PING - informal summary - 13 November 2014

PING - informal summary – 13 November 2014 – informal face-to-face meeting

Thank you for taking some time out of your busy schedules at IETF91 to join the informal face-to-face meeting on 13 November 2014. We had some new faces too.

Also, thanks to Natasha Rooney from the Web and Mobile Interest Group and Mark Nottingham from the TAG for joining us.

=> IEEE Privacy work

The IEEE 802 Executive Committee Privacy Recommendation Study Group, in collaboration with IAB/IESG and IEEE 802, has been conducting a trial at IETF 91 to randomise the MAC address of participating users' Wi-Fi enabled devices.

Juan-Carlos Zuniga (IEEE 802 Privacy SG) shared some information about:
- the IEEE 802 Privacy SG
- a newly formed Study Group focused on local address management, and
- the MAC address randomisation trial at IETF 91 to assess the performance and implications of randomisation of users’ devices’ MAC addresses.

There is a proposal in the SG to structure local MAC addresses as a means of addressing potential MAC address collision issues.

The MAC randomisation trial is still ongoing. So far, participation has been fairly limited and no issues have been reported. The SG will publish a report in some form following the meeting and is seeking feedback. More trials are likely to be needed to more comprehensively study the implications for performance, privacy, virtual machines, etc. Likely candidates are future IETF and IEEE meetings. One suggested venue for a larger scale trial was DEFCON 2015.

In this discussion, Hannes Tschofenig mentioned the IPv6 Privacy Survey undertaken by the former IAB Privacy Program.

For more information, please see [1].

=> TAG and private browsing mode

Mark Nottingham gave an overview of the TAG’s work on browsers’ “private browsing mode”. The work looks at the mode for three use cases: other users, network attacker, the website itself. The aim is to provide “best class” protection in private browsing mode while not lowering privacy standards outside private browsing mode.

The work can be followed on the TAG email list [2]. Mark hopes to have a draft ready by the January TAG face-to-face meeting.

=> Secure origin/authenticated origin

We discussed recent conversations at TPAC regarding secure origin/authenticated origin, and particularly the idea of HTTPS-only APIs (e.g. for “powerful feature” APIs) and some of the issues where there are applications already using the APIs without that requirement (e.g. geolocation). Even with Encrypted Media Extensions (EME), there are some early implementations that do not use secure origin. Discussions are ongoing.

=> Permissions

We also discussed conversations at TPAC regarding permissions. The W3C Mobile Interest Group and others are looking into this issue. The aim is to have a good permissions model for Web standards (especially APIs). The Mobile Interest Group is looking at developments in native apps and is presently more inclined to adopt an approach that is closer in look and feel on the front end to iOS than Android. The focus is on permissions in time (i.e. at the time they are needed), persistence, changing permissions. They have approached the Web Applications Security WG concerning this work.

Christine 

[1] https://www.ietf.org/registration/MeetingWiki/wiki/91privacy
[2] www-tag@w3.org

Received on Friday, 21 November 2014 10:44:04 UTC