Core Privacy Office Hour Summary – 14 November

Moving forward, the Core Privacy Office Hour will be held at 19:00 UTC.

Below is a summary of the discussion from this week’s #core-privacy chat. You can read the chat in its entirety in Slack.

The agenda for the chat is available here.

NTIA Comments (Pre-chat)

A few noteworthy comments on the NTIA RFC for the Proposed United States Privacy Approach:

Meeting Time

With daylight saving time changes behind us for now, a new time for the weekly office hours meeting was discussed. The top-voted time slot was 19:00 UTC with 10 votes. There was a tie for second, with 17:00 and 18:00 UTC receiving 8 votes each. No time slot will work for everyone, so the 19:00 UTC time slot was chosen to maximize attendance. The hope is that if agendas and summaries continue to be consistently posted, the component can gain more momentum at this new time with higher attendance.

As always, the Slack channel (#core-privacy) is open for discussions, and catching up asynchronously is welcome.

WordPress 5.0

The WordPress 5 release is presently scheduled for Tuesday, November 27 – that’s less than two weeks away. A new beta was released a day or so ago, so this is a great time to try out the new block editor and the new release, and especially to double-check privacy policy editing. Noteworthy patches: https://core.trac.wordpress.org/ticket/45151 and https://github.com/WordPress/gutenberg/pull/11604 and https://core.trac.wordpress.org/ticket/45057

We also discussed the use of Google Fonts in Gutenberg – see https://github.com/WordPress/gutenberg/issues/11648 – the issue title may not be accurate, but the issue does bear further investigation. @allendav and @desrosj will look at it and others are welcome to as well. @desrosj summed up a great approach for this and similar situations: “Not arguing to leave it in, but to change it, we need to have a clear suggestion for how to proceed, as well as a description of why it needs to be changed so others can understand. This seems like a larger issue though because [other items used by core] are loaded from Google.”
@desrosj also committed to “work on coming up with a list of all externally loaded resources and circle back with Allen on it. We’ll come up with a plan forward, and try to clarify why/if it must be changed.”

Needs-Privacy-Review

@garrett-eclipse’s ticket to add the new tags is waiting for commit – see https://meta.trac.wordpress.org/ticket/3896

Update on WordPress.org page 3rd party scripts

@allendav got the green light from @Matt to remove the Quantcast scripts as well as replace the Twitter and Facebook script-powered sharing buttons with simple links. This should improve end-user privacy as well as decrease page load times. See https://meta.trac.wordpress.org/ticket/3655#comment:25

Next Office Hour

The next core privacy office hour will be Wednesday, November 21st, 2018 at 1900 UTC in #core-privacy. Expect an agenda to be posted on Monday, November 19th. Ping @allendav, @idea15, or @desrosj if you’d like to add an item to the agenda, or feel free to add it yourself at https://docs.google.com/document/d/1oQnV7L1KVeFhLCLRzJZ6cbntLmIxqAtWZGa7EAs9eQE/edit

#core-privacy
#privacy

Core Privacy Agenda – 14 Nov 2018

When/Where: Join us in #core-privacy on Making WordPress Slack from 1500-1600 UTC

Agenda:

  • New time for core privacy weekly chat starting next week (@desrosj)
  • WP 5 drops Tue Nov 27 – do we need another quick round of WP 5 compatibility testing with privacy features? (@allendav)
  • Tickets
    • Update on moving core files from @allendav (core:43895) – developing a plan here – https://docs.google.com/document/d/1naG6Bs2RK7j1PkKXmCdflY3ei2ZgZtV6zHCWeRz01s0/edit
  • Needs-privacy-review tag
    • Update from @garrett-eclipse (meta:3896) – “wrote the patch and it’s now awaiting a commit. There’s two additional items after commit which is including links but we’ll hold on that until the tag starts to get some usage”
  • Raising awareness of core privacy work and meetings
    • Update from @riankinney re marketing newsletter — getting the word out about Office Hours, our need for developers and end-user feedback
  • “What is privacy in our context?”
    • What is privacy in the sense of what areas do we look at in our work @idea15
    • Separating the theory from the practice (e.g. our dev guidelines)
    • Update on working with Chris Teitzel for cross-platform definitions @idea15

Items postponed to next week:

