16:49:40 RRSAgent has joined #privacy 16:49:40 logging to http://www.w3.org/2014/01/30-privacy-irc 16:49:42 RRSAgent, make logs 263 16:49:44 Zakim, this will be 16:49:44 I don't understand 'this will be', trackbot 16:49:45 Meeting: Privacy Interest Group Teleconference 16:49:45 Date: 30 January 2014 16:49:51 rrsagent, make logs public 16:52:02 tara has joined #privacy 16:52:50 zakim, this will be ping 16:52:50 ok, rigo; I see Team_(privacy)16:49Z scheduled to start 3 minutes ago 16:55:21 Team_(privacy)16:49Z has now started 16:55:28 +[Apple] 16:55:36 rigo has changed the topic to: Agenda 30 Jan http://lists.w3.org/Archives/Public/public-privacy/2014JanMar/0009.html 16:57:09 christine has joined #privacy 16:57:21 richt has joined #privacy 16:57:42 +[IPcaller] 16:57:43 -[IPcaller] 16:57:57 Zakim, [IPcaller] is me 16:57:57 sorry, christine, I do not recognize a party named '[IPcaller]' 16:58:22 Zakim, IPcaller is me 16:58:22 sorry, christine, I do not recognize a party named 'IPcaller' 16:58:40 zakim, who is here? 16:58:40 On the phone I see [Apple] 16:58:41 On IRC I see richt, christine, tara, RRSAgent, Zakim, npdoty, rigo, glenn, fjh, TallTed, wseltzer, trackbot 16:59:13 +npdoty 16:59:34 +[IPcaller] 16:59:49 Zakim, [Apple] has tara 16:59:49 +tara; got it 17:00:06 Zakim, [IPcaller] is richt 17:00:06 +richt; got it 17:00:42 +karima 17:00:48 Karima has joined #privacy 17:01:14 Ashok_Malhotra has joined #privacy 17:01:15 Hi everyone. Waiting for a few more folks to join. 17:01:18 +[IPcaller] 17:01:35 Zakim, IPcaller is me 17:01:35 +christine; got it 17:01:51 +[IPcaller] 17:01:54 zakim, IPcaller is me 17:01:54 +fjh; got it 17:02:12 zakim, who is here? 17:02:12 On the phone I see [Apple], npdoty, richt, karima, christine, fjh 17:02:13 [Apple] has tara 17:02:13 On IRC I see Ashok_Malhotra, Karima, richt, christine, tara, RRSAgent, Zakim, npdoty, rigo, glenn, fjh, TallTed, wseltzer, trackbot 17:02:21 +[CDT] 17:02:46 +Ashok_Malhotra 17:03:43 JoeHallCDT has joined #privacy 17:04:08 + +1.469.242.aaaa 17:04:18 scribenick: npdoty 17:04:21 alas, I cannot scribe today but promise next time 17:04:43 Zakim, aaaa is FrankDawson 17:04:43 +FrankDawson; got it 17:05:10 +bblfish 17:05:26 richt: Rich Tibbet from Opera, patches for Chromium/blink and work in standards, Network Services Discovery 17:05:38 bblfish has joined #privacy 17:05:42 hi 17:05:45 Topic: Network Service Discovery 17:05:48 http://www.w3.org/TR/discovery-api/ 17:06:14 richt: at a high level, connecting to devices / services on your network 17:06:27 ... UPNP/Zeroconf, which you may know as Bonjour 17:06:35 ... these protocols expose endpoint urls that speak http 17:06:56 -FrankDawson 17:06:57 ... tried to get to a point where a developer can request a well-known service type so they can communicate with services on different devices 17:07:11 ... layered on top of HTTP, can use XHR 17:07:40 ... 1.5 years in; lots of feedback from implementer mailing lists, like from Mozilla / Chromium 17:07:53 ... some concerns about privacy and security, worry about exposing unsafe devices 17:08:04 ... extremely wide range of different devices and services 17:08:12 +Clarke 17:08:24 ... change volume on your speaker, but also can change configuration of your router 17:08:43 ... in terms of security, added a requirement to the specification that services that want to be exposed, need to implement CORS 17:08:51 Clarke has joined #privacy 17:08:59 ... expose HTTP headers that those services have been audited/cleared for sharing with web pages 17:09:14 ... that's the main mechanism for security 17:09:25 ... the other major part is how the user interacts 17:09:36 Clarke Stevens from CableLabs just joined. I'm on the phone too. 17:09:45 ... a permissioning prompt where the user selects the services they want to share, like how we do geolocation 17:09:57 ... a certain degree of privacy and security, but looking for more input 17:10:20 ... any other ideas of what we can do, and an audit of how it works or whether anyone considers it unsafe 17:10:36 ... happy to answer questions 17:10:43 Present+ Frederick_Hirsch 17:10:52 q? 17:10:53 http://www.w3.org/TR/discovery-api/ 17:10:53 +q 17:10:53 Present+ Clarke_Stevens 17:11:04 ack christine 17:11:11 regrets+ wseltzer 17:11:12 q+ 17:11:29 yrlesru has joined #privacy 17:11:35 christine: appreciate your taking the time. forgive my introductory questions 17:12:06 ... permission prompt point -- what's the granularity or persistence of those permissions? 