PING - informal chairs summary - 23 June 2016

Our next call will be on 28 July 2016 at the usual time.

Welcome Marta Piekarska from Blockstream, and Sam Weiler, who has recently joined W3C staff.

** Follow-up on WebRTC spec 

Background: See Greg’s email [1]

We discussed the thread in GitHub at [2], noting that the four WebRTC modes are described in [3]. The default mode is 2 unless permission has been granted to access the camera and microphone. Nick observed that while mode 2 would not reveal where in the world the user is, it could still be possible to fingerprint the user. If this risk is not already noted in the WebRTC specification, it would be helpful to add a note. Nick will mention the “Online tracking: A 1-million-site measurement and analysis” [4] paper from Princeton to the WebRTC WG.

** Performance APIs, Security and Privacy

The Web Performance WG has been working on a Group Note – Performance APIs, Security and Privacy [5]. Ilya Grigorik has reached out to PING seeking comments. This is the motivation behind the Group Note:

"The fact that something is possible to measure, and may even be highly desirable and useful to expose to developers, does not mean that it can be exposed as runtime JavaScript API in the browser, due to various privacy and security constraints. The goal of this document is to explain why that is the case and to provide guidance for what needs to be considered when making or evaluating a proposal for such APIs."

Wendy has already put some comments in GitHub [6]. Please share your comments on the public-privacy email list or directly in GitHub. 

** PING Privacy questionnaire

We all need to put more effort into taking forward the excellent work Greg has done on the PING privacy questionnaire. We would like to have a stable version as soon as possible, and at least by the end of the year.

** Fingerprinting Guidance for Web specification authors

Nick provided a status update. Nick will be revising the draft to incorporate feedback, and specifically, to include some examples. He will aim to do this before our next call. We will then review and decide if the draft is ready for a call for consensus to publish this as a PING Group Note.

** Tracking Protection WG

The Tracking Protection WG is winding down and is likely to be closed (or at least suspended). Tracking Protection WG members are very welcome to join PING and help us improve privacy in Web standards.

** Web privacy news, etc.

Nick mentioned a paper presented at the Mobile Security Technologies (MoST) 2016 workshop at the IEEE Security & Privacy event in May 2016 – “Sensor-based Mobile Web Fingerprinting and Cross-site Input Inference Attacks”, Chuan Yue, EECS Dept., Colorado School of Mines, USA. Nick will circulate a copy on the public-privacy email list.

** Web Authentication WG and Social WG

The Web Authentication WG recently published the First Public Working Draft Web Authentication Specification [7], so we should anticipate a request for a privacy review soon. There are already some interesting privacy questions such as:

- are we properly making the authentications unlinkable?
- if an authenticator wants to add additional information at the relying party's request - do we have sufficient privacy protections? (this question concerns extensions)

Wendy also said we should expect requests from the Social WG [8] soon. 

Sam mentioned that the W3C is also internally looking at whether new work might be needed regarding delegations of authorisation.

** TM Forum

Wendy and Keiji received an expression of interest from the Privacy Management group in TM Forum [9] to share information and collaborate with the W3C on privacy issues. 

** Blockchains and the Web workshop [10]

There will be a W3C workshop next week at MIT (29 and 30 June 2016) on “Distributed Ledgers on the Web”. Privacy is on the agenda. Please contact Marta from Blockstream if you have ideas for possible work in this area.

Christine and Tara

[1] https://lists.w3.org/Archives/Public/public-privacy/2016AprJun/0109.html
[2] https://github.com/w3c/webrtc-pc/issues/690
[3] https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-01
[4] http://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf
[5] https://w3c.github.io/perf-security-privacy
[6] https://github.com/w3c/perf-security-privacy/issues
[7] https://www.w3.org/TR/2016/WD-webauthn-20160531/
[8] https://www.w3.org/Social/
[9] https://www.tmforum.org/
[10] https://www.w3.org/2016/04/blockchain-workshop/

Received on Friday, 24 June 2016 23:07:45 UTC