PING - informal chairs summary for 6 Dec

Hi all.

Here is the informal chairs summary for 6 December 2012.

We covered a lot during the call so the summary is a little longer than usual.
 
Thanks to our scribes Robin, Tara, Nick and Frederick.
 
Next call on 24 January 2012 (same time)
 
--------
 
Completed action items:
 
- CSP privacy review (see below)
 
New action items:
 
- Proximity API privacy review – due 17 January 2013 (one week before the end of the Last Call period)
- Guidance on fingerprinting
- Guidance on API correlation privacy risks
 
Ongoing action items:
 
- Privacy considerations document/s
 
We need volunteers for these action items. Please sign up to help!
 
*  Report out from the TPAC breakout session: Is preventing fingerprinting a lost cause?
 
Thank you Brad Hill for organising a great session
 
Slides: http://www.w3.org/wiki/Fingerprinting
 
Outcomes: Consensus that this is not a lost cause.
 
- Some possible approaches: DNT; Incognito/In Private browser modes; Tor button; creating a "standard" fingerprint; different user profiles
- Active vs passive fingerprinting: active fingerprinting is relatively easy to detect
- How to address fingerprinting without significant degradation of the user experience?
- Fingerprinting is a recurring discussion across the W3C
- Cost-benefit analysis is difficult
- Reference to PING and call for guidance on fingerprinting
- Might make sense to stop server-side fingerprinting
- Offer users the ability to disable features?
- More discussion needed
 
Nick has started developing guidance on fingerprinting, see:
http://lists.w3.org/Archives/Public/public-privacy/2012OctDec/0204.html
 
This will be posted in a collaborative place so that we can start adding detail.
 
* Report out from the TPAC DAP WG meeting with PING members (Frederick Hirsch)
 
DAP minutes for the session:
http://www.w3.org/2009/dap/materials/minutes-2012-11-02.html#item01
 
Informal chair's notes (item 7):
http://lists.w3.org/Archives/Public/public-device-apis/2012Nov/0105.html
 
Summary report
(from Frederick Hirsch’s email of 6 December 2012
http://lists.w3.org/Archives/Public/public-privacy/2012OctDec/0212.html):
 
Members of the W3C privacy interest group (PING) joined DAP to review privacy concerns using the Pick Contacts Web Intents specification to provide concrete context. (Joined by Christine Runnegar, Rigo and Nick).
 
Rigo clarified that even though the WG may not make normative conformance requirements for some privacy related items, documenting a SHOULD in an informative section has value as it provides a linkage to the legal system (e.g. this allows the question as to why it was not done given that the issue was documented).
 
General note that there is a data protection requirement for the transfer of user data outside the user sphere, so documents should indicate the need for confidentiality in data transfers (but should not mandate SSL as there may be other mechanisms used).
 
WG clarified case for debugging information and Rigo noted that this is indeed acceptable even in a production system as long as the use is limited.
 
Please take a look at the following:
 
"Web Application Privacy Best Practices" W3C WG Note:  
http://www.w3.org/TR/2012/NOTE-app-privacy-bp-20120703/
 
"Device API Privacy Requirements" W3C WG Note:
http://www.w3.org/TR/2010/NOTE-dap-privacy-reqs-20100629/
 
Agreement to continue discussions on PING calls as needed.
 
Rigo, Christine and Nick agreed with Frederick that the meeting with the DAP WG was a valuable exercise.
 
Rigo said that it is good to see privacy considerations being developed and noted their value in helping people using the specifications to understand the issues, and offering guidance. This is why he suggested non-normative language.
 
Nick queried whether we (PING) were coming in too late in the process. Frederick said that DAP is a special case (noting that privacy should generally be brought up at the beginning). DAP had Alissa and John from CDT involved from the beginning, so the group had privacy expertise from the start. The meeting was not so late for this work as the WG is exploring how to combine Web Intents (driven by Google) with Web Activities (driven by Mozilla).
 
Hannes observed that it is often difficult to include people who have not followed the work from the beginning – often the implications are subtle and people need to understand the deployment model. He requested a high level description of Web Intents. Frederick provided this link: http://webintents.org/.
 
* Report out from the Do Not Track and Beyond workshop (Nick Doty)
 
The workshop explored the degree to which W3C standards have policy implications, and the inter-relationship between standards and policy. This discussion revealed that:
 
- participants in W3C work are not always clear what they mean by the term “policy”
- in almost all cases (if not all) standards will have policy effects
- there might be specifications where it is more or less valuable to consider what would be most effective in terms of more traditional policy
 
The conversation will continue.
 
The workshop also covered user studies, economic arguments regarding DNT, and future work. Frank Dawson presented his Privacy Specification Assessment idea and PING’s role was emphasised (e.g. in developing guidance and conducting reviews). There was also apparent interest in icons or standardised short notices from industry, technical and academic participants. In particular, there was some interest in leveraging the careful work undertaken in P3P on definitions and issues. See, for example: http://dev.w3.org/2009/dap/privacy-rulesets/. This might offer some potential for new work. In this respect, Rigo suggested that this might entail examining how to transport metadata that tells the user agent what is happening and how to interface with the user. (See Rigo’s paper: http://www.w3.org/2012/10/dsr-rw-json-p3p/).
 
The minutes will be posted and the workshop co-chairs (Nick Doty and Jan Schallaboeck) will be publishing a short report.
 
* Update regarding CSP privacy issues (Trent Adams) – follow-up from the last call
 
[A very big thank you (“accolades”) to Trent for taking the leadership on this, and working with the WebAppSec WG to ensure these issues were addressed appropriately.]
 
The Content Security Policy work under the Web Applications Security work kicked off a question about privacy that Fred Andrews brought to PING. This raised three substantive issues and an overall engagement concern.
 
Regarding the substantive issues:
 
Three issues were brought up over time on the CSP discussion list. The first could be classified as a phone home mechanism (in effect, a report out feature, i.e. if there was a violation, to allow the owner of the domain to do something about it). The issue raised was that the reporting is silent, and as such shouldn't the user be able to see and agree to the report out. The group looked at the issue and responded that, as this is for networked applications as opposed to desktop applications, users would expect information to be exchanged. It is not like a core dump problem with an OS.
 
The second issue concerned the reporting fields: the initial draft included fields that probably stretched beyond what was strictly necessary to debug and deal with security concerns, so a number have been removed. What is left in the current version are the reporting fields that are needed for debugging the system or for enforcement action.
 
The third issue is fingerprinting, which is a known issue. Unfortunately, by developing techniques to allow the CSP to lock down delivery of content to specific channels, there will be the opportunity to fingerprint. The group evaluated the concerns and said that addressing them is outside the CSP scope.
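To make the first two issues concrete, here is an added example of a privacy-minded receiver for CSP violation reports (example code written for this summary, not code from the WebAppSec WG or the CSP specification). It assumes the CSP 1.0 report shape, a JSON object under a "csp-report" key, and its field names; the summary does not say which fields the WG kept or removed, so the allow-list below is illustrative. It also strips query strings and fragments from the URIs before anything is logged, which is one defender-side way to keep per-user data (session tokens, search terms) out of the phone-home report; that step is this example's suggestion, not something the WG decided.

```javascript
// Added example: minimise a CSP violation report before storing or logging it.
// Assumed (not from the summary): CSP 1.0 "csp-report" JSON shape and field names.
// Which fields the WG trimmed is not stated, so this allow-list is illustrative.
const KEEP = ["document-uri", "blocked-uri", "violated-directive", "original-policy"];

// Strip query string and fragment from a URI so the report does not carry
// session tokens, search terms or other per-user data. Non-URI values such
// as 'self' or 'inline' are not parseable as URLs and pass through unchanged.
function scrubUri(value) {
  try {
    const u = new URL(value);
    u.search = "";
    u.hash = "";
    return u.toString();
  } catch (e) {
    return value;
  }
}

// Keep only the fields needed for debugging or enforcement; drop the rest
// (here, "referrer", which reveals where the user came from).
function minimizeReport(jsonText) {
  const parsed = JSON.parse(jsonText);
  const report = parsed["csp-report"];
  if (!report || typeof report !== "object") {
    throw new Error("not a CSP violation report");
  }
  const out = {};
  for (const key of KEEP) {
    if (key in report) {
      const raw = String(report[key]);
      out[key] = key.endsWith("-uri") ? scrubUri(raw) : raw;
    }
  }
  return out;
}

// Constructed sample report (not captured from any real site); the policy
// string shows the report-uri directive that triggers the phone-home behaviour.
const SAMPLE = JSON.stringify({
  "csp-report": {
    "document-uri": "https://example.com/account?session=abc123#top",
    "referrer": "https://search.example.net/?q=private+query",
    "blocked-uri": "https://tracker.example.org/pixel.gif?uid=42",
    "violated-directive": "img-src 'self'",
    "original-policy": "default-src 'self'; img-src 'self'; report-uri /csp-report"
  }
});

console.log(minimizeReport(SAMPLE));
```

Run with node; the output keeps the four allow-listed fields with the query strings removed and drops the referrer entirely.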
 
Regarding the engagement issue:
 
We understand that the reason Fred Andrews brought his concerns to PING is that he felt that his concerns were not being dealt with fairly in the WebAppSec WG.
 
Trent took this issue as well as the substantive issues to the chairs of WebAppSec, noting that PING needs to ensure privacy issues are properly dealt with. The chairs opened up the issues, did due diligence, catalogued the decisions and updated the issue tracker. Trent also spoke to the chairs last night. They expressed their apologies that they let the conversation on the list get beyond what is the normal way of discourse and said that they appreciate PING’s willingness to help.
 
Rigo commented that this is a success for PING and said that Trent can report to the WebAppSec WG that he is fully satisfied with the way these issues have been addressed, particularly because the WG considered each of the fields in reporting back.
 
Some references:
 
http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0008.html
 
https://www.w3.org/2011/webappsec/track/issues/11
 
http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0048.html
 
* Upcoming privacy reviews:
 
Proximity API (Frederick Hirsch)
 
Frederick explained that the DAP WG used to have big, complicated specifications, but these are harder to test, more difficult to understand and get implementations for, and more difficult to analyse for privacy and security issues. So, the DAP started producing more, smaller specifications.
 
The Last Call of the Device APIs (DAP) Proximity API was published today and is located at http://www.w3.org/TR/2012/WD-proximity-20121206/
 
An example use case is to detect when the phone is near a person's face (e.g. in a call) to avoid inadvertent touch events. The specification provides two event mechanisms, one to indicate whether or not something is close and the other to provide implementation dependent distance information.  It appears that there are no privacy considerations to note in the specification but feedback would be appreciated.
 
The specification does not contain any privacy or security considerations at this point. Frederick suggests not adding generic fingerprinting considerations to every specification unless there is something noteworthy - any functionality potentially provides additional information. But, the systemic risks do need to be documented somewhere (e.g. in a document developed by PING).
 
There was some discussion as to whether the document should go on www.webplatform.org or be an extension of the DAP privacy considerations document or a PING note. The group will start developing the document and then decide where it would best fit.
 
Frederick noted that one approach to mitigate fingerprinting is not to flag status, but simply to not do the function if it is not available, but this is not in this specification. He does not see privacy concerns with respect to this specification alone, but would like PING to review the specification nonetheless.
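As an added illustration of the two event mechanisms and the in-call use case described above (example code written for this summary, not code from the DAP WG or the Proximity API draft): the event names and attributes below, deviceproximity with a distance value plus min/max, and userproximity with a near flag, are assumed from the Working Draft, and the event objects are constructed so the logic can run outside a browser. The registration pattern at the end is the page-side counterpart of Frederick's mitigation: rather than testing whether the events are supported (which would turn sensor availability into one more fingerprinting signal), the handlers are registered unconditionally and simply never fire on a device without the sensor.

```javascript
// Added example: consuming the Proximity API's two events for the
// "phone near face during a call" use case. Event names and attributes are
// assumed from the 2012 Working Draft; the sample events are constructed.

// Decide whether touch input should be suppressed. The coarse userproximity
// signal is used directly; the implementation-dependent distance value is
// compared against a threshold when that is what the platform delivers.
function shouldSuppressTouch(evt, nearThresholdCm) {
  if (evt.type === "userproximity") {
    return evt.near === true;
  }
  if (evt.type === "deviceproximity") {
    if (typeof evt.value !== "number" || Number.isNaN(evt.value)) {
      return false; // malformed or missing distance: do not suppress
    }
    return evt.value <= nearThresholdCm;
  }
  return false;
}

// Register listeners without branching on feature availability
// (no `'ondeviceproximity' in window` check, which would expose whether the
// device has a sensor). Without a sensor the handlers are never invoked.
function installHandlers(target, onChange) {
  const handler = (evt) => onChange(shouldSuppressTouch(evt, 5));
  target.addEventListener("userproximity", handler);
  target.addEventListener("deviceproximity", handler);
  return handler;
}

// Constructed event sequence: far by distance, near by flag, near by distance, far by flag.
const SAMPLE_EVENTS = [
  { type: "deviceproximity", value: 8, min: 0, max: 10 },
  { type: "userproximity", near: true },
  { type: "deviceproximity", value: 2, min: 0, max: 10 },
  { type: "userproximity", near: false },
];

// Replay a sequence of events and return the suppression decision for each.
function replay(events) {
  return events.map((e) => shouldSuppressTouch(e, 5));
}

if (typeof window !== "undefined") {
  installHandlers(window, (suppress) => console.log("suppress touch:", suppress));
} else {
  console.log(replay(SAMPLE_EVENTS)); // outside a browser, use the constructed events
}
```

The threshold of 5 cm is an arbitrary choice for the example; the draft leaves the distance units and range implementation dependent, which is why the near/far flag is the safer signal for an application to rely on.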
 
Nick noted a possible scenario for correlation risk involving APIs plus something else. He provided the example of Color Labs Hyped Mobile App.
 
Christine called for volunteers to conduct the privacy review and start working on the guidance document. Joe Hall volunteered for the privacy review.
 
Other DAP privacy reviews
 
see also http://lists.w3.org/Archives/Public/public-privacy/2012OctDec/0214.html
 
HTML Media Capture – under revision after LC review, expect to publish updated WD, may request privacy review.
 
Also in the future – contacts and calendar
 
* Identity transparency in the browser
 
This item previously raised by Henry Story will be on the next call’s agenda.
 
Christine and Tara
 
 

Received on Tuesday, 11 December 2012 16:14:48 UTC