06:43:00 RRSAgent has joined #privacy-principles
06:43:04 logging to https://www.w3.org/2023/09/13-privacy-principles-irc
06:43:04 RRSAgent, do not leave
06:43:04 RRSAgent, make logs public
06:43:05 Meeting: Privacy Principles
06:43:05 Chair: Jeffrey Yasskin, Daniel Appelquist
06:43:05 Agenda: https://github.com/w3ctag/privacy-principles/blob/main/meetings/2023-09-tpac/breakout/agenda.md
06:43:07 Slideset: https://raw.githack.com/w3ctag/privacy-principles/main/meetings/2023-09-tpac/breakout/slides.html
06:43:10 clear agenda
06:43:12 agenda+ Pick a scribe
06:43:16 agenda+ Reminders: code of conduct, health policies, recorded session policy
06:43:18 agenda+ Goal of this session
06:43:20 agenda+ Discussion
06:43:22 agenda+ Next steps / where discussion continues
06:43:28 Ian has left #privacy-principles
07:12:53 Ian has joined #privacy-principles
07:12:55 Ian has left #privacy-principles
13:06:02 RRSAgent has joined #privacy-principles
13:06:03 logging to https://www.w3.org/2023/09/13-privacy-principles-irc
13:06:07 ack psnyder
13:06:15 q+
13:06:39 psnyder: there's been disagreement about whether this doc should be very narrow, or broader to what privacy means on the web at large
13:06:45 ... there are lots of opinions
13:06:51 ... would be totally expectation to make this about expectation on users
13:06:56 ... users don't have any representations in the w3c
13:07:04 ... would be inappropriate to say what users ought to be doing on the web in this document
13:07:17 bmay: my intent is not to define the expectations of users, but for users, about what they can expect from interactions on the web
13:07:21 ... not necessarily in this document
13:07:25 ... a companion document may be more appropriate
13:07:39 ... since users are a major constituency and we're talking about their privacy, we should give them perspective
13:07:43 psnyder: that would be useful
13:08:06 ack charlieharrison
13:08:06 jyasskin: that seems like something the privacy wg can take up, not something the tf is going to
13:08:16 robin has joined #privacy-principles
13:08:24 charlieharrison: there are a lot of principles here. Valuable, but also worry about the difficulty of applying these to specific specifications
13:08:28 ... it's a lot of things to keep in your head at once
13:08:40 ... what has the TAG thought about process changes, eg. incorporating in the S&P questionnaire
13:08:45 ... other ways to force us to look at this?
13:08:50 DKA: hmm
13:09:05 q+ robin to present your favorite section
13:09:15 ... I do think it needs to be integrated in the P&S questionnaire in a way that doesn't make the questionnaire 3x as long as it currently is
13:09:31 ... channeling Nick Doty for a second. Nick would say any shortened version of this list is necessarily not going to be as accurate
13:09:41 cfredric has joined #privacy-principles
13:09:45 ... I agree with that, and also understand and sympathetic to the point about not wanting to read the encyclopaedia before I start my work
13:10:02 ... maybe we need a demystifier, or something that guides..
13:10:07 ... which principles to be interested in
13:10:15 charlieharrison: any sort of narrowing of focus for specific sub areas is great
13:10:43 q+ to talk about establishing a guide document (this one, say) while shortening/focusing the questionnaire
13:10:45 ... it's hard to keep in my head focussing things ... we don't want to make the S&P questionnaire longer, but we also want people to think more about all of these things. We should figure out where we stand
13:10:54 DKA: there should be one point of entry in the review process for security and privacy
13:11:09 ack robin
13:11:09 robin, you wanted to present your favorite section
13:11:10 ... a jumping off point, the first port of call should be the questionnaire. That would be my starting point, but we haven't discussed it. Good feedback.
