PING - informal chairs summary - 26 June 2014

PING - informal chairs’ summary – 26 June 2014

Next meeting – 31 July 2014 at the usual time

Thanks to Joe Hall and Nick Doty for very kindly, once again, acting as scribe.

* The W3C Privacy Activity Page [1] has been updated with links to all the PING call summaries

* The Privacy Considerations draft has been imported into Github [2] and there has been some further discussion regarding the approach on the public-privacy email list. An informal working task force has been assembled (Hannes, Nick, Joe, Christine) to drive this work forward. The informal TF will aim to have a face-to-face meeting at IETF 90 to work on the draft.

Action: Please volunteer to join this informal TF and provide your input on the document via the public-privacy email list.

* SPA: Frank Dawson was unable to attend the call, so no updates were provided. Joe Hall observed that there could, currently, be some overlap between the Privacy Considerations draft and the SPA draft. To prevent overlap, Hannes Tschofenig suggested the SPA focus on process and the Privacy Considerations focus on the content for privacy reviews. Christine proposed that the TF examine both documents at IETF 90 to address this issue.

Action: Please provide your input via the public-privacy email list.

* Browser fingerprinting: Nick Doty is waiting for more expert feedback. Christine suggested inviting interested experts to a “coffee” meeting at IETF 90 to discuss the draft. Nick said he has already spoken with some security experts at IETF, but that this may be a useful way to get some broader feedback. Joe offered some names of experts to approach: Keaton Mowery, DKG, Tom Ritter. He also foreshadowed a new draft RFC (expected to be available in 1-2 weeks) examining how censorship tools have resulted in reducing the openness of the Web.

Action: Nick and Christine to solicit more feedback on the draft; Joe to provide a link to the draft RFC

* IndieUI: User Context 1.0 [3] has received approval to transition to First Public Working Draft. PING members are encouraged to review the Privacy Model.

Action: Please volunteer to review the Privacy Model of User Context 1.0 and share your comments on the public-privacy email list. (Note: Joe is willing to review if someone will partner with him on this.)

* Indie UI and Geolocation – communicating justification for wanting data – As a follow-up to the May PING call, James Craig posted a message on the public-geolocation and the public-indie-ui email lists observing that the Geolocation API currently lacks a means for Web applications to communicate why a user’s location is wanted/needed, providing details of the approach proposed for Indie UI User Context 1.0 to enable this functionality, and seeking comments. [4] This sparked some discussion. One concern raised was spoofing risk – i.e. how can the user be sure that the string comes from a trusted source.

Nick reported that this issue was discussed when the Geolocation API was developed and that a decision was made at that time not to include it. Joe posed the questions: “What is the difference between now and then? Have platforms changed? Motivations? Arguments for and against?” He also suggested that it might be useful to track how things have changed in the intervening period and the potential implications for including this functionality. Nick observed that this is a “classic issue” that is likely to come up across many W3C specifications so it would seem worthwhile for PING to address this. 

In the context of this discussion, Joe Hall mentioned a paper that will be presented by Dan Boneh and his group at USENIX regarding how a mobile accelerometer can be used as a microphone – an example of an unexpected use that was most likely not contemplated when considering privacy & security risks before implementation.

Nick and the chairs will consider a possible action item for PING on this issue.

* Privacy reviews and other tasks

Action: Nick will investigate easy to use tools for PING to keep track of documents, timelines and interested people

* The W3C Web Security Interest Group reached out to PING to ask about our working methods. Christine reported that we are still developing our methodology and guidance documents. She also reported that calls with other WGs on particular specifications are very useful.

* The Device APIs Working Group has published a Last Call Working Draft of the following three specifications - Vibration API [5], Ambient Light Events [6], and HTML Media Capture [7]. Each specification is returning from Candidate Recommendation to Last Call due to normative changes to address implementer feedback as well as some minor editorial improvements. The end of the review period is 24 July 2014. (Notes: PING provided some early feedback on Ambient Light Events. HTML Media Capture provides advice for User Agent implementation concerning privacy. The security and privacy considerations section was made non-normative to address testability and implementation concerns.) Christine expressed some concern that the advice regarding UA implementation of HTML Capture to seek user consent before initiating capture of content by microphone or camera is not normative, but noted that she does not, as yet, know the reasoning that led to that decision. (Note: Frederick Hirsch addressed this point following the call on the public-privacy email list [8])

Action: Frederick Hirsch (DAP WG chair) was not on the call, so Christine and Nick will follow-up with Frederick for more information regarding the development of the privacy considerations for these specifications.

* Beacon: Nick suggested that PING examine the privacy considerations of the Beacon specification [9] (at Last Call Working Draft stage – comments invited by 29 July 2014)

Action: Nick will circulate some rough notes on the public-privacy email list to start the discussion.

* HTML5: The specification has gone back to Last Call. The HTML5 WG is actively seeking security comments, but would also welcome privacy comments. It would be helpful if PING could at least take a look at the section “Privacy concerns” [10]

* TPAC: Registration is open - http://www.w3.org/2014/11/TPAC/ - PING meeting slot is on the Friday.

Action: Please provide suggestions for the agenda.

* PING @ IETF 90

Action: Please let Christine/Tara know if you would like to participate in an informal face-to-face meeting. Based on interest and availability, a time will be determined.

* Other news:

The IAB has its combined Privacy and Security Programs into a new Privacy and Security Program [11]

IETF 90 Preliminary Agenda is available [12]

Joe Hall reported on the recent the US Supreme Court unanimous opinion in Riley v. California [13] – law enforcement must have a judicially-issued warrant to search mobile phones. This will be a very influential government privacy case. (Amicus curiae briefs were filed by EFF, CDT and EPIC, among others. Article in SCOTUSblog [14])

[1] http://www.w3.org/Privacy/

[2] https://w3c.github.io/privacy-considerations/ (rendered version)
 
[3] http://www.w3.org/TR/2014/WD-indie-ui-context-20140626/

[4] http://lists.w3.org/Archives/Public/public-indie-ui/2014May/0045.html
 
[5] http://www.w3.org/TR/2014/WD-vibration-20140619/
 
[6] http://www.w3.org/TR/2014/WD-ambient-light-20140619/
 
[7]  http://www.w3.org/TR/2014/WD-html-media-capture-20140619/
 
[8] http://lists.w3.org/Archives/Public/public-privacy/2014AprJun/0024.html
 
[9] http://www.w3.org/TR/2014/WD-beacon-20140624/
 
[10] http://www.w3.org/TR/html5/introduction.html#fingerprint

[11] http://www.iab.org/activities/programs/privacy-and-security-program/
 
[12] https://datatracker.ietf.org/meeting/90/agenda.html
 
[13] http://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf
 
[14] http://www.scotusblog.com/2014/06/get-a-warrant-todays-cellphone-privacy-decision-in-plain-english/

Christine and Tara
 

Received on Wednesday, 2 July 2014 07:45:05 UTC