W3C

- DRAFT -

Permissions Workshop, day 2

27 Sep 2018

Attendees

Present
tdrake
Scribe
npdoty, bradkulick, wseltzer, moneill, jnovak, hta


<ParLannero_> Scary permissions! Great topic.

The Role of Platforms

<npdoty> scribenick: npdoty

[introductions of reps from Chrome, Brave, Apple, Mozilla]

standardizing permissions models vs. leaving it up to each browser?

jnovak: how can we tie a permission to a user event; what is the value of an asset and how long should permission last
... iOS and MacOS have different UI with different affordances
... standards shouldn't overspecify UI

Thomas: don't prescribe how to actually implement or when to show them, a good amount of leeway
... would love for browsers to be aligned in their behavior, when prompting changes
... standardization so that developers have something to build against -- a balance
... leaning more towards browser being able to change in response to ecosystem

Diane: for immersive web, permissions have different weight with the physicality of the experience
... the way that it's presented to you can really impact what you do
... asking for access to all files on a device, while floating in space above a giant grid

[terrifying]

Diane: don't want to overspecify, but need a starting point so that people who are using know where to go to look for permissions and for the interface to be comfortable

tomlowenthal: difficult problem in establishing informed, affirmative consent for powerful/invasive practices, while wanting to be respectful of attention/focus
... responsibility of the browser to be an agent and a steward
... present questions that they can reasonably decide about, and only when a decision is necessary
... use clear signals from the user and mediate as the agent on their behalf
... a Web experience that is safe, respectful of consent and attention
... different models of consent, but current model is only okay, drawing a hard line around certain things
... responsibility to experiment

Thomas: +1

jnovak: are we asking users enough questions? in reviewing specifications when we note fingerprinting risks, should we ask the user?

gmandyam: other third-party interactions, including hardware/platform providers (like my employer)
... browser would need to handle discovery of local services
... for example, a network service discovery API that was proposed, but it was too hard to allow arbitrary access to local network devices
... at least need browsers to communicate to hardware vendors and others: what are the minimum criteria needed for these services to be discoverable?
... just having that out there on paper would help us

<wseltzer> gmandyam: "what is the minimum set of requirements that browsers would require of 3d party hardware to make their services discoverable to the user?"

Thomas: yes, as browsers need to communicate to various vendors. not sure if it needs to be standardized
... browser wants to add a capability, then they should discuss with other browsers to see if others are interested

<Zakim> robin, you wanted to talk about a baseline for permissions rather than specific UI

robin: don't need complex standards work, but need some documented/public -- like Notes at W3C or similar
... so that people not in the room yet, future browser vendors, etc.

tomlowenthal: a non-standard ledger, a collective register of what changes are being made where everyone can get to it (as opposed to silo'd changelogs)
... have a log of changes which are going to be made

hober: the Interventions document is a similar list

Thomas: Chrome has an Intent to Implement

robin: but maybe it would be useful to have a place that has it from all the browsers
... has been done specifically around Service Workers

tomlowenthal: index by feature or date, rather than going to each browser's notes individually

robin: whether UI should be standardized is an old discussion which we won't see new resolution on
... but, what about a baseline of browser behavior, where browsers can do more but not less
... we all agree that this is the baseline regarding privacy and data protection and security on the Web

jnovak: legal requirements that any agent will have to offer, so might basically need to standardize?

Thomas: a minimum standard might just be what the standards process is
... while it might be nice, I don't think permissions requires a common set for privacy and security

robin: a uniform baseline so that we can trust the security and privacy of the browser

tomlowenthal: would like that, but would have to include identifiers/fingerprinting, and not sure if that would require prohibiting adding new features

Diane: experimentation is very important for new browsers, wouldn't want a baseline to prevent collection of data on something new

wbaker: experiences required to portray in front of the user, browsers should own that and take every active step to do it, and if browsers don't then others will do that for you
... building consent managers will be difficult, the countervailing strategies from browser vendors prevent publishers from building the experiences that they are required by law to build

hta: the way sites interact with the browser must be standardized (ways to query, etc.)
... Permissions API heading in the right direction. shouldn't standardize user interface
... may need Best Practice documents that can be used to persuade browsers, to enable legal compliance
... need test interfaces for all the permutations of permissions, what happens if the user grants one permission or withdraws another one
... API must be standardized and testing must be available, UI guidance but not standards

aleecia: building consent management into the browser rather than leaving it to publishers/other parties
... for GDPR to be implemented in practice, browsers have to take on consent management

bradkulick: heard multiple cases of users not being able to manage their data, but users don't understand the long/detailed statements
... these are all valid, if in tension
... we need to find some consistency somewhere, and within the browser would be a good spot

weiler: permissions for features and permissions for data -- should we distinguish those

jnovak: no clear separation, some features (geolocation) also produce data

Thomas: notifications is a good example of a feature that doesn't necessarily implicate user data
... legitimate sites that want capabilities that come with data, and they can be good or bad data

ParLannero_: hearing a suggestion that we have a permission interface in the browser, it might be difficult
... the browser could delegate the permission interface to a third party?

