15:55:41 RRSAgent has joined #privacy
15:55:41 logging to http://www.w3.org/2012/09/20-privacy-irc
15:55:52 rrsagent, make logs public
15:56:01 Meeting: Privacy Interest Group teleconference
15:56:09 chair: christine
15:56:11 +Rigo
15:56:16 zakim, mute me
15:56:16 Rigo should now be muted
15:56:41 agenda+ Introductions of new members and guests
15:56:44 spreibus has joined #privacy
15:56:59 +npdoty
15:57:04 Hi. For some reason, I can't get Skype to get me through the bridge - never get the prompt for the code.
15:57:08 agenda+ Permissions on the Web (Guest: Dom)
15:57:21 But I am here on IRC and will do the best I can.
15:57:22 agenda+ Coordinating and delivering privacy reviews of draft W3C specifications
15:57:27 tara, note that the code is 1932 today, not the usual
15:57:34 I know - never got that far!
15:57:44 +[IPcaller]
15:57:44 also, you might try calling in a few times, Zakim has been acting up the past few days
15:57:56 tara, keep on re-trying
15:57:57 Twice so far; will keep trying. Thanks!
15:58:14 JC has joined #PRIVACY
15:58:17 I had also trouble from a normal phone, seems like there is another large conf going on
15:58:35 + +44.122.376.aabb
15:58:36 christine has joined #privacy
15:58:49 +??P21
15:59:00 zakim, ??P21 is me
15:59:00 +fjh; got it
15:59:01 Zakim, +44.122.376.aabb is me.
15:59:02 +spreibus; got it
15:59:03 zakim, unmute me
15:59:03 Rigo should no longer be muted
15:59:25 + +1.613.304.aacc
15:59:34 +justin_
15:59:38 + +1.510.701.aadd
15:59:59 Zakim, who is on the phone?
15:59:59 On the phone I see +33.4.92.96.aaaa, Rigo, npdoty, [IPcaller], spreibus, fjh, +1.613.304.aacc, justin_, +1.510.701.aadd
16:00:13 Present+ Frederick_Hirsch
16:00:14 zakim, +1.613.304.aacc is me.
16:00:14 +tara; got it
16:00:23 Zakim, call dom-mobile
16:00:23 ok, dom; the call is being made
16:00:24 +Dom
16:01:08 Zakim, aaaa is Kboudaou
16:01:08 +Kboudaou; got it
16:01:20 zakim, aaaa is Karima_Boudaoud
16:01:20 sorry, rigo, I do not recognize a party named 'aaaa'
16:01:23 Kboudaou is Karima
16:01:28 Zakim, justin_ is actually joehall today
16:01:28 I don't understand 'justin_ is actually joehall today', npdoty
16:01:31 +[Microsoft]
16:01:33 Zakim, justin_ is actually joehall
16:01:33 I don't understand 'justin_ is actually joehall', npdoty
16:01:42 Zakim, justin_ is really [CDT]
16:01:42 +[CDT]; got it
16:01:49 Zakim, [CDT] has joehall
16:01:49 +joehall; got it
16:01:54 zakim, Kboudaou is really Karima_Boudaoud
16:01:54 +Karima_Boudaoud; got it
16:02:05 scribenick: rigo
16:02:10 scirbe: rigo
16:02:15 Zakim, agenda?
16:02:18 I see 3 items remaining on the agenda:
16:02:22 1. Introductions of new members and guests [from rigo]
16:02:25 2. Permissions on the Web (Guest: Dom) [from rigo]
16:02:27 3. Coordinating and delivering privacy reviews of draft W3C specifications [from rigo]
16:02:28 Regrets, Hannes Tschofenig, Erin Kenneally
16:02:41 agenda+ Proposed candidates for PING review
16:02:49 agenda+ Privacy considerations
16:02:57 agenda+ Liaisons
16:03:16 Zakim, take up agendum 1
16:03:16 agendum 1. "Introductions of new members and guests" taken up [from rigo]
16:03:21 regrets+ Hannes_Tschofenig Erin_Kenneally
16:03:30 tara has joined #privacy
16:03:46 + +1.207.756.aaee
16:04:06 Zakim, who is making noise?
