See also: IRC log
<trackbot> Date: 25 June 2015
<christine> Hello Wendy, are you here?
<christine> A very big thank you!
<tara> Christine, have you set up the conference already?
<christine> regrets Karima
<tara> Scribe?
<tara> Thanks, Wendy, for doing logistics work!
<gnorcie> testing 123
<mike_oneill> thanks
This is Lake - actual first time on IRC!
<tara> http://www.w3.org/TR/2015/WD-mediacapture-streams-20150414/#privacy-and-security-considerations
<tara> Last call on this document coincided with our PING call.
<tara> Katie had provided comments previously.
<tara> Useful to have further comments at this stage.
<tara> Homework from last call :-) was to come ready to discuss this document.
MediaCapture status: comments from email list
-no comments
<tara> No comments on email list between then and now, but Joe and Greg (CDT) indicated that they intended to review.
<mike_oneill> +q
<wseltzer> scribenick: Guest77
<wseltzer> scribe: Lake
Mike O: raised concern with cross-origin passing
<tara> Mike: Device ID as drive-by identifier; fingerprinting threat, can be passed cross-origin
Greg: agrees with fingerprinting comment; "mixed content" - need stricter definition
<SimonRice> +q
<wseltzer> [Note that WebAppSec is working on Mixed Content spec -- and would welcome comments]
<tara> CDT comments: https://lists.w3.org/Archives/Public/public-privacy/2015AprJun/0079.html
<wseltzer> Mixed Content, in CR
Mike: any third party script can see IP address
'Not limited to a single origin'
<SimonRice> Section 9.3.1 Attributes references the use of persistent identifiers
<tara> Q: how do they protect device iD?
Q: How do they protect device IDs? Why should a platform know how many devices/of which class, without seeking authorization
<tara> Christine: how do you know number of device/class of devices w/out authorization?
<christine> +q
Greg: Does consent carry forward across session? Do you have to revoke consent? Should be easy to revoke
Mike: Or built-in sunset with
defined lapse period
... Don't want to rely on people to remember to go back to
revoke/clear
Simon: Why wouldn't identifier change btw sessions?
<Zakim> wseltzer, you wanted to comment on permissions and to comment on mixed content
<wseltzer> http://www.w3.org/TR/permissions/
<tara> Wendy - two relevant specs - Mixed Content spec (see above); + Permissions API. Goal would be for other specs like Media Capture to use these as guidance.
Wendy: Mixed content spec and
Permissions API - both aim to give guidance re: mixed content
handling, permissions. Comments on persistence of permissions
should also be directed to these specs
... pushback from browser developers - while they don't want to
standardize UI, often using dropdown to control permissions
Christine: spec should go further
- recommend platforms devp'rs don't use persistent
identifiers
... indicate that permission is persistent?
Mike: interface should indicate that persistent permission is in use, with potential privacy risk
<wseltzer> [ some browsers have "door-hanger" notifications]
<SimonRice> Correction: The comment "interface should indicate that persistent permission is in use, with potential privacy risk" was from mike_oneill
Comments to be summarized to be sent to MediaCapture authors
<tara> https://w3ctag.github.io/security-questionnaire/
<tara> (Thanks, Christine, for filling in the background!)
PING to work with TAG on draft privacy questionnaire
<tara> Thanks Greg & Joe for work on this!
<tara> CDT comments: https://lists.w3.org/Archives/Public/public-privacy/2015AprJun/0068.html
CDT comments: compared draft to questions prepared by Nick; found largely focused on confidentiality, etc,
Pulled out privacy-specific list
Privacy section mirrors the security considerations section
To help people think about broader privacy questions
Need group input to flesh out privacy questions
<chaals> [+1 to having a privacy thing that isn't just an addendum to security issues]
<christine> +q
Christine: especially tricky issues/ new insights?
<SimonRice> +q
Greg: some issues hard to clearly slot as either security v. privacy
<mike_oneill> +q
Simon: data itself v uses of data; how use decisions impact individuals
Greg: doesn't really address as of now; could work this distinction in
<christine> +q
Mike: Security Qs don't address limits on persistence as of now; also should address same origin policy
<tara> Same origin policy limited in providing privacy guarantees
Mike: when you give permission to other 'principal', establishing relationship btw person and entity; should be discussed more
Greg: open to changing same origin language
<Zakim> Ryladog, you wanted to say (I cannot talk now) do we have questions about 'holding' and controlling data?
Katie: data controller responsibilities covered?
Should tell spec writers what responsibilities are for data controllers
Christine: Support this idea in principle, but what about legal responsibilities?
<tara> Christine: data controller language strays into legal requirements, which can be problematic for W3C spec
<mike_oneill> +q
<SimonRice> +q
<Ryladog> +1 to agree with you...but to identify that the technology developed have "a" responsibility
But, room to make recommendations for platform developers: 'don't use persistent IDs...'
<Ryladog> =!
<Ryladog> +1
Can achieve Simon's ask if frame in terms of data minimization, not legal responsibility
Mike: ISO standard could be useful; could import terms
<SimonRice> ICO Privacy Impact Assessment Code of Practice page https://ico.org.uk/pia and https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
Simon: See annex 1 and 2; questions for new tech projects. Could help flesh out privacy questions
<christine> +q
<mike_oneill> where is it?
Christine: F2F Ping meeting next month alongside IETF; who's attending? Could devote to questionnaire
<wseltzer> [I'll be there]
<wseltzer> Prague
<tara> Sadly, I will not be there.
<christine> +q
Christine: Would like to have stronger impact on W3C work, through good, quick, consistent advice
And, through joint work with TAG
Questionnaire will go out at TAG finding
-as
Other suggestions, to help produce standards that are more privacy protecting?
<mike_oneill> +q
Wendy: Goal is to make privacy review necessary part of spec dev't
<wseltzer> ... and to bring people together to do that work
<wseltzer> ... Thanks to all who are working here!
<tara> Yes, thanks for all the pro bono privacy work!
Mike: ISO spec as starting point for common terms
Christine: useful to have common terms; common though for standards bodies to use their own terms. Terms need to be legible to W3C standards authors
<tara> Next call?
Next call: after F2f at end of July, or August?
<mike_oneill> bye
<tara> trackbot, end meeting
This is scribe.perl Revision: 1.140 of Date: 2014-11-06 18:16:30 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/Q:/Christine:/ Succeeded: s/want to consider/while they don't want to standardize UI, often/ Succeeded: s/Simon:/Mike:/ Found ScribeNick: Guest77 Found Scribe: Lake Default Present: christine, +1.613.304.aaaa, tara, +1.202.407.aabb, fjh, +1.646.283.aacc, WSeltzer, +44.793.550.aadd, Hannes, mike_oneill, Chaals, [IPcaller], Katie_Haritos-Shea Present: christine +1.613.304.aaaa tara +1.202.407.aabb fjh +1.646.283.aacc WSeltzer +44.793.550.aadd Hannes mike_oneill Chaals [IPcaller] Katie_Haritos-Shea Simon Lake Regrets: npdoty Karima WARNING: No meeting chair found! You should specify the meeting chair like this: <dbooth> Chair: dbooth Found Date: 25 Jun 2015 Guessing minutes URL: http://www.w3.org/2015/06/25-privacy-minutes.html People with action items: WARNING: Input appears to use implicit continuation lines. You may need the "-implicitContinuations" option.[End of scribe.perl diagnostic output]