  • WP mobile app permissions and tracking (@allendav)
  • Follow up on 3rd party code (Twitter, Facebook, Quantcast?) on WP.org footers (@allendav)

What the Cool Privacy Kids Are Reading / Trying This Week:

  • 60 Minutes on GDPR – https://www.cbsnews.com/news/gdpr-the-law-that-lets-europe-take-back-their-data-from-big-tech-companies-60-minutes/ props @idea15
  • ICO updates https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/ https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/ https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/ props David Orf
  • WP GDPR Compliance Plugin Privilege Escalation Flaw https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/ props @garrett-eclipse

Upcoming WordCamp (and other Event) Privacy Talks:

  • Recent talks
    • @chrisweigman Encrypt All the Things – WordCamp Orlando https://2018.orlando.wordcamp.org/schedule/sessions/
    • @riankinney Ethics on the Web – WordCamp Orlando https://2018.orlando.wordcamp.org/schedule/sessions/
    • Chris Teitzel – With Great Power Comes Great Responsibility – WordCamp Seattle – https://2018.seattle.wordcamp.org/session/with-great-power-comes-great-responsibility/
  • Planned talks
  • Opportunities

Helpful links:

  • Core Privacy Component Home Page https://make.wordpress.org/core/components/privacy/
  • Core Privacy Posts https://make.wordpress.org/core/tag/core-privacy/
  • Core Privacy Roadmap https://make.wordpress.org/core/roadmap/privacy/
  • Plugin Privacy Handbook https://developer.wordpress.org/plugins/privacy/
  • Open Privacy Component Tickets https://core.trac.wordpress.org/query?status=accepted&status=assigned&status=new&status=reopened&status=reviewing&component=Privacy&col=id&col=summary&col=status&col=owner&col=type&col=priority&col=milestone&col=component&order=priority

#core-privacy, #privacy

Core Privacy Agenda – 7 November 2018

When/Where: Join us in #core-privacy on Making WordPress Slack from 1500-1600 UTC

Agenda:

  • We need a facilitator and note-taker for today (@allendav is on travel/AFK)
  • New Meeting Time discussion @desrosj
  • Tickets
  • Needs-privacy-review tag – Update from @garrett (meta:3896)
    • “wrote the patch and it’s now awaiting a commit. There’s two additional items after commit which is including links but we’ll hold on that until the tag starts to get some usage”
  • Raising awareness of core privacy work and meetings
    • Update from Rian re marketing newsletter — getting the word out about Office Hours, our need for developers and end-user feedback
  • “What is privacy in our context?”
    • What is privacy in the sense of what areas do we look at in our work @idea15
    • Separating the theory from the practice (e.g. our dev guidelines)
    • Update on working with Chris Teitzel for cross-platform definitions @idea15

Items postponed to next week:

  • WP mobile app permissions and trackers (@allendav)
  • Trackers on WP.org footer (@allendav)

What the Cool Privacy Kids Are Reading / Trying This Week:

Upcoming WordCamp (and other Event) Privacy Talks:

  • Planned talks
  • Opportunities

Helpful links:

#privacy #core-privacy

Core Privacy Agenda – 31 October 2018

When/Where: Join us in #core-privacy on Making WordPress Slack from 1500-1600 UTC

Facilitator: @idea15

Note-taker: @allendav

Agenda

Tickets and code issues

Component documentation:

  • Update on getting a privacy home page at make.wordpress.org/privacy (@allendav)
  • Handbook review (@allendav , Rian)

Marketing/conference talks/collaboration

  • Cross-platform privacy group update
  • Rian Kinney – BobWP podcast
  • Any upcoming WordCamp talks?

Group meta issues

  • Reminder of Monday bug scrub for 5 Nov (@?)
  • Office hour meeting time change (@?)
  • Need facilitator, note-taker for next week

What the Cool Privacy Kids Are Reading / Trying This Week:

Helpful links:

#core-privacy, #privacy

Core-privacy Office Hours Summary – 17 October

Below is a summary of the discussion from this week’s #core-privacy chat. You can read the chat in its entirety in Slack.

Roadmap Progress

There was no roadmap-related progress to report this week. The component’s focus until post-Gutenberg remains the 31 bug tickets, with a goal of marking at least 75% of them as ready for commit.

