===============================
PEARG Session
IETF 106 - Singapore
Monday, November 18, 2019
13:30-15:30 (UTC+08:00)
Location: Canning
Meeting Minutes
===============================

WG chairs: Christopher Wood, Shivan Sahib
Meeting minutes: Joey Salazar

Administrivia (5 minutes)
* 2 min - Blue sheets / scribe selection / NOTE WELL
* 3 min - Agenda revision

Research Presentations (40 minutes)
* Privacy Preserving via HE (Xianhui Lu)
* Data privacy risks of machine learning (Prof Reza Shokri, N-CRiPT) - 20min
    * dkg: Do you know if it's possible to remove user data?
        * yes, but even though it's removed it's a partial removal, for some models it can be a complete removal of the data but it's easier for some models than for others, this is partly to avoid the need to retrain when data is removed.
    * Eric Rescorla: what are the types of protection depending on the training models?
        * there's 2 trust models and the types of attack and protection for them depend on the model.
* Personal Information Tagging for Logs (PITFoL) (Sandeep Rao, Grab) - 20mins
    * dkg: have you looked at deterministic or format preserving methods for the logs? the way data is being classified as PII or not might not be sufficient
        * yes, this has been considered
    * (from openXchange, please add name): maybe there should be a discussion on best practices and principles
    * Wes Hardaker: why not hard-coding along with ruling for determining what data is PII?
        * yes considering this
    * Ben Schwartz: http request logging might be useful for this
        * yes that's a good point because some vendors are very specific on what type of logs they want to see
    * Allison M: support adoption of this, maybe no option to be prescriptive but can provide questions and guidance. Perhaps doc can talk about a time limit, this might help people improve policies.
        * Good input but have to see from a privacy point of view
    * Ben (Comcast): the audience might not be too large
    * Chris Wood: looks like this will go for adoption after humming

Draft Presentations (35mins)
* Network-based Website Fingerprinting (Chris Wood) - 10 mins
    * Eric Rescorla: This is useful and approaches some issues that are critical
    * Joe Hall: useful for IRTF and possibly for IETF too
    * dkg: the framing of web fingerprinting is a bit confusing, might be good to clarify. Please keep working on it, we need a place to collect this info and to point people to.
        * it'd be nice if there's a different term that could be used
    * Richard: dkg mostly covered what was going to say, think if there's some abstractions that could be made, check on censorship techniques
    * Colin Perkins: we've got plenty of RFCs
    * Shivan: let's hum to decide if it goes for adoption: positive, it goes for adoption
* Introduction to MEDUP (Bernie Hoeneisen) - 5 mins
* Privacy and Security Threat Analysis for Private Messaging (https://tools.ietf.org/html/draft-symeonidis-pearg-private-messaging-threats-00) (Iraklis Symeonidis) - 20 mins
    * Ben Schwartz: this might seem like an opinionated draft instead of a neutral one, maybe thinking of it as a framework instead of as an analysis, users tend to be worried about insider threats. This might be applicable to communications as a whole instead of only messaging
        * let's take this offline
    * (please add name): the problem addressed by this work might not be a high priority for users
        * an aim is to bring threat considerations at the point that a product is being designed
    * Eric Rescorla: encourages to approach email or messaging depending on the focus of this work. This might not be useful for designing.
        * this is more a call for discussion to start approaching threats in a more systematic way
    * Richard: agrees this is important but thinks the issue is not lack of understanding of the threats, it's more of a consolidation effort issue
    * dkg: agrees this doc might be too broad to be useful in infrastructure. This is useful for research, the scope of attacks on emails is not fully understood. Needs to be more tech scoped to be useful for designing.
    * Mallory Knodel: Clarification question taken offline
        * this will be about the types of threats and directions of threats that we think should be covered