Core-Privacy Agenda – 12 December

When/Where: Join us in #core-privacy on Making WordPress Slack on Wednesday, 12 December at 1900 UTC

1. WCUS postmortem
a. Leo and Kevin’s privacy talk – comments, feedback, and follow up
b. Contributor Day – lack of a table as a core component team despite having had a table at WCEU
c. Morten’s talk/Leo
d. Other business arising

2. V2 roadmap updates

3. Team issues
a. Recruitment of new team members and contributors (chicken and egg discussion)
b. Instructions regarding the core-privacy team issued to the Marketing team
c. Team structure & visibility – per 17 October office hours summary and 28 June meeting

#core-privacy

Core-Privacy Office Hours Summary, 21 and 28 November

Ticket and coding issues

  • Gutenberg 11999, Fix the Privacy Policy Help Notice – merged into Core r43920. There is an open PR on the Classic Editor that will reverse the changes in r43920 and preserve the current placement of the notice (below the post title, above the editor) when that plugin is active.
  • As far as the contributors are aware, Gutenberg 11648 is the only remaining 5.0 related privacy ticket.
  • Quantcast advertising tracking has been removed from the .org footer. Props @ocean90. Matt has also approved replacing the social networking links with non-tracker links.
  • There are some potential privacy issues regarding Google Captcha 3.0. @idea15 to research.
  • #45395, which added the “shield” illustration to the admin dashboard privacy page, has raised the issue of the currency and accuracy of the text under it.
  • The 26 November bug scrub examined several new tickets: #45416, #45154, #45136, #44952, #44940, and #44876.
  • The needs-privacy-review tag in Trac (#3896) has been marked commit. @garrett-eclipse will add a link to the “needs-privacy-review” page on the main component page when there are active tickets.
  • There are 46 privacy tickets awaiting review.

Conference talks

Team issues

  • @javorszky has had to step away from contributing due to time constraints. @allendav is also unable to contribute at pre-4.9.6 levels. The team is always looking for new participants and contributors.
  • @riankinney and @idea15 are meeting with the Joomla! Core privacy team after WCUS to identify potential areas for mutual cooperation and to also learn more about their consent and logging work.
  • @idea15 wrote a post about the component’s work for the Marketing team.
  • The attendees agreed to use our 12 December office hours meeting, after WCUS and our contributions to Gutenberg are out of the way, to kickstart the V2 core privacy work.

Reminder: our weekly office hours are now on Wednesdays at 1900 UTC, while bug scrubs remain on Mondays at 16:00 UTC. The next office hours will take place on Wednesday, December 5, 2018 at 19:00 UTC.

#core-privacy

Core Privacy Agenda – 21 Nov 2018 – New Time

When/Where: Join us in #core-privacy on Making WordPress Slack on Wednesday, November 21, 2018 at 1900 UTC

Agenda:

  • Update on WP 5 testing/patches
  • Update on 3rd party code (Twitter, Facebook, Quantcast?) on WP.org footers (@allendav)
  • Update on WP mobile app permissions and tracking (@allendav)
  • Update on Google Fonts in Gutenberg (@allendav and @desrosj)
  • Google Captcha 3.0

What the Cool Privacy Kids Are Reading / Trying This Week:

  • Proposed data privacy law could send company execs to prison for 20 years – https://arstechnica.com/tech-policy/2018/11/proposed-data-privacy-law-could-send-company-execs-to-prison-for-20-years/
  • Google accused of trust demolition – https://www.bbc.co.uk/news/amp/technology-46206677

Upcoming WordCamp (and other Event) Privacy Talks:

  • Planned talks
  • SURPRISE! https://2018.us.wordcamp.org/session/whats-privacy-got-to-do-with-it/
  • Opportunities
  • ???

