PING@TPAC 2015 report from Tara Whalen on 2015-12-03 (public-privacy@w3.org from October to December 2015)

From: Tara Whalen <tjwhalen@gmail.com>
Date: Thu, 3 Dec 2015 00:10:56 -0800
To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <CA+T70AgH6twxAhRH1ZCWO6wg2DXh4_3bcvP9AefSz=Jjof7zTg@mail.gmail.com>
Hello all,

Belatedly, here is the report from the PING meeting at TPAC 2015 in
Sapporo, which took place on Friday 30 October 2015. Thanks to all
attendees (~20 members and observers) and of course extra thanks to the
scribes: Hadley Beeman, Nick Doty, and Karen O'Donoghue.

Agenda: https://www.w3.org/wiki/Privacy/TPAC_2015_Agenda

Main items from agenda:

* Fingerprinting Guidance
Nick Doty presented the Fingerprinting Guidance document [1], which was in
the last steps of discussion prior to its being published as a draft Group
Note. The document has been reviewed by both PING and the TAG, and received
additional outside feedback. There were some changes made in response to
the TAG comments, particularly in regards to the TAG Finding on
Unsanctioned Web Tracking [2]. The fingerprinting document can definitely
still be built upon, and suggestions were made concerning concrete examples
and specific technical guidance for specification developers to mitigate
these issues. At this stage the consensus from the group (after two rounds
of approval on the mailing list) was that it was ready to be published as a
draft Group Note. (NB: This Group Note was published after the TPAC
meeting, on 24 November 2015 [3].)

* Privacy and Security Questionnaire
PING has been working on a Privacy and Security Questionnaire [4], which
has received a lot of recent work from Joe Hall and Greg Norcie (who were
unfortunately unable to attend TPAC). A similar document has been developed
through the TAG, in the form of a security and privacy self-questionnaire
[5]. One of the items to resolve was how these two documents should evolve,
and for what purposes (e.g., should they be merged in any way?). Discussion
on these documents indicated support for two different documents: a short,
high-level TAG document that is mostly for specification authors, with the
PING questionnaire being more a more detailed document that can be used for
reviewing specifications (e.g., by PING reviewers) or for those looking for
more in-depth privacy guidance. Further feedback and contributions are
solicited, both for the TAG and PING questionnaires.

* Items PING can contribute to
There have been a number of documents for which PING has been asked for
contributions, which were discussed during the TPAC meeting (e.g., at the
Web Application Security Working Group meetings)

- Secure Contexts - W3C Editor’s Draft [5]
There was a review request for the section on "Risks associated with
non-secure contexts".
Preliminary discussion at the PING meeting highlighted the value of using
consistent definitions (e.g., passive and active network attacker), and the
ongoing challenge of ensuring users have a clear and reliable understanding
of what is happening to their data.

- Clear Site Data - W3C Editor’s Draft [6]
This document discusses a means for web developers to instruct a user agent
to clear a site’s locally stored data for a particular host. (One use case
would be as a means for a website to recover after an attack, to ensure
that clients did not retain non-trustworthy data.) Discussion identified
the possible user discomfort of unexpected data deletions (although this
mechanism does not permit, for example, deletion of history); the question
of whether locally-stored items outside the origin's control still maintain
state (and thus ideally should be deleted); and when do permissions get
cleared?

- Private browsing mode [7]
This topic was raised back in August [8], around the idea of clearing state
after visiting a website with sensitive content (i.e., trying to assist a
user in removing traces of a site visit). François Légaré gave a
presentation, which included a draft proposal put together for Firefox [9],
which outlines several privacy and security considerations and shows some
mockups of the user experience. The plan is to do more user research and
prototyping. Discussion indicated there is broad concern around private
browsing (across a wide number of contexts) and we may need to make a
concerted effort to push work forward in this domain.

* Ongoing privacy issues for W3C work

- Service Workers and related issues
There was a short discussion around issues raised by Service Workers [10],
with a focus on the Web Background Spec API [11]. The core idea is to deal
with synching over unreliable networks by launching a service worker event
in the background to continue synchronization attempts. There were two
privacy considerations already identified: location tracking (e.g.,
revealing client’s IP address to server after user left the page) and
history leaking (e.g., client changes network, passive eavesdroppers on new
network may see fetch requests). Discussion noted that this was similar to
the Web Beacon Spec [12], from the Web Performance Working Group. Mike West
also noted he was working on a related (new) item, a sort of
"one-stop-shop" reporting mechanism [13], and was looking for feedback.

- Push API [14]
Related to the previous item are concerns around tracking in the background
- when there is no UI, how is the user aware of what is happening? Push
services, as presented in the API, cover such cases as "the webapp is not
currently active in a browser window...the user may close the webapp, but
still benefits from the webapp being able to be restarted when a push
message is received." Trying to find a good option is a challenge. Nick
Doty suggested you might try restrictions such as "only need visibility if
you have outgoing network activity", and linked to work on asynchronous
notice as a "privacy pattern" design solution [15].

* AOB
David Singer initiated a discussion on sharing data with sites - trying to
find a middle ground between individual popups and over-broad consent. Idea
is to use a digitally-signed file: list of things the site needs <e.g.,
heart rate [and nothing else]>, with a promise to agree to <privacy
regulation X>; with this agreement good for <date range>. Then the browser
can mediate the interaction, and there is a record of what happened to data
on what site; this allows for a "promise violation" if the site shares data
beyond what was in the agreement. Discussion brought up issues such as how
the user negotiates the agreement; how revocation of consent is managed
(e.g., if policy changes after you give away data). This proposal may be
developed and discussed further.

[1] https://w3c.github.io/fingerprinting-guidance
[2] http://www.w3.org/2001/tag/doc/unsanctioned-tracking
[3] http://www.w3.org/TR/2015/NOTE-fingerprinting-guidance-20151124
[4] https://www.w3.org/wiki/Privacy_and_security_questionnaire
[5] https://w3c.github.io/webappsec-secure-contexts/
[6] http://w3c.github.io/webappsec-clear-site-data/
[7] https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0016.html
[8] https://lists.w3.org/Archives/Public/public-privacy/2015JulSep/0087.html
[9] https://wiki.mozilla.org/Security/Automatic_Private_Browsing_Upgrades
[10] https://slightlyoff.github.io/ServiceWorker/spec/service_worker/
[11] https://slightlyoff.github.io/BackgroundSync/spec/
[12] https://w3c.github.io/beacon/
[13] https://mikewest.github.io/error-reporting/
[14] https://w3c.github.io/push-api/
[15] http://privacypatterns.org/patterns/Asynchronous-notice

- Tara
Received on Thursday, 3 December 2015 08:11:34 UTC