<wseltzer> T[homas|om]: No

Thomas: would be hesitant to put in a third party's hands

tomlowenthal: the permissions interface is currently a niche feature, but like the direction
... but concerned about respect for people's time and attention
... a UX challenge for browsers

bobby: contrast with password managers, a somewhat successful area, what is the utility of a password manager and could we extend that to permissions?

tomlowenthal: a good data breach dashboard, where you can go to see what has been lost
... could have automatic logging of what data has been sent to which site, a tool that is easy to use and mostly automated
... lots of engineering work has gone into existing password managers, most browsers have less implementation than dedicated software
... could be a template for what we want to do in terms of managing permissions, it appears only when needed
... doesn't need to be standardized, but could collaborate

Diane: scared by collecting all the data I've sent to all websites in one place

<weiler> +1 to Tom

[recalls that "consent receipts" were proposed for this functionality]

Diane: yay for password managers, but easier to change password than other data about myself

<ryo-k> also +1 to Tom

tdrake: a list of the sites that might have collected data about my physical space

Thomas: interesting, but it would be hard for a browser to do that

Diane: the data collected could be about anywhere

Thomas: it would be nice if we could do more in standards, but as there's still lots of experimentation, leaving decisions up to browser and having active communications from/between browsers

tomlowenthal: want both certainty and improvement, trying things out but also being clear about what we're trying

jnovak: there are exogenous things that may force us

[what's a third party and delegation of software decisions]

<wseltzer> weiler: breakouts

<wseltzer> ... Designate someone other than the leader to take notes and report back

<wseltzer> ... 2: XR (Nell), and Changes in the Environment (Aleecia)

<wseltzer> ... Please scribe

<wseltzer> ... #permissions2 will be XR in the other room

<wseltzer> ... return here at 10:45

<ParLannero_> I will need to logout soon. Thanks for setting up the webex meeting!

<inserted> scribenick: bradkulick

Changes in the Environment

aleecia: DNT started 6-7 yrs ago on
... not as much on consumer side. then iot has helped to get us here
... env changed and here we are
... here are 8 thots on changes:
... 1 better priv reporting in journalism
... seeing new financial models, but they are payment for no ads
... ad blocking is way up
... thot to be niche at first
... ad blocking way up
... adv panic
... dnt was meant to be a way to avoid ad blocking
... when do ad blocking, they dont come back
... on consumers side -- Equifax and Cambridge Analytica were big news
... 80% polling for CCPA would like to be able to opt-out of data collection
... other changes:
... Snowden
... tech stack is all vuln
... privacy issues intermingled with security issues
... NSA wants to keep these security toys, which are also privacy concerns
... another related piece.. San Bernardino
... govt lost in the press
... this is back for the aussies
... backdoors everywhere unless working with a bank
... using enc is assumption of guilt

martin (who didn't state his name for the scribe): this is not how i see it

scribe: legal status of requests ambiguous
... interesting part of the biz collaboration with govt

aleecia: oath has serious data breaches, but thru lawful intercept (didn't capture all)

martin (who didn't state his name AGAIN for the scribe): the intent was not to break enc and part of supp info to the bills

scribe: not appropriate to characterize as breaking enc

aleecia: thank you martin for the info
... will be interesting to see how it plays out
... last piece
... learning from brexit, trump, seeing data targeting social unrest
... fate of western democracy gets hinged in part on what happens in this room
... people asking FB, G, etc to do better
... do we care, do perms matter
... does this change what we do with perms

wendell: in 2011 and 2012 w3c had conferences on some of this
... lot of issues that drive ad blocking and DNT... it would be good if web standards support some things to allow this
... for example something to eliminate need for cookie syncing
... analytics -- there is no understanding of how analytics works
... a lot of these things need to be built on top of the web platform
... find a way to use narrow use cases to allow them

<mt_____> for wbaker: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/sendBeacon

wendell: bizs can be clear what they need to run
... what is diff is when things are changing

serge: i've studied these... these are honest apps...
... on android platform, where there isn't enforcement. we are finding 75% sending with other identifiers

<serge> *dishonest* apps

serge: ad actors are behaving

sam: what is the impact on ads when 40% say no

wendell: not clear, but will impact the companies and people will be out of jobs

sam: i believe they will work around it

<serge> People were out of jobs when asbestos became illegal

wendell: i believe you are right. biz will try to protect their bizs

<serge> That's not really society's problem.

