: would be nice if W3C could do something in this area
christine: we previously discussed doing webinars about work in the field
having a blog post or similar discussing how this happens from a web perspective, is understandable to users (layperson audience)
barryl: we could raise awareness of mitigation techniques, but many are "too geeky", not great for mobile
jnovak: Mozilla, for example, are trimming referers
... interesting mitigation that doesn't require user effort
Could PING provide a forum for discussing mitigations?
<jnovak> and / or standardizing mitigations
wseltzer: concrete things PING could do 1. cataloging these things that different browsers + modes do for privacy
Or more broadly, things that *affect* privacy
We could map these out, see which things are valuable enough that they should be in all browsers, how to communicate about them to users
We might get better ideas of possibilities based on what has been done (including extensions users have adopted)
npdoty: good ideas but also is a *lot* of work -- many features, many browsers -- lot of effort to ramp up and also maintain
Would help to know who would use it before committing to lot of work
wseltzer: envision some sort of wiki space, people can note what they find
<npdoty> I guess I was thinking compatibility tables, https://caniuse.com/
Might lead to some interesting explorations
jnovak: I think this is complementary -- if we look at what we think would be useful features, and which *have* been adopted/deployed
wseltzer: each of those represent an idea that *some* implementer thought was worthwhile
... so is a seed for finding useful features
chaals: it would be a lot of work, but helpful to see what people have considered important enough to implement
Helpful also for motivating further work
Would rather take question as "what are people doing" and then saying "is this improving privacy or not"?
Rather than working out what privacy *is*, which is harder to nail down
Practical work may help in making progress
(keeping scope)
christine: appreciate the pragmatic approach
... if we can get participation from implementers -- point to resources, be on a call? -- that would be a start
PING members likely able to identify who these people are
christine: lot of great ideas proposed, work to be done, but of course we have members with not a lot of free time
... need to keep it manageable
Suggestion: take look at what is happening now (like Mozilla referer trimming)
Explore whether it's useful for web users or not, as starting point
Also like to think about coming up with list of topics and speakers for webinars -- like on a wiki?
Open to ideas as to what we can tackle first
npdoty: still concerned about meta-questions of resources
as in not having enough time to participate
christine: chairs, Sam, and anyone else who wants to participate will figure this out after the call
we do indeed struggle with reviews - finding people with right overlapping sets of expertise
sometimes -- small but exciting initiative will attract people to pitch in
example: hackathon for HTTP 451 -- was inspiring
so can try to find a way to get dedicated time for people with interest & skills together
chaals: yes, necessary to figure out what resources we have. Valuable to have someone dedicate small amounts of regular time to push things ahead
... not sure where to find list of comments we have given -- that would be a helpful resource (find common threads)
<npdoty> not up to date, but an incomplete list of privacy reviews: https://www.w3.org/wiki/Privacy/Privacy_Reviews
privacy questionnaires may reflect common threads but we may not have had dedicated to track these
tooling and process is important - if it's hard to contribute *part-time*, we won't get anyone
need to deal with bursty flow - having small amounts of activity is helpful
(does not look dead)
weiler: Devices & Sensors WG is trying to recharter
There have been privacy issues in this domain; if PING members have comments, please contribute
Preferably on WG mailing list
Chair of WG doesn't so much want generalized privacy concerns -- specific ones, preferable
Make a good case for a particular concern
<npdoty> I think both charters and document tooling have been good places to prompt privacy reviews
Next call?
PING & Friends f2f at IETF will happen again
I cannot go. :-(
<npdoty> I can't do the 19th, but could do the 12th or 5th
Next call: April 19?
<weiler> 19 April is lovely for me, but that is far away, in case new review requests come in.
<npdoty> 5 April?
<jnovak> 5th works for me
Try 5 April.
Thanks all!
christine: appreciate the work & ideas you all provided
<chaals> Hmm. Note that HTML will put up a request at the start of April... 19th would be a good time to have a discussion of it
Present: weiler tara jnovak LCPolan christine wseltzer npdoty MikeSpecter chaals Barry_Leiba
Scribe (inferred): tara
Date: 08 Mar 2018