Privacy Office Hour Notes – January 9th, 2019

Huge thank you to all who attended the very productive office hours! The recap notes are a bit delayed, but they were not forgotten! A full agenda can also be found in an earlier post, and the full transcript can be found in Slack.

Here are the highlights of the meeting:

Agenda Item 1 – Roadmap Review

  • @idea15 reminded us that there is a more recent version of the Roadmap.
    • @desrosj will investigate how to give more maintainers access to update the roadmap page.
  • @lakenh mentioned Trac issue #44161, regarding IP addresses stored within the usermeta table.
    • @xkon provided an example of a user meta session token, and it contained both a user agent and IP address.
    • @lakenh also discovered that the community-events-location user meta field also contains a full IP address.
      • He also suggested perhaps anonymizing that particular IP by dropping the last few places as the geographical location shouldn’t change by much.
    • @desrosj then asked if these fields were accounted for within the original data export/erasure tools.
      • @garrett-eclipse delivered the bad news that they were not.
      • A ticket to track this issue has been opened: #45889.

Agenda Item 2 – 2019

  • @idea15 gave an update on the cross-project privacy group which broke ground at Drupal Europe. Joomla’s Glip (similar to WordPress’ Slack) now has representatives from this WordPress Privacy team, Drupal, Joomla, Typo3, Umbraco, as well as other industry representatives who are all providing aid to make all CMSs have great privacy features built-in.
  • @desrosj helped to set expectations for what privacy-related changes are acceptable moving forward based on a recent discussion in #core-committers. Small enhancements and bug fixes will generally be OK to include in new releases with little oversight. Larger enhancements will need approval by version release leads.
  • Brainstorm session for how the team’s goals and the greater WordPress project’s goals overlap in 2019.
    • @desrosj suggested the following three areas as places where we can help out:
      • Providing a way for users to opt-in to automatic plugin and theme updates.
      • Providing a way for users to opt-in to automatic updates of major Core releases.
      • Building a WordPress.org directory for discovering blocks, and a way to seamlessly install them.
    • @desrosj also suggested Health Check as a possible area, as perhaps there are some server level privacy checks that could be built in.
      • @clorith expressed that the team was open to any ideas and that privacy features for Health Check can be created as GitHub issues on its repo for consideration.

#core-privacy, #privacy

Core Privacy Agenda – 9 January 2019

Happy New Year to all, and hope everyone enjoyed the holiday season. Our weekly office hours resume today, January 9th, 2019 at 19:00 UTC in #core-privacy.

The goal today is to ease back into the swing of things a bit slowly, starting with short office hours today, and see where things go from there.

Agenda

  • Roadmap Review
    • Is our roadmap still looking how we want it? Is anything missing?
  • 2019 Plans
    • Matt posted the 9 priorities for 2019 last month.
    • Privacy is not explicitly mentioned in any of them. But, as a team, we should brainstorm where overlap exists with the team’s goals and where we can help out on this list.
      • Example: Auto-update support is one of the priorities; perhaps we can try and get the telemetry changes merged with it (#43492)
  • Open Floor
  • Off-Topic Open Floor
    • How were your holidays? Catch up and chit-chat 🙂

Hope to see you all there! All contributors welcome regardless of skill level or expertise.

#core-privacy, #privacy

Core-Privacy Agenda – 12 December

When/Where: Join us in #core-privacy on Making WordPress Slack on Wednesday, 12 December at 1900 UTC

1. WCUS postmortem
a. Leo and Kevin’s privacy talk – comments, feedback, and follow up
b. Contributor Day – lack of a table as a core component team despite having had a table at WCEU
c. Morten’s talk/Leo
d. Other business arising

2. V2 roadmap updates

3. Team issues
a. Recruitment of new team members and contributors (chicken and egg discussion)
b. Instructions regarding the core-privacy team issued to the Marketing team
c. Team structure & visibility – per 17 October office hours summary and 28 June meeting

#core-privacy

#privacy

Core-Privacy Office Hours Summary, 21 and 28 November

Ticket and coding issues

  • Gutenberg 11999, Fix the Privacy Policy Help Notice – merged into Core r43920. There is an open PR on the Classic Editor that will reverse the changes in r43920 and preserve the current placement of the notice (below the post title, above the editor) when that plugin is active.
  • As far as the contributors are aware, Gutenberg 11648 is the only remaining 5.0 related privacy ticket.
  • Quantcast advertising tracking has been removed from the .org footer. Props @ocean90. Matt has also approved replacing the social networking links with non-tracker links.
  • There are some potential privacy issues regarding Google Captcha 3.0. @idea15 to research.
  • #45395, which added the “shield” illustration to the admin dashboard privacy page, has raised the issue of the currency and accuracy of the text under it.
  • The 26 November bug scrub examined several new tickets: #45416, #45154, #45136, #44952, #44940, and #44876.
  • The needs-privacy-review tag in Trac (#3896) has been marked commit. @garrett-eclipse will add a link to the “needs-privacy-review” page on the main component page when there are active tickets.
  • There are 46 privacy tickets awaiting review.

