IRC log of w3cdnt on 2011-04-29

Timestamps are in UTC.

01:29:25 [lowenthal]
lowenthal has joined #w3cdnt
01:38:52 [rpacker]
rpacker has joined #w3cdnt
02:13:59 [npdoty]
npdoty has joined #w3cdnt
02:23:15 [fjh]
fjh has joined #w3cdnt
02:51:07 [dsinger]
dsinger has joined #w3cdnt
03:13:31 [lowenthal]
lowenthal has joined #w3cdnt
13:11:44 [RRSAgent]
RRSAgent has joined #w3cdnt
13:11:44 [RRSAgent]
logging to
13:11:58 [karl]
RRSAgent, make logs public
13:12:48 [lowenthal]
lowenthal has joined #w3cdnt
13:12:52 [karl]
Meeting: Web Tracking and User Privacy Workshop - 29 April 2011
13:13:13 [rigo]
rigo has joined #w3cdnt
13:22:05 [jmorris]
jmorris has joined #w3cdnt
13:25:13 [wseltzer]
Serge: UI is critical, and study of UIs for informed consent.
13:25:41 [wseltzer]
user decisions change when shown the low-level detail that will be shared
13:27:25 [wseltzer]
Q: How do we show users both sides of the tradeoff?
13:27:49 [wseltzer]
Ian: and how do we show users the impact of their decisions over time...
13:28:31 [wseltzer]
Serge: avoid browser detritus
13:29:18 [wseltzer]
Nick Doty: flexibility of implementation vs consistency of UI?
13:30:44 [wseltzer]
Ian: Security is often not the user's primary objective. Rather, to pay bills, etc.
13:31:14 [tlr]
tlr has joined #w3cdnt
13:31:32 [wseltzer]
Lorrie: P3P implementers often cut and pasted from the spec, not human-readable
13:31:57 [wseltzer]
... the WG should spend some time thinking about implementation UI
13:33:06 [wseltzer]
Serge: Since the user is the audience for privacy controls, we need study, to focus on users' response
13:34:27 [wseltzer]
Hannes: Facebook has incremented its privacy options over time, standardization taking years of study doesn't
13:36:17 [wseltzer]
[Can study be concurrent, rather than blocker?]
13:37:26 [wseltzer]
Helen Nissenbaum: get informed consent when you're going to violate user expectations
13:37:54 [bryan_sullivan]
bryan_sullivan has joined #w3cdnt
13:38:02 [AndroUser]
AndroUser has joined #w3cdnt
13:39:32 [wseltzer]
Ian: We can't just stick with initial expectations. How to show them the value ads may provide?
13:40:35 [wseltzer]
XXX MSR: instant preview of difference between view with and w/o tracking - split-screen?
13:42:27 [wseltzer]
Ian: Dynamic equilibrium. Situation will change if ad-block goes from 5% to 95%
13:43:54 [wseltzer]
Andy: UI standards are incredibly difficult [crowd agreement]
13:46:44 [wseltzer]
Jonathan Mayer: align the incentives. e.g. if you start with opt-out, FB has incentive to get the user to opt back in to "Like"
13:48:34 [wseltzer]
Jules: think about the economic context of adoption
13:48:44 [npdoty]
npdoty has joined #w3cdnt
13:50:03 [wseltzer]
Did Jules just compare privacy-concerned individuals to the Tea Party?
13:50:52 [tlr]
tlr has joined #w3cdnt
13:52:13 [bryan_sullivan]
Links to WAC's definition of W3C POWDER extensions in "WAC 2.0" (, to address developer disclosure of device API and private data usage: "Privacy Considerations for API Usage", "Privacy Considerations for Device Property Access"
13:52:43 [fjh]
fjh has joined #w3cdnt
13:54:47 [wseltzer]
alissa, trying to point rigo your way with the mic
13:55:42 [wseltzer]
crowdsourced mic direction...
13:57:58 [tlr]
tlr has changed the topic to: W3C Workshop on Web Tracking & User Privacy | Car & cab sharing wiki:
13:59:37 [fjh]
wikipedia - "Moral hazard occurs when a party insulated from risk behaves differently than it would behave if it were fully exposed to the risk"
14:00:06 [npdoty_]
npdoty_ has joined #w3cdnt
14:00:09 [wseltzer]
Karl: A user knows he's gained weight by looking in the mirror. How can we put mirrors into the browser?
14:00:29 [fjh]
in other words, moral hazard is when you don't have the consequences, e.g. make risky investment but are covered in case of loss etc, so I'm not sure I understand how this is applicable to trust seals - a party can still be liable
14:00:31 [dsinger]
wonders if the comparison with disabling cookies is a red-herring; when I disable cookies, I do something technical that is not immediately obvious to web sites (though they can test it); web sites that don't test may fail in weird ways, long after I set this. DNT is not like that; it's a request *to the site* and if it has negative consequences they can explain it (and ask permission to over-ride) if needed
14:04:52 [rpacker]
rpacker has joined #w3cdnt
14:05:55 [AndroUser2]
AndroUser2 has joined #w3cdnt
14:18:00 [ianp]
ianp has joined #w3cdnt
14:35:35 [ianp]
ianp has joined #w3cdnt
14:37:14 [jmorris]
jmorris has joined #w3cdnt
14:37:57 [rpacker]
rpacker has joined #w3cdnt
14:39:18 [jeff]
jeff has joined #w3cdnt
14:39:59 [npdoty]
npdoty has joined #w3cdnt
14:40:11 [bryan_sullivan]
bryan_sullivan has joined #w3cdnt
14:40:12 [fjh]
fjh has joined #w3cdnt
14:40:16 [adrianba]
adrianba has joined #w3cdnt
14:40:45 [fjh]
fjh has left #w3cdnt
14:42:43 [wseltzer]
Jules: opt-out rates below 1%; business shouldn't fear a usable opt-out
14:43:46 [wseltzer]
... distinguish behavioral from measurement, because lots of industry depends on measurement.
