PING - informal chairs summary - 15 January 2015

(Apologies for lateness of summary; PING business and my vacation overlapped... - Tara)

Our next call will be on 26 February 2015 at the usual time.

Thanks very much to chaals (Charles McCathie Nevile) for acting as scribe.

Regrets from Mark Nottingham and Joe Hall.

A warm welcome to our new PING members!

Our 15 January call was originally expected to run without a formal agenda, focusing instead on current privacy issues of general concern to PING members. Such a broad discussion did take place, but enough additional items arose that an agenda was drafted.

We were fortunate to have Simon Rice, Group Manager (Technology) at the UK Information Commissioner's Office, present and discuss the Article 29 Working Party Opinion on device fingerprinting [1]. Simon explained that the Opinion was written to clarify that device fingerprinting requires consent, just as cookies do, and that the practice can be even more intrusive than cookie-based tracking: a user has little means of detecting that fingerprinting is occurring, and little means of changing a device's fingerprint. The Opinion identifies some narrowly scoped exceptions to the consent requirement; for example, the MAC address of a network controller is necessary for communication and is therefore exempt. PING members raised a number of questions about the Opinion, such as:

Q: For embedded third parties, does the website have responsibility for getting consent for fingerprinting done by the first party? A: As with cookies, it is the party processing the data that has the legal requirement to get consent (generally the third party).

Q: How would the Working Party characterize Google Analytics, which uses a first-party cookie that they transmit to another server? Does that require consent? A: We would view analytics as being done by the website operator. Google Analytics may perform analysis for a single site, but if it is shared across sites we would treat it as a third party.

Q: As for the second exception (use for licensing or security purposes), is the user required to be told that the fingerprint will be used? A: It is clear in the legislation that the exemption is from the requirement for consent; the user must still be informed that this is taking place.

Q: If fingerprinting gets through the 5.3 rule, how is consent handled? Is it sufficient to have it in general usage rules? And how will this change under the new regulation? A: In terms of practically getting consent, we don't want a banner to accept cookies, then another for a fingerprint, and another for some more fingerprinting. But there is no reason a website cannot include device fingerprinting in the same step as consent for cookies, e.g. by increasing the amount of information and the scope of the existing request.

The next agenda item was Mike West's (Google) draft privacy and security questionnaire [2], introduced during our previous call on 4 December. Mike joined the call to present the document. It is a "strawman questionnaire" that specification authors should read to understand the privacy and security issues their specification might run into. The idea is to get authors to consider these issues early, so the questionnaire acts as a sort of early review and can surface concerns well before the implementation stage. The goal is not to block features but to help spec authors who are not privacy experts think about the issues. As an added benefit, this often obviates the need for a formal review, because the developers find the issue before we get there and ask us the right questions in advance. Mike is hoping to collaborate on the questionnaire, perhaps coordinating it with existing PING documents. We expect to look at it further on our next call, when we turn our attention back to the Privacy Considerations and related documents.

Next there was some discussion of the TAG draft finding "Transitioning the Web to HTTPS" [3], primarily to alert PING members that the document was to be concluded shortly (before the next PING call); members were therefore urged to share any comments promptly and directly with Mark Nottingham and the TAG.

The final item was an open discussion and sharing of information on recent developments in privacy. This centered mainly on news items about the possible outlawing of certain types of encryption in the UK; these issues have been the subject of heated debate, with concerns not only for the confidentiality but also for the integrity of communications.

[1] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp224_en.pdf
[2] https://mikewest.github.io/spec-questionnaire/security-privacy/
[3] https://w3ctag.github.io/web-https/

Minutes are available here: http://www.w3.org/2015/01/15-privacy-minutes.html

Christine and Tara

Received on Monday, 23 February 2015 02:43:44 UTC