Minutes IETF106: pearg
minutes-106-pearg-01

Meeting Minutes Privacy Enhancements and Assessments Research Group (pearg) RG
Date and time 2019-11-18 05:30
Title Minutes IETF106: pearg
State Active
Other versions plain text
Last updated 2019-12-03

minutes-106-pearg-01
===============================
PEARG Session
IETF 106 - Singapore
Monday, November 18, 2019
13:30-15:30 (UTC+08:00)
Location: Canning
Meeting Minutes
===============================

WG chairs: Christopher Wood, Shivan Sahib
Meeting minutes: Joey Salazar

Administrivia (5 minutes)
  * 2 min - Blue sheets / scribe selection / NOTE WELL
      * 3 min - Agenda revision

Research Presentations (40 minutes)
  * Privacy Preserving via HE (Xianhui Lu)
  * Data privacy risks of machine learning (Prof Reza Shokri, N-CRiPT) - 20min
    * Dkg: Do you know if it's possible to remove user data
      * yes, but even though it's removed it's a partial removal, for some
      moodels it can be a complete removal of the data but it's easier for some
      models than for others, this is partly to avoid the need to retrain when
      data is removed.
    * Eric Rescorla: what are the types of protection depending on the training
    models?
      * there's 2 trust models and the types of attack and protection for them
      depend on the moodel.
  * Personal Information Tagging for Logs (PITFoL) (Sandeep Rao, Grab) - 20mins
    * dkg: have you looked at deterministic or format preserving methods for
    the logs? the way data is being classified as pii or not might not be
    sufficient
      * yes, this has been considered
    * (from openXchange, please add name): maybe there should be a discussion
    on best practices and principles * Wes Hardaker: why not hard-coding along
    with ruling for determining what data is pii?
      * yes considering this
    * Ben Schwartz: http request logging might be useful for this
      * yes that's a good point because some vendors are very specific on what
      type of logs they want to see
    * Allison M: support adoption of this, maybe no option to be prescriptive
    but can provide questions and guidance. Perhaps doc can talk about a time
    limit, this might help people improve policies.
      * Good input but have to see from a privacy point of view
    * Ben (Comcast): the audience might not be too large
    * Chris Wood: looks like this will go for adoption after humming

Draft Presentations (35mins)
  * Network-based Website Fingerprinting (Chris Wood) - 10 mins
    * Eric Rescorla: This is useful and approaches some issues that are critical
    * Joe Hall: useful for IRTF and possibly for IETF too
    * dkg: the framing of web fingerprinting is a bit confusing, might be good
    to clarify. Please keep working on it, we need a place to collect this info
    and to point people to.
      * it'd be nice if there's a different term that could be used
    * Richard: dkg mostly covered what was going to say, think if there's some
    abstractions that could be made, check on censorship techniques * Colin
    Perkins: we've got plenty of rfcs * Shivan: let's humm to decide if it goes
    for adoption: positive, it goes for adoption
  * Introduction to MEDUP (Bernie Hoeneisen) - 5 mins
  * Privacy and Security Threat Analysis for Private Messaging (https:/ 
  ools.ietf.org/html/draft-symeonidis-pearg-private-messaging-threats-00)
  (Iraklis Symeonidis) - 20 mins
    * Ben Schwartz: this might seem like an opinionated draft instead of a
    neutral one, maybe thinking of it as a framework instead of as an analysis,
    users tend to be worried about insider threats. This might be applicable to
    communications as a whole instead of only messaging
      * let's take this offline
    * (please add name): the problem addressed by this work might not be a high
    priority for users
      * an aim is to bring threat considerations at the point that a product is
      being designed
    * Eric Rescorla: encourages to approach email or messaging depending on the
    focus of this work. This might not be useful for designing.
      * this is more a call for discussion to start approaching threats in a
      more systematic way
    * Richard: agrees this is important but thinks the issue is not lack of
    understanding of the threats, it's more of a consolidation effort issue *
    dkg: agrees this doc might be too broad to be useful in infrastructure.
    This is useful for research, the scope of attacks on emails is not fully
    understood. Needs to be more tech scoped to be useful for designing. *
    Mallory Knodel: Clarification question taken offline
      * this will be about the types of threats and directions of threats that
      we think should be covered