<serge> Companies don't have an inalienable right to profit by any means necessary.

wendell: but many other players wont be acting in these bad ways

jason: biz models built on platform and now should make changes to continue to allow... is this your argument

wendell: yes, but add constrained changes, not everything

jason: fundamental question: lots of tech used in unforeseen ways and some are priv invasive in unexpected ways, remember platforms also need to think about protecting users.
... i understand the ask for webid for the web
... i would say why not just do contextual ads

wendell: respond to contextual ads
... selling media requires how much you sold
... serverside counting was first used
... it was good in the beginning of web
... still need to be able to measure

jason: i hear your arg as need to sustain current biz models
... biz models need to adapt

<Zakim> robin, you wanted to speak to a reliable ad stack to bypass cookies entirely

<serge> Food companies would make a lot more revenue if there weren't regulations concerning the amount of rat feces that can appear in their products.

Robin (who also didn't announce his name for the scribe): there are other solutions

scribe: web platform has js to handle, but the way it is done is a hack on top of a hack
... fraud is a huge problem
... and adds 20%
... adding ID is not the answer since they will be abused
... maybe alts would be browser vendors, signatures
... signing viewability requests
... prob is real, we should help the ad ecosystem work better

aleecia: thanks for being polite
... how do we do it better
... gone from internet should be anon to how we can track and make better

<tomlowenthal> +q

aleecia: conflating internet with the web... thats another problem...
... what the point, who is it for, what is it for?

<tomlowenthal> +q to point out that nobody wants to be tracked, and ads don't even need tracking

sam: tv ads did using the tracking that is being asked

martin: and it was terrible

aleecia: in fairness, the financial model was diff
... i get basic point, but they are diff

tom: nobody wants to be tracked
... at all

<Zakim> tomlowenthal, you wanted to point out that nobody wants to be tracked, and ads don't even need tracking

tom: in Europe, tracking w/o consent is harmful
... b/c it has been built into the mobile model is not a reason to do it elsewhere
... you don't need to track people to do good ads
... do the moral thing and the right thing

<serge> The ad ID *doesn't* work. Period.

jason: point about ad id in mobile and have for web.... there are a lot of things that might not be okay about it to put it on the web
... it's a complex prob.
... we can look at things

Frauke: i am not sure if its true that people dont want to see if they need to pay

tom: u don't need to track to see good ads
... you should always have option to pay to not see ads

???: wondering if you could point me to data research

scribe: your point is about def of tracking

tom: my def of tracking is someone else knows about multiple events about me

aleecia: i can provide some research
... bunch of changes

Permissions, Policy, and Regulation (Bobby)

<inserted> scribenick: wseltzer

bobby: The Digital Standard, https://github.com/TheDigitalStandard/TheDigitalStandard
... examples of insufficient disclosures, e.g. ACR (automated content recognition) on smart TVs; a fertility-tracking app
... chart ranking peer-to-peer payment services
... https://twitter.com/darkpatterns
... Deceived by Design

<mt_____> https://fil.forbrukerradet.no/wp-content/uploads/2018/06/2018-06-27-deceived-by-design-final.pdf

<serge> This is highly relevant: https://medium.com/@eshan/the-rise-of-the-ux-torturer-7fba47ba6f22

<mt_____> also: https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/

serge: a dark pattern in Office: "Yes" and "Not now" buttons.

robin: have you considered building ranking for browsers?