Conference talks

Team issues

  • @javorszky has had to step away from contributing due to time constraints. @allendav is also unable to contribute at pre-4.9.6 levels. The team is always looking for new participants and contributors.
  • @riankinney and @idea15 are meeting with the Joomla! Core privacy team after WCUS to identify potential areas for mutual cooperation and to also learn more about their consent and logging work.
  • @idea15 wrote a post about the component’s work for the Marketing team.
  • The attendees agreed to use our 12 December office hours meeting, after WCUS and our contributions to Gutenberg are out of the way, to kickstart the V2 core privacy work.

Reminder: our weekly office hours are now on Wednesdays at 1900 UTC, while bug scrubs remain on Mondays at 16:00 UTC. The next office hours will take place on Wednesday, December 5, 2018 at 19:00 UTC.

#core-privacy

#privacy

Core Privacy Agenda – 21 Nov 2018 – New Time

When/Where: Join us in #core-privacy on Making WordPress Slack on Wednesday, November 21, 2018 at 1900 UTC

Agenda:

  • Update on WP 5 testing/patches
  • Update on 3rd party code (Twitter, Facebook, Quantcast?) on WP.org footers (@allendav)
  • Update on WP mobile app permissions and tracking (@allendav)
  • Update on Google Fonts in Gutenberg (@allendav and @desrosj)
  • Google Captcha 3.0

What the Cool Privacy Kids Are Reading / Trying This Week:

  • Proposed data privacy law could send company execs to prison for 20 years – https://arstechnica.com/tech-policy/2018/11/proposed-data-privacy-law-could-send-company-execs-to-prison-for-20-years/
  • Google accused of trust demolition – https://www.bbc.co.uk/news/amp/technology-46206677

Upcoming WordCamp (and other Event) Privacy Talks:

  • Planned talks
  • SURPRISE! https://2018.us.wordcamp.org/session/whats-privacy-got-to-do-with-it/
  • Opportunities
  • ???

Helpful links:

  • Core Privacy Component Home Page https://make.wordpress.org/core/components/privacy/
  • Core Privacy Posts https://make.wordpress.org/core/tag/core-privacy/
  • Core Privacy Roadmap https://make.wordpress.org/core/roadmap/privacy/
  • Plugin Privacy Handbook https://developer.wordpress.org/plugins/privacy/
  • Open Privacy Component Tickets https://core.trac.wordpress.org/query?status=accepted&status=assigned&status=new&status=reopened&status=reviewing&component=Privacy&col=id&col=summary&col=status&col=owner&col=type&col=priority&col=milestone&col=component&order=priority

#core-privacy
#privacy

Core Privacy Office Hour Summary – 14 November

Moving forward, the Core Privacy Office Hour will be held at 19:00 UTC.

Below is a summary of the discussion from this week’s #core-privacy chat. You can read the chat in its entirety in Slack.

The agenda for the chat is available here.

NTIA Comments (Pre-chat)

A few noteworthy comments on the NTIA RFC for the Proposed United States Privacy Approach:

Meeting Time

With daylight saving time changes behind us for now, a new time for the weekly office hours meeting was discussed. The top-voted time slot was 19:00 UTC with 10 votes. There was a tie for second, with 17:00 and 18:00 UTC receiving 8 votes each. No time slot will work for everyone, so the 19:00 UTC time slot was chosen to maximize attendance. The hope is that if agendas and summaries continue to be consistently posted, the component can gain more momentum at this new time with higher attendance.

As always, the Slack channel (#core-privacy) is open for discussions, and catching up asynchronously is welcome.