13:11:39 robin: /waves
13:11:46 ... my favourite part is the focus on user agents
13:12:00 ... a lot of us take this for granted in browsers, but it was worth writing down in the context of privacy
13:12:12 ... one aspect that I personally am very interested in is to consider UAs as being fiduciaries
13:12:15 ... agents to whom you delegate
13:12:27 ... when you delegate to an agent, you're entrusting them with a lot of power over your life
13:12:32 ... and they have a lot of expertise which you don't have
13:12:37 +q
13:12:37 ... this puts them in a position of power wrt to you
13:12:44 ... there are legal frameworks so they cannot abuse that power
13:12:52 ... I think it's important to approach browsers with the same mindset
13:13:04 ... if browsers start to abuse the extremely high level of trust we put in them, it breaks the web and is bad for users
13:13:14 ack mt
13:13:14 mt, you wanted to talk about establishing a guide document (this one, say) while shortening/focusing the questionnaire
13:13:21 mt: Martin Thompson, Mozilla
13:13:26 ... about the S&P questionnaire
13:13:34 ... this document represents something of a contribution in this space that helps with that
13:13:40 ... it's also very abstract and complicated
13:13:46 ... I don't think it serves the purpose of a guide we might expect to have
13:13:54 ... I think we have a much better understanding of security
13:14:00 ... and we can produce more cogent and precise guides for that
13:14:05 ... but privacy is more difficult
13:14:13 ... I'd like to see some work to guide material that accompanies or is part of this
13:14:21 ... in ietf we've built up a culture of security, rooted in the idea we have a guide
13:14:35 ... we have a requirement that people write security considerations, but we don't give them a long questionnaire
13:14:53 ... we provide material so people can understand the sorts of things they might need to accomplish what is acceptable
13:14:58 ... I'd like to see this sort of process here
13:15:08 ... if you ever consider this done...
13:15:15 DKA: the idea is that this document is done quite soon
13:15:18 q+
13:15:31 mt: but there is follow on work. I'd encourage keeping the taskforce open or look at work in PING to continue this valuable work
13:15:34 DKA: that's good feedback
13:15:39 ... comes under the heading of ensuring this is used
13:15:41 ack philippp
13:15:49 philippp: Philipp, Google chrome
13:15:57 ... protecting users from abusive behaviour
13:16:00 ... about pooling information
13:16:20 ... historically ?? are useful for sharing.. but also are a cross site tracking vector
13:16:31 ... anything else to help people band together to protect themselves from abuse, especially for smaller publishers
13:16:40 ... this section is here so you know you're on solid ground for inventing those things
13:16:41 DKA: yeah
13:16:49 ... it's the starting point
13:16:58 ack bmay
13:17:06 mt: to ask about Michael Champion's feedback on the document
13:17:10 q+ to ask about Michael Champion's feedback on the document
13:17:56 bmay: may have overlooked it - is there any part that addresses the consequences of decisions, or considering the consequences on privacy
13:17:56 ... eg. 3p cookies being withdrawn - which I think has a positive impact on user privacy, but also unintended consequence of having first parties gather much more information than they previously did
13:17:56 ... is that something the document intends to address?
13:17:56 jyasskin: unintended consequences?
13:18:00 bmay: and prioritising review of unintended consequences as part of the privacy review
13:18:02 rhiaro: s/??/identifiers like IP address and email addresses/
13:18:13 jyasskin: I don't think we address unintended consequences. We have a section about looking like there's a tradeoff
13:18:22 I am reminded of the known knowns, known unknowns, and unknown unknowns taxonomy here
13:18:26 ... when they become known consequences, how do you think about when there is one good thing and one bad thing
13:18:41 ... a lot of privacy experts' experience is if you think a bit harder about your problem space you can often find a way to get both good things
13:18:45 ... but that's not always the result
13:18:49 ack mt
13:18:49 mt, you wanted to ask about Michael Champion's feedback on the document
13:19:32 mt: you received extensive feedback from Michael Champion on this. I share sentiments on readability and accessibility of this doc
13:19:32 ... there's a lot here that I like but it's hard going
13:19:32 ... what have you put in to look at addressing that feedback
13:19:33 robin: we've received several such feedback
13:19:40 ... it's been difficult to figure out a good path towards addressing it
13:19:49 ... one part is it's written in a style that is not readable, that is largely my fault
13:19:53 fsenra has joined #privacy-principles
13:19:55 ... we have been trying to address with good old fashioned editing
13:20:00 ... we can make progress
13:20:14 ... the other part of the feedback is people saying there's a lot of concepts in here and it seems like privacy is hard
13:20:19 ... I'm not entirely sure what we can do
13:20:38 ... it relates slightly to.. in part to previous comment about boiling things down to a section that can be repeated
13:20:50 ... one of the cultural differences between privacy and security spaces is that in security, a lot of the original experts were already computer people
13:21:00 ... and so moving from that to a shorter list, distilling things, was easier
13:21:09 ... in the privacy space, computer people tend to be clueless about how privacy works
13:21:24 ... so there's more work to bridge that gap so that we can ultimately.. and I agree with you that's where we want to get - boil it down to simpler lists and principles
13:21:40 ... I invite input and feedback on this. Struggling to figure out ways of building up that understanding and culture outside of the privacy community
13:21:48 ... and much more broadly in the web community without making it as difficult and as much to read
13:21:52 alextcone has joined #privacy-principles
13:21:59 ... either we don't do it well and we're not saying enough
13:22:03 q?