<mt_____> I got hit by the above: I had to use Chrome because hangouts doesn't work in other browsers; hangouts require login; that meant I was logged in to Chrome = fail

<serge> https://twitter.com/v0max/status/997291608449126400

<serge> my mistake: it's "Accept" and "Learn More"

bobby: yes, and it's complex to do and to keep updated

mt_____: for the rankings, there's additional text available to explain the categories

bobby: prompts for discussion: examples of exemplary behavior?
... Can we have standardized permissions for other user activity?

ted: at what point on a grid do you say "we don't recommend using this application?"

bobby: if there were a real security problem, we'd indicate that and say don't use
... pushing companies to connect their privacy policies to product features/capabilities

serge: we're planning to offer an API to our data (on privacy and security flaws in apps)

Frauke: right now you don't have consumer perception in the mix?

bobby: I'd like to get more data on consumers' perception

<christine_utz> Are the tracks synced in some way? I'm worried about missing the Vocabularies session

bobby: we have a national panel surveying individuals

Frauke: are those surveys public?

bobby: no, those are private

https://www.consumerreports.org/digital-payments/mobile-p2p-payment-services-review/

[session switch]

This room will be API designs and consistency

API designs and consistency

https://www.w3.org/TR/permissions/

<inserted> scribenick: moneill

nick: permissions api - requests or revoke

nic: martin: also restrict()

<wseltzer> https://wicg.github.io/feature-policy/

nick: also talk about FP, CSP, Origin Manifest

martin: mozilla implementing feature policy

nick: many apis have their own permissions api

<wseltzer> moneill: missing from Permissions API is ability for requester to ask why they want the permission, and for that to get recorded

moneill: discuss extra info passed across from origin about purpose etc.

martin: when prompt comes, promise does not resolve yet, till doorhanger eventually appears

thomas: browsers should mediate when doorhanger appears

tom: discussion about browser mediation and promise resolution

nell: getting into the weeds on particular use of API

martin: restrict() : csp is a disaster , FP is bastard step child,
... like that top level context has authority
... javascript replaces FP headers

jason: you have add strings to camera access permission api in iOS

nell: visual cues to say text comes from site rather than browser
... it's too easy to be paralysed into inaction
... more user research - we've hit a wall, history is stopping us moving forward

thomas: user study organised thru W3C would be good.

wendy: could be PING that organises those kind of studies.

nell: is there prior history?

wendy: not aware, not directly

nell: if there is existing research, then decide if further could be done thru W3C

jason: ping maybe not the place to start this

nick: this is possibly more than privacy

thomas: Google Chrome already has lot of data

martin: nenough of mozilla data public
... telemetry is public

nell: we should be aware of what this means before we start. big opportunity for this group to initiate this

tom: what I'm hearing: we need data so we can make decisions, we've hit an empirical question, let's get data from browsers if it's there, then decide then - it's a process
... maybe valuable to have a 1 or 2 day workshop to start off this activity

thomas: hear hear

nell: we have a real opportunity to get answers

wendy: discuss all this at TPAC

<wseltzer> [lunch]

<tomlowenthal> Perhaps, if a WG needs an empirical answer on a question to proceed, they could track that question in the form of their usual issue-tracking, hand that question over to the get-an-answer-to-an-empirical-question process, and then get back an answer before proceeding. Perhaps we could have a workshop on empirical research?

<inserted> scribenick: jnovak

Consent Requests

Christine Utz: Did measurements of the top 500 websites in each EU member state and looked to see what happened because of GDPR. Looked at privacy policies and cookie notices.

scribe: Learned about GDPR yesterday and today.
... Six legal bases: consent is one
... consent needs to be freely given
... some transparency requirements about what consent is given for
... consent needs to be recorded in some way

<mt_____> c.f. https://en.wikipedia.org/wiki/Hobson's_choice

scribe: and individual needs to be able to withdraw consent at any time
... Core finding of study is that there is an increase everywhere in privacy policies and consent notifications

Christine Utz: six types of notifications for consent: No option, confirmation only, binary, check boxes, slider, IAB vendor selection

<ParLannero> Hi, I'm still with you from Europe. Thanks for keeping the Webex open. :)

scribe: in the checkbox model there's usually one checkbox that is deemed "necessary" and cannot be unchecked
... slider is also category based
... IAB vendor selection dialog seen earlier in Jo's talk
... display of distribution by type, with 50% having no banner
... second most is no option
... Problems: nothing prevents websites from deeming all cookies as strictly necessary; need to implement the setting of cookies or not as strictly necessary.
... GDPR requires withdrawal of consent but difficult to implement this, especially for a third party cookie, because can code the website in a way that the cookies are only set after user consent but because of SOP cannot delete the cookie
... As soon as you try to withdraw consent for a third party, get message that you can't and an opt-out link
... this was the only opt out library that did this; most just failed silently
... there are also too many consent notifications
... Next steps: usability study of consent notifications, until this everyone wants a browser based solution
... possibly a matrix based approach?

Mike O'Neill: Regarding third party cookies, can set them using external tag management systems, but, can't get rid of the cookie, but can make sure that the third party cookie doesn't load again.