WordPress 5.0

The WordPress 5 release is presently scheduled for Tuesday, November 27 – that’s less than two weeks away. A new beta was released a day or so ago, so this is a great time to try out the new block editor and the new release, and especially to double-check privacy policy editing. Noteworthy patches: https://core.trac.wordpress.org/ticket/45151 and https://github.com/WordPress/gutenberg/pull/11604 and https://core.trac.wordpress.org/ticket/45057

We also discussed the use of Google Fonts in Gutenberg – see https://github.com/WordPress/gutenberg/issues/11648 – the issue title may not be accurate, but the issue does bear further investigation. @allendav and @desrosj will look at it and others are welcome to as well. @desrosj summed up a great approach for this and similar situations: “Not arguing to leave it in, but to change it, we need to have a clear suggestion for how to proceed, as well as a description of why it needs to be changed so others can understand. This seems like a larger issue though because [other items used by core] are loaded from Google.”
@desrosj also committed to “work on coming up with a list of all externally loaded resources and circle back with Allen on it. We’ll come up with a plan forward, and try to clarify why/if it must be changed.”

Needs-Privacy-Review

@garrett-eclipse’s ticket is waiting for commit to add the new tags – see https://meta.trac.wordpress.org/ticket/3896

Update on WordPress.org page 3rd party scripts

@allendav got the green light from @Matt to remove the Quantcast scripts as well as replace the Twitter and Facebook script-powered sharing buttons with simple links. This should improve end-user privacy as well as decrease page load times. See https://meta.trac.wordpress.org/ticket/3655#comment:25

Next Office Hour

The next core privacy office hour will be Wednesday, November 21st, 2018 at 1900 UTC in #core-privacy. Expect an agenda to be posted on Monday, November 19th. Ping @allendav @idea15 or @desrosj if you’d like to add an item to the agenda, or feel free to add it yourself at https://docs.google.com/document/d/1oQnV7L1KVeFhLCLRzJZ6cbntLmIxqAtWZGa7EAs9eQE/edit

#core-privacy
#privacy

Core Privacy Agenda – 14 Nov 2018

When/Where: Join us in #core-privacy on Making WordPress Slack from 1500-1600 UTC

Agenda:

  • New time for core privacy weekly chat starting next week (@desrosj)
  • WP 5 drops Tue Nov 27 – do we need another quick round of WP 5 compatibility testing with privacy features? (@allendav)
  • Tickets
    • Update on moving core files from @allendav (core:43895) – developing a plan here – https://docs.google.com/document/d/1naG6Bs2RK7j1PkKXmCdflY3ei2ZgZtV6zHCWeRz01s0/edit
  • Needs-privacy-review tag
    • Update from @garrett-eclipse (meta:3896) – “wrote the patch and it’s now awaiting a commit. There’s two additional items after commit which is including links but we’ll hold on that until the tag starts to get some usage”
  • Raising awareness of core privacy work and meetings
    • Update from @riankinney re marketing newsletter — getting the word out about Office Hours, our need for developers and end-user feedback
  • “What is privacy in our context?”
    • What is privacy in the sense of what areas do we look at in our work @idea15
    • Separating the theory from the practice (e.g. our dev guidelines)
    • Update on working with Chris Teitzel for cross-platform definitions @idea15

Items postponed to next week:

  • WP mobile app permissions and tracking (@allendav)
  • Follow up on 3rd party code (Twitter, Facebook, Quantcast?) on WP.org footers (@allendav)

What the Cool Privacy Kids Are Reading / Trying This Week:

  • 60 Minutes on GDPR – https://www.cbsnews.com/news/gdpr-the-law-that-lets-europe-take-back-their-data-from-big-tech-companies-60-minutes/ props @idea15
  • ICO updates https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/ https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/ https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/ props David Orf
  • WP GDPR Compliance Plugin Privilege Escalation Flaw https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/ props @garrett-eclipse

Upcoming WordCamp (and other Event) Privacy Talks:

  • Recent talks
    • @chrisweigman Encrypt All the Things – WordCamp Orlando https://2018.orlando.wordcamp.org/schedule/sessions/
    • @riankinney Ethics on the Web – WordCamp Orlando https://2018.orlando.wordcamp.org/schedule/sessions/
    • Chris Teitzel – With Great Power Comes Great Responsibility – WordCamp Seattle – https://2018.seattle.wordcamp.org/session/with-great-power-comes-great-responsibility/
  • Planned talks
  • Opportunities

Helpful links:

  • Core Privacy Component Home Page https://make.wordpress.org/core/components/privacy/
  • Core Privacy Posts https://make.wordpress.org/core/tag/core-privacy/
  • Core Privacy Roadmap https://make.wordpress.org/core/roadmap/privacy/
  • Plugin Privacy Handbook https://developer.wordpress.org/plugins/privacy/
  • Open Privacy Component Tickets https://core.trac.wordpress.org/query?status=accepted&status=assigned&status=new&status=reopened&status=reviewing&component=Privacy&col=id&col=summary&col=status&col=owner&col=type&col=priority&col=milestone&col=component&order=priority