17:12:30 richt: have a prototype, but haven't actually built the UI; have some experience with WebRTC and Geolocation previously 17:13:07 ... site requests a particular type of service, browser searches for a list of candidates, candidates are displayed to the user and can click share 17:13:33 ... specification describes longevity, that permissions have to be asked again after next loading of a page 17:13:47 q+ to ask about persistence 17:14:35 ack fjh 17:14:53 fjh: for CORS, how do you know which origin corresponds to what? 17:15:27 richt: look for the existence of CORS headers, looking for wildcard matching 17:15:49 ... no particularly good way for CORS to specify a local IP address which you don't know ahead of time 17:16:02 q+ to ask if that's how CORS is intended 17:16:17 ... indicate to browsers in a general way that they're web-ready 17:16:51 ... as a user you could whitelist certain device types in your browser 17:17:09 ... in that case you could connect to legacy devices and services 17:17:19 ... likely to be an advanced option for users 17:17:38 ... or browsers could blacklist certain services, like routers, even if the user tries to whitelist them 17:17:58 ... a remedy for browser-makers to ensure user security 17:18:08 fjh: how would you blacklist a router? what do you need to know? 17:18:24 richt: there are well-known service types (defined by upnp), well-known strings 17:18:40 ack npdoty 17:18:40 npdoty, you wanted to ask about persistence and to ask if that's how CORS is intended 17:18:43 please refer to the editor's draft: https://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html 17:19:07 The CORS mechanism has not yet been published in the TR version. 17:19:34 ndoty: is asking for permissions repeatedly intended usage of CORS 17:19:46 s/ndoty/npdoty/ 17:19:47 + +1.214.566.aabb 17:20:13 richt: this approach is necessary, e.g. don't want automatic connection after a delay, e.g. 30 days 17:20:43 npdoty: another question, is this intended use of CORS header or are you just taking advantage of it 17:20:59 zakim aabb is yrlesru 17:21:19 richt: once have service endpoint URL it is a resource, so CORS is appropriate, browser enforces CORS mechanism 17:21:26 … using as specified 17:21:53 … but in discovery sending HTTP OPTIONS request, using response to see if CORS supported and has headers 17:22:00 … not changing CORS 17:22:22 … potential issue with CORS regarding limit of exposure to local IP addresses, using wildcards 17:22:54 zakim, ??aabb is me 17:22:54 sorry, yrlesru, I do not recognize a party named '??aabb' 17:23:04 … when searching, knowing requesting web page and origin, check that in service responses so wildcard not needed alwasy 17:23:25 … but sub domains might be an issue (???) 17:23:25 zakim, aabb is me 17:23:25 +yrlesru; got it 17:23:33 s/alwasy/always 17:23:42 scribenick: npdoty 17:23:53 tara: any points that haven't been asked about yet? 17:24:10 richt: CORS, user-whitelisting or ua-blacklisting 17:24:37 ... different ways we could approach this problem -- building on top of existing APIs like XHR and WebSockets 17:24:50 ... powerful, but low-level 17:24:57 q+ to ask about identifiers 17:25:30 ... right now talking XML, but could next be JSON or WebSocket -- not very specific to UPNP, for example 17:26:10 npdoty: common issue is unique identifiers can be used to correlate activity or re-identify user in unexpected manner 17:26:22 … is identifier being given to endpoint 17:26:31 … can two web services correlate activity? 17:26:48 richt: spec does not deal with this, open DAP issue 17:27:12 … endpoint URL likely to have numeric component, exposing and leaking local IP configuration 17:27:18 … this is a concern 17:27:37 … discussing how to obfuscate local IP addresses, would appreciate PING feedback on this 17:27:44 … might be also an issue in WebRTC? 17:27:52 … probably not a good practice. 17:28:19 … obfuscating may create issue with responses containing IP addresses for media resources etc, so some thought required 17:28:30 … please give feedback on importance of issue and approaches 17:28:34 npdoty: will think about it 17:28:39 scribenick: npdoty 17:28:54 tara: may all need a bit more reflection over material from today 17:29:18 q+ 17:29:19 richt: we've concisely covered our issues. leaking IP address configuration is a key issue for feedback 17:29:22 q- 17:29:23 +q 17:29:33 ... editors' draft best for review (includes CORS) 17:29:37 https://dvcs.w3.org/hg/dap/raw-file/tip/discovery-api/Overview.html 17:29:53 Would an alternative to persistent local IP address be capability for renewal of the identifier at user control? 