<wseltzer> https://github.com/gorhill/uMatrix/wiki

<wseltzer> https://arxiv.org/abs/1808.05096

Wendell: Some color into the world of a big publishing site.
... all of this is the result of process at my shop
... a lawyer (probably) comes and says you will offer these sorts of opt-in and opt-out functionality to consumers, make it so.
... the lawyers go off and refine the legal understanding
... at least two, maybe three interpretations of stances the company and industry would take
... initially a strict consent requirement
... then a legitimate interest basis with silos for some data that requires additional scrutiny and thus consent (e.g. geolocation)
... out of all of this there is a set of publishers, people who operate websites, who legal says liability flows from them to rest of adtech ecosystem

<christine_utz> Here's the link to our paper: http://arxiv.org/abs/1808.05096

Wendell: publishers had a choice: they could get the browsers to provide the relevant legal assurance that the correct solicitations were made and the material basis was provided and could be passed along down the line or the publishers would have to go provide own experience.
... decision was made for variety of reasons that the browsers would do this
... the purpose of the discussion today is to formulate problems today to see how much browsers could update and join
... and put into chrome
... proposal via W3C was a separate cookie jar with provenance supplied via a header.
... web representation of that standard still out there
... none of the browsers went out to implement that
... in a bizarre state where regulators and legislators maneuvering faster than the industry
... may get a new law or a legal decision against publishers that may result in the publishers wanting to delegate to the browsers.

<tomlowenthal> +q

Wendell: other point to point out is that it could be produced by the browsers but, today, browser's tracking protection features are blocking cookies for consent because the consent walls are third party cookies

+q

tomlowenthal: would like to understand what, if anything, browsers should build

moneill: Consent UI and enforcement
... what actually does happen

tomlowenthal: Still don't know what the mechanism that is desired here
... can you draw what it might look like for some hypothetical browser?
... Don't know what the actual feature looks like
... heard the term 'consent manager' or 'offload to browsers'

Wendell: I should be able to go point you to wireframes, but don't have them handy, will whiteboard it.

https://advertisingconsent.eu/wp-content/uploads/2018/06/Transparency-Consent-Framework-Presentation-Website.pdf

slides 16-18

wendell: see a series of screens depending on the set of relationships
... DPCs have said they want 25 screens
... last screen is that if you have relationships with other service providers, way that GDPR is written is that if you do business and flow data with co-controllers, have to solicit consent for the co-controllers so data can be shared with them. this is different from the processor model.

tomlowenthal: If the last screen is people that a consumer has never heard of, why would they ever say yes?

wendell: Good question

tomlowenthal: If no one ever says yes, why ask the question? Why not automatically say no

wendell: One of the things you are not allowed to do here is to pre-populate checkboxes because free and informed consent. Maybe order the list and have names recognized at the top? It is possible by legal interpretation to have "yes check here and allow all". That is a legal interpretation, may change. A substantial number may change.
... on first party site do see people check it

moneill: have found a roughly 50/50 split, depends on the number of buttons

tomlowenthal: I create an elaborate API, site calls it and asks for all the permissions. browser parses this and has the opportunity to present UI to user, perhaps the user has made decisions already (e.g. never consent to anything), browser fills out in part with user decisions.
... a user who downloads brave will make the indication they never will allow for tracking.
... API is called
... website gets answer No
... If DNT is any indicator, should ask question using the webpage not the browser API

wendell: Don't follow
... the "not using the browser" piece

tomlowenthal: If you reasonably expect that probably going to get answer no from the browser all the time, why use the browser API, why not ask user?

wendell: Only thing that matters is if you got more business done, so, if get no business from browser, why use the browser just use the webpage one instead.
... get business done = experience product and make money

tomlowenthal: Are you suggesting their goal is not to have consent UI in front of users or to get as many yeses as possible

wendell: Want to have as many happy people experience work as possible.
... there's a set of experiences in the way mandated by someone else, so an interest not to do so

tomlowenthal: They're conditionally mandated: need to get consent only for the things that are requiring consent
... regardless or not if (legal interpretation that is it is always necessary to get consent even for not-adtech)
... then, isn't there a time where the No users have any use to you

wendell: Know that there are users who have always said no to tracking in a variety of ways. There is a discussion as to whether or not some controls against tracking are legitimate or not. Perspective is that things built into browser are 'legitimate'
... if it is not in there by the consumer or agents of consumer to circumvent the publisher's legal requirements.

tomlowenthal: if the ad block is in the browser is that okay under this architecture?

