15:54:41 RRSAgent has joined #privacy
15:54:41 logging to http://www.w3.org/2016/07/28-privacy-irc
15:55:58 Zakim has joined #privacy
15:56:01 present+ wseltzer
15:56:21 weiler has joined #privacy
15:56:24 present+ tara
15:56:26 present+
15:57:16 npdoty has joined #privacy
15:57:53 christine has joined #privacy
15:57:58 Meeting: Privacy Interest Group
15:58:05 Chairs: Tara and Christine
15:58:42 present+ christine
16:00:15 yoav has joined #privacy
16:00:23 tharindi has joined #privacy
16:00:30 barryleiba has joined #privacy
16:00:37 Present+ Andrey_Logvinov
16:01:03 present+ Barry_Leiba
16:01:33 Zakim, who is here?
16:01:33 Present: wseltzer, tara, weiler, christine, Andrey_Logvinov, Barry_Leiba
16:01:36 On IRC I see barryleiba, tharindi, yoav, christine, npdoty, weiler, Zakim, RRSAgent, Andrey_Logvinov, tara, shepazu_, ln5_, schuki, dveditz, mkwst, terri, Mek_, dustinm,
16:01:36 ... hadleybeeman, mounir, wseltzer, trackbot, plinss
16:01:39 agenda +Welcome and introductions
16:01:45 agenda +Wake Lock API privacy considerations
16:01:51 scribe: weiler
16:02:18 scribenick: weiler
16:02:42 rrsagent, pointer?
16:02:42 See http://www.w3.org/2016/07/28-privacy-irc#T16-02-42
16:03:20 tara: newcomers, please introduce yourselves.
16:03:41 agenda +Updated privacy and security considerations of the Vibration API
16:03:45 Barry Leiba: work for Huawei; IETF veteran.
16:03:48 agenda here: https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0010.html
16:04:05 Andrey_Logvinov:
16:04:29 Craig Spiezle:
16:04:48 s/Logvinov:/Logvinov: Yandex, working on wake lock API
16:05:11 Mike: wants to talk re: an issue in webappsec
16:05:37 zakim, take up agendum 2
16:05:37 agendum 2. "Wake Lock API privacy considerations" taken up [from tara]
16:06:06 tara: introduced Andrey to talk about wake lock API
16:06:18 https://www.w3.org/TR/wake-lock/
16:07:25 andrey: concern that lock and keep screen awake and burn battery. other things (video) do this, too.
16:07:33 barry: what's the privacy issue?
16:07:34 presumably the hidden video hack is a bug, not functionality to maintain
16:08:04 https://github.com/w3c/wake-lock/issues/78
16:08:05 andrey: no privacy issue. but another device could see that the device is awake. could create a side channel. Not sure if danger is real.
16:08:32 s/that lock and/that lock can/
16:09:00 q+
16:09:23 ack np
16:09:54 agenda + Fingerprinting Guidance for Web Specification Authors
16:10:06 agenda +Privacy questionnaire
16:10:10 mikeoneill has joined #privacy
16:10:17 agenda +EME
16:10:22 npdoty: other APIs have some limitation re: "only applicable when the screen is on", so as to prevent surreptitious / background abuse.... geolocation, camera/microphone.
16:10:23 q+ to ask about secure contexts
16:10:30 agenda +WebRTC
16:10:36 ... if they can keep screen on w/o user realizing it, could have implications for these other APIs
16:10:58 agenda +TPAC
16:11:10 agenda +WebAppSec
16:11:11 q+
16:11:29 marta has joined #privacy
16:11:58 andrey: is is correct that APIs should not be allowed to wake device/screen -- they just prevent locking, they don't enable wake. right?
16:12:25 npdoty: @@
16:12:49 s/is is/ is it/
16:13:44 s/@@/my concern is that keeping a wake lock that keeps the screen on might make it easier to extend other API capabilities in unexpected ways
16:13:47 -> https://www.w3.org/TR/secure-contexts/ Secure Contexts
16:13:57 wendy: is this a feature that should be available only in secure contexts?
16:14:05 andrey: maybe
16:14:50 yoav has joined #privacy
16:14:58 christine++
16:15:35 q?
16:15:38 ack ws
16:15:38 wseltzer, you wanted to ask about secure contexts
16:15:43 ack ch
16:16:07 christine: latest version of spec talks basically re: battery. need to think about nick's concern... there are privacy implications. users may not be aware of background tasks e.g. tracking location because wake lock has been enabled for other applications. need to think re: wendy's Q.
16:16:21 ... cross-origin linking: not sure if that's a risk or not. should look at it.
16:16:36 q?
16:16:44 andrey: something we should consider.
16:17:23 tara: to andrey: any other questions for the group? looking for comments by end of Aug?
16:17:27 can you resend the link please?
16:17:41 do you have any particular questions for us?
16:17:55 Wake Lock API editor's draft is here: https://w3c.github.io/wake-lock/
16:18:01 q+
16:18:20 Andrey: no further Q. (no comment on deadline.)
16:18:49 I can do it
16:18:51 christine: would someone on call take task to compile PING's feedback to group re: privacy considerations?