Gutenberg Privacy Review

@allendav, @garrett-eclipse, and @azaozz have been reviewing Gutenberg for potential privacy issues.

In response to concerns about the source of the data presented on https://gutenstats.blog, @allendav will add a note to the footer on that site clarifying that the post counts come from Jetpack-connected sites. @allendav also reports that there is no Automattic tracking code in Gutenberg, and that if a site has Jetpack and Gutenberg installed, some of Jetpack’s Gutenberg blocks are loaded from Automattic’s CDN.

Related to CDNs, @azaozz confirmed that reliance on unpkg will not be an issue once Gutenberg is merged into WordPress Core. Third party resources are loaded from a CDN when Gutenberg is in development mode. Whether this carries over after the merge into WordPress core needs to be verified.

There is a bug in Gutenberg regarding the display of the privacy notice tool. @desrosj has noted this as Gutenberg ticket 10448.

Gutenberg utilizes the Noto Serif Google Font for supported locales. @garrett-eclipse asks whether a font replacement should be proposed for the 5.0 merge, or whether the suggested privacy policy content should be updated to include Google Fonts verbiage.

The emojis in Gutenberg load from s.w.org and need further review. @garrett-eclipse seeks clarification on whether emojis are part of core and therefore covered by the existing privacy notice language.

Regarding embed blocks, @garrett-eclipse suggests that how core handles them from a privacy standpoint should follow whatever is done for embeds in general. He suggests it would be useful to propose to Gutenberg/core the feasibility of creating a “privacy flag” on blocks which could flag users about potential privacy concerns, and/or flagging admins that blocks with potential privacy ramifications have been added on their site.

BuddyPress and Privacy Reviews

@garrett-eclipse and @jjj have arranged to conduct a basic privacy review of BuddyPress.

This led to a discussion about privacy reviews being a service which the team could offer, akin to theme, plugin, or accessibility reviews. All were in agreement that the parameters and deliverables of these reviews would need further discussion. All in attendance also agreed on the need to make absolutely clear that privacy reviews would not be legal advice, nor could they be carried out with a view to achieving compliance with any specific privacy law. Rather, the reviews would focus on general issues of data collection, flows, retention, and sharing. Any action items which reviews might identify would be the developer’s responsibility to address, not the core-privacy team’s.

@allendav suggested that “needs-privacy-review” could be added as a tag in Trac for patches and tickets.

@garrett-eclipse and @allendav will document the processes they have used in their Gutenberg and BuddyPress evaluations, with a view towards using these steps as the basis of a potential privacy review checklist for the handbook.

Component Documentation Review

@allendav wrote handbook documentation as part of the V1 roadmap earlier in the year. All in attendance agreed it would be good to review the handbook for new material that could be added, and to see if additional audiences could be accommodated. @allendav and @riankinney will review the existing documentation and report back with suggestions. Documentation from other teams, including design and accessibility, provides good examples to follow.

@garrett-eclipse suggested that the Privacy by Design standards used by core-privacy could be more widely adopted across the WordPress project, and more visible documentation could help to promote this.

Team Issues

A healthy and constructive discussion was had on whether the core-privacy team should continue to identify as a core component or should seek to additionally become a team. The team agreed to consult with @chanthaboune on what options are available within the team and component structure.

Group Meta Issues

Last week @desrosj circulated a Doodle poll to find a better time for weekly office hours. From the suggestions provided there, he has launched a second Doodle poll narrowing the selection down to the four most popular answers. Please provide your two best choices. The Doodle poll will appear in your local time zone, not in UTC.

@allendav has been looking into more privacy-conscious collaboration tools and reports he is not happy with the UX of Etherpad.

Sarah Gooding interviewed @idea15 for an article about the team on WP Tavern. @riankinney is doing a privacy podcast with BobWP later this month.

The next core-privacy office hours is Wednesday, October 24, 2018 at 1500 UTC. A new office hours time will be decided in this meeting.

#core-privacy

#privacy

Core-privacy agenda – 17 October 2018

This is the agenda for the weekly #core-privacy meeting on Wednesday 17 October 2018 at 1500 UTC:

Roadmap issues

Team issues

  • Group definition: Are we a core component? A component? A team? @idea15
  • Group lack of visibility and consideration: how do we get more of it within and outside the project regardless of how we are categorised? @idea15

Group meta issues

#core-privacy

#privacy

What’s new in core-privacy

Below is a summary of the discussion from this week’s #core-privacy chat. You can read the chat in its entirety in Slack. This summary highlights current work and also provides a view into how this relatively new team is working together to further privacy awareness following the success of its V1 GDPR-specific focus.