17:30:04 richt: any improvements for user privacy or security would be great 17:30:05 q? 17:30:08 ack fjh 17:30:14 fjh: what's the schedule for review? 17:30:44 richt: as long as it's not multiple months; blocker on implementation and want to calm concerns about security 17:31:09 ... privacy and security review takes as long as it takes and implementation is blocked until it's finished 17:31:33 christine: the sooner the better but not overly demanding schedule 17:31:54 ... mentioned discussions of IP address leakage and obfuscation within DAP group 17:32:14 ... could you share the different possible mitigations? 17:32:45 2nd time to express my thoughts. Would an alternative to obfuscation of IP address be ability for user, on demand, to renew their identifier. 17:32:46 richt: can obfuscate the endpoint URL easily, like a transparent proxy; the hard part is intercepting and rewriting the HTTP responses 17:33:20 ... any alternatives would be helpful 17:33:47 thanks rich for an excellent overview 17:34:18 richt: thanks all for the discussion and ongoing review 17:34:32 hi 17:34:34 Topic: WebID 17:34:35 +q 17:34:36 thank you everyone. 17:34:51 q+ bblfish 17:34:53 ack christine 17:34:56 np :-) 17:35:19 christine: question about group status. 17:35:42 https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index.html 17:35:44 bblfish: was Incubator, now working as a Community Group 17:35:55 is there a link for the CG, participants? 17:36:05 bblfish: would like to finish, publish specs hopefully by the summer 17:36:17 would like to bring https://2x.io/read/security-by-obscurity to the attention of this group. RE: exposing local IP addresses to web pages in WebRTC (as I mentioned earlier on this call). 17:37:11 Thanks for the clarification Nick 17:37:16 No more from me 17:38:00 bblfish: would like to push this up to the next stage, five years of work altogether 17:38:22 ... two specifications and an ontology 17:38:52 ... Web Identity and, separately, how do you communicate with WebID over TLS 17:39:04 q+ to ask about web id correlation 17:39:16 ... and then prototypes, for example, using access control for a wiki 17:39:26 ... using Linked Data 17:40:00 ... have added Privacy/Security Considerations sections to the two specs 17:40:05 ... new since we last talked here 17:40:18 ... looking for feedback on those sections 17:41:10 ... authentication over TLS, rather frequently implemented/used in browsers 17:41:13 ack fjh 17:41:13 fjh, you wanted to ask about web id correlation 17:41:21 q- bblfish 17:41:40 fjh: what the requirements are; is there an issue here of correlation which would need obfuscation 17:42:17 bblfish: WebID does make it easy to link profiles, it is meant for that specifically to support a decentralized Social Web 17:42:39 ... can create p2p social networks over HTTP, reduces centralization which is advantageous, but leakage of links/URIs 17:43:26 ... costs are weighed against the benefit of that decentralized social networking 17:43:30 Was this the reference to use cases and requirements? , https://dvcs.w3.org/hg/ldpwg/raw-file/default/ldp-ucr.html#maintaining-social-contact-information 17:43:47 ... communicating over SSL can prevent eavesdropping 17:43:55 fjh: just important to make the tradeoff clear 17:44:24 tara: timeline? 17:44:44 thanks for clarifying the potential tradeoff between decentralization and potential for Service provider (web application) correlation based on ids 17:44:45 bblfish: not a great hurry, but quick review of privacy and security sections would be helpful 17:45:21 Topic: documents in progress 17:45:41 tara: various documents in different stages of status 17:45:44 ... fingerprinting? 17:46:35 npdoty: regarding fingerprinting, made an update before the last call, had questions about feasibility of addressing the concern 17:46:46 … have some ideas but have not had a chance to write up yet 17:47:28 … would like some help with reviewing 17:47:29 Thank you fjh - that would be helpful 17:47:57 scribenick: npdoty 17:48:01 yes, I realised that too late, sorry 17:48:15 tara: comments elicited for EME and getUserMedia 17:48:46 JoeHallCDT: I sent some notes late last year, a very well-considered document already 17:49:05 ... lacked a more systematic way of doing a review in a reputable process 17:49:36 +q 17:49:46 ... if we want to do privacy reviews in a more standardized way, happy to do that (have more help inside CDT now) 