14:44:31 [wseltzer]
Kevin Trilli, Truste: "There's not all bads companies we certify"
14:45:22 [AndroUser]
AndroUser has joined #w3cdnt
14:46:53 [wseltzer]
... Compliance certification. How does an external party know what's happening?
14:47:37 [wseltzer]
... Additional elements of transparency needed. Audit; show profile to users; map to consumer expectations.
14:48:48 [wseltzer]
... and companies should be given a chance to get user's trust.
14:50:11 [wseltzer]
Evidon: We're competitors, but here we're working together to build a standard.
14:51:59 [wseltzer]
... Transactional transparency; relevant information; meaningful choices
14:53:47 [wseltzer]
Gil Resh, DoubleVerify: behavioral targeting can happen at lots of places in the ad chain
14:54:02 [vincent]
vincent has joined #w3cdnt
14:54:13 [wseltzer]
... risk of inadvertently misleading endusers
14:54:54 [wseltzer]
[Really? then networks should audit clients and statements more carefully]
14:56:49 [wseltzer]
Gil: opt-out generally intends to leave all behavioral advertising, not per-network
14:57:17 [wseltzer]
Jonathan Mayer: NAI says opt-out is opt-out of being shown behavioral ads only -- that's not what users want/think
14:57:33 [wseltzer]
... any chance for self-reg to get closer to user prefs?
15:01:36 [npdoty]
Jules: there might be some minimization you could do, but for the most part collection is mostly the same for ad delivery / measurement as it was for behavioral
15:02:22 [npdoty]
Aleecia: users aren't just worried about the ads that appear, but definitely about collection
15:02:52 [npdoty]
... Users would be just as concerned about analytics
15:03:20 [npdoty]
... Will feel betrayed if just as much data is collected but used differently
15:07:06 [npdoty]
Jules: you scare a lot of industry folks at the table when you start talking about no collection at all
15:09:19 [sudbury]
sudbury has joined #w3cdnt
15:11:40 [npdoty]
Gil: should group companies into those with oversight and those without oversight, any other granularity will be indecipherable to the user
15:25:49 [dsinger]
all I need of data retention periods is that they are shorter than the time to your next security leak (or other negative consequence) :-)
15:26:57 [npdoty]
Jules: it's a shame that iab daa didn't take on retention periods, but maybe someone should
15:27:59 [npdoty]
... Concern by companies about flexibility because if they make a statement today, they're locked in because the FTC might consider it a material change
15:28:37 [npdoty]
... So would prefer to have it defined at a self-regulatory group that could make some reasonable changes later to their policies
15:31:02 [lowenthal]
lowenthal has joined #w3cdnt
15:31:08 [npdoty]
Kevin: consumers think that once the toothpaste is out of the tube, that's it
15:31:58 [npdoty]
Lorrie: do we need regulation in addition to self-regulation, and if so, how?
15:32:54 [npdoty]
Evidon: is there room for a 2-way body for reporting companies that use particular practices or abuses? Yes.
15:33:15 [npdoty]
KevinTrustE: good place for a whitelist.
15:35:51 [lowenthal]
lowenthal has joined #w3cdnt
15:38:29 [wseltzer]
"Throw some people over the bus, or off the ship"
15:39:30 [npdoty]
Evidon: we need increased pressure for companies to join these selfreg programs.
15:39:56 [lowenthal]
something... about buses... or throwing. do mean things to them, that's what i'm trying to say
15:41:34 [npdoty]
SamuelsonClinic: lots of weasel words in description of terms make it unclear what is specifically intended
15:43:04 [npdoty]
... Consent is not just binary, you commonly give some limited consent based on the context
15:43:05 [lowenthal]
wseltzer, guarantee: better than whatever is for lunch
15:43:18 [tlr]
tlr has joined #w3cdnt
15:44:30 [npdoty]
... Why don't trade alliances outlaw anti-circumvention techniques, like respawning?
15:45:10 [rigo]
rigo has joined #w3cdnt
15:45:17 [npdoty]
npdoty has joined #w3cdnt
15:45:50 [npdoty]
EdFelten: from the FTC, but not speaking for the FTC or any particular commissioner
15:46:23 [rigo]
is it universal, would it cover all trackers?
15:46:34 [rigo]
2/ is it usable
15:46:44 [rigo]
3/ is it permanent?
15:47:04 [npdoty_]
npdoty_ has joined #w3cdnt
15:47:14 [rigo]
4/ does it cover all tracking technologies? Can questions of compliance be addressed?
15:47:38 [rigo]
5/ does it control collection instead of opting out of some use
15:47:43 [tlr]
Ed's slides:
15:48:01 [npdoty]
ScribeNick: npdoty
15:48:19 [npdoty]
EdFelten: we are a law enforcement agency, authority granted by Congress
15:48:41 [npdoty]
... sometimes get specific authority, as in Do Not Call where a law was passed by Congress
15:49:08 [npdoty]
... sometimes a general authority, as in the FTC Act, enforcement power against unfair and deceptive acts in commerce
15:50:04 [npdoty]
... deceptive: if a company makes a firm promise not to do something, and then does and a consumer is harmed as a result [npdoty: I don't think harm is important in deception cases], then that would be against the rules
15:50:29 [npdoty]
... does have implications for a self-regulatory setting, FTC might be interested in deviations from that code of conduct
15:50:50 [npdoty]
... speaking for the agency, FTC has not taken a position as to whether a new law is needed for Do Not Track
15:51:07 [npdoty]
... would be happy to see stakeholders agree on some reasonable arrangement that is mutually acceptable
15:51:17 [npdoty]
... might get a good outcome for consumers without a law or rulemaking
15:51:31 [npdoty]
... people are watching (including people in Congress) to see whether that will happen
15:52:11 [npdoty]
ChrisSoghoian: academic and activist, no longer at FTC
15:52:38 [npdoty]
csoghoian: security and fraud exemptions that have been proposed could be the exemption that swallows the rule
15:53:28 [npdoty]
... Yahoo! kept a separate set of logs for security and fraud, which were not subpoena-proof, so for those concerned about government access this is a considerable problem
15:53:51 [npdoty]
... security and fraud exemptions always seem like a reasonable idea because who wouldn't want that?
