Privacy Interest Group Teleconference -- 13 Sep 2018

<wseltzer> trackbot, start meeting

David Chadwick: sent reminder to mailing list on Verifiable Creds

Steve Olshansky: welcome (back)

<SteveO> Thanks. Glad to be here

<christine> https://w3ctag.github.io/security-questionnaire/

Background: Mike West produced original version of this doc -- self-review questionnaire

On security -- added priacy; adopted by TAG

TAG looking at doc again (living doc) - link above is latest version

Lukasz is the contact person in TAG, is looking at it himself

Coordinating on how PING can help improve doc

Doc helps groups think through privacy considerations before coming to talk to PING -- is self-review

Want to get doc into state to be helpful to design & review process

Would like to get this into shape for TPAC (imminent!)

Many thanks to Jason Novak for stepping up to lead PING's effort on this questionnaire

<npdoty> +1 thanks to jnovak for organizing this

<jnovak> thanks. Happy to help :)

DavidC used the doc for own review (Verifiable claims); had issues with Question 13, would like further description about what is being asked for

<npdoty> looks like first/third-party contexts

runnegar: some of the questions have more detail than others, and this one looks like a candidate for adding detail

jnovak: thanks for feedback.
... thoughts for review: there are several old docs that are aligned/misaligned/out of date -- hoping to obsolete
... want to look at questionnaire all in one piece, and also want to look question-by-question

<wseltzer> Jason's email re process for questionnaire

jnovak: circulated email about process; want broad input from PING and want to get planning in place for TPAC timeline

<wseltzer> +1 to jnovak's proposal

runnegar: suggest we review proposal on this call

jnovak: process goal: to do all this in github -- this is where doc resides, is W3C/TAG standard tool, useful for version control
... easier to manage pull requests for TAG review

want to corral specific PING folks to work on specific sections of document - use github, send comments for PING review

jnovak: get comments back before TAG merge
... also should work with to lukasz for coordination of pull requests

it's 4-5 week schedule now to get ahead of TPAC deadline

npdoty: Opening a PR and *then* getting feedback from people - is that right process? Would it be better to get feedback before PR?

jnovak: might be due to misunderstanding of git mechanics but goal is mainly to just have the right place for PING to give feedback
... whatever the right process is for that - fine to follow this

<npdoty> the TAG repo does have a list of issues: https://github.com/w3ctag/security-questionnaire/issues/

mikeoneill has there been much activity on github so far? I think you should create a branch for the work for the next few weeks.

jnovak: we need to make a branch - do we have a PING repo to fork this to?

wseltzer: suggest working in TAG repo with PING branch

<npdoty> I think a fork is reasonable, because otherwise they have to give us commit access to their repo

runnegar: Jason would also welcome input if you're not so familiar with github

<wseltzer> https://github.com/w3ctag/security-questionnaire

jnovak: would also welcome assistance from github experts
... will set up branch

<wseltzer> https://github.com/w3c/ping is the PING repo

jnovak: we'll work through issues in weekly meetings to coordinate the work
... email chairs to join

npdoty: do we add issues, or work on open items?

jnovak: both. First week: spend time thinking through what we want doc to be.
... if we identify missing section, then we may create work item "add section foo"
... but also we have several existing work items to complete

runnegar: do we have clarity on process now?
... most importantly: we would really appreciate your putting your hand up to contribute

<DavidC> I put my hand up :-)

runnegar: most important person to contact is Jason but also can talk to chairs & staff

<mikeoneill> I can put some time in over the next few weekends

runnegar: if we're okay with process, we can move to the content, but want to make sure we're solid on that point first
... moving to the self-review questionnaire now

<christine> https://w3ctag.github.io/security-questionnaire

jnovak will walk us through questionnaire

jnovak: date is wrong, for starters
... it's about helping spec authors consider security & privacy issues
... starts off with a "privacy by default"-type stance
... talks about user agents in helpful way
... 1.1 - talks about thinking about privacy early, but not sure this is actionable

when you are thinking of building *feature*, think about these concerns

additional concrete steps for authors to take might help

threat models: are reflective of original time doc was written; now there might be more about third-party tracking

(for example)

questions to consider: they have varying levels of depth

some are fine as-is; but maybe "high-value data" is not as clear (what exactly is this?)

some are also more security-focused (rather than privacy)

also location, sensors & others -- need to be updated for current issues/web

fingerprinting doc -- browsers have started making changes on this

incognito mode -- discussions likely (see also research talk this past Monday)

Is this something spec authors should be/can be thinking about?

good mitigation strategies -- but very broad and large hammers in here

there may be better suggestions here (like from GamePad API)

<mikeoneill> +q

runnegar: does anyone on the call have suggestions that we could start discussing today?

npdoty: basic structure is good, matches model in docs like fingerprinting doc; mitigations is the big gap here
... threat models: mostly have focused threats to users from the *site* - not from malicious network attacker

jnovak: that threat has to be in scope

npdoty: suggest making this explicit

runnegar: agree; also stress need to update doc with current ecosystem

DavidC: the origin should be added to threat model

<npdoty> we also occasionally review specs that don't fit into that simple model (origin, browser, user) -- because they're data formats, or technology that can be used that isn't browser-mediated

Different between privacy & security -- clarify

When somebody goes to website -- how much can user be made aware of what is happening without making terrible UX

Should be topic area for putting user at the center - informing user appropriately

Might be explored in permissions workshop later this month?

<npdoty> yeah, user understanding and transparency aren't especially represented here

Find way to highlight user-focused aspects of privacy

(above discussion from mikeoneill)

jnovak: there is lot of discussion of user agent, but not so much about this being "user's agent"
... we may be able to add edits to the start to address this

npdoty: to mike's point -- expanding list of mitigations might help; we use transparency & control
... user understanding is a type of mitigation

runnegar: we have two options now -- we have had a good discussion of the process/plan and initial ideas.

jnovak - can we discuss when we want to get started? To make TPAC, have to start Mon Sept 17th or Sept 24th

Getting started sooner better than later if possible

runnegar - unless any objections...let's start Mon 17th.

consensus seems to be: let's jump in the 17th!

runnegar: reiterate: Jason doing a lot of work but can't do this alone, so please pitch in!
... key thing is to get main elements moving
... AOB?
... thanks, all for joining
... also - the Monday research talk went really well (incognito mode)

Thanks all!

- DRAFT -

Privacy Interest Group Teleconference

13 Sep 2018

Attendees

Contents

Summary of Action Items

Summary of Resolutions

Scribe.perl diagnostic output