Helpful links:

  • Core Privacy Component Home Page https://make.wordpress.org/core/components/privacy/
  • Core Privacy Posts https://make.wordpress.org/core/tag/core-privacy/
  • Core Privacy Roadmap https://make.wordpress.org/core/roadmap/privacy/
  • Plugin Privacy Handbook https://developer.wordpress.org/plugins/privacy/
  • Open Privacy Component Tickets https://core.trac.wordpress.org/query?status=accepted&status=assigned&status=new&status=reopened&status=reviewing&component=Privacy&col=id&col=summary&col=status&col=owner&col=type&col=priority&col=milestone&col=component&order=priority

#core-privacy
#privacy

Core Privacy Office Hour Summary – 14 November

Moving forward, the Core Privacy Office Hour will be held at 19:00 UTC.

Below is a summary of the discussion from this week’s #core-privacy chat. You can read the chat in its entirety in Slack.

The agenda for the chat is available here.

NTIA Comments (Pre-chat)

A few noteworthy comments on the NTIA RFC for the Proposed United States Privacy Approach:

Meeting Time

With daylight saving time changes behind us for now, a new time for the weekly office hours meeting was discussed. The top-voted time slot was 19:00 UTC with 10 votes. There was a tie for second, with 17:00 and 18:00 UTC receiving 8 votes each. No time slot will work for everyone, so the 19:00 UTC time slot was chosen to maximize attendance. The hope is that if agendas and summaries continue to be consistently posted, the component can gain more momentum at this new time with higher attendance.

As always, the Slack channel (#core-privacy) is open for discussions! Catching up asynchronously is always welcome.

WordPress 5.0

The WordPress 5 release is presently scheduled for Tuesday, November 27 – that’s less than two weeks away. A new beta was released a day or so ago, so this is a great time to try out the new block editor and the new release, and especially to double-check privacy policy editing. Noteworthy patches: https://core.trac.wordpress.org/ticket/45151 and https://github.com/WordPress/gutenberg/pull/11604 and https://core.trac.wordpress.org/ticket/45057

We also discussed the use of Google Fonts in Gutenberg – see https://github.com/WordPress/gutenberg/issues/11648 – the issue title may not be accurate, but the issue does bear further investigation. @allendav and @desrosj will look at it and others are welcome to as well. @desrosj summed up a great approach for this and similar situations: “Not arguing to leave it in, but to change it, we need to have a clear suggestion for how to proceed, as well as a description of why it needs to be changed so others can understand. This seems like a larger issue though because [other items used by core] are loaded from Google.”
@desrosj also committed to “work on coming up with a list of all externally loaded resources and circle back with Allen on it. We’ll come up with a plan forward, and try to clarify why/if it must be changed.”

Needs-Privacy-Review

@garrett-eclipse’s ticket is waiting for commit to add the new tags – see https://meta.trac.wordpress.org/ticket/3896

Update on WordPress.org page 3rd party scripts

@allendav got the green light from @Matt to remove the Quantcast scripts as well as replace the Twitter and Facebook script-powered sharing buttons with simple links. This should improve end-user privacy as well as decrease page load times. See https://meta.trac.wordpress.org/ticket/3655#comment:25

Next Office Hour

The next core privacy office hour will be Wednesday, November 21st, 2018 at 1900 UTC in #core-privacy. Expect an agenda to be posted on Monday, November 19th. Ping @allendav @idea15 or @desrosj if you’d like to add an item to the agenda, or feel free to add it yourself at https://docs.google.com/document/d/1oQnV7L1KVeFhLCLRzJZ6cbntLmIxqAtWZGa7EAs9eQE/edit

#core-privacy
#privacy

Core Privacy Agenda – 14 Nov 2018

When/Where: Join us in #core-privacy on Making WordPress Slack from 1500-1600 UTC

Agenda:

