W3C

Web Tracking and User Privacy Workshop, 29 April 2011


Attendees

Chair: Lorrie Cranor (lfc), Thomas Roessler (tlr)
Scribe: wseltzer, npdoty, rigo

User experience

Serge: UI is critical, and study of UIs for informed consent.
... user decisions change when shown the low-level detail that will be shared

xx: How do we show users both sides of the tradeoff?

IanFette: and how do we show users the impact of their decisions over time...

Serge: avoid browser detritus

npdoty: flexibility of implementation vs consistency of UI?

IanFette: Security is often not the user's primary objective. Rather, to pay bills, etc.

Lorrie: P3P implementers often cut and pasted from the spec, not human-readable
... the WG should spend some time thinking about implementation UI

Serge: Since the user is the audience for privacy controls, we need study, to focus on users' response

Hannes: Facebook has incremented its privacy options over time, standardization taking years of study doesn't

<wseltzer_> Can study be concurrent, rather than blocker?

HelenNissenbaum: get informed consent when you're going to violate user expectations

IanFette: We can't just stick with initial expectations. How to show them the value ads may provide?

xxx_MSR: instant preview of difference between view with and w/o tracking - split-screen?

IanFette: Dynamic equilibrium. Situation will change if ad-block goes from 5% to 95%

Andy: UI standards are incredibly difficult <crowd agreement>

jmayer: align the incentives. e.g. if you start with opt-out, FB has incentive to get the user to opt back in to "Like"

Jules: think about the economic context of adoption

<wseltzer_> Did Jules just compare privacy-concerned individuals to the Tea Party?

<bryan_sullivan> Links to WAC's definition of W3C POWDER extensions in "WAC 2.0" (http://specs.wacapps.net/2.0/feb2011/), to address developer disclosure of device API and private data usage: "Privacy Considerations for API Usage" http://specs.wacapps.net/2.0/feb2011/core/widget-security-privacy.html#toc-security-privacy-api, "Privacy Considerations for Device Property Access

<bryan_sullivan> http://specs.wacapps.net/2.0/feb2011/core/widget-security-privacy.html#toc-security-privacy-property-groups

<fjh> wikipedia - "Moral hazard occurs when a party insulated from risk behaves differently than it would behave if it were fully exposed to the risk"

Karl: A user knows he's gained weight by looking in the mirror. How can we put mirrors into the browser?

<fjh> in other words, moral hazard is when you don't have the consequences, e.g. make risky investment but are covered in case of loss etc, so I'm not sure I understand how this is applicable to trust seals - a party can still be liable

<dsinger> wonders if the comparison with disabling cookies is a red-herring; when I disable cookies, I do something technical that is not immediately obvious to web sites (though they can test it); web sites that don't test may fail in weird ways, long after I set this. DNT is not like that; it's a request *to the site* and if it has negative consequences they can explain it (and ask permission to over-ride) if needed

How can compliance be encouraged, monitored and enforced through self-regulatory mechanisms?

Jules: opt-out rates below 1%; business shouldn't fear a usable opt-out
... distinguish behavioral from measurement, because lots of industry depends on measurement.

Kevin_TrustE: "There's not all bad companies we certify"
... Compliance certification. How does an external party know what's happening?
... Additional elements of transparency needed. Audit; show profile to users; map to consumer expectations.
... and companies should be given a chance to get user's trust.

Andy_Evidon: We're competitors, but here we're working together to build a standard.
... Transactional transparency; relevant information; meaningful choices

Gil_DoubleVerify: behavioral targeting can happen at lots of places in the ad chain
... risk of inadvertently misleading endusers

<wseltzer_> Really? then networks should audit clients and statements more carefully

Gil: opt-out generally intends to leave all behavioral advertising, not per-network

jmayer: NAI says opt-out is opt-out of being shown behavioral ads only -- that's not what users want/think
... any chance for self-reg to get closer to user prefs?

Jules: there might be some minimization you could do, but for the most part collection is mostly the same for ad delivery / measurement as it was for behavioral

Aleecia: users aren't just worried about the ads that appear, but definitely about collection
... Users would be just as concerned about analytics
... Will feel betrayed if just as much data is collected but used differently

Jules: you scare a lot of industry folks at the table when you start talking about no collection at all

Gil: should group companies into those with oversight and those without oversight, any other granularity will be indecipherable to the user

<dsinger> all I need of data retention periods is that they are shorter than the time to your next security leak (or other negative consequence) :-)

Jules: it's a shame that iab daa didn't take on retention periods, but maybe someone should
... Concern by companies about flexibility because if they make a statement today, they're locked in because the FTC might consider it a material change
... So would prefer to have it defined at a self-regulatory group that could make some reasonable changes later to their policies

Kevin_TrustE: consumers think that once the toothpaste is out of the tube, that's it

Lorrie: do we need regulation in addition to self-regulation, and if so, how?

Andy_Evidon: is there room for a 2-way body for reporting companies that use particular practices or abuses? Yes.

Kevin_TrustE: good place for a whitelist.

<wseltzer> "Throw some people over the bus, or off the ship"

Andy_Evidon: we need increased pressure for companies to join these selfreg programs.

<lowenthal> something... about buses... or throwing. do mean things to them, that's what i'm trying to say

How would regulators encourage, monitor and enforce compliance?

SamuelsonClinic: lots of weasel words in description of terms make it unclear what is specifically intended
... Consent is not just binary, you commonly give some limited consent based on the context
... Why don't trade alliances outlaw anti-circumvention techniques, like respawning?

