Re: Privacy CG draft charter from Maciej Stachowiak on 2019-09-28 (public-privacy@w3.org from July to September 2019)

From: Maciej Stachowiak <mjs@apple.com>
Date: Sat, 28 Sep 2019 11:29:33 -0700
To: Michael Champion <Michael.Champion@microsoft.com>
Cc: Samuel Weiler <weiler@w3.org>, W3C Privacy Interest Group <public-privacy@w3.org>
Message-id: <E19F925B-D92E-4439-A52A-57E450B306EA@apple.com>
> On Sep 28, 2019, at 11:07 AM, Michael Champion <Michael.Champion@microsoft.com> wrote:
> 
> > there is no harm from leaving incubation in scope for PING
> 
> I don't understand this point in the charter.  I wish I had understood that the proposed PING charter language apparently refers to *technical spec* incubation before the ballot closed, because I would have pushed for us to formally object.
> 
> Interest Groups are not an appropriate venue for technical spec incubation.

I agree with this general sentiment. Incubating policy documents or material like the Privacy Threat Model is wholly appropriate. But the lack of sufficient IPR policy is suboptimal for technical specifications.

That said, I support the work of PING and I hope we can work this out appropriately.

> The process document says:
> 5 Working Groups and Interest Groups
> 
> This document defines two types of groups:
> Working Groups. <https://www.w3.org/2019/Process-20190301/#GroupsWG> Working Groups typically produce deliverables (e.g., Recommendation Track technical reports <https://www.w3.org/2019/Process-20190301/#rec-advance>, software, test suites, and reviews of the deliverables of other groups). There are additional participation requirements described in the W3C Patent Policy <https://www.w3.org/Consortium/Patent-Policy>.
> Interest Groups. <https://www.w3.org/2019/Process-20190301/#GroupsIG> The primary goal of an Interest Group is to bring together people who wish to evaluate potential Web technologies and policies. An Interest Group is a forum for the exchange of ideas.
> Also, AFAICT IG's operate under the Disclosure Requirements subset of the patent policy. [BTW, the links in the draft charter the AC voted on are broken].  CG's  do spec incubation work under an explicit, lightweight patent policy.  While they don't necessarily operate under a consensus process, we can tweak the Privacy CG description to be an informal charter requiring consensus decisions, buy-in from multiple implementers on spec proposals, and so forth.

CGs get to define their own decision policy, so we should probably define one in the draft charter. (I will send a separate email on this topic specifically).

> 
> > My preference and recommendation is to not change the PING charter at this 
> > time.  We all understand the new split of work proposed above, 
> 
> I can live with that, but wonder what others think about moving PING from an IG to a WG fairly soon?  It's clear that the W3C privacy community wants to a more authoritative voice, and that implies it should workvia the WG consensus process and patent policy.   Creating a WG iprobably sn't necessary until the proposed CG incubates specs ready for the standards track, but it's worth some up-front discussion.

I’d expect Privacy CG to produce two kinds of deliverables:

- Specifications for new privacy-focused additions to the web platform.
- Proposals for changes to existing core web and internet specifications, for example, to support partitioning or equivalent protections for all client-side storage.

Once there are items in the first category, it would be great to have a WG to drive them through the full standards process. The reason not to start with a WG is that WGs need to explicitly define their standards-track deliverables in the charter. But there are not many things that clearly agreed on.

For items in the second category, it’s likely the action would be to file issues and pull requests, once the proposals are sufficiently developed.

There are also existing examples of paired CGs and WGs, for example for WebAssembly, and such a setup seems to work well.

I think promoting PING to a WG might be the right path, once there’s enough clarity


> 
> From: Samuel Weiler <weiler@w3.org>
> Sent: Friday, September 27, 2019 5:49 AM
> To: W3C Privacy Interest Group <public-privacy@w3.org>
> Subject: Privacy CG draft charter
>  
> Colleagues,
> 
> There is some interesting privacy specification work afoot, most of 
> which is not quite ready to be in a WG.  Attendees at TPAC agreed to 
> incubate that work in a new Privacy Community Group (CG).  The Privacy 
> Interest Group (PING) will continue to handle horizontal review and 
> general guidance docs, such as the threat model doc it just adopted and 
> the questionnaire that was updated in collaboration with the TAG earlier 
> this year.
> 
> Below is a proposed charter for the new CG.  Discussions about chairs 
> for the CG are still in progress - I hope we will wrap those up in the 
> next few days.  In the meantime, I invite discussion on the charter.
> 
> 
> "The mission of the Privacy Community Group is to improve user privacy 
> on the web. This community group will incubate the next set of 
> privacy-focused web standards to improve browser behavior for user 
> privacy. This group coordinates closely with the Privacy Interest Group 
> (PING); it is expected that high-level privacy concepts, threat models, 
> etc., developed in the Privacy Interest Group will be incorporated into 
> the technical standards produced in this community group. Initial 
> participants will include multiple browser vendors, privacy advocates, 
> web application developers, and other interested parties. This group's 
> work will be done primarily in GitHub."  [Thanks to Jatinder Mann for 
> this draft.]
> 
> As in the draft charter, I expect the CG and PING to work in close 
> cooperation.  There was some discussion of what tooling, if any, to 
> share with PING.  I suspect the answers will be: separate GitHub repos, 
> separate mailing list, and same Slack instance (if the CG wants to use 
> Slack at all).  I trust the CG chairs to sort that out.
> 
> Some have observed that incubation is still (also) in scope for PING, 
> per the draft charter that went out for AC review in June.  My 
> preference and recommendation is to not change the PING charter at this 
> time.  We all understand the new split of work proposed above, and there 
> is no harm from leaving incubation in scope for PING.  PING's new 
> charter has already been delayed by other things, and I don't want to 
> further delay it.  Assuming all goes as planned, we can clean this up 
> the next time we revise the PING charter.  And if this CG were to 
> somehow not be the right thing, incubation at least has a fallback home 
> in PING.
> 
> Lastly, if anyone has a slick name for the new CG that results in a 
> usable and pronouncable acronym and might help newcomers understand the 
> differences between PING and the CG, I would love the suggestion. 
> "Privacy CG" doesn't capture much, and "Privacy Incubation CG" doesn't 
> have a good acronym.  (I think renaming of PING might also be in scope, 
> so feel free to be creative.)
> 
> -- Sam Weiler, W3C/MIT
Received on Saturday, 28 September 2019 18:30:01 UTC