  • New time for core privacy weekly chat starting next week (@desrosj)
  • WP 5 drops Tue Nov 27 – do we need another quick round of WP 5 compatibility testing with privacy features? (@allendav)
  • Tickets
    • Update on moving core files from @allendav (core:43895) – developing a plan here – https://docs.google.com/document/d/1naG6Bs2RK7j1PkKXmCdflY3ei2ZgZtV6zHCWeRz01s0/edit
  • Needs-privacy-review tag
    • Update from @garrett-eclipse (meta:3896) – “wrote the patch and it’s now awaiting a commit. There’s two additional items after commit which is including links but we’ll hold on that until the tag starts to get some usage”
  • Raising awareness of core privacy work and meetings
    • Update from @riankinney re marketing newsletter — getting the word out about Office Hours, our need for developers and end-user feedback
  • “What is privacy in our context?”
    • What is privacy in the sense of what areas do we look at in our work @idea15
    • Separating the theory from the practice (e.g. our dev guidelines)
    • Update on working with Chris Teitzel for cross-platform definitions @idea15

Items postponed to next week:

  • WP mobile app permissions and tracking (@allendav)
  • Follow up on 3rd party code (Twitter, Facebook, Quantcast?) on WP.org footers (@allendav)

What the Cool Privacy Kids Are Reading / Trying This Week:

  • 60 Minutes on GDPR – https://www.cbsnews.com/news/gdpr-the-law-that-lets-europe-take-back-their-data-from-big-tech-companies-60-minutes/ props @idea15
  • ICO updates https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/ https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/ https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/ props David Orf
  • WP GDPR Compliance Plugin Privilege Escalation Flaw https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/ props @garrett-eclipse

Upcoming WordCamp (and other Event) Privacy Talks:

  • Recent talks
    • @chrisweigman Encrypt All the Things – WordCamp Orlando https://2018.orlando.wordcamp.org/schedule/sessions/
    • @riankinney Ethics on the Web – WordCamp Orlando https://2018.orlando.wordcamp.org/schedule/sessions/
    • Chris Teitzel – With Great Power Comes Great Responsibility – WordCamp Seattle – https://2018.seattle.wordcamp.org/session/with-great-power-comes-great-responsibility/
  • Planned talks
  • Opportunities

Helpful links:

  • Core Privacy Component Home Page https://make.wordpress.org/core/components/privacy/
  • Core Privacy Posts https://make.wordpress.org/core/tag/core-privacy/
  • Core Privacy Roadmap https://make.wordpress.org/core/roadmap/privacy/
  • Plugin Privacy Handbook https://developer.wordpress.org/plugins/privacy/
  • Open Privacy Component Tickets https://core.trac.wordpress.org/query?status=accepted&status=assigned&status=new&status=reopened&status=reviewing&component=Privacy&col=id&col=summary&col=status&col=owner&col=type&col=priority&col=milestone&col=component&order=priority

#core-privacy, #privacy

Core Privacy Agenda – 7 November 2018

When/Where: Join us in #core-privacy on Making WordPress Slack from 1500-1600 UTC

Agenda:

  • We need a facilitator and note-taker for today (@allendav is on travel/AFK)
  • New Meeting Time discussion @desrosj
  • Tickets
  • Needs-privacy-review tag – Update from @garrett (meta:3896)
    • “wrote the patch and it’s now awaiting a commit. There’s two additional items after commit which is including links but we’ll hold on that until the tag starts to get some usage”
  • Raising awareness of core privacy work and meetings
    • Update from Rian re marketing newsletter — getting the word out about Office Hours, our need for developers and end-user feedback
  • “What is privacy in our context?”
    • What is privacy in the sense of what areas do we look at in our work @idea15
    • Separating the theory from the practice (e.g. our dev guidelines)
    • Update on working with Chris Teitzel for cross-platform definitions @idea15

Items postponed to next week:

  • WP mobile app permissions and trackers (@allendav)
  • Trackers on WP.org footer (@allendav)

What the Cool Privacy Kids Are Reading / Trying This Week:

Upcoming WordCamp (and other Event) Privacy Talks:

  • Planned talks
  • Opportunities

Helpful links:

#privacy #core-privacy

Core Privacy Office Hours Summary – 31 October 2018

Office hours started at 1500z.