15:54:08 [npdoty]
... but many of these are 1st-party, and so wouldn't be under the scope of DNT anyway
15:55:04 [npdoty]
... click-fraud, for example, is related to clicking on an ad, which should count as a 1st-party interaction
15:55:34 [npdoty]
... so the remaining issue is impression fraud
15:56:08 [npdoty]
... somehow, however, ad networks are detecting impression fraud for people who delete cookies, or people who use Apple browsers that block 3rd-party cookies by default
15:56:35 [npdoty]
... why shouldn't DNT users get at least or better protections than people who buy something from the Apple Store?
15:57:03 [npdoty]
... ad networks sound like national security, arguing that there can't be transparency for fear of tipping off the bad guys
15:57:46 [npdoty]
... secrecy is hiding things that would otherwise be laughable if described publicly
15:58:11 [npdoty]
AndrewPatrick: from the Office of the Privacy Commissioner of Canada
15:58:38 [npdoty]
... web trackers are currently breaking the law (with an asterisk)
15:58:53 [npdoty]
... "law*"
15:59:30 [npdoty]
... at least breaking Canadian laws
15:59:50 [npdoty]
... mostly the 3rd-parties (though perhaps 1st parties are breaking the laws as well)
16:00:46 [npdoty]
... "information about an identifiable individual"
16:00:56 [npdoty]
... IP address and cookies, therefore, can be personal information
16:01:12 [npdoty]
... don't believe the people who say that they're doing anonymous tracking, which is difficult or perhaps impossible
16:01:35 [npdoty]
... just stripping identifiers doesn't go far enough
16:02:00 [npdoty]
... consent is not enough: corporations have responsibilities in addition to just getting consent
16:02:12 [npdoty]
... have to specify the purpose before the time of collection, openness, transparency
16:02:29 [npdoty]
... Do Not Track proposals, while laudable, don't address the problem
16:02:52 [npdoty]
... and could make things worse by letting the trackers off too easy, by claiming that this is the only thing they have to do
16:03:29 [npdoty]
RobvanEijk: from the Dutch Data Protection Authority, but speaking for himself
16:04:07 [npdoty]
... May 25th deadline for the ePrivacy directive implementations
16:04:26 [npdoty]
... if US companies are targeting EU citizens, then EU data protection law applies
16:04:53 [npdoty]
... EU privacy directive, been around for at least 30 years
16:05:10 [npdoty]
... a new such directive is under discussion
16:06:10 [npdoty]
... Article 7 is the core of how privacy works in Europe
16:06:51 [npdoty]
... you can process personal data, but if so you need to at least have a legitimate interest balanced against the concerns of the user
16:08:05 [npdoty]
... proportionality: is it necessary to collect all the data I'm collecting? can I accomplish my goal in another way, with less data?
16:08:50 [npdoty]
... in addition to the legitimate interest, companies may fail the condition of having taken into account the rights of the user
16:09:22 [npdoty]
... a lot of different stakeholders involved, but everyone uses different terminology, it would be good to re-use some of the existing terminology
16:11:11 [npdoty]
TimLee(CITP): sounds like things under consideration are already potentially illegal in these other countries: is what Facebook is doing today already illegal under these laws?
16:11:53 [npdoty]
AndrewPatrick: already illegal today, and I think we've moved Facebook a long way, for example in how they handle disclosure of data to 3rd-party apps
16:12:52 [npdoty]
IanFette: contra to csoghoian, you would still need to collect IP addresses for fraud of impressions
16:13:51 [npdoty]
csoghoian: you can get by without retaining data
16:14:14 [npdoty]
IanFette: but it's more complex, you still need to retain data about IP addresses, for example
16:15:07 [npdoty]
DwayneBerlin: (first to admit to being a lawyer), the FTC has already spoken on tracking in the Sears case
16:15:35 [npdoty]
... very broad, speaks to the deployment of any technology that tracks the user's activity on the Web
16:15:58 [npdoty]
... unusually detailed about the form of the disclosure (not in the privacy policy or terms of use), relying exclusively on the informed consent model
16:17:39 [karl]
RRSAgent, make minutes
16:17:39 [RRSAgent]
I have made the request to generate karl
16:17:48 [npdoty]
csoghoian: the facts of the Sears case weren't about online tracking, but a program/plugin that users download and install and track
16:18:22 [npdoty]
DwayneBerlin: but I'm not sure that was the limitation of the coverage of that rule
16:19:17 [npdoty]
FTCLawyer: Sears is about burying a disclosure being a deceptive practice, which applies beyond a specific technology
16:20:35 [npdoty]
asoltani: if a consumer disabled DNT in order to watch The Daily Show, would that count as affirmative consent for even more invasive practices? would this actually make it worse, as opposed to baseline regulations?
16:21:19 [npdoty]
AndrewPatrick: if the failure to activate DNT counts as acceptable, that definitely lets them off too easy
16:23:33 [npdoty]
HelenNissenbaum: would the FTC agree that the burden is on you to show that you're complying? is that within the power of the FTC?
