Notes from PING Privacy Considerations Task Force Meeting

Note: there may be amendments/additions from Hannes or Nick... cheers!
-Joe

----

Notes from PING Privacy Considerations Task Force Meeting (20140723)

Attending: Christine Runnegar, Hannes Tschofenig, Joe Hall, Nick Doty
(by IP phone)

Goal of the meeting: Figure out concrete steps towards finishing this
document (Privacy Considerations for Web Specifications) by the end of
the year. What do we like? What do we want to improve and/or add?

# scope, audience

Joe asked if we could quickly clarify the purpose of the document; the
DAP best practices document [1] seems pretty good.

Christine and Nick clarified that this is for web specification
authors, while the DAP best practices note is intended to be used by
implementers of Device APIs (web developers). Christine further said
that it would be great to be bold, and say "do this, don't do
this!". Nick mentioned that we don't want to be too bold or no one
would follow or read or use this document... also, more actionable
advice might be perfect for webplatform.org. However, if we can say
all specifications should have a privacy considerations section, that
would be pretty awesome.

# existing documents

In order to have a complete view of w3c privacy trends, we need to do
two things:

1. Itemize the existing privacy guidance at w3c.
2. Possibly canvass existing w3c documents for privacy considerations

As to 1, we noted the following documents:

* Privacy Considerations document [2] (link to old document, I think)
* DAP Privacy Best Practices [1]
* Draft TAG finding - Data Minimization in Web APIs [3]
* Fingerprinting document [4]
* SPA document [5]
* Security interest group wiki [6]

As to 2, Nick said that he will take an ACTION item to
programmatically compile a list of w3c specifications that have
privacy considerations sections. We'll have to figure out what to do
with those once we see them... they could be a great synthesis to
include in this document or maybe just instructive in terms of writing
it, who knows?!

# Procedural vs. spec advice?

We decided to table the consideration of the more procedural elements
of privacy standards at w3c which is what Frank's SPA document focuses
on, mostly because we wanted this meeting to be about the specific
privacy considerations document.

# Definition of privacy

We had some discussion on the PING list about whether or not this
document should describe privacy and the tendency seemed to be to take
an [RFC 6973] approach to not define it.

However, Joe argued that since this is intended for web specification
authors and trying to provide them with resources about thinking about
privacy, some description of privacy and the roles of people (spec
authors, implementers, deployers, users) involved in the web ecosystem
would be good to have. Joe offered to take an action to briefly
describe privacy from the perspective of contextual integrity (where
two parties are communicating with expectations and norms about how
their data would flow and how flows outside of that model may be
considered as privacy violations... but Joe will make this very
accessible!).

Christine would like this section to also describe examples of privacy
implications from data, metadata... e.g., you may be sending data as a
web technology but be unaware of correlations, etc. that are possible.
And we need to make sure this has an international perspective. Joe
will fold that in to this section.

# possible ways to proceed

The DAP document has a very useful set of principles that we can
abstract away from being for web developers to spec authors. We should
be able to include a concrete example for each one of those... with
the caveat that we don't want to call out specific WGs, etc. and
alienate them. Hannes took an ACTION item to develop these examples.
We brainstormed a quick list: canvas fingerprinting, geolocation
requests, clearing local state (evercookies), the non-standard
versions of CORS used by Adobe (Rigo on PING list).

Nick said that he'd love to see an [RFC 6973]-like checklist of
questions that spec authors can walk through and answer in thinking
about their spec and drafting a privacy considerations section. This
would also allow them to have some thinking done before they come to
us at PING.

# TPAC

Nick mentioned that if we want to get this done this year, we need
feedback and the TPAC meeting would be a great place to talk about
this specifically. Also since now we have a PING slot on the unpopular
TPAC day of Friday that is not a plenary, we might want to find a
lunch slot or time otherwise to briefly introduce this to the larger
w3c community. Christine took an ACTION item to bug Nick offline to
think about what and when we'd present at TPAC.

# Misc

Christine and Joe (ACTION) will finish reading the document closely
and send comments to Hannes and the list.

[1]: http://www.w3.org/TR/2012/NOTE-app-privacy-bp-20120703/
[2]: https://w3c.github.io/privacy-considerations/
[3]: http://www.w3.org/2001/tag/doc/APIMinimization
[4]: http://w3c.github.io/fingerprinting-guidance/
[5]: http://yrlesru.github.io/SPA/
[6]: https://www.w3.org/Security/wiki/IG/W3C_spec_review/Security_Guidelines
[RFC 6973]: http://tools.ietf.org/html/rfc6973

--
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871



Received on Thursday, 24 July 2014 17:09:38 UTC