PING - informal chairs summary and action items - 5 December from Christine Runnegar on 2013-12-11 (public-privacy@w3.org from October to December 2013)

From: Christine Runnegar <runnegar@isoc.org>
Date: Wed, 11 Dec 2013 06:43:38 +0000
To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <74FF74F2-244A-4B08-AE8A-7A14F8B060C1@isoc.org>

INFORMAL CHAIRS SUMMARY

Regrets: Erin Kenneally and Joe Hall

Our next call will take place on 30 January 2014 at the usual time. Please mark your calendars.

We will have a guest from the Device APIs WG joining us to discuss the draft Network Services Discovery specification [1].

Action items:

*Please review EME [2] and provide your comments by 18 December 2013 so that we have enough time to compile them for the HTML WG before the end of the year.

*Please review GetUserMedia [3] and provide your comments by 18 December 2013 so that we have enough time to compile them for the Media Capture Task Force before the end of the year.

*Please review and provide your comments on these drafts:

- Fingerprinting Guidance for Web Specification Authors [4]
- Privacy Considerations for Web Protocols [5]
- Specification Privacy Assessment [6]

by 23 January 2014, one week before the next call.

(1) Fingerprinting Guidance for Web Specification Authors

Nick has produced an excellent draft. The chairs would like to see this draft move forward as a draft Group Note. To this end, additional feedback will be sought prior to the next call. If the chairs consider that the document is mature enough to transition to a draft Group Note, a call for consensus will be issued on the email list following the call.

If the draft is published as a PING Draft Group Note, the chairs propose to seek additional input through the Technical Advisory Group (TAG), Web Security Interest Group, W3C chairs list, IETF, and other relevant communities.

Nick Doty outlined recent changes to the document such as the addition of text on mitigations and Do Not Track. Nick continues to hear some scepticism as to whether it is feasible to stop active fingerprinting. He noted that the guidance in the draft is less prescriptive for active fingerprinting, but that there is new text regarding detectability. Christine asked what compliance with DNT preference expression is likely to mean for fingerprinting. Nick noted that the work is still ongoing in the Tracking Protection WG, so he cannot give a complete answer until the specifications are finalised. However, Nick expressed the view that some sites might still do fingerprinting if it is needed for security purposes or occurs automatically during the request, but that it would not keep the data and correlate the requests. This is mainly mitigation against the privacy implications regarding the correlation and use of such data. It will not prevent Javascript from running, but it might prevent the activities that concern a user.

(2) Privacy reviews

*Web Cryptography

The comments provided by Robin Wilton on the Web Cryptography API [7] and the WebCrypto Key Discovery [8] have been provided to the Web Cryptography WG. A further call for comments was issued on the public-privacy@w3.org email list. No additional comments were provided.

*EME

Joe Hall provided comments on EME. These were circulated on the public-privacy@w3.org email list before the call. Additional reviewers are requested.

Wendy Seltzer recommended that PING get its comments in before the end of the year. She also noted that the Web Security Interest Group has been asked to undertake a security review.

*GetUserMedia

Frank Dawson undertook a review of GetUserMedia using the process prescribed in the draft Specification Privacy Assessment (SPA) document. These comments were circulated on the public-privacy@w3.org email list. Additional reviewers are requested. Given that Frank Dawson’s review was somewhat experimental, he would appreciate receiving feedback on his analysis, especially from someone who is an expert in GetUserMedia.

The chairs would like to close two open action items by the end of the year - the EME and the GetUSerMedia privacy reviews.

(3) Privacy Considerations for Web Protocols

It is hoped that Hannes Tschofenig (editor) will be able to continue to participate in PING. There has been some discussion of the draft on the public-privacy@w3.org email list, but it would be very useful if PING members (and others) could review the draft and provide their feedback prior to the next call so that this work can move forward.

(4) Specification Privacy Assessment

Frank has received comments from Art Barstow on the draft Specification Privacy Assessment document. It would be helpful to have additional feedback before the next PING call. Nick has some comments that he will provide to Frank. Frank will revise the draft between now and the next call.

As with the fingerprinting guidance, if the chairs consider that the document is mature enough to transition to a draft Group Note, a call for consensus will be issued on the public-privacy@w3.org email list following the call.

(5) Web standards and surveillance (what can PING do?)

This was a preliminary discussion. Please circulate your ideas on the public-privacy@w3.org email list.

We discussed the recent IETF meeting. Some of the takeaways from that meeting were:
- There was consensus in the IETF technical plenary: to address pervasive surveillance; consider this threat model when assessing whether standards-track specifications are acceptable or not; include encryption even outside authentication where practical; strive for end-to-end encryption, etc.
- The scale of the threat changes the assessment of the threat and countermeasures. For example, increasing the difficulty of surveillance becomes a much more interesting countermeasure where it is on a large scale. Making surveillance detectable is also important.

The W3C and the IAB will be holding a workshop adjacent to the IETF on "Strengthening the Internet Against Pervasive Monitoring (STRINT) on 28 February and 1 March 2014. This workshop will be hosted by the EU FP7 STREWS Project. PING members are encouraged to submit position papers (due 15 January 2014). More information is available here: https://www.w3.org/2014/strint/Overview.html

It is important that the W3C take active steps to improve robustness of Web standards against the surveillance threat. PING can contribute by conducting privacy reviews of draft specifications, keeping this additional threat model in mind. The chairs will approach the chairs of the Web Security Interest Group to explore the possibility of coordinating privacy and security reviews. PING’s work on Privacy Considerations for Internet Protocols and Fingerprinting Guidance for Web Specification authors is also important, as they will provide privacy design principles and guidance for mitigating privacy threats.

Interested persons are invited to join the Web Security Interest Group.

Christine and Tara

[1] http://www.w3.org/TR/discovery-api/
[2] https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html
[3] http://dev.w3.org/2011/webrtc/editor/getusermedia.html
[4] http://w3c.github.io/fingerprinting-guidance/
[5] http://www.tschofenig.priv.at/w3c-privacy-guidelines.html#guidelines
[6] http://yrlesru.github.io/SPA/
[7] https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
[8] http://www.w3.org/TR/webcrypto-key-discovery/

Received on Wednesday, 11 December 2013 06:44:07 UTC