Ticket milestone changes

As a result of 4.9.9 being removed from the schedule in favor of a Gutenberg-only 5.0 release, 25 core-privacy tickets scheduled for 4.9.9 have been punted to either 5.0.1, 5.1, or Future Release. These included some which were already committed to trunk and backported to 4.9.9, as well as some marked commit which will not be shipped with 5.0. Each ticket will be reviewed and evaluated for release with either 5.0.1 or 5.1. Each ticket can be re-milestoned when the scopes and timelines of these releases become clearer.

Impacted tickets include #44038, #44044, #44051, #44081, #44084, #44135, #44175, #44179, #44267, #44314, #44550, #44621, #44644, #44669, #44674, #44677, #44707, #44723, #44761, #44822, #44833, #44901, #43438, #44233, and #44236.

The component’s focus until post-Gutenberg will shift to the (currently) 31 bug tickets, with a goal of marking at least 75% of them as ready for commit.

@allendav and @desrosj will also use the feature and enhancement freeze to address #43895, which aims to properly organize the privacy code introduced in 4.9.6 within the codebase.

A full list of privacy tickets can be found in Trac.

Bug scrubs are led by @desrosj every Monday. The next one will be held October 15, 2018 at 15:00 UTC in the #core-privacy room on Slack.

Future major release

There was agreement that advocating for Privacy to be a focus for a future major release (possibly 5.2) would be very helpful to land the features outlined in the V2 roadmap. The timing of two pieces of legislation of particular interest would potentially coincide with that release schedule, allowing those features to be shipped prior to the effective dates.

Roadmap

The V2 roadmap moves beyond the enhancements and fixes to the V1 GDPR privacy tools to address general areas of privacy and data protection outside legal requirements. Its scope includes:

  • Core privacy features
    • Gravatar privacy controls
    • Embed privacy controls
  • Plugin privacy
    • For administrators
    • For developers
  • Consent and logging
  • WP-CLI support
  • Multisite support

This week, those in attendance agreed to add two upcoming privacy issues within legal requirements – the US California Consumer Privacy Act (CCPA), and the EU ePrivacy Directive overhaul – to the roadmap. It is anticipated that these two pieces of privacy legislation will create the most obligations for WordPress site administrators in 2019. Team members will continue to monitor each law carefully. Once the specific requirements are announced by each respective government, the team will discuss what functionality may need to be created to allow site administrators to meet their requirements well ahead of compliance deadlines.

@idea15 is the lead for monitoring and evaluation of privacy legislation. @idea15 and @riankinney are working on an analysis of CCPA.

They are also monitoring other privacy legislation, including individual US state requirements as well as that of countries like Brazil, to anticipate possible future work.

Gutenberg review

@allendav is reviewing Gutenberg for any potential privacy issues stemming from CDNs, telemetry, or other issues, and will document his findings. Please make him aware of any concerns. He also welcomes privacy evaluations of Gutenberg from non-Automattic testers for transparency’s sake.

#45057 is currently the only Gutenberg blocker from a Privacy standpoint.

Cross-platform privacy working group

At Drupal Europe, @idea15 and Chris Teitzel from the Drupal core privacy team gained enthusiastic support from Dries Buytaert for a proposed cross-platform privacy working group. This group would create a forum for the core privacy teams from all major open source CMS projects (WordPress, Drupal, Joomla, Typo3, etc.) to engage, share resources, compare experiences, and periodically meet in person to discuss privacy issues on the social, legal, and code levels. The group, which would be run through the Drupal community structure, may receive some funding. @idea15 will update the WordPress core privacy team in the next fortnight with news.

Group meta issues

  • Our current weekly office hours time of 1500 UTC on Wednesdays does not work for most participants. If you are interested in attending the weekly office hour meetings, please fill out this Doodle poll to identify a better time.
  • The component will be more diligent about posting agendas and meeting summaries on the Make core blog. New contributors are encouraged to volunteer, as this is a great way to get involved. @desrosj, @idea15, and @allendav will ensure these are posted when there are no volunteers for that week.
  • The team will discuss and choose team reps, in response to a discussion during the weekly Core dev chat of whether the core-privacy group is a team in addition to a component and focus.
  • @allendav will research more privacy-conscious document and collaboration tools outside Google docs.

