- From: Tara Whalen <tjwhalen@gmail.com>
- Date: Wed, 19 Oct 2016 22:10:55 -0700
- To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CA+T70Ajm2phXvogjQYPp_0753xdW4CkoUUezFgaRZ7dWXBgYfQ@mail.gmail.com>
Hello all,

Thanks again to all of you who participated in the PING TPAC meeting, either in person or remotely. I’ve pulled together a summary of what was discussed, including some future work items, to supplement the minutes that can be found online at https://www.w3.org/2016/09/20-privacy-minutes.html

TPAC discussion topics:

* Mitigating Browser Fingerprinting in Web Specifications

Nick Doty gave an overview of this document [1] to the group (including its structure and purpose) before discussing the open issues to be resolved. Feedback from the TAG and PING identified items that are marked "pending review" [2]; issues 11 and 13 were discussed.

Issue 11 is on providing hooks for instrumentation/detection of fingerprinting -- ways to make it easier for browser extensions to reveal website activity. The conclusion was that this is not something to include in this guidance document, given that instrumentation is mostly implementation-specific, not Web-specific.

Issue 13 is on actionability -- how to make the document more readily applied in practice. To date, we’ve had a few people use this document, but could dig further to see how useful it has been. Also this could be tied in with the privacy questionnaire; they are two separate documents but they could be integrated more (e.g., with relevant elements from fingerprinting guidance surfaced in the event that this consideration arises in the privacy questionnaire).

After further discussion, Nick noted it would be useful to close out the “pending-review” items, solicit some additional feedback from other groups, and to get this document in a note by the end of the year.

* PING privacy questionnaire

Christine Runnegar led discussion of the privacy questionnaire [3], which was developed to help authors to identify and address privacy implications of their specifications.
The TPAC meeting was spent in reviewing the current state of the document and identifying items for future work, with the goal being a working draft by the end of the year. The challenge is to produce a questionnaire with enough guidance to be helpful, without it being overwhelming. One proposal was that those with security expertise could try to draft a questionnaire as a starting point; Joe Hall and Kepeng Li volunteered to do this. A process item was raised: we may need to determine at what stage of spec development the privacy considerations would be expected to be included; this could be discussed with Ralph Swick (W3C). As for concrete work, it was suggested that we could combine the TAG and PING questionnaires and begin with a “high-level” overview (suggested by Mike West) followed by more detailed sections.

* Privacy Protection Principles

Kepeng Li sent a message to the PING mailing list on privacy protection principles [4], to help in furthering privacy discussions, which he presented to the group. The discussion highlighted how there were several related works (e.g., OECD privacy guidelines, US FIPPs) that provide foundational principles; this may not be the right document to develop through PING. However, it is possible that some parts of this document may be useful for the privacy questionnaire; Kepeng will explore this avenue.

* Terminology discussion

As part of a mailing list discussion about documentation, Joe Hall asked whether a standardized privacy vocabulary would be useful in our work [5]. There are words that we may need to define in order to have consistency and clarity (e.g., “spoof”; “randomize”). This need not be exhaustive but a basic list might be helpful; there was general support for creating such a list and hosting it on a wiki or GitHub.

* Planning next year's work

TPAC provided a great opportunity for planning what PING should be engaged with over the next year.
We have already identified work we need to complete on documents (e.g., group notes) as well as conducting regular reviews, but this was an opportunity to identify additional items. A number of ideas were floated at the IETF F2F meeting [6], which were used as a starting point for the TPAC discussion.

- Privacy/incognito mode: there have been various discussions both within and outside the W3C (e.g., “privacy mode” [7]) about the different interpretations of this concept. Many different aspects of user privacy have been conflated under this umbrella, leading to much confusion. There was interest within the group for finding ways to improve the situation (e.g., developing a document); David Singer volunteered to spearhead this work.

- Data gathering on privacy-violating techniques: given the state of sophistication of the web, where advances in techniques (like fingerprinting) can move quickly, it may be helpful to have a means for collecting relevant research in one place for reference. This might also include (where possible) information about large-scale behaviours (e.g., user behaviours), as this data is used to motivate and direct privacy-focused work in the Web space.

- Making privacy reviews more systematic: this was an item raised by Joe Hall, who was trying to find ways to improve PING’s overall process. There was discussion of the ways in which the TAG carries out reviews, as a possible model; there is a need to ensure things remain scalable. It may be helpful to streamline the process by which reviews are requested (in general); following the GitHub repository for spec reviews [8] might provide a means for keeping basic track of items.
[1] https://github.com/w3c/fingerprinting-guidance
[2] https://github.com/w3c/fingerprinting-guidance/issues/
[3] https://github.com/w3c/ping/blob/master/privacy-questions.html
[4] https://www.w3.org/wiki/Privacy/Privacy_protection_principles
[5] https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0038.html
[6] https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0018.html
[7] https://gist.github.com/mnot/96440a5ca74fcf328d23
[8] https://github.com/w3ctag/spec-reviews/issues/
Received on Thursday, 20 October 2016 05:11:25 UTC