Presenter: Ed Felten, FTC, CITP

EdFelten: from the FTC, but not speaking for the FTC or any particular commissioner

EdFelten: 1/ is it universal, would it cover all trackers?
... 2/ is it usable
... 3/ is it permanent?
... 4/ does it cover all tracking technologies? Can questions of compliance be addressed?
... 5/ does it control collection instead of opting out of some use

<tlr> Ed's slides: http://www.w3.org/2011/track-privacy/slides/Felten.pdf

EdFelten: we are a law enforcement agency, authority granted by Congress
... sometimes get specific authority, as in Do Not Call where a law was passed by Congress
... sometimes a general authority, as in the FTC Act, enforcement power against unfair and deceptive acts in commerce
... deceptive: if a company makes a firm promise not to do something, and then does and a consumer is harmed as a result [npdoty: I don't think harm is important in deception cases], then that would be against the rules
... does have implications for a self-regulatory setting, FTC might be interested in deviations from that code of conduct
... speaking for the agency, FTC has not taken a position as to whether a new law is needed for Do Not Track
... would be happy to see stakeholders agree on some reasonable arrangement that is mutually acceptable
... might get a good outcome for consumers without a law or rulemaking
... people are watching (including people in Congress) to see whether that will happen

Presenter: Chris Soghoian, academic and activist, no longer at FTC

csoghoian: security and fraud exemptions that have been proposed could be the exemption that swallows the rule
... Yahoo! kept a separate set of logs for security and fraud, which were not subpoena-proof, so for those concerned about government access this is a considerable problem
... security and fraud exemptions always seem like a reasonable idea because who wouldn't want that?
... but many of these are 1st-party, and so wouldn't be under the scope of DNT anyway
... click-fraud, for example, is related to clicking on an ad, which should count as a 1st-party interaction
... so the remaining issue is impression fraud
... somehow, however, ad networks are detecting impression fraud for people who delete cookies, or people who use Apple browsers that block 3rd-party cookies by default
... why shouldn't DNT users get at least or better protections than people who buy something from the Apple Store?
... ad networks sound like national security, arguing that there can't be transparency for fear of tipping off the bad guys
... secrecy is hiding things that would otherwise be laughable if described publicly

Presenter: Andrew Patrick, from the Office of the Privacy Commissioner of Canada

AndrewPatrick: web trackers are currently breaking the law (with an asterisk)
... "law*"
... at least breaking Canadian laws
... mostly the 3rd-parties (though perhaps 1st parties are breaking the laws as well)
... "information about an identifiable individual"
... IP address and cookies, therefore, can be personal information
... don't believe the people who say that they're doing anonymous tracking, which is difficult or perhaps impossible
... just stripping identifiers doesn't go far enough

<tlr> slides: http://www.w3.org/2011/track-privacy/slides/Patrick.pdf

AndrewPatrick: consent is not enough: corporations have responsibilities in addition to just getting consent
... have to specify the purpose before the time of collection, openness, transparency
... Do Not Track proposals, while laudable, don't address the problem
... and could make things worse by letting the trackers off too easy, by claiming that this is the only thing they have to do

Presenter: Rob van Eijk, from the Dutch Data Protection Authority, but speaking for himself

RobvanEijk: May 25th deadline for the ePrivacy directive implementations
... if US companies are targeting EU citizens, then EU data protection law applies
... EU privacy directive, been around for at least 30 years
... a new such directive is under discussion
... Article 7 is the core of how privacy works in Europe
... you can process personal data, but if so you need to at least have a legitimate interest balanced against the concerns of the user
... proportionality: is it necessary to collect all the data I'm collecting? can I accomplish my goal in another way, with less data?
... in addition to the legitimate interest, companies may fail the condition of having taken into account the rights of the user
... a lot of different stakeholders involved, but everyone uses different terminology, it would be good to re-use some of the existing terminology

TimLee_CITP: sounds like things under consideration are already potentially illegal in these other countries: is what Facebook is doing today already illegal under these laws?

AndrewPatrick: already illegal today, and I think we've moved Facebook a long way, for example in how they handle disclosure of data to 3rd-party apps

IanFette: contra to csoghoian, you would still need to collect IP addresses for fraud of impressions

csoghoian: you can get by without retaining data

IanFette: but it's more complex, you still need to retain data about IP addresses, for example

DwayneBerlin: (first to admit to being a lawyer), the FTC has already spoken on tracking in the Sears case
... very broad, speaks to the deployment of any technology that tracks the user's activity on the Web
... unusually detailed about the form of the disclosure (not in the privacy policy or terms of use), relying exclusively on the informed consent model

csoghoian: the facts of the Sears case weren't about online tracking, but a program/plugin that users download and install and track

DwayneBerlin: but I'm not sure that was the limitation of the coverage of that rule

PederMagee_FTC: Sears is about burying a disclosure being a deceptive practice, which applies beyond a specific technology

asoltani: if a consumer disabled DNT in order to watch The Daily Show, would that count as affirmative consent for even more invasive practices? would this actually make it worse, as opposed to baseline regulations?

AndrewPatrick: if the failure to activate DNT counts as acceptable, that definitely lets them off too easy

HelenNissenbaum: would the FTC agree that the burden is on you to show that you're complying? is that within the power of the FTC?

EdFelten: we could have a conversation about how such a regime might work and then if the FTC as a body decided they wanted to do that, the FTC would still have to decide whether they had such an authority or whether Congress would need to give them that authority
... auditing or reporting requirements (in other contexts) do