Next Meeting

The next office hours will be held on October 17, 2018 at 15:00 UTC in the #core-privacy room on Slack.

#core-privacy

#privacy

JavaScript Chat Summary – July 3rd

Below is a summary of the discussion from this week’s JavaScript chat (agenda, Slack transcript).

Participants: @abdullahramzan, @adamsilverstein, @aduth, @afercia, @atimmer, @bpayton, @euthelup, @gziolo, @herregroen, @lonelyvegan, Jorge Costa, @omarreiss, @nerrad, @netweb, @pento, @sharaz, @schlessera.

Have a topic for discussion for the next meeting? Leave a suggested edit on next week’s agenda.

Deprecation Strategy

(Continued from last week’s discussion)

Problem: How can we introduce breaking changes necessary for user benefit without sacrificing a commitment to backward compatibility?

A deprecation strategy proposal has been discussed. Some highlights:

  • Proposal to include a link to the specific documentation surrounding a deprecation (similar to React).
  • Console logging turns out to be not entirely successful on its own, based on the experience from Gutenberg.
  • Feedback collected should be integrated into the UI, e.g. Admin bar, Updates screen.
  • For those plugins that are using a recommended set of core build tools, issues could be surfaced there.

Action items:

  • Chat to #meta about logging all deprecations.
  • Discuss Admin bar notifications integration with @johnbillion, who authored Query Monitor plugin.
  • Logging to wordpress.org is also something that should be discussed with the #core-privacy team to make sure we start out in a compliant fashion.

Discussion is going to be continued next week.

Sunsetting the Packages Repository

Last week it was decided in our meeting to merge WordPress/packages repository to the WordPress/gutenberg repository. There is an open pull request at https://github.com/WordPress/gutenberg/pull/7556 which is almost ready to land. We are waiting for Gutenberg 3.2 release to ensure it doesn’t interfere with the development cycle.

Next steps:

  • Fix the problematic test suite which started to fail on Travis after it was moved to Gutenberg.
  • Merge in the latest changes added in Gutenberg.
  • Test, review and deploy!
  • Ensure all open issues, PRs, and missing docs are moved over to the Gutenberg repository. @netweb has already started on this.

Core CSS

@omarreiss gave an update on the core CSS reorganization. It is mostly the same as the JS effort, but smaller in scope. The current idea is to unify the CSS in a `src/styles` directory with a `css` and a `sass` directory. We discussed the following:

  • Is Sass the right path forward or should we move closer to native CSS with something like PostCSS?
  • There were previous discussions with @helen on further refactoring CSS to use native CSS with PostCSS rather than Sass/SCSS.
  • How do we deal with styles reuse in a components era? There are similar ongoing efforts in Gutenberg started by @youknowriad in https://github.com/WordPress/gutenberg/pull/7640

Code Style

There have been new proposals with regards to code styling:

Decision:

  • Let’s move forward with quotes exception following the related PHP standards.
  • @aduth is going to add more explicit rules around acronyms at start of variable name and leave the rest as initially proposed.

Dev setup

It’s been requested that two core Trac tickets receive approval:

  1. Make sure all JS globals are explicitly assigned to the window: https://core.trac.wordpress.org/ticket/44371.
  2. Move all JS build config to Webpack: https://core.trac.wordpress.org/ticket/43731.

@netweb volunteered to review item (2). It was also noted that (2) depends on (1).

#privacy

WordPress Privacy Chat Agenda – June 20

Agenda proposal:

  • Stats (Trac tickets)
  • Roadmap
  • Feedback from WCEU Contributor day and the workshop
  • Open discussion

Join us on Slack at 15:00 UTC.
Open Trac tickets
#core-privacy, #agenda

#privacy

WordPress Privacy Chat Agenda – June 06

Agenda proposal:

  • Welcome to new contributors
  • Info: Name change: slack channel, GitHub repository
  • Stats: Trac tickets stats
  • Roadmap
  • Open discussion

Join us on Slack at 15:00 UTC.
Open Trac tickets
#core-privacy, #agenda

#privacy