16:24:24 [npdoty]
EdFelten: we could have a conversation about how such a regime might work and then if the FTC as a body decided they wanted to do that, the FTC would still have to decide whether they had such an authority or whether Congress would need to give them that authority
16:24:55 [wseltzer]
s/FTCLawyer/Peder Magee, FTCLawyer/
16:25:05 [npdoty]
... auditing or reporting requirements (in other contexts) do often enable improved enforcement
16:26:13 [npdoty]
csoghoian: when companies get to choose who audits them, you get really bad audits, as in Enron or Moody's
16:29:43 [npdoty]
Bill(U_of_M): policy makers not attuned to adoption issues; fuel efficiency standards or E911 as examples
16:30:13 [npdoty]
AndrewPatrick: should really be as technology-neutral as possible
16:30:55 [npdoty]
EdFelten: right now there's a vigorous and healthy discussion going on about how DNT works
16:31:08 [npdoty]
... it could easily be counterproductive to dictate at this point what solution makes sense for the stakeholders
16:31:29 [npdoty]
... Congress might act at some point to get the FTC to take a more specific position
16:31:44 [npdoty]
... right now it's good for the FTC to be involved in the discussion and foster the discussion by the stakeholders
16:33:37 [npdoty]
RigoW: it's really difficult when regulators are ignoring the technical community and discussing their thing in their corner and wondering why their law remains pure fantasy
16:34:00 [npdoty]
... at the same time, the technology community often doesn't give due respect to those societal values
16:34:22 [npdoty]
... W3C has some track record in getting this discussion to happen, but W3C won't put forward an opinion itself
16:34:52 [npdoty]
EdFelten: FTC definitely isn't ignoring it, given that people are here
16:35:12 [npdoty]
RigoW: yes, that's why this discussion is happening (contra the past)
16:35:21 [npdoty]
csoghoian: it's a huge improvement over years in the past
16:36:05 [npdoty]
DaveSinger: if law enforcement will mandate retention, will limiting retention on the consumer side matter at all?
16:37:11 [npdoty]
RobvanEijk: this problem may be addressed in the EU because the Privacy Directive will cover law enforcement as well
16:38:05 [npdoty]
csoghoian: FTC has concluded that privacy policies aren't read and privacy-by-design is valuable, while DoJ and FBI take contrary positions (reasonable expectation; encryption off by default)
16:39:31 [npdoty]
jmorris: should there be an ack or an agreement response header? if it were a one-way transmission and a company regularly ignored it, would that be enough to warrant a legal action? what do we have to do to get the FTC to use its unfairness standard? would an industry best practice that isn't followed be enough?
16:40:09 [npdoty]
AndrewPatrick: even if they do acknowledge, there are still other obligations that they have
16:41:44 [npdoty]
EdFelten: unfairness is a complicated question; it does matter whether something is considered a best practice or whether the practice is widely followed
16:42:41 [npdoty]
csoghoian: since deception is so important, I like the idea of a hook for FTC
16:43:16 [npdoty]
... also an interesting idea that whitelisted tracking (for TPLs) that had the string "no-tracking" or "no cookies", which might be a hook for deception
16:44:19 [npdoty]
Jules: want to push back on the idea that the companies that have been doing this for 10 or 15 years have been breaking the law
16:45:59 [npdoty]
... in EU, by arguing that it's not personal information, they may have avoided even taking the steps towards a link for opting out since there is a law
16:46:46 [npdoty]
... express consent opt-in for cookies is heading for a clash unless we get something like DNT to count
16:47:56 [npdoty]
RobvanEijk: if you'd like to know what's going on, you should be able to get a signal
16:48:21 [npdoty]
Lorrie: what kind of time frame is the FTC observing this process?
16:48:50 [npdoty]
EdFelten: it doesn't quite work that way; there may come a time where the leadership of the FTC decides that we need a more assertive strategy, but there's no fixed deadline as far as I know
16:53:27 [jeff]
jeff has joined #w3cdnt
16:56:41 [AndroUser2]
AndroUser2 has joined #w3cdnt
17:13:54 [sudbury]
sudbury has joined #w3cdnt
17:45:20 [sudbury]
sudbury has joined #w3cdnt
17:49:57 [sudbury]
sudbury has joined #w3cdnt
17:52:37 [jmorris]
jmorris has joined #w3cdnt
17:54:55 [jeff]
jeff has joined #w3cdnt
17:55:01 [karl]
karl has joined #w3cdnt
17:55:57 [alissa]
alissa has joined #w3cdnt
17:58:32 [npdoty]
npdoty has joined #w3cdnt
17:58:51 [npdoty]
ScribeNick: npdoty
17:59:32 [npdoty]
wseltzer: transparency as part of FIPPs
18:00:20 [rpacker]
rpacker has joined #w3cdnt
18:00:38 [tlr]
tlr has joined #w3cdnt
18:00:52 [npdoty]
... if you don't get feedback from the server about whether you really aren't being tracked
18:01:16 [npdoty]
... but could still at least be audited on the server side.
18:02:02 [npdoty]
... visibility: showing info back to the user (as in notification icons proposed by self-reg) if they drill down into it
18:02:22 [AndroUser]
AndroUser has joined #w3cdnt
18:02:40 [npdoty]
... TPLs give active feedback to the user, so the user can adapt their behavior to what they get from the server
18:03:06 [npdoty]
I'm personally not aware of the active feedback that comes from an applied TPL
18:04:36 [npdoty]
wseltzer: if we have to call in the heavy hand of the law, we get less flexibility.
18:05:28 [npdoty]
... TrustE has modified their TPL in response to feedback about having too many whitelisted domains: a helpful feedback loop.
18:05:56 [npdoty]
SueGlueck: Senior Attorney, Microsoft
18:06:13 [npdoty]
Topic: Tracking to Consensus; Coordination of Policy and Technical Standardization in Web Privacy Efforts
18:06:41 [jmorris]
jmorris has joined #w3cdnt
18:06:57 [npdoty]
SueGlueck: what do we actually want to standardize and how do we want to go about doing it?