Agenda: https://make.wordpress.org/core/2018/10/30/core-privacy-agenda-31-october-2018/

  • Ticket issues
  • Gutenberg
    • gutenstats.blog footer updated to clarify origin of data
    • @allendav to follow up with Jetpack about how they are presenting their gutenblocks that rely on connection to their backend – maybe will serve as a good example for other guten-makers
  • Mobile Apps
  • needs-privacy-review tag
  • BuddyPress
    • @garrett-eclipse is working it – would love checklist to work from if possible
  • Component Documentation
    • @allendav has started chatting with @chanthaboune about how to better document core privacy work, raise visibility. Nothing to report out yet. More forthcoming.
    • We committed to publishing our office hours agenda every Monday
    • Rian committed to reaching out to marketing team for possible inclusion in newsletter / other materials
    • Agenda setting is open, Google doc based at https://docs.google.com/document/d/1oQnV7L1KVeFhLCLRzJZ6cbntLmIxqAtWZGa7EAs9eQE/edit
    • Agenda item for next week: “What is privacy in our context”
    • @idea15 will reach out to Chris Teitzel to see if we can set up a shared definition across projects
  • BobWP Podcast
    • Rian: it went well… highlighted WP Privacy Work and 4.9.6 import/export tools for ease of portability and privacy policy baseline for GDPR compliance
    • will be posted 5 Nov
  • Speaking opportunities
    • @idea15 has been invited to speak on building privacy into open source projects, largely built on the experiences here, at the annual convention of the UK National Association of DPOs in November
    • Are there any other privacy talks at WordCamps or other conferences, either coming up or that you’ve seen recently? Let us know and we’ll add it as a running list on our agenda
    • Rian also reached out to Leo Postovoit about proposing a Privacy Co-Talk/Workshop for WCEU – @allendav is also interested in helping with that, assuming he can get a green light – WCEU is June 2019 in Berlin
  • Meeting Time
    • @desrosj: For meeting time, I was thinking we wait until next week to pick a new time. With DST this weekend for the US, some folks may need to revise their selected time slots.
    • So next week we will meet here at 1500 UTC as normal, and then decide our new time slot.
  • Closing Bits and Bobs

Up next:

Office hours ended at 1600z.

Core Privacy Agenda – 31 October 2018

When/Where: Join us in #core-privacy on Making WordPress Slack from 1500-1600 UTC

Facilitator: @idea15

Note-taker: @allendav

Agenda

Tickets and code issues

Component documentation:

  • Update on getting a privacy home page at make.wordpress.org/privacy (@allendav)
  • Handbook review (@allendav , Rian)

Marketing/conference talks/collaboration

  • Cross-platform privacy group update
  • Rian Kinney – BobWP podcast
  • Any upcoming WordCamp talks?

Group meta issues

  • Reminder of Monday bug scrub for 5 Nov (@?)
  • Office hour meeting time change (@?)
  • Need facilitator, note-taker for next week

What the Cool Privacy Kids Are Reading / Trying This Week:

Helpful links:

#core-privacy, #privacy

Core-privacy Office Hours Summary – 17 October

Below is a summary of the discussion from this week’s #core-privacy chat. You can read the chat in its entirety in Slack.

Roadmap Progress

There was no roadmap related progress to report this week. The component’s focus until post-Gutenberg remains the 31 bug tickets, with a goal of marking at least 75% of them as ready for commit.

Gutenberg Privacy Review

@allendav, @garrett-eclipse, and @azaozz have been reviewing Gutenberg for potential privacy issues.

In response to concerns about the source of the data presented on https://gutenstats.blog, @allendav will add a note to the footer on that site clarifying that the post counts come from Jetpack-connected sites. @allendav also reports that there is no Automattic tracking code in Gutenberg, and that if a site has Jetpack and Gutenberg installed, some of Jetpack’s Gutenberg blocks are loaded from Automattic’s CDN.