16:19:16 present+ marta
16:20:20 can we get the deadline for comments in the minutes?
16:21:31 tara: vibration API - deferred.
16:22:22 https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0016.html
16:22:25 npdoty: made some updates on fingerprinting guidance doc over the last month.
16:23:13 ... big changes, trying to address comments received: title [is that such a big change?], added examples,
16:23:17 Re: Wake lock - email list said "We would appreciate to receive your feedback before the end of August"
16:23:24 "the preferred method for feedback is to file issues in our github repository: https://github.com/w3c/wake-lock/issues"
16:24:24 ... (e.g. re: battery status, sensors, proximity, flash plugins, ...), updated research section.
16:24:33 https://github.com/w3c/fingerprinting-guidance/issues
16:24:41 ... everything else was clarification/wording.
16:25:06 ... seven open issues. edits to date address five. need input on two. asked TAG for input on their comments.
16:25:34 q?
16:25:39 q
16:25:41 q-
16:25:49 q+
16:25:54 ... if this group agrees on the "pending review" items, we can close them.
16:26:14 zakim, who is here?
16:26:14 Present: wseltzer, tara, weiler, christine, Andrey_Logvinov, Barry_Leiba, marta
16:26:17 On IRC I see marta, mikeoneill, barryleiba, tharindi, christine, npdoty, weiler, Zakim, RRSAgent, Andrey_Logvinov, tara, shepazu_, ln5_, schuki, dveditz, mkwst, terri, Mek_,
16:26:17 ... dustinm, hadleybeeman, mounir, wseltzer, trackbot, plinss
16:26:17 present+ mikeoneill
16:26:44 ack mi
16:27:28 mikeoneill: @@ ... protocol has a header origin policy. server says "random", and client bounces it back. spec says that rules of third party header should follow cookies
16:28:45 ... if interested in this, looks at webappsec. does this need to be talked about? e.g. should there be an API so user can see if fingerprinting is happening?
16:28:52 http://w3c.github.io/fingerprinting-guidance/#clearing-all-local-state
16:29:48 npdoty: this keeps coming up. might be moved to a different doc. heard two suggestions: #1 should avoid unnecessary new mechanisms. #2 enable clearing at the same time as cookies
16:29:52 present+ terri
16:30:02 ... don't think users care re: difference
16:30:50 mikeoneill: info should be there for browsers to offer privacy add-ons. @@ .. if recommendation comes out for a new API re: fingerprinting risks, it should be covered by permissions API.
16:31:16 npdoty: you can control your user agent w/o an API
16:32:00 q?
16:32:29 npdoty: could you review this section of the doc? it's not making UI suggestions now; maybe it should.
16:32:37 mikeoneill: I'll look over the weekend.
16:33:05 tara: recap: you're waiting for comments on a couple of issues, and want us to review the rest.
16:34:09 agenda?
16:34:16 tara: privacy questionnaire.
16:34:17 zakim, take up agendum 5
16:34:17 agendum 5. "Privacy questionnaire" taken up [from tara]
16:34:49 ... christine not answering, so moving on.
16:34:56 zakim, take up agendum 6
16:34:56 agendum 6. "EME" taken up [from tara]
16:35:01 christine has joined #privacy
16:35:07 https://github.com/w3c/encrypted-media/issues/221#issuecomment-233498615
16:35:15 i|https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0016.html|Topic: Fingerprinting Guidance for Web Specification Authors
16:35:17 https://w3c.github.io/encrypted-media/#privacy
16:35:20 apologies all - computer crashed
16:35:42 tara: joe hall says that EME is going to PR in a few weeks. privacy section has been fleshed out. they'd like some review. if you missed that, I'm sure they'd appreciate comments - don't want to joe to ask.
16:35:53 s/want/wait/
16:36:30 EME has a very lengthy priv/sec considerations section, which looks interesting and will take some effort to review
16:36:41 zakim, take up agendum 4
16:36:41 agendum 4. "Fingerprinting Guidance for Web Specification Authors" taken up [from tara]
16:36:56 christine: we asked the IAB if they'd like to give up any feedback
16:37:00 zakim, take up agendum 5
16:37:00 agendum 5. "Privacy questionnaire" taken up [from tara]
16:37:47 christine: I'm hoping things will be quieter in august, so I'm going to try to shepherd our work on this (which is not the same as the TAG's self-review questionnaire). Nick/Greg had input. Wendy moved the draft to github.
16:38:00 https://github.com/w3c/ping
16:38:34 ... expect to hear gentle encouragement next week. thanks to barry, Kathleen(?), Joe Hall for volunteering to be maintainers for self-review questionnaire.
16:38:43 q?
16:38:44 .. will use github for that.
16:39:00 sorry, is that github repo to be used for multiple documents?
16:39:15 -> https://github.com/w3ctag/security-questionnaire The TAG Privacy/Security Self Review
16:39:20 zakim, take up agendum 7
16:39:20 agendum 7. "WebRTC" taken up [from tara]
16:39:42 1] https://github.com/w3c/webrtc-pc/issues/687
16:39:50 https://github.com/w3c/webrtc-pc/issues/688
16:39:54 tara: Stefan from WebRTC has added some responses to our comments.