18:07:24 [npdoty]
... Poll: do you do policy kind of work in the weekdays?
18:07:53 [npdoty]
... Poll: have you also participated in significant standards work?
18:08:44 [npdoty]
... Poll: are you a technologist? [Lots.] Poll: and you have been involved in a policy standard? [Many hands go down.]
18:08:59 [npdoty]
... an interesting ride working through policy issues in a technical standards body
18:09:54 [npdoty]
... what should be standardized? My list: Tracking Protection [Lists] as one more choice
18:11:32 [npdoty]
... which standards bodies have the most experience working through policy issues? Would this be in the scope of the charter of IETF?
18:12:04 [npdoty]
... because browsers have started to implement DNT header, the clock is ticking and we need to get this done
18:12:15 [karl]
... we should identify the stakeholders
18:12:46 [npdoty]
... global nature of the web (given the earlier presentation on legality in Canada/EU)
18:12:47 [karl]
... There are also countries without any legal frameworks, the Web is happening anywhere.
18:13:04 [npdoty]
AlexF: why standardize? what should get standardized? should standards groups define policy?
18:13:20 [npdoty]
Topic: why standardize? what should get standardized? should standards groups define policy?
18:13:40 [karl]
Consumer/User values what does that mean in the DNT system?
18:13:40 [npdoty]
AlexF: find consensus; define outcomes; make it enforceable
18:13:47 [karl]
... Consumer/User values what does that mean in the DNT system?
18:14:31 [npdoty]
... What should get standardized? On the table: TPL, DNT Header, DOM property, response header, whitelisting capability, compliance audit perspective
18:14:34 [karl]
... (graphs of the different parts that should be standardized)
18:15:01 [npdoty]
... should standards groups define policy? we DO have the expertise, in the W3C those with expertise are eager to get involved
18:15:11 [karl]
... We do have the expertise, but not enough stakeholders.
18:15:27 [npdoty]
... we DON'T have the full range of stakeholders, including some of the display advertising folks, for example
18:16:16 [npdoty]
... joint (with Stanford) submission to the IETF for the DNT header, defining syntax and semantics of the header and the response -- this is a DRAFT
18:16:29 [karl]
... (few points from the position papers)
18:16:32 [karl]
... See
18:16:34 [npdoty]
... TPLs are independent from DNT header/DOM element
18:16:54 [npdoty]
... feasible efforts for work across W3C and IETF
18:17:22 [npdoty]
... public forum, need to have public participation, so that we can bring in the ad networks / display ad ecosystem and have their buy-in and input
18:17:39 [karl]
... The tracking protection in the DOM element should be done at W3C
18:17:50 [npdoty]
... so we propose W3C cover TPLs and DOM, while IETF covers HTTP header and corresponding pieces
18:17:51 [karl]
... and the corresponding pieces at the IETF
18:18:31 [karl]
PeterSaintAndre: I do not speak for IETF
18:18:52 [npdoty]
PeterSaintAndre: we work based on rough consensus and running code
18:18:58 [karl]
... anyone can write a proposal, IETF has a very open process.
18:19:03 [npdoty]
... a very open process, anyone can participate
18:19:06 [karl]
... we value freedom of speech
18:19:08 [npdoty]
... people feel very free to speak
18:19:24 [npdoty]
... got lots of vocal feedback at Prague
18:19:50 [npdoty]
... whether everyone will show up is an open question, have to corral them sometimes
18:20:06 [karl]
... there has been a good relationship between W3C and IETF
18:20:07 [npdoty]
... division with W3C: IETF has tended to do HTTP protocol while HTML/XML etc done at the W3C
18:20:24 [npdoty]
... open question of the right place is where to do this work
18:21:12 [npdoty]
... IETF is structured into working groups, multiple streams, including IETF working groups or individual submissions, enter into RFCs
18:21:40 [karl]
(next IETF meeting: Quebec city, Canada, July 24 - 29, 2011)
18:21:43 [npdoty]
... a lot of similarity in how things work between IETF/W3C, advantages and disadvantages
18:22:13 [npdoty]
... at IETF, no consensus or decision yet on whether to take on this work or decide where it should be done
18:23:11 [karl]
Jmayer: how do ietf and w3c cooperate?
18:23:13 [npdoty]
jmayer: historically, how have IETF and W3C collaborated?
18:23:32 [npdoty]
tlr: historically had joint working groups
18:23:57 [npdoty]
... now prefer to carve out which pieces can be done where and then have a liaison relationship on how to coordinate
18:24:23 [npdoty]
... a good working relationship, which functions well when there's a good interface defined between work items
18:24:52 [karl]
PeterSaintAndre: the relationship had been improved for the last few years
18:25:00 [npdoty]
PeterSaintAndre: things have gotten better as we've had more overlap in people, people getting involved as individual participants on both sides
18:25:34 [karl]
dsinger: DNT is HTTP header so IETF, but it is also user management, policy
18:25:40 [npdoty]
DavidSinger: on the one hand, I think HTTP header so should be IETF, on the other hand, I think because it's about state and about users which seems like W3C
18:25:41 [karl]
.... which is IETF usually.
18:25:52 [npdoty]
PeterSaintAndre: yes, that's why it's challenging
18:25:55 [karl]
s/which is IETF/which is W3C/
18:26:34 [npdoty]
Shawn: why split it between the two?
18:27:20 [npdoty]
AlexF: very different user experience of the TPL and DNT
18:27:21 [karl]
alexF: my understanding is that there are strong differences between the TPL and DNT Headers.