Related to CDNs, @azaozz confirmed that reliance on unpkg will not be an issue once Gutenberg is merged into WordPress Core. Third party resources are loaded from a CDN when Gutenberg is in development mode. Whether this carries over after the merge into WordPress core needs to be verified.

There is a bug in Gutenberg regarding the display of the privacy notice tool. @desrosj has noted this as Gutenberg ticket 10448.

Gutenberg utilizes the Noto Serif Google Font for supported locales. @garrett-eclipse asks whether a font replacement should be proposed for the 5.0 merge, or whether the suggested privacy policy content should be updated to include Google Fonts verbiage.

The emojis in Gutenberg load from s.w.org and need further review. @garrett-eclipse seeks clarification on whether emojis are part of core and therefore covered by the existing privacy notice language.

Regarding embed blocks, @garrett-eclipse suggests that how core handles them from a privacy standpoint should follow whatever is done for embeds in general. He suggests it would be useful to propose to Gutenberg/core the feasibility of creating a “privacy flag” on blocks, which could alert users to potential privacy concerns and/or alert admins that blocks with potential privacy ramifications have been added to their site.

BuddyPress and Privacy Reviews

@garrett-eclipse and @jjj have arranged to conduct a basic privacy review of BuddyPress.

This led to a discussion about privacy reviews being a service which the team could offer, akin to theme, plugin, or accessibility reviews. All were in agreement that the parameters and deliverables of these reviews would need further discussion. All in attendance also agreed on the need to make absolutely clear that privacy reviews would not be legal advice, nor could they be carried out with a view to achieving compliance with any specific privacy law. Rather, the reviews would focus on general issues of data collection, flows, retention, and sharing. Any action items which reviews might identify would be the developer’s responsibility to address, not the core-privacy team’s.

@allendav suggested that “needs-privacy-review” could be added as a tag in Trac for patches and tickets.

@garrett-eclipse and @allendav will document the processes they have used in their Gutenberg and BuddyPress evaluations, with a view towards using these steps as the basis of a potential privacy review checklist for the handbook.

Component Documentation Review

@allendav wrote handbook documentation as part of the V1 roadmap earlier in the year. All in attendance agreed it would be good to review the handbook for new material that could be added, and to see if additional audiences could be accommodated. @allendav and @riankinney will review the existing documentation and report back with suggestions. Documentation from other teams, including design and accessibility, provides good examples to follow.

@garrett-eclipse suggested that the Privacy by Design standards used by core-privacy could be more widely adopted across the WordPress project, and more visible documentation could help to promote this.

Team Issues

A healthy and constructive discussion was had on whether the core-privacy team should continue to identify as a core component or should seek to additionally become a team. The team agreed to consult with @chanthaboune on what options are available within the team and component structure.

Group Meta Issues

Last week @desrosj circulated a Doodle poll to find a better time for weekly office hours. From the suggestions provided there, he has launched a second Doodle poll narrowing the selection down to the four most popular answers. Please provide your two best choices. The Doodle poll will appear in your local time zone, not in UTC.

@allendav has been looking into more privacy-conscious collaboration tools and reports he is not happy with the UX of Etherpad.

Sarah Gooding interviewed @idea15 for an article about the team on WP Tavern. @riankinney is doing a privacy podcast with BobWP later this month.

The next core-privacy office hours is Wednesday, October 24, 2018 at 1500 UTC. A new office hours time will be decided in this meeting.

#core-privacy

#privacy

Core-privacy agenda – 17 October 2018

This is the agenda for the weekly #core-privacy meeting on Wednesday 17 October 2018 at 1500 UTC:

Roadmap issues

Team issues

  • Group definition: Are we a core component? A component? A team? @idea15
  • Group lack of visibility and consideration: how do we get more of it within and outside the project regardless of how we are categorised? @idea15

Group meta issues

#core-privacy

#privacy