#core-privacy, #privacy

Core Privacy Agenda – 7 November 2018

When/Where: Join us in #core-privacy on Making WordPress Slack from 1500-1600 UTC

Agenda:

  • We need a facilitator and note-taker for today (@allendav is on travel/AFK)
  • New Meeting Time discussion @desrosj
  • Tickets
  • Needs-privacy-review tag – Update from @garrett (meta:3896)
    • “wrote the patch and it’s now awaiting a commit. There’s two additional items after commit which is including links but we’ll hold on that until the tag starts to get some usage”
  • Raising awareness of core privacy work and meetings
    • Update from Rian re marketing newsletter — getting the word out about Office Hours, our need for developers and end-user feedback
  • “What is privacy in our context?”
    • What is privacy in the sense of what areas do we look at in our work @idea15
    • Separating the theory from the practice (e.g. our dev guidelines)
    • Update on working with Chris Teitzel for cross-platform definitions @idea15

Items postponed to next week:

  • WP mobile app permissions and trackers (@allendav)
  • Trackers on WP.org footer (@allendav)

What the Cool Privacy Kids Are Reading / Trying This Week:

Upcoming WordCamp (and other Event) Privacy Talks:

  • Planned talks
  • Opportunities

Helpful links:

#privacy #core-privacy

Core Privacy Office Hours Summary – 31 October 2018

Office hours started at 1500z.

Agenda: https://make.wordpress.org/core/2018/10/30/core-privacy-agenda-31-october-2018/

  • Ticket issues
  • Gutenberg
    • gutenstats.blog footer updated to clarify origin of data
    • @allendav to follow up with jetpack about how they are presenting their gutenblocks that rely on connection to their backend – maybe will serve as a good example for other guten-makers
  • Mobile Apps
  • needs-privacy-review tag
  • BuddyPress
    • @garrett-eclipse is working it – would love checklist to work from if possible
  • Component Documentation
    • @allendav has started chatting with @chanthaboune about how to better document core privacy work, raise visibility. Nothing to report out yet. More forthcoming.
    • We committed to publishing our office hours agenda every Monday
    • Rian committed to reaching out to marketing team for possible inclusion in newsletter / other materials
    • Agenda setting is open, Google doc based at https://docs.google.com/document/d/1oQnV7L1KVeFhLCLRzJZ6cbntLmIxqAtWZGa7EAs9eQE/edit
    • Agenda item for next week: “What is privacy in our context”
    • @idea15 will reach out to Chris Teitzel to see if we can set up a shared definition across projects
  • Bob WP Podcast
    • Rian: it went well… highlighted WP Privacy Work and 4.9.6 import/export tools for ease of portability and privacy policy baseline for GDPR compliance
    • will be posted 5 Nov
  • Speaking opportunities
    • @idea15 has been invited to speak on building privacy into open source projects, largely built on the experiences here, at the annual convention of the UK National Association of DPOs in November
    • Are there any other privacy talks at WordCamps or other conferences, either coming up or that you’ve seen recently? Let us know and we’ll add it as a running list on our agenda
    • Rian also reached out to Leo Postovoit about proposing a Privacy Co-Talk/Workshop for WCEU – @allendav is also interested in helping with that, assuming he can get a green light – WCEU is June 2019 in Berlin
  • Meeting Time
    • @desrosj: For meeting time, I was thinking we wait until next week to pick a new time. With DST this weekend for the US, some folks may need to revise their selected time slots.
    • So next week we will meet here at 1500 UTC as normal, and then decide our new time slot.
  • Closing Bits and Bobs

Up next:

Office hours ended at 1600z.

#privacy

Core Privacy Agenda – 31 October 2018

When/Where: Join us in #core-privacy on Making WordPress Slack from 1500-1600 UTC

Facilitator: @idea15

Note-taker: @allendav

Agenda

Tickets and code issues

Component documentation:

  • Update on getting a privacy home page at make.wordpress.org/privacy (@allendav)
  • Handbook review (@allendav , Rian)

Marketing/conference talks/collaboration

  • Cross-platform privacy group update
  • Rian Kinney – BobWP podcast
  • Any upcoming WordCamp talks?

Group meta issues

  • Reminder of Monday bug scrub for 5 Nov (@?)
  • Office hour meeting time change (@?)
  • Need facilitator, note-taker for next week

What the Cool Privacy Kids Are Reading / Trying This Week:

Helpful links:

#core-privacy, #privacy