18:27:32 [npdoty]
... more stakeholders we can bring in on advertising would increase success
18:28:35 [npdoty]
jmayer: as a technological matter, TPLs are relatively straightforward in how we understand them, whereas the meaning of the header requires much more standardization
18:29:09 [npdoty]
SueGlueck: it's not intended as an ad blocker, curated lists for blocking tracking
18:29:23 [npdoty]
... which could be advertising or some other form of blocking
18:30:22 [npdoty]
... the struggle around the header is about defining what tracking means, is the IETF better for making these policy decisions
18:30:27 [npdoty]
... ?
18:30:44 [npdoty]
PeterSaintAndre: working groups have done work with policy implications, like GeoPriv
18:31:11 [npdoty]
... policy decisions about tracking might not be defined in a technical standard at all
18:31:16 [karl]
s/... ?/What are really the differences? IETF-W3C? why one better from another one/
18:31:37 [npdoty]
... tracking might be a different thing in the EU and Canada
18:32:23 [npdoty]
csoghoian: browser vendors are apparently implementing before any formal standardization spec
18:33:01 [npdoty]
... technology companies are implementing it before an agreement while the advertising companies are deciding to wait
18:33:33 [npdoty]
... since Microsoft is both, why isn't Microsoft's ad business respecting the header?
18:33:49 [npdoty]
SueGlueck: chicken/egg problem
18:34:12 [npdoty]
... clock is ticking both because we have implemented the header in our browser and because FTC and other regulators are putting pressure on it
18:34:27 [AndroUser]
AndroUser has joined #w3cdnt
18:34:27 [npdoty]
... does lead to some uncomfortable choices because we own an ad network
18:34:45 [npdoty]
... do think it's a good forcing function for us
18:35:09 [npdoty]
AlexF: HTML5 is another example of browsers leading before a formal specification
18:35:14 [npdoty]
<general laughter in audience>
18:35:43 [npdoty]
AlexF: browser movement does change the discussion from theoretical to concrete
18:36:32 [npdoty]
karl: usually work is done in one forum rather than the other because the interested people are there
18:36:37 [npdoty]
... there's no strong sense of competition
18:36:44 [npdoty]
... lots of overlap in both organizations
18:36:57 [npdoty]
... differences are in patent practices, forms of working
18:37:09 [npdoty]
... depends on the competencies of the people engaged in the work, that's the main difference
18:37:40 [npdoty]
... it happens all the time that browsers implement something in a sort of beta form to see if it works before working together to standardize
18:38:33 [npdoty]
PeterSaintAndre: that's why IETF believes in rough consensus and running code, sometimes one comes first, sometimes the other
18:39:32 [karl]
JohnMorris: I'm skeptical that be w3c or ietf
18:39:36 [npdoty]
jmorris: my personal assumption is that I'm skeptical that an IETF WG or W3C WG is the right place for the meaning of tracking to be resolved
18:39:58 [karl]
... the meaning of tracking will be well defined in these fora
18:40:39 [npdoty]
... TPL and DNT header could be done in separate working groups or at least separate workflows, so that debates over one won't slow down the other
18:40:47 [karl]
... I would hate battles of one piece of technology slowing down the other ones.
18:41:03 [npdoty]
tlr: what are the timelines for this work to be done, and how do we match up the work on those timelines?
18:41:38 [wseltzer]
view from the front of the room: lots of glowing apples
18:41:51 [npdoty]
WuChou: DNT HTTP header in IETF makes sense since IETF covers HTTP protocol
18:42:23 [npdoty]
... good to do TPLs through W3C since it's most likely to be described through XML
18:42:53 [npdoty]
tlr: HTTP headers are one of the well-defined extension points so that other groups can standardize them and then have them approved by IETF
18:43:33 [karl]
PeterSaintAndre: Joint WG last call, coordination, are part of the processes to have appropriate reviews
18:43:36 [npdoty]
PeterSaintAndre: can ask for review from HTTP experts at the IETF, or get last call review at the IETF
18:44:37 [npdoty]
jmayer: could we have advisory work in the standards body, help from the technical community to a federal agency that's looking at regulation. does this seem sensible, or is there history of this?
18:45:19 [npdoty]
hannes: in emergency services, there was a question about how the technology works, and standards group provided information to FCC
18:45:56 [npdoty]
... FCC has requirements on location accuracy (different in different jurisdictions), and so the technical standard needs to support the strictest such requirement
18:46:52 [npdoty]
tlr: can a standards body organize a forum for discussion between technologists and regulators? interest groups are one way to do that, a public discussion that can be managed by chairs and staff
18:47:42 [npdoty]
alissa: different standards bodies require different numbers of existing implementations; in W3C you generally need 2 in order to reach a final recommendation, in IETF it varies by the level of standard
18:48:13 [jeff]
jeff has joined #w3cdnt
18:48:38 [karl]
(session closed)
18:49:01 [karl]
(we will be using the blackboard)
18:49:05 [npdoty]
Topic: Switching to the chalk board! with tlr and Lorrie
18:49:56 [npdoty]
I've been impressed with the diversity of views at this workshop; does anyone know what the breadth of participation has been like at IETF, at Prague, for example?
18:50:58 [npdoty]
lfc: definitions include all-tracking, oba-tracking (as in opt-out cookies, just behavioral targeting), middle ground (CDT, EFF, etc. definitions with exceptions)
18:51:41 [karl]
... how much consensus is there around schools of thought
18:51:42 [npdoty]
... are people willing to proceed in the process even if the definition isn't the one that they most like?
18:52:21 [karl]
(laughing about doing a show of hands or a hummmm)
18:52:27 [npdoty]
... what would your first choice be out of these three choices?
