Informal chairs summary and minutes

Dear all.

Here is our informal chairs summary for 14 June 2012.

The minutes can be found here: http://www.w3.org/2012/06/14-privacy-minutes.html

A very special thank you to our three guests:
 
Frederick Hirsch (Co-chair of the W3C Device APIs WG and PING member)
Virginie Galindo (Chair of the W3C Web Cryptography WG)
Nick Doty (W3C Staff Contact for the W3C Tracking Protection WG and PING)
 
The discussion about the work underway in DAP, Crypto WG and the Tracking Protection WG was very useful in helping PING understand some of the privacy issues that may arise in W3C standards development, particularly in the areas covered by those groups.
 
--------
 
*Report from DAP (Frederick Hirsch)
 
The DAP is chartered to create client-side APIs that enable the development of Web Applications and Web Widgets that interact with devices such as Calendar, Contacts, Camera, etc. As such, a wide variety of information is involved, including: video; audio; sensor information; proximity; battery status; vibration information; gallery; contacts; calendar; etc. This raises a number of privacy issues, such as access to personal information, unexpected uses of information, and fingerprinting.
 
Since the DAP is only working on API specifications, rather than the whole system, dealing with privacy issues is difficult.
 
The DAP produced a W3C Working Group Note in 2010 – Device API Privacy Requirements (http://www.w3.org/TR/2010/NOTE-dap-privacy-reqs-20100629/).
 
The DAP also tried to undertake some work to allow users to express their privacy preferences, but this proved too difficult, so the group focused instead on data minimisation (i.e. designing the API to return the minimum amount of data). This should be the general practice.
 
Fingerprinting is a hard problem to solve, and users tend to opt for utility when there is a trade-off with privacy.
 
The DAP has 2 taskforces:
 
- Media Joint Task Force (with the Web Applications WG)
- Web Intents Task Force
 
The API specification does not mandate the user-interface or user interaction. This is left to implementation (relying on the market and/or law to decide what is appropriate and best practice). In any case, specifying the user-interface would be difficult given the multitude of possible ways of interacting (including voice). A better approach is to insist on a particular paradigm.
 
The Web Intents Task Force will be producing a new draft soon. This will need a privacy considerations section.
 
The DAP welcomes input from PING.
 
Suggestion provided by Wendy Seltzer: offer a standard anonymity profile
Suggestion provided by Nick Doty: make it easier for the browser (or a researcher) to detect fingerprinting
 
Action: Frederick Hirsch will share these suggestions with the Media Joint Task Force
 
*Report from Crypto WG (Virginie Galindo)
 
The W3C Web Cryptography Group started recently. It is chartered to develop cryptographic tools for developers – anything a developer needs to add cryptography to their application (end-to-end security). However, these are tools, not a whole solution.
 
The Crypto WG is currently actively discussing the JavaScript API – how to handle secrets and making sure that when a user creates a secret they will not be tracked by that secret.
 
Potential privacy issue: if there is leakage of crypto key information - potential for tracking and fingerprinting.
 
Link to Editor’s Draft Web Cryptography API - http://www.w3.org/2012/webcrypto/WebCryptoAPI/
 
Crypto WG welcomes input from PING.
 
*Report from Tracking Protection WG (Nick Doty)
 
A very brief update:
- Web services can track user activity so the focus of the group has been user preference expression (“do not track”). There is also new work on defining what it means to “comply”.
- Next F2F next week – trying to get to last call
 
*Privacy Considerations
 
We need to move this work forward. PING members were encouraged to offer suggestions for the outline and provide pointers to relevant work.
 
Kasey and Joanne offered to help.
 
*AOB
 
Pär Lannerö would like comments on the Common Terms Project (see the email dated 19 April 2012)

Thanks everyone.

Christine and Tara

Received on Friday, 13 July 2012 08:11:24 UTC