wendell: Yes

tomlowenthal: So ship an API that accepts JSON to display, browser always responds no.

teddrake: Brave is a corner case

tomlowenthal: If it works for always answering No, then, works for every other case

wendell: I thought there was a choice?

tomlowenthal: Yes, the download page says "Block all ads"

Robin: Interest in implementing browser is to prevent dark patterns from emerging
... I would want browser default answer to be always No
... expect to be relatively synchronous so always responds
... expect to be not in the way dialog

Wendell: If browsers create this, and tom's proposal holds of out of browser UI says that you are blocking all tracking
... or not consenting to any tracking
... Is there a way to ever turn that on?

tomlowenthal: Yes, Brave has an oft-unused button to disable ad blocking
... it is a second tier shield setting
... if we build this can build a box that says do not consent to tracking on sites

moneill: needs to be a per site setting

wendell: Would be hard pressed to say that the proposed feature above is not a factory build in thing

<wseltzer> jnovak: if a browser today set DNT to Do Not Track, why wouldn't industry take that as a signal?

<wseltzer> ... if browser asks on first launch, do you want to allow all tracking, no tracking, or site-by-site?

<wseltzer> jnovak: DNT had the agreement not to ask on first launch

<wseltzer> ... has the industry moved to willingness to accept ask on first launch?

<wseltzer> wendell: after 6 years, I believe yes

<wseltzer> ... I think there's appetite for re-evaluating

<wseltzer> ... IAB TCF: transparency and consent framework

<christine_utz> +q

https://iabtechlab.com/standards/gdpr-transparency-and-consent-framework/

<wseltzer> ... if browser were to solicit these dialogs, and those prefs were communicated, we might be able to remove roadblocks

thanks for scribing wendy!

gmandyam: First time I see Brave UA, why don't I pop something up blocking the user from the content

tomlowenthal: User will never see that if using brave

gmandyam: API dialog not that practical as if the browser is not going to give consent, they'll pick it up on the request

tomlowenthal: Then back in the regular world of showing dialog and content
... doing inconvenience blocking but doing it on the secondary dialog

Wendell: One of the tenets is that if the user doesn't consent, not allowed to degrade the experience.
... difficult to defend if you block a specific browser

gmandyam: When I think of the mobile web, look at the UA to tailor the user experience
... service providers could fall back to that

wendell: adopted that.
... consent is the strongest of these but most brittle
... there's a middle level that amounts to a paywall
... beginning to see that sort of stuff
... countermeasures is unambiguously over the line

robin and tom: there's a discussion about the fact that California can require payment; the WP29 interpretation is similar now

christine_utz: suggesting moving web app UI to browser chrome?

wendell: Yes
... there's a declared list

christine_utz: don't agree with IAB
... need any third party into dialog, would become any longer
... already unusable for large number of vendors

wendell: Yes. Imagine that the industry dynamic would be to consolidate players into fewer companies that own all the media and solicit fewer of these
... part of the problem is that the list is 300+ now, that doesn't entail the content providers.
... there's an industry evolution here and there may be only so much mindshare that consumers can tolerate in the list

harald: trying to imagine embedding a list of vendors in standard and not being anti-competitive

wendell: there's already a set of machine to machine calls at well known URLs

Harald: proposal a solution that requires a service provider?

robin: could imagine a non-IAB registrar
... could be ICANN-esque

wendell: Could be like robots.txt and hang it off the top of the domain
... alternatively, like ads.txt -- who are the people who can advertise on my media
... there's a crawling mechanism to check ads.txt
... all of those are more or less in place, already run by a trade group, a push to remove from that trade group and move it elsewhere.
... if we did this through a standards space, would want to delegate this back through the web server itself

harald: so the format of that document would be part of the standard but the content would not be?

wendell: yes. thinking on the fly, but what's in that document: purposes (currently 24 and ~5 are defined); vendors (names legal entities in a country)
... BBC has to be in the list somewhere and make sure there's only one entry for them unambiguously and that's what you need a registrar for

moneill: DNT header was a signal to a domain. Whether or not that server did anything with it is a legal issue. One of the problems with the IAB vendor list is that it is a list of numbers with company names and there's no mapping to domains.

Wendell: there's a privacy policy url that you are required to fill out

moneill: there's not an entry per domain -- doubleclick.net is not clearly associated with Google

Wendell: The names of companies are weird because have LLCs etc.

moneill: Today, go to site, get a domain -- don't get a name there.
... DNT required a set of additional URLs and well-known locations

<christine_utz> We're going to continue doing research about improving consent notifications (as long as there's no browser-based solution), so if you have some ideas for that, I'd love to chat offline.