17:49:53 ack christine 17:50:49 christine: pleased to hear your ability to participate 17:51:00 yrlesru, thanks for the pointer to the WebId use case ( catching up on IRC ) 17:51:24 ISO/IEC 29100:2011 Information technology -- Security techniques -- Privacy framework Is now publicly available at no cost at http://standards.iso.org/ittf/PubliclyAvailableStandards/c045123_ISO_IEC_29100_2011.zip 17:51:25 JoeHallCDT: hoping to have more chance to engage, that PING would be a good place to have those discussions 17:51:53 christine: current status on EME? 17:52:28 If Nick Doty can note this in minutes. This standard provides a standard privacy framework (terminology, roles, responsibilities, principles, etc) for privacy that is aligned with proposed EU DP Regulation in many ways. 17:52:57 Thanks for the update re status on EME 17:52:59 JoeHallCDT: a lot of tension, html media group very interested in closing down issues but still quite a bit of principled concern 17:53:24 ... also a separate alternative proposal in WHATWG 17:53:42 ... need some guidance 17:54:16 ... had already done a good job thinking about privacy, in the UA and in the CDMs 17:54:38 Joe, I would be available for a workshop on the subject during week of CDT Gala and IAPP in DC. 17:54:47 ... settle on a coordinated systematic way for doing a privacy review when someone comes up to PING 17:55:02 ... can't wrap it up without knowing what the framework should be 17:55:12 q+ 17:55:14 q+ to ask about learnings from EME 17:55:24 +q 17:55:41 ... is "already looks good" an appropriate response? 17:55:55 yrlesru: tried offline to start reviewing a number of specs 17:56:20 ... a number of framework approaches you can take -- classically, look at the data flows from the applicable privacy principles 17:56:32 ... or look at collection/storage/transfer/processing/ 17:56:56 ... Hannes had proposed an approach that was a standard list of principles and threats, a potential checklist 17:57:45 ... 1) people come to us after the fact, a checkbox so that they can go to the next phase of implementation 17:58:23 ... or 2) talk to people earlier during the design alternatives phase, where we think through systematically the different ways we could think through 17:58:40 ... an ISO standard on privacy principles is now publicly available and may be useful 17:58:52 http://standards.iso.org/ittf/PubliclyAvailableStandards/c045123_ISO_IEC_29100_2011.zip 17:59:20 yrlesru: if we want to meet up in person around CDT event and try with a whiteboard, would work for me 17:59:34 JoeHallCDT: can talk offline; IETF is a potential conflict 18:00:17 tara: running out of time at this point, wrapping up comments 18:00:38 quick point Tara before you close 18:00:40 yrlesru: one problem that's come up: do we have a clear understanding of what the use cases are for an API? 18:00:42 q- 18:00:48 ack yrlesru 18:01:00 ... have seen that same problem crop up on other specs 18:01:02 ack christine 18:01:15 cool please let me know what questions we need to look at, answer :-) 18:01:20 christine: really appreciate the enthusiasm to work out a structured way for PING to do privacy reviews 18:01:40 ... a key goal is to develop guidance and to develop the system for reviews 18:01:58 ... what we've been doing is having informal privacy reviews even while we're in process for developing guidance 18:02:40 next call -- March 13th? 18:02:49 (later than the first week of March, because of the IETF conflict) 18:02:51 -Ashok_Malhotra 18:02:56 -Clarke 18:02:56 I'll also suggest a PING meeting at IETF on the mailing list 18:02:57 thanks a lot 18:03:00 -[CDT] 18:03:01 -yrlesru 18:03:02 -fjh 18:03:03 -richt 18:03:04 tara: thanks all 18:03:04 -npdoty 18:03:06 -christine 18:03:07 -karima 18:03:07 chair: tara 18:03:08 -[Apple] 18:03:11 -bblfish 18:03:12 Team_(privacy)16:49Z has ended 18:03:12 Attendees were npdoty, tara, richt, karima, christine, fjh, [CDT], Ashok_Malhotra, +1.469.242.aaaa, FrankDawson, bblfish, Clarke, +1.214.566.aabb, yrlesru 18:03:18 rrsagent, please draft the minutes 18:03:18 I have made the request to generate http://www.w3.org/2014/01/30-privacy-minutes.html npdoty 18:20:22 JoeHallCDT has joined #privacy 18:36:33 JoeHallCDT has joined #privacy 18:40:00 richt has joined #privacy 18:45:40 JoeHallCDT has left #privacy 19:32:43 Karima has joined #privacy 20:17:53 Zakim has left #privacy 20:35:11 richt has joined #privacy 20:36:40 richt_ has joined #privacy 20:49:30 Karima has joined #privacy 22:02:03 richt has joined #privacy