18:53:40 [jeff]
Each approach got some hums
18:54:05 [karl]
a longer or a shorter hmmm
18:54:32 [npdoty]
let the record show that nobody hummed to say that the CDT definition is unacceptable for work
18:56:07 [npdoty]
tlr: working groups are for the purpose of negotiating between the participants about the technical and sometimes policy decisions
18:56:21 [npdoty]
... could also have an interest group as a forum for additional discussion, including future work
18:56:31 [npdoty]
... W3C is prepared to run and staff a Working Group
18:57:00 [npdoty]
... we have limited time, some questions that need to be resolved relatively quickly in a way that's visible and accountable to the public
18:57:49 [npdoty]
... I have heard that we need a process that will address several of these questions within a set time, and if that doesn't happen then we need to accept that maybe there is no consensus on this particular topic
18:58:27 [npdoty]
tlr: whatever we do needs to be time-limited and tightly-scoped
18:58:37 [npdoty]
... what is that scope and that timeline?
19:00:20 [npdoty]
karl: Incubator Group (very time-limited) good for documenting the state of existing work, definitions of terms, conclusions about next steps
19:01:44 [npdoty]
jeff: I don't think we should plan for failure, we should set a scope that can be done in a year and then do it
19:02:35 [npdoty]
... would hate to only have an Incubator Group out of this, I think it's important that we move quickly on whatever we do
19:03:20 [npdoty]
... regarding criticisms of W3C openness: we make extensive use of Invited Experts in order to ensure that we get stakeholders involved even when not members
19:03:34 [npdoty]
tlr: +1, that's part of our job as staff
19:04:22 [npdoty]
alissa: via asoltani, hard to define the scope and timeline differently; if the scope is very small (bits on the wire) can do it quickly, with a larger scope it will take longer
19:05:14 [npdoty]
DavidSinger: we have got to do something soon for Do Not Track, within the year; we need to make it quite obvious that this is not the only problem
19:05:28 [npdoty]
... need an Interest Group to consider privacy problems on an ongoing basis and spawn specific projects as necessary
19:06:28 [npdoty]
Aleecia: given that there are implementations already, we are already late. it takes at least a year to define what tracking means, get a consensus, etc. but there's a value in a beta definition to be out in the very near term
19:06:41 [npdoty]
... and then have a full process on the definition that takes as long as it takes
19:06:57 [npdoty]
... beta definition should be within 6 weeks
19:07:55 [npdoty]
jmayer: skeptical that we can get full consensus of Do Not Track meaning (to the level that W3C and IETF usually use)
19:08:12 [npdoty]
... but can get consensus now that just not-targeting-ads isn't sufficient
19:08:30 [npdoty]
... and that there's a clear definition now, so at least there's a process for airing your grievances
19:08:50 [npdoty]
... bad for everyone for people to continue to say that they don't know what Do Not Track means and as a result won't respond to it
19:09:45 [npdoty]
tlr: want to build a process that can handle disagreement and find the points that have broad consensus and address objections
19:11:08 [npdoty]
Bryan: look at this from an ecosystem perspective and the various entities, what are the parties and how does this affect them?
19:11:57 [npdoty]
vinaygoel: I think W3C/IETF should focus on the technical and leave the policy decision up to other groups (including self-regulatory groups)
19:12:32 [npdoty]
... there is low-hanging fruit or easy consensus to get DNT as meaning OBA opt-out
19:13:08 [npdoty]
xxx: +1 on an interest group for ongoing
19:14:06 [karl]
there is already a draft for the DNT header
19:14:11 [npdoty]
... need some consensus on the definition before we expect to make a significant impact
19:15:03 [npdoty]
asoltani: need a process for defining both technical standards and definitions
19:15:49 [npdoty]
... there are a few bills: a California bill, some in DC, etc., that's one limit on the timeline
19:16:31 [npdoty]
csoghoian: pushback on Yahoo! (vinaygoel), people in DC would pat themselves on the back if we agreed on that, but we actually only get one shot now until 10 years from now
19:16:51 [npdoty]
... ad networks know this, so want to make this not very useful now so that the pressure will be off
19:17:19 [npdoty]
harlan: how do we know when we have consensus? tlr: it depends.
19:18:15 [npdoty]
tlr: it's the skill of the chair so sometimes there are no major objections, but in contentious issues you can use things like a hum or a vote
19:18:33 [npdoty]
... the chairs are particularly important because they will lead the way to consensus
19:19:36 [npdoty]
... W3C has the process of Formal Objections for cases of vehement dissent, an appeal to the director TBL
19:20:05 [npdoty]
Peter: IETF has similar processes; rough consensus doesn't have unanimity, but if you vehemently disagree you can appeal
19:20:11 [npdoty]
... +1 that the chair is very important
19:20:57 [npdoty]
alissa: DAA members aren't here, and they need to be in whatever room the definition is decided on
19:21:45 [npdoty]
... legislative season ends in the fall, so would recommend an extremely quick technical spec with little definition
19:22:43 [npdoty]
jeff: I'd like to get something done soon
19:24:10 [npdoty]
... is there a policy definition that can be defined in the very short term that is a good one?
19:25:25 [npdoty]
DavidSinger: is OBA opt-out just the same as tracking everything but not building a profile?
19:25:54 [npdoty]
vinaygoel: no, OBA opt-out means collecting data for some purposes (measurement, etc.) but not building profiles
19:26:04 [npdoty]
lfc: that's not the official OBA definition, that must be a new one
19:27:14 [npdoty]
karl: jmayer has already submitted a draft in March, it's there, push it!
