PING summary - 23 March 2017

PING colleagues,

Here is the summary of the discussion from the last teleconference.

As a reminder, our next call will be at the usual time on Thursday 20 April 2017 at UTC 16. Johannes Wilm (editor) will be joining us to explain the details of UI Events.

(1) Request for PING review of UI Events KeyboardEvents Code Values

The Web Platform Working Group wants to move the specifications to CR.

https://w3c.github.io/uievents-code

https://w3c.github.io/uievents-key


In essence, the specification reveals a stack of events related to the user’s keyboard, potentially revealing how the keyboard is laid out. Therefore, it could be a potential fingerprinting vector. (Typing patterns are also a good source of fingerprinting.) A question was raised as to whether the Accessibility WG had been consulted to see if there are any issues related to disclosure of keyboard layout that might allow the inference of an ability or disability. The parent specification UI Events has a security considerations section, but no privacy considerations as yet. However, some of the security considerations are also privacy considerations. Nonetheless, the specification should have a privacy considerations section addressing the privacy risks and how they are mitigated, or if not, why not. Note: this has already been implemented for ~2 decades, but the Web Performance WG wants to have clear standards.

Please take a look at the specifications and share your feedback either directly with the Web Performance WG or on this list.

(2) Request for PING review of ARIA in HTML

https://www.w3.org/TR/html-aria/


This tells authors how to use ARIA (Accessible Rich Internet Applications), e.g. how to give different information to people with screen readers.

The specification should at the least include a note for authors that accessibility information is sensitive and should not be collected or exposed if it is inferred.

Comments are requested by 30 April 2017.

(3) Request for PING review of ODRL Information Model and ODRL Vocabulary & Expression

https://www.w3.org/TR/odrl-model/

https://www.w3.org/TR/odrl-vocab/


There may be a potential to fingerprint based on the intersection of policy settings. A question was also raised as to whether it could be used to capture keystrokes secretly (e.g. via a hidden input field). But the specification does not log actual keys; it does post-processing: events after text to add/remove has been generated. So, the answer is probably no. There are a series of events after text entry, e.g. events to edit or modify the text (such as add or remove). Use case: people who edit content on GitHub, blogs, etc.

We need more information from the spec experts.
Comments are requested by 30 April 2017.

Christine and Tara

Received on Thursday, 13 April 2017 11:11:43 UTC