16:39:55 https://github.com/w3c/webrtc-pc/issues/689
16:40:00 https://github.com/w3c/webrtc-pc/issues/690
16:40:03 ... four issues that they'd like for us to look at.
16:41:03 q?
16:41:06 ... this hasn't gone to the group yet.
16:41:13 q+
16:41:36 christine: volunteer to respond to these?
16:41:37 q+
16:41:37 q_
16:41:44 ack ch
16:41:46 q-
16:42:11 npdoty: confused: are these things we already raised?
16:42:26 tara: they responded to two of our issues w/ suggestions and others are Q to us.
16:42:34 mike: deadline?
16:42:43 ... I'll look over the next week
16:42:59 q?
16:43:00 .. what happened over media streams (fingerprinting issue)?
16:43:32 ack np
16:43:32 npdoty: this doc is now separate from media streams doc. at least a couple of these issues are more relevant to media streams so have been closed on this doc.
16:44:04 zakim, take up agendum 8
16:44:04 agendum 8. "TPAC" taken up [from tara]
16:44:13 it looks like gnorcie was already involved in many of these threads, so joe and greg may be able to handle further discussion on those
16:44:21 https://www.w3.org/2016/09/TPAC/
16:44:25 tara: we have a mtg on 20 Sept; it does not overlap with webappsec this time.
16:44:28 remember to register!
16:45:14 christine: we need to plot our agenda. I will not be there. If we work on privacy questionnaire before then, could make progress there.
16:45:35 is remote participation feasible for that meeting?
16:45:43 q+ AOB
16:45:52 tara: welcome agenda suggestions. want to use our time effectively.
16:46:42 +1 for webex/phone at TPAC, thanks
16:47:32 ack nex
16:47:37 ack next
16:47:53 christine: @@ asked if we could change the time of our call.
16:48:09 ... proposal is 1400UTC
16:48:14 s/@@/Kepeng/
16:48:53 what about 9 hours earlier, rather than 2 hours earlier?
16:48:57 barry: the people with the issue may not be on the call. fine with me.
16:50:16 wseltzer: hard to accommodate global participation. but Kepeng did cite time.
16:50:36 craig: I'm west coast and don't mind 7am. some of my WGs alternate timezones.
16:50:54 ... 3/4pm west coast, sometimes. we have people in australia.
16:51:17 s/participation/participation in conference calls, but we try/
16:51:24 7am Pacific Time is rough for me; I would typically prefer a midnight call, but alternating seems like one possible compromise
16:51:24 q+
16:52:20 https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0018.html
16:52:32 christine: nothing to report from IETF. sent out a summary; it had some suggestions of things we could do as a group. e.g. 2x calls/months: one for reviews/docs, one for information sharing. could try to get researchers to give seminars
16:52:34 ^ notes from PING@IETF
16:52:53 ... could extend invites more broadly. could have a PING blog.
16:53:13 ... should we form a task force to standardize incognito/private browsing mode?
16:54:18 these sound like cool activities, if we have enough active interest/participation in doing them
16:55:06 mikeoneill: we could take a more active role in giving input to APIs in earlier stages of their development
16:55:20 ack weiler
16:56:12 weiler: (back to mtg time) we could try an experiment. seems to be some support for alternating.
16:56:23 25 Aug works for me
16:56:41 25 August works for me too
16:56:56 tara: next call on Aug 25
16:56:58 (if we want to start alternating or fortnightly calls, should we look for mid August or mid September?)
16:57:00 Thanks, everyone
16:57:11 Zakim, list participants
16:57:11 As of this point the attendees have been wseltzer, tara, weiler, christine, Andrey_Logvinov, Barry_Leiba, marta, mikeoneill, terri
16:57:30 ... may look at 2nd call starting in September
16:57:42 ... probably not change time this time, but will consider and announce it.
16:57:59 RRSAgent, make log public
16:58:06 RRSAgent, generate minutes
16:58:06 I have made the request to generate http://www.w3.org/2016/07/28-privacy-minutes.html weiler
16:58:48 how much US east coast participation do we usually have?
16:59:09 what about a call at 12am Pacific, 9am Central European?
16:59:21 ouch.
17:00:12 do other West Coasters not like midnight phone calls?
17:05:16 (I don't like midnight calls...)
17:29:57 barryleiba has left #privacy
17:37:36 TallTed has joined #privacy
18:16:41 yoav has joined #privacy
18:26:14 chaals has joined #privacy
18:27:03 chaals1 has joined #privacy
18:27:44 shepazu_ has joined #privacy
19:05:34 weiler has joined #privacy
19:17:20 yoav has joined #privacy
19:24:42 weiler has joined #privacy
19:51:16 yoav has joined #privacy
20:01:48 npdoty has joined #privacy
21:00:17 chaals has joined #privacy
21:01:49 chaals1 has joined #privacy
21:14:02 chaals has joined #privacy
22:06:52 chaals has joined #privacy