Re: Summary of TPAC 2016 PING meeting (20 September 2016, Lisbon)

Hi Tara,

Thanks a lot. I'm looking forward to the aspects of user behavioral privacy
issues.
Happy to help here.

Best
Lukasz

2016-10-20 6:10 GMT+01:00 Tara Whalen <tjwhalen@gmail.com>:

> Hello all,
>
> Thanks again to all of you who participated in the PING TPAC meeting,
> either in person or remotely. I’ve pulled together a summary of what was
> discussed, including some future work items, to supplement the minutes that
> can be found online at https://www.w3.org/2016/09/20-privacy-minutes.html
>
> TPAC discussion topics:
>
>
> * Mitigating Browser Fingerprinting in Web Specifications
>
> Nick Doty gave an overview of this document [1] to the group (including
> its structure and purpose) before discussing the open issues to be
> resolved. Feedback from the TAG and PING identified items that are marked
> "pending review" [2]; issues 11 and 13 were discussed. Issue 11 is on
> providing hooks for instrumentation/detection of fingerprinting -- ways to
> make it easier for browser extensions to reveal website activity. The
> conclusion was that this is not something to include in this guidance
> document, given that instrumentation is mostly implementation-specific, not
> Web-specific. Issue 13 is on actionability -- how to make the document more
> readily applied in practice. To date, we’ve had a few people use this
> document, but could dig further to see how useful it has been. Also this
> could be tied in with the privacy questionnaire; they are two separate
> documents but they could be integrated more (e.g., with relevant elements
> from fingerprinting guidance surfaced in the event that this consideration
> arises in the privacy questionnaire). After further discussion, Nick noted
> it would be useful to close out the “pending-review” items, solicit some
> additional feedback from other groups, and to get this document in a note
> by the end of the year.
>
>
> * PING privacy questionnaire
>
> Christine Runnegar led discussion of the privacy questionnaire [3], which
> was developed to help authors to identify and address privacy implications
> of their specifications. The TPAC meeting was spent in reviewing the
> current state of the document and identifying items for future work, with
> the goal being a working draft by the end of the year. The challenge is to
> produce a questionnaire with enough guidance to be helpful, without it
> being overwhelming. One proposal was that those with security expertise
> could try to draft a questionnaire as a starting point; Joe Hall and Kepeng
> Li volunteered to do this. A process item was raised: we may need to
> determine at what stage of spec development the privacy considerations
> would be expected to be included; this could be discussed with Ralph Swick
> (W3C). As for concrete work, it was suggested that we could combine the TAG
> and PING questionnaires and begin with a “high-level” overview (suggested
> by Mike West) followed by more detailed sections.
>
>
> * Privacy Protection Principles
>
> Kepeng Li sent a message to the PING mailing list on privacy protection
> principles [4], to help in furthering privacy discussions, which he
> presented to the group. The discussion highlighted how there were several
> related works (e.g., OECD privacy guidelines, US FIPPs) that provide
> foundational principles; this may not be the right document to develop
> through PING. However, it is possible that some parts of this document may
> be useful for the privacy questionnaire; Kepeng will explore this avenue.
>
>
> * Terminology discussion
>
> As part of a mailing list discussion about documentation, Joe Hall asked
> whether a standardized privacy vocabulary would be useful in our work [5].
> There are words that we may need to define in order to have consistency and
> clarity (e.g., “spoof”; “randomize”). This need not be exhaustive but a
> basic list might be helpful; there was general support for creating such a
> list and hosting it on a wiki or GitHub.
>
>
> * Planning next year's work
>
> TPAC provided a great opportunity for planning what PING should be engaged
> with over the next year. We have already identified work we need to
> complete on documents (e.g., group notes) as well as conducting regular
> reviews, but this was an opportunity to identify additional items.  A
> number of ideas were floated at the IETF F2F meeting [6], which were used
> as a starting point for the TPAC discussion.
>
>
>    - Privacy/incognito mode: there have been various discussions both
>      within and outside the W3C (e.g., “privacy mode” [7]) about the different
>      interpretations of this concept. Many different aspects of user privacy
>      have been conflated under this umbrella, leading to much confusion. There
>      was interest within the group for finding ways to improve the situation
>      (e.g., developing a document); David Singer volunteered to spearhead this
>      work.
>
>    - Data gathering on privacy-violating techniques: given the state of
>      sophistication of the web, where advances in techniques (like
>      fingerprinting) can move quickly, it may be helpful to have a means for
>      collecting relevant research in one place for reference. This might also
>      include (where possible) information about large-scale behaviours (e.g.,
>      user behaviours), as this data is used to motivate and direct
>      privacy-focused work in the Web space.
>
>    - Making privacy reviews more systematic: this was an item raised by Joe
>      Hall, who was trying to find ways to improve PING’s overall process. There
>      was discussion of the ways in which the TAG carries out reviews, as a
>      possible model; there is a need to ensure things remain scalable. It may be
>      helpful to streamline the process by which reviews are requested (in
>      general); following the GitHub repository for spec reviews [8] might
>      provide a means for keeping basic track of items.
>
>
> [1] https://github.com/w3c/fingerprinting-guidance
>
> [2] https://github.com/w3c/fingerprinting-guidance/issues/
>
> [3] https://github.com/w3c/ping/blob/master/privacy-questions.html
>
> [4] https://www.w3.org/wiki/Privacy/Privacy_protection_principles
>
> [5] https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0038.html
>
> [6] https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0018.html
>
> [7] https://gist.github.com/mnot/96440a5ca74fcf328d23
>
> [8] https://github.com/w3ctag/spec-reviews/issues/
>
>
>

Received on Friday, 21 October 2016 14:53:00 UTC