PING – informal chairs summary – 25 February 2016 from Tara Whalen on 2016-03-24 (public-privacy@w3.org from January to March 2016)

From: Tara Whalen <tjwhalen@gmail.com>
Date: Thu, 24 Mar 2016 00:49:50 -0700
To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <CA+T70Aj0LcbXAOCNxGNypQ5QF66hZXXAcjrDUgfCqaLUjU93iw@mail.gmail.com>

PING – informal chairs summary –  25 February 2016

Thank you to Stefan Håkansson (WebRTC WG) and Frederick Hirsch (Device APIs
WG) for joining our call.

Thanks to Nick Doty for acting as scribe.

Our next call will be on 24 March 2016 at the usual time.

* Web RTC 1.0

The WebRTC Working Group is working toward publishing the WebRTC 1.0
specification to Candidate Recommendation [1] and asked PING for input on
privacy aspects [2], including privacy considerations and the risks
associated with exposing IP addresses as part of the establishment of the
P2P connection. At the time of the PING call, the WG anticipated that
Candidate Recommendation status was at least a couple of months away, but
the group is working hard to make progress. Discussion during the call
identified a number of questions to resolve, which have been summarized and
sent to the WG for resolution. In brief, the items to be addressed focused
on providing more detailed background on how issues were address or
mitigated (e.g., the rationale underlying specific decisions); leakage of
information such as local IP addresses or device IDs; and user-focused
issues such as how to give effective notifications (e.g., about where data
is going), which indicators should be part of the user agent, and how to
handle revocation of permissions.

* Vibration API

The Device APIs WG are considering proposing a revision of the Vibration
API, including a possible section on Security and Privacy [3], and reached
out to PING for input [4]. The initial concerns raised were that device
vibration can be detected (e.g., with motion sensors) and used for
fingerprinting, and that a device can be made to vibrate as a means of
detection. Further discussion brought up the parallels with previous
discussion on the Ambient Light Events review [5] -- specifically, if we
can find a way to detect that this is happening and alert the user, the
this might act as a mitigation. There was also further focus on
cross-device tracking as a risk, with the result that this would be brought
back to the WG for discussion.

* Privacy Questionnaire
A reminder that Greg Norcie has ported the Privacy Questionnaire over to
GitHub [6] to make collaboration and contributions easier, and hopes that
we can use this document for addressing some of the more difficult privacy
questions (e.g., notice and consent).

* Next call

24 March 2016 at UTC 17

Christine and Tara

[1] https://www.w3.org/TR/2016/WD-webrtc-20160128/
[2] https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0007.html
[3]
https://github.com/anssiko/vibration/commit/48489c54e0b7ed80900e0906fa79803c8fa77069
[4] https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0016.html
[5] https://www.w3.org/TR/ambient-light/
[6] https://github.com/gregnorc/ping-privacy-questions

Received on Thursday, 24 March 2016 07:50:26 UTC