13:22:06 ... or we bring all the important concepts, and.. it's a lot
13:22:26 q+
13:22:27 sysrqb has joined #privacy-principles
13:22:45 Matt G: from chromeOS
13:23:01 ... reading through, it's apparent that it seems to conflate advice for UAs and sites or people collecting data
13:23:08 ... I would say it's probably more than half of the recommendations apply to sites?
13:23:19 +1 to separate out site guidance
13:23:29 ... so if you don't want to remove advice for sites, separating it out to two major sections would make it a lot easier for people implementing UA features
13:23:33 robin: I think that is true, but I'm also getting asked for an email address by most websites I visit.
13:23:34 this goes to what we discussed earlier about focused guides
13:23:36 ... that might mitigate the problem of being too much
13:23:58 ... and teasing apart.. example in section 2.9... says system designer should.. then gives examples of only things services can do
13:24:06 eeeps has joined #privacy-principles
13:24:11 DKA: if you see things that could be more clearly stated and we're conflating concepts, please raise an issue on the document!
13:24:40 ... one of the feedback points we've heard, which is actionable, is to take that list at the bottom and bring it up to the top? and split it up into lists that are applicable to each particular persona who might be reading the doc
13:24:44 q+
13:24:44 ... definitely something we can do
13:24:49 ack bmay
13:24:54 bmay: thanks everyone who worked on this to date
13:25:17 ... Recommend to everyone who is interested in the subject to get involved. We're in a position where people are losing confidence in the web, if we can make the web trustworthy again that would be best for everyone
13:25:20 ack reillyg
13:25:47 reillyg: in the beginning of the document it says it's expanding on the privacy from the EWP
13:25:56 ... the title of that is "security and privacy are essential"
13:26:01 ... is the next task to do this for security
13:26:15 DKA: maybe
13:26:20 jyasskin: I think there's less confusion about security
13:26:25 ... there's more consensus
13:26:34 ... I think we're missing a threat model for the web. Security people agree and haven't written it down
13:26:38 ... that's a webappsec working item
13:26:43 q?
13:26:43 q?
13:26:48 [+1 we think we understand security better than privacy]
13:26:51 jyasskin: Thanks all for coming, please send patches
13:27:01 RRSAgent please make minutes
13:27:11 Meeting: Privacy Principles breakout, TPAC 2023
13:27:17 Zakim, end meeting
13:27:17 As of this point the attendees have been bmay, wanderview, doniv, rhiaro, rupert, past, gendler, jyasskin, psnyder, charlieharrison, tomayac, alextcone, Tara, mhcr, cfredric,
13:27:19 ... Nigel_Megitt, Reilly_Grant, Dan_Appelquist
13:27:19 RRSAgent, please draft minutes
13:27:20 I have made the request to generate https://www.w3.org/2023/09/13-privacy-principles-minutes.html Zakim
13:27:23 I am happy to have been of service, rhiaro; please remember to excuse RRSAgent. Goodbye
13:27:27 Zakim has left #privacy-principles
13:27:49 [I think people who know and care distrust the Web, but that's because it's an IT system and they are generally seen as not being trustworthy]
13:28:34 [normal people talk about how much they no longer trust their phones. And who trusts a modern electric car?]
13:59:22 Ian has joined #privacy-principles
14:13:16 weiler has joined #privacy-principles
14:13:19 weiler has left #privacy-principles
14:50:16 caribou has left #privacy-principles
15:22:22 RRSAGENT, bye
15:22:28 RRSAGENT, set logs public
15:22:31 RRSAGENT, bye
15:22:31 I see no action items