Storage Access

<wseltzer> https://github.com/w3c/permissions-ws-2018/blob/master/storageaccesspermission.md

<inserted> scribenick: npdoty

directive has been law, but regulations are still in progress in different jurisdictions [?]

moneill suggesting that browser can resolve the legal requirements (on publishers?) on consent for local device storage beyond some exemptions

jnovak: sites seem to be asking for browsers to handle the consent management chrome for a set of permissions that they are required to get

mt_____: hypothetically, mediate consent prompting through the browser, and always-reject

moneill: sites might ask for cross-domain persistent state for some particular purpose
... that users might agree to

mt_____: cookie-syncing -- if the first-party wants to pass the information along, they can, and can't be stopped

moneill: but there are legal constraints on that -- other people worry about that

robin: if we can make it so that circumvention is a clear legal violation, that might help

gmandyam: if I were trying to share localstorage across origins, I would send it across with webmessage

[but that would be detectable]

[wait, IndexedDB is origin-scoped, right?]

moneill: let's worry about the stuff that is detectable, and let others worry about those other cases

<gmandyam> To npdoty: IndexedDB is origin-scoped, but Web Messaging allows cross-domain info exchange in the context of the user agent

jnovak: how to detect and block third-party cookies is an ongoing implementation

moneill proposal text: https://github.com/w3c/permissions-ws-2018/blob/master/storageaccesspermission.md

can be discussed in wicg going forward

<ParLannero> great! Where do I find wicg?

swapping first/third-party cookie jars (in Safari), or copying a cookie from a first-party jar into the third-party jar

<wseltzer> ParLannero, https://github.com/wicg

<ParLannero> Thanks!

first parties being able to prompt for embedded third parties

npdoty: don't currently have the functionality where a first party can specify that its third parties shouldn't have access to cookies (or only double-keyed cookies)

jnovak: why embed the third-party content?

lots of web functionality for embedding third party content

robin: publishers often want to embed advertising with some functionality but with some limits

https://github.com/whatwg/html/issues/3338

<jnovak> https://webkit.org/blog/8124/introducing-storage-access-api/

<jnovak> https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/

(links describe current functionality and proposals regarding Storage Access API)

<ParLannero> wseltzer, who was presenting the EU cookie regulation?

<ParLannero> Need to leave. Thanks for having me. I hope there's a followup meeting soon - and the next time I will try to join on venue.

Wrap-up

<hta> scribenick: hta

Summarizing the breakouts.

sam: scary permissions - 3 things stood out.
... engagement as a metric. May be dangerous.
... installation ceremony as a trust indicator. Webstore presumably blessed.
... 3rd point: should we be doing these things at all? (scary caps) - not sure where to have that discussion

mt: summary from changes that have happened 7-8 years
... not much more came out concretely from that session

diane: XR takeaways
... XR is great
... 1) fingerprinting, 2) prior art of what to do and not to do, 3) immersive mode and why it's terrifying
... immersive mode is like fullscreen but more so. AR-lite is a mode where the page doesn't get that much world info.
... hit-testing can become world map if you do enough of it, which negates the restriction
... how can we move between inline mode and immersive mode?
... conclusion: VR/AR/XR are awesome, people should work on it, and people should make it good
... followup: schedule a couple of hours VC to follow up a few specific points
... WG will also meet at TPAC

consumer reports session: no reporter

wendy: great presentation on CR dashboards rating mobile payments apps
... please consider how this can be applied to other products (browsers!)
... proposal: CR may rate browsers on privacy. Some part of this could be automated in WPT.

Ryo: Context session
... how to prompt without letting them be exploited to force users to say "yes"
... geo is easy to understand, others may be much much harder
... outdating mechanism for permissions?
... iot: Cars are different - need a legal ID to operate
... legal IDs may be used for tracking (if available)
... IoT: how many users are using the devices in the room? Did the owner give context to them all?

jason: prompting - browser chrome -....
... could the W3C take on a role to survey results of various permission models, including possibly displaying words from the website. Wendy to investigate

vocabularies - Christine Utz presenting

scribe: facilitate talk between tech people and legal department
... a standardized vocabulary allows creating automated systems for compliance checks

Martin: taxonomies also cover taxonomy of purposes

Tom: Consent requirements

Jason: some ad industry folks think that if browsers took care of consent stuff, the cookie consent walls could go away.
... call for a next step "propose an API"