19:28:15 [karl]
... see
19:28:33 [npdoty]
jmorris: on behalf of CDT, CDT is actively thinking about whether they can handle a policy process like this, which would be a possibility
19:29:24 [npdoty]
aleecia: (this might not be a good idea, but,) could at least come up with a basic user communication a la: "hi, I see that you have a DNT header turned on, here's what it means for this site"
19:29:26 [jmorris]
s/behalf of CDT,/behalf of CDT and without making any predictions or commitments/
19:30:56 [npdoty]
Shawn: we would really need the W3C to come out with prescriptive rules about what you have to do in response to the header
19:31:10 [npdoty]
AlexF: really need a definition on 1st party vs 3rd party
19:31:40 [npdoty]
... from a Mozilla perspective, we are coming up with an implementation guide for what servers should do
19:31:46 [npdoty]
... this could be an incubator
19:32:34 [npdoty]
Andy: what about reducing the scope? (concerned about having exemptions for fraud/security)
19:33:04 [npdoty]
... if those are exempt, I don't need to participate as much
19:34:08 [npdoty]
DavidSinger: response headers or responding with consequences from the site sounds good; supporting Aleecia's suggestion
19:34:50 [npdoty]
asoltani: don't want to add more confusion
19:35:50 [npdoty]
Yahoo!: in particular the bottom of the page
19:36:26 [npdoty]
Evidon: need more research projects
19:38:01 [npdoty]
jmorris: a beta definition that changes later might upset users about things changing underneath them
19:38:30 [npdoty]
vinaygoel: without granular control, users might opt out completely instead of just opting out of brands they don't trust
19:39:01 [npdoty]
csoghoian: but consumers don't have the time to opt out of every single brand
19:39:18 [npdoty]
... and haven't heard of any of these companies (ad networks)
19:40:20 [npdoty]
vinaygoel: what I mean instead is that if Yahoo! requires them to opt back in (a quid pro quo), they should be able to opt back in only for a single party
19:40:53 [npdoty]
csoghoian: but what if the quid-pro-quo requirement is about unknown companies?
19:42:49 [npdoty]
tlr: how do we get this pile of work into something that happens in a reasonable amount of time? what are the direct next steps?
19:44:02 [npdoty]
AlexF: we have been talking to ad networks / trade associations
19:44:54 [npdoty]
... that could be one of our first action items
19:46:10 [npdoty]
Bryan: a typical first step is to create a landscape document (entities, technologies involved), which would demonstrate to the market that we have a good understanding
19:47:17 [npdoty]
jeff: concern about not getting the right thing, concern about not having all the important stakeholders
19:47:41 [npdoty]
... we the W3C want to have as many stakeholders as possible, happy about Alex's suggestion, we'll go wherever we need to go to have those meetings
19:48:14 [npdoty]
... if for whatever reason we can't get all that together, we still need to do something, so we may end up with a beta definition anyway
19:49:55 [npdoty]
jmayer: I don't disagree with CDT or other concerns about the beta, but there are opportunity costs in not going ahead quickly
19:50:54 [npdoty]
xxx: the choice is not now or never
19:51:36 [npdoty]
SueGlueck: there are alphas and there are betas; if it does feel uncertain or alpha, industry is less likely to embrace it or invest money/engineering into it
19:52:10 [npdoty]
... a more robust or thoughtful beta would be more useful, even if it takes longer than 6 weeks
19:53:26 [npdoty]
Andy: most of the bills introduced call for FTC rulemaking, so the legislative timeline may not be a specific limit on defining tracking
19:54:01 [npdoty]
lfc: some people would like to do something before any bill gets passed; FTC has to issue a report by the end of the year
19:54:46 [npdoty]
alissa: it's not about timeline of passage of specific legislation, but about general interest
19:55:16 [npdoty]
DavidSinger: the time limit is the next major privacy incident
19:56:01 [npdoty]
asoltani: we could have an opportunity to shape the language in some of these bills, smart guidance to policymakers might be helpful
19:56:44 [npdoty]
Aleecia: if I were running an industry self-reg group, I would try to get a definition out as soon as possible, in order to beat a W3C definition and be the only voice
19:57:14 [npdoty]
csoghoian: FTC rulemaking since you don't want Congress making specific technical requirements
19:57:49 [npdoty]
... self-regulatory response will be that they get to avoid regulation altogether because of, for example, agreement on DNT == OBA opt-out
19:58:54 [npdoty]
tlr: this is a global problem, what does coordination beyond the US need to look like?
19:59:30 [jeff]
+1 to tlr
20:00:35 [npdoty]
alissa: it's hard to say something nation-specific in an international standards body
20:02:40 [npdoty]
kevin: TLS/SSL was international, but then certificate authorities had national discretion
20:04:33 [npdoty]
tlr: immediate action will be a report on what's on the board and this discussion
20:05:08 [npdoty]
... questions of forum could be figured out through usual channels
20:05:16 [npdoty]
... at least consensus on Interest Group
20:05:41 [npdoty]
... have made progress on what the recommendation work should be, at W3C, IETF and elsewhere, but still needs to be finalized
20:05:47 [karl]
you can subscribe by sending an email to with the word subscribe in the topic
20:06:23 [npdoty]
lfc: a summary of the hums
20:06:32 [npdoty]
... fairly evenly split about what their first choice was
20:06:53 [npdoty]
... but show-stoppers for both, but the CDT definition wasn't a show-stopper for anyone in the room
20:08:27 [npdoty]
Bryan: related work in Device API disclosure, should look at the overlap of existing work (in W3C or outside)
20:09:01 [npdoty]
jeff: thanks to tlr and lfc [lots of applause]
20:09:12 [npdoty]
... what will we be seeing next?
20:09:20 [karl]
BIG THANKS to npdoty and wseltzer
20:10:40 [npdoty]
tlr: first record of the meeting will be out soon, perhaps a week; a summary report no later than mid-May (to tell the AC at Bilbao)
20:11:19 [npdoty]
... strawman charter by the end of May
20:12:02 [npdoty]
... announcements will go to the registration list, but eventually please subscribe to
20:16:47 [AndroUser2]
AndroUser2 has joined #w3cdnt
22:00:12 [AndroUser2]
AndroUser2 has joined #w3cdnt
22:38:19 [lowenthal]
lowenthal has joined #w3cdnt
23:39:00 [alissa]
alissa has joined #w3cdnt
23:49:56 [lowenthal]
lowenthal has joined #w3cdnt