16:04:13 zakim, who is tortured
16:04:13 I don't understand 'who is tortured', rigo
16:04:16 npdoty, listening for 10 seconds I heard sound from the following: [IPcaller] (74%)
16:04:49 Presentation: Rigo, W3C Legal Counsel
16:04:53 Zakim, {IP caller} is me
16:04:54 I don't understand '{IP caller} is me', christine
16:04:55 JC Cannon, Microsoft, online privacy strategy
16:04:56 Christine Runnegar, ISOC
16:05:01 JC Cannon, MS
16:05:04 Nick Doty, W3C
16:05:08 Zakim, [IP caller] is me
16:05:10 Joe Hall, CDT
16:05:10 I don't understand '[IP caller] is me', christine
16:05:11 Zakim, [IPcaller] is christine
16:05:17 +christine; got it
16:05:24 +??P35
16:05:30 Dom, W3C
16:05:36 Sören Preibusch, U Cambridge
16:05:45 Frederick Hirsch, Nokia, Chair of DAP WG
16:05:49 Tara Whalen, Office of the Privacy Commissioner of Canada, PING co-chair
16:05:54 s/Dom/Dominique Hazael-Massieux/
16:05:57 dsinger has joined #privacy
16:06:22 Zakim, who's on the call?
16:06:22 On the phone I see Karima_Boudaoud, Rigo, npdoty, christine, spreibus, fjh, tara, [CDT], +1.510.701.aadd, Dom, [Microsoft], +1.207.756.aaee, ??P35
16:06:25 [CDT] has joehall
16:06:30 +[Apple]
16:06:35 Mark Lizar, working on Open Notes
16:06:37 Mark Lizar, Open Notice effort
16:06:38 zakim, [apple] has dsinger
16:06:38 +dsinger; got it
16:06:46 s/Open Notes/Open Notice/
16:07:04 JoeHallCDT has joined #privacy
16:07:19 ?? Customer comments
16:07:28 +[OpenLink]
16:07:35 Zakim, [OpenLink] is temporarily me
16:07:35 +MacTed; got it
16:07:37 Zakim, mute me
16:07:37 MacTed should now be muted
16:07:39 Zakim, next agendum
16:07:39 agendum 2. "Permissions on the Web (Guest: Dom)" taken up [from rigo]
16:08:00 ebw has joined #privacy
16:08:15 Yes chair apologies for the echo
16:08:24 CR: have a guest today, introducing Dom
16:08:35 http://www.w3.org/2012/Talks/dhm-privacy-www/
16:09:30 DHM: issue coming up in web platform, presented in WWW 2012, basic issue is that the more features we bring to the browser, the more risk we create in terms of privacy and security. Create a hole in the sandbox
16:10:19 ... two WGs where this is salient: DAP and WebRTC Working Group. Want to start discussion on making the web as powerful as it needs to be and keeping its privacy preserving capabilities
16:10:20 zakim, who is here?
16:10:20 On the phone I see Karima_Boudaoud, Rigo, npdoty, christine, spreibus, fjh, tara, [CDT], +1.510.701.aadd, Dom, [Microsoft], +1.207.756.aaee, ??P35, [Apple], MacTed (muted)
16:10:23 [CDT] has joehall
16:10:23 [Apple] has dsinger
16:10:24 On IRC I see ebw, JoeHallCDT, dsinger, tara, christine, JC, spreibus, RRSAgent, fjh, Zakim, npdoty, rigo, dom, Kboudaou, MacTed, wseltzer
16:10:38 ArtB has joined #privacy
16:10:51 ... classical issues: Making possible for web application to access camera on the device.
16:11:22 s/?? Customer comments/Mary Hodder: CustomerCommons.org
16:11:32 ... creates privacy issues. Pages shouldn't get access to your camera, would open device to spying and surveillance
16:11:58 ... one possible solution is to ask for permission, same issue for location dependent services
16:12:18 recent example of Web cam problem: http://news.bbc.co.uk/1/hi/programmes/click_online/9751569.stm
16:12:25 ... hard issue to communicate the issue to the user on what this is supposed to do
16:13:13 ... difficult issues in terms of user interface. Even once you have obtained user permission. And you want the user to be aware that a permission is granted and active, how to do that
16:13:26 ... classical issues of DAP
16:13:45 .... there is no clear plan to make this future proof
16:14:49 ... another issue is linked with fingerprinting. The more features you provide, the better people can re-recognize your device. Again the camera and its resolution can be revealing, the codecs that is used, any number of capabilities, whether it has a flash or not
16:15:29 ... in most cases not a problem, but if you do that on the web, it would be so much information to identify a browser uniquely
16:16:04 ... again an issue that every group is facing. The more groups are facing it, the more fingerprinting becomes a palpable issue.