Tom: Internet Advertising Bureau has a taxonomy and vocabulary

Martin: Storage access
... the proposal being talked about is not internalized by everyone
... idea is to integrate this proposal with the permissions API++
... Proposal in the WICG is a next step

tom: Identity
... OAuth IDPs should change their practices to obtain promises from RPs about what they want to do with the authentications provided
... should try to communicate what was the worst thing that could be done with the capability provided
... try to hold RPs accountable for behavior that diverges from the expectation of the identity subject

tnattestad: need to incentivize RPs to not require more than they need to have (and for IDPs to not give out more than asked for)

end of summaries

npdoty: what should we do next?

tnattestad: if there's something obvious chrome should be doing, tell me now :-)

robin: we'd like there to be a lot less to permit and consent to - please protect users' privacy - implement itp ++
... we as publishers don't want tracking, and would like the browser vendors to stop enabling it

ted drake: when doing doorhangers, test them without a mouse (keyboard only).... (accessibility)

scribe: how to "see" an alert without visualizing it?

wendy: spec editors asked how to set permission expectations around new features and new apis

giri: no, we're not going to change our guidance. Browser vendors feel like it's their domain. need to continue on that paradigm.

robin: more permissions and more advice won't help - can we make a simpler model - "casual web" vs "installed web"?
... could remove a bunch of APIs from the casual web (like webrtc) - which would remove a lot of fingerprinting surface

<mt_____> robin says fork the web

npdoty: reasons why we don't want to do it that way
... progressive enhancements (ask for only the little bits) are a different approach

<mt_____> npdoty says that the existence of a wall might create conditions where presence on the inner side of the wall privileges certain parties

<wseltzer> weiler: we could write down questions: can you get implicit consent, how can you provide context?

<wseltzer> ... can we enumerate more of those questions?

giri: need to beef up specs on "here are the things that users need to consciously accept doing" - but leave the UI to the browser

<inserted> scribenick: wseltzer

weiler: deeper dive around consents re capabilities and consents around data

jnovak: if the only example is notifications, then why distinguish?

<hta> wseltzer: do you have the pen?

<hta> * please

robin: sounds like discussions from 10 years ago in device APIs

npdoty: principles and questions, rather than concrete guidance, let us give more help

robin: give a checklist to the TAG

<hta> wseltzer: in the absence of specific guidance, we get a common understanding of patterns

franke: I kept hearing about users' lack of understanding; wonder what we can take as a next step there

hta: understanding why the user doesn't understand is a deep question

franke: unpack "privacy", what matters to the user

bobby: I'm re-immersed with how difficult the problem is
... many more conversations with those who build the platform

Jo: can we rate the scariness of features?

Dan: help users understand the consequences of their actions
... what does it mean when they take a choice? standardize the presentation/common understanding

weiler: thinking of language issues, timing of request

ted: no general issues re accessibility, beyond being able to access the prompt and response. cognitive accessibility, might require reminders

weiler: other assignments or actions?

npdoty: how can site developers do a better job? how can we nudge them toward better jobs?

hober: robin asked to be constrained against doing things

robin: if we can, we'll be pressured into doing them; we'd rather not be able to do bad things

thomas: can we give devs any help other than changing browser or specs?

robin: no
... we're trying to be respectful of users in an environment that's hostile to them; to do more, requires browsers to change

hta: realizing how much infrastructure there is in the advertiser-driven space
... we might be able to help it work better, in conjunction with browsers, requires that we know about it

robin: there's a lot of what happens in advertising that even other web devs don't understand
... there's value in looking at what they do
... horrible mess of hacks and script injection
... if browser supported use cases more directly, we could reduce a ton of scripts and fraud
... that would help web perf, privacy
... I know there's a business group in W3C

Jo: do we need a code of ethics for API implementers?

ted: Consumer Reports helps there

npdoty: that could help with best practice for sites
... if we came up with a list that CR evaluated against, e.g. "good sites don't permission rq on load"

weiler: thank yous!
... PC: thanks Jo, Giri, Nick, Jason, Florian Schaub, others who weren't here or helped behind the scenes
... Jo for lots of advance-work
... Jason and Nick for encouraging diversity
... Thanks to Giri and Qualcomm for hosting.

[applause]

scribe: please share notes
... you can post them to github
... mailing list will continue to exist

tomlowenthal: will you tell us when you have a final report?

weiler: yes
... Thanks all for coming

Breakout room minutes

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2018/10/04 21:20:09 $
