- From: Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com>
- Date: Fri, 21 Oct 2016 15:52:29 +0100
- To: Tara Whalen <tjwhalen@gmail.com>
- Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CAC1M5qqNNznwXL=fA4efcn+f1brT6=ZnmTD6ZY8oM3Uo7y+7qw@mail.gmail.com>
Hi Tara,

Thanks a lot. I'm looking forward to the aspects of user behavioral privacy issues. Happy to help here.

Best
Lukasz

2016-10-20 6:10 GMT+01:00 Tara Whalen <tjwhalen@gmail.com>:

> Hello all,
>
> Thanks again to all of you who participated in the PING TPAC meeting, either in person or remotely. I’ve pulled together a summary of what was discussed, including some future work items, to supplement the minutes that can be found online at https://www.w3.org/2016/09/20-privacy-minutes.html
>
> TPAC discussion topics:
>
> * Mitigating Browser Fingerprinting in Web Specifications
>
> Nick Doty gave an overview of this document [1] to the group (including its structure and purpose) before discussing the open issues to be resolved. Feedback from the TAG and PING identified items that are marked "pending review" [2]; issues 11 and 13 were discussed. Issue 11 is on providing hooks for instrumentation/detection of fingerprinting -- ways to make it easier for browser extensions to reveal website activity. The conclusion was that this is not something to include in this guidance document, given that instrumentation is mostly implementation-specific, not Web-specific. Issue 13 is on actionability -- how to make the document more readily applied in practice. To date, we’ve had a few people use this document, but could dig further to see how useful it has been. Also this could be tied in with the privacy questionnaire; they are two separate documents but they could be integrated more (e.g., with relevant elements from fingerprinting guidance surfaced in the event that this consideration arises in the privacy questionnaire). After further discussion, Nick noted it would be useful to close out the “pending-review” items, solicit some additional feedback from other groups, and to get this document in a note by the end of the year.
>
> * PING privacy questionnaire
>
> Christine Runnegar led discussion of the privacy questionnaire [3], which was developed to help authors to identify and address privacy implications of their specifications. The TPAC meeting was spent in reviewing the current state of the document and identifying items for future work, with the goal being a working draft by the end of the year. The challenge is to produce a questionnaire with enough guidance to be helpful, without it being overwhelming. One proposal was that those with security expertise could try to draft a questionnaire as a starting point; Joe Hall and Kepeng Li volunteered to do this. A process item was raised: we may need to determine at what stage of spec development the privacy considerations would be expected to be included; this could be discussed with Ralph Swick (W3C). As for concrete work, it was suggested that we could combine the TAG and PING questionnaires and begin with a “high-level” overview (suggested by Mike West) followed by more detailed sections.
>
> * Privacy Protection Principles
>
> Kepeng Li sent a message to the PING mailing list on privacy protection principles [4], to help in furthering privacy discussions, which he presented to the group. The discussion highlighted how there were several related works (e.g., OECD privacy guidelines, US FIPPs) that provide foundational principles; this may not be the right document to develop through PING. However, it is possible that some parts of this document may be useful for the privacy questionnaire; Kepeng will explore this avenue.
>
> * Terminology discussion
>
> As part of a mailing list discussion about documentation, Joe Hall asked whether a standardized privacy vocabulary would be useful in our work [5]. There are words that we may need to define in order to have consistency and clarity (e.g., “spoof”; “randomize”). This need not be exhaustive but a basic list might be helpful; there was general support for creating such a list and hosting it on a wiki or GitHub.
>
> * Planning next year's work
>
> TPAC provided a great opportunity for planning what PING should be engaged with over the next year. We have already identified work we need to complete on documents (e.g., group notes) as well as conducting regular reviews, but this was an opportunity to identify additional items. A number of ideas were floated at the IETF F2F meeting [6], which were used as a starting point for the TPAC discussion.
>
> - Privacy/incognito mode: there have been various discussions both within and outside the W3C (e.g., “privacy mode” [7]) about the different interpretations of this concept. Many different aspects of user privacy have been conflated under this umbrella, leading to much confusion. There was interest within the group for finding ways to improve the situation (e.g., developing a document); David Singer volunteered to spearhead this work.
>
> - Data gathering on privacy-violating techniques: given the state of sophistication of the web, where advances in techniques (like fingerprinting) can move quickly, it may be helpful to have a means for collecting relevant research in one place for reference. This might also include (where possible) information about large-scale behaviours (e.g., user behaviours), as this data is used to motivate and direct privacy-focused work in the Web space.
>
> - Making privacy reviews more systematic: this was an item raised by Joe Hall, who was trying to find ways to improve PING’s overall process. There was discussion of the ways in which the TAG carries out reviews, as a possible model; there is a need to ensure things remain scalable. It may be helpful to streamline the process by which reviews are requested (in general); following the GitHub repository for spec reviews [8] might provide a means for keeping basic track of items.
>
> [1] https://github.com/w3c/fingerprinting-guidance
>
> [2] https://github.com/w3c/fingerprinting-guidance/issues/
>
> [3] https://github.com/w3c/ping/blob/master/privacy-questions.html
>
> [4] https://www.w3.org/wiki/Privacy/Privacy_protection_principles
>
> [5] https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0038.html
>
> [6] https://lists.w3.org/Archives/Public/public-privacy/2016JulSep/0018.html
>
> [7] https://gist.github.com/mnot/96440a5ca74fcf328d23
>
> [8] https://github.com/w3ctag/spec-reviews/issues/

Received on Friday, 21 October 2016 14:53:00 UTC