16:16:15 ... is fingerprinting the wrong battle?
16:16:23 some people are debating whether fingerprinting is still a battle worth fighting or not
16:16:39 ... this needs a permissions model
16:17:03 think about media capabilities requests for example
16:17:05 ... in many cases people want to have trusted applications that could ignore most of those issues
16:17:36 ... some also linked to site-wide authentication, might want to share more information, non trivial problems
16:18:20 ... once you get access to more private data, addressbook and calendar, you get more info that allows new types of attack
16:19:16 ... creates tensions and difficulties. Some early solutions that emerge, web characteristics has some ??
16:19:58 ... another different approach, system application WG, that group is proposing to take all technology out of the browser context
16:20:52 ... leaving aside all the issues on privacy and security. Taking an application logic, platform already provides those barriers, sidelining the issues by taking this platform? approach
16:21:52 ... technical groups working on these issues. Went to F2F of the TAG, Unfortunately, the person caring left. Now want to find a person to drive this
16:22:13 .... not only on privacy but also on security, mainly that touches W3C WGs
16:22:47 .... perhaps someone from this group would be interested. Is a problem that was debated any number of times and there hasn't been a clear outcome so far
16:22:49 q+
16:23:04 DHM: Question?
16:23:16 ack rigo
16:24:11 q+
16:24:11 Fred has joined #privacy
16:24:14 CR: Excellent presentation
16:24:16 Rigo: When we discuss UI in tracking protection working group, browser vendors are not open to these discussions
16:24:26 rigo: when this comes up in Tracking Protection or other groups, it's often related to key UI issues
16:24:37 q-
16:24:47 ... are browser vendors ready to talk about UI? that's often been a blocker in past discussions
16:25:30 DHM: UI remains something that browsers compete. So far the approach has been UI based. Not everything can be solved in UI, especially if there is no solid foundation for the UI to drag on, Inconsistencies that come into play. Need a place where browsers can discuss
16:25:42 ... commonalities where they could align
16:25:56 q+
16:26:21 DHM: expressing things to the user is UI, but problems go beyond
16:26:27 ack JC
16:26:40 q+
16:26:45 JC: do we know whether inconsistency is an issue for consumers
16:27:17 q+ to mention mobile as another issue with UI
16:27:57 is JC asking for research results on cross-browser privacy confusion?
16:28:05 there may be some research on this question, if not explicitly with different browsers then with different software platforms in general
16:28:17 JoeHallCDT, yes, I think so, do you have a good source?
16:28:49 I was asking a general question not specific to privacy
16:29:11 DHM: ?? WG worked on security indicator for browser, it was mixed experience
16:29:24 s/??/Web Security UI/
16:29:30 npdoty, probably… if we can refine the query a bit!
16:29:32 File->Open didn't require explicit standardization, though, so maybe we could use a lighter weight process to achieve those commonalities
16:30:06 CR: so far we have been unfortunate about UI standardization, but there are also other approaches, can they replace a focus on UI?
16:30:28 dom, are you referring to this doc: http://www.w3.org/TR/wsc-ui/ ?
16:30:28 ML: there is value in looking what possible solutions are
16:30:33 ack fjh
16:30:35 yes, npdoty
16:31:04 -[Apple]
16:31:21 FJH: not everything goes into UI, compositing that mashes, red eye removal is a functionality somewhere on the web without user interaction
16:31:36 q+ to talk about help on fingerprinting
16:31:38 ... is there informed consent? There is not always an UI
16:31:41 q?
16:31:50 ack dom
16:31:50 dom, you wanted to mention mobile as another issue with UI and to talk about help on fingerprinting
16:31:53 q+
16:32:38 DHM: another reason why pure UI approaches are difficult is that on mobile devices screen real estate is reduced
16:32:38 an example of not having a UI and not getting permission from the user is when you have a composite app that makes externally used apps transparent
16:32:45 q+
16:33:02 DHM: mobile further complicates things
16:34:36 ... group asked about finger printing, would be extremely useful if this group could explain what fingerprinting is and what the challenge is and present ways to mitigate while still allowing for deeper integration. I don't think there has been enough discussion so far, What about private browsing mode. It would be great if this group could work on that
16:35:01 is the suggestion there input to various WGs about what they should keep in mind regarding fingerprinting as they develop new features?
16:35:03 CR: see your clear message to work on fingerprinting and have some good people to work on that
16:35:09 ack fjh
16:36:30 FJH: what question are we answering, we have to get the question right. many players and components, not privacy by design will help, people simplify and this is good engineering. Should we address limitations of service providers
16:36:58 I think JC had also mentioned the possibility of recommendations for deployments/developers and not just spec-writers and browser implementers
16:37:14 Yes
16:37:38 DHM: agree that finding the right question is part of the problem. On ISP, there are two kinds of service providers. One is rather attackers that do not care about privacy, and good guys who lack guidance
16:38:14 ... in practice we can not do much about attackers other than making their life as hard as possible and give them less data
16:38:47 ... too little effort on service providers who want to do the right things.
16:39:19 Got it
16:40:00 http://www.w3.org/TR/2012/NOTE-app-privacy-bp-20120703/
16:40:48 (settings work for expressing your preference, but doesn't work for reacting to permissions request AFAICT)
16:40:57 ArtB has left #privacy
16:42:59 what is the incentive to obtain implementation?
16:43:01 rigo: some research experience from PrimeLife about UI, that footsteps are very recognizable
16:43:07 RW: organize Workshop between the DAP and other WGs and the Privacy community
16:43:24 maybe that is a rhetorical question.
16:43:37 I think we could organize one in Sophia
16:44:26 q+ to mention November workshop
16:44:30 ack ri
16:44:31 (I think a workshop in Silicon Valley might actually be better to attract e.g. browser vendors)
16:44:52 q?
16:44:57 ack npdoty
16:44:57 npdoty, you wanted to mention November workshop
16:45:06 What do we do where there is inadequate regulation?
16:46:07 ND: wanted to talk about the workshop question. We are having a workshop end of November in Berkeley, Mostly talking about discussing about what to do after DNT, but may be one opportunity for people in the valley to discuss
16:46:08 that is the next logical question
16:46:32 JC, I would start with tears
16:46:40 (I personally don't think that regulation is the only reward; making the Web a better dev platform is a pretty strong motivation for a number of vendors)
16:47:05 zakim, take up next agendum
16:47:05 agendum 3. "Coordinating and delivering privacy reviews of draft W3C specifications" taken up [from rigo]
16:47:11 [thanks for inviting me, I'll be going now]
16:47:14 customers do value privacy I
16:47:18 thx dom!
16:47:23 -Dom
16:47:26 Much thanks, Dom!
16:47:32 I think a lot of people in the community can benefit directly from consumer trust in the Web platform
16:47:35 Many thanks, Dom.
16:47:35 Thanks dom !
16:47:45 Navigation timing and Web intents suggested
16:47:47 -tara
16:48:00 navigation timing: http://www.w3.org/TR/navigation-timing/
16:48:09 Web Cryptography has just published a first draft
16:48:17 Web Intents: https://dvcs.w3.org/hg/web-intents/raw-file/tip/spec/Overview-respec.html
16:48:56 CR: before going into this, wanted to discuss procedure more generally and how to organize review in a timely fashion
16:49:03 +tara
16:49:05 q+
16:49:13 zakim, who is making noise?
16:49:20 q?
16:49:21 ack npdo
16:49:27 fjh, listening for 13 seconds I heard sound from the following: npdoty (69%)
16:49:32 No - just got kicked off Skype. Back now!
16:50:15 ND: generally it would be great if we could do this. If there are documents we can provide input to. In IETF the IAB has provided insight, there were lots of requests, but no right expertise in the WG, so faded away.
16:50:35 q+
16:50:43 ... we might want to make sure that we only work on documents where we have time and people
16:51:18 FJH: one intention with web intents is that once you trust the origin the privacy barriers go low. Highlight it here
16:51:22 ack fjh
16:51:36 s/intention/question
16:51:42 CR: thanks for explanation, not visible from title
16:51:43 I think just documenting the different concepts we have around trust for particular origins would be worthwhile
16:52:04 in some groups, we've been referring to an origin-pair as a useful privacy concept
16:52:08 CR: Introducing request wanted to ask for someone working on this
16:52:35 s/Highlight it here/This is related to explicit intents in WebIntents for example./
16:53:08 for Web Intents and Navigation Timing, do we have volunteers to help?
16:53:26 I might be able to review on Web Intents, though I have limited time
16:53:49 if someone wants me to help and wants to help me with that :)
16:54:07 CR: is this an issue of expertise? Or is it generally to get involved in privacy reviews?
16:54:16 ... no answer
16:54:24 move this discussion to the mailing list, +1
16:54:25 let's move this discussion to the mailing list
16:54:36 Zakim, next agendum
16:54:36 agendum 4. "Proposed candidates for PING review" taken up [from npdoty]
16:54:49 Zakim, take up agendum 5
16:54:49 agendum 5. "Privacy considerations" taken up [from npdoty]
16:55:23 CR: we had discussion in August on Privacy considerations and could include the issues that Dom raised.
16:55:35 q?
16:56:02 q+
16:56:08 the wall is listening, Rigo, unclear how to respond (talking for myself)
16:56:08 ack fjh
16:56:52 I think we may have a different group of people on the call this time than last time
16:56:52 Hello all, thank you for the invitation. Is the CSP spec. something you think needs a review?
16:56:59 FJH: one issue is privacy in general. Should do "something" but has no normative impact.
16:57:20 Fred, rather web intent is the most urgent
16:57:42 CR: everybody tired but you get homework
16:57:56 25 October for the next call? any conflicts?
16:58:01 .. 25 Oct for a call
16:58:06 fine with me
16:58:06 s/Fred, rather web intent is the most urgent//
16:58:13 wfm
16:58:14 fine for me
16:58:24 and it's just before TPAC
16:58:37 18 October?
16:58:59 25 is not optimall, but okay.
16:59:08 Um optimal. either!
16:59:13 18 October is the next call!
16:59:15 apologies for 18 Oct.
16:59:20 regrets, 18 COt
16:59:26 s/COt/Oct
16:59:29 18 October, any other major conflicts?
16:59:31 s/COt/Oct/
16:59:43 me too: will not be available on 18 oct.
17:00:28 CR: for homework, watch for mail from Nick on Workshop in November. Would be good if we could develop a list of issues to discuss. Also should discuss requests for review from other groups. First is navigation timing and web intents
17:00:47 ... should continue discussion on privacy considerations on mailing list
17:00:51 AOB?
17:01:01 many thanks and bye bye -- see you on the mailing list
17:01:01 CR: Adjourned
17:01:04 -??P35
17:01:08 thanks
17:01:09 thanks
17:01:09 -MacTed
17:01:14 -npdoty
17:01:15 -spreibus
17:01:15 -[Microsoft]
17:01:16 -christine
17:01:16 -Rigo
17:01:16 -tara
17:01:17 -fjh
17:01:20 tara has left #privacy
17:01:23 -Karima_Boudaoud
17:01:25 rrsagent, set log public
17:01:29 JoeHallCDT has left #privacy
17:01:33 rrsagent, please draft minutes
17:01:33 I have made the request to generate http://www.w3.org/2012/09/20-privacy-minutes.html rigo
17:01:44 nick, will you link them from the PING page?
17:01:50 spreibus has left #privacy
17:02:33 ebw has left #privacy
17:02:33 s|s/Fred, rather web intent is the most urgent//||
17:02:42 rragent, generate minutes
17:02:43 if the script already executed I can't but I can do manual edits. Will do
17:02:45 -[CDT]
17:02:58 smarthart has joined #privacy
17:03:02 s|rragent, generate minutes||
17:03:16 rrsagent, generate minutes
17:03:16 I have made the request to generate http://www.w3.org/2012/09/20-privacy-minutes.html fjh
17:03:46 Now I know why I'm the lawyer and you the engineer :)
17:04:32 Zakim, list attendees
17:04:32 As of this point the attendees have been +33.4.92.96.aaaa, Rigo, npdoty, fjh, spreibus, +1.510.701.aadd, tara, Dom, [Microsoft], joehall, Karima_Boudaoud, +1.207.756.aaee,
17:04:35 ... christine, dsinger, MacTed
17:05:27 rrsagent, draft minutes
17:05:27 I have made the request to generate http://www.w3.org/2012/09/20-privacy-minutes.html npdoty
17:06:42 Zakim, bye
17:06:42 leaving. As of this point the attendees were +33.4.92.96.aaaa, Rigo, npdoty, fjh, spreibus, +1.510.701.aadd, tara, Dom, [Microsoft], joehall, Karima_Boudaoud, +1.207.756.aaee,
17:06:42 Zakim has left #privacy
17:06:46 ... christine, dsinger, MacTed
17:06:49 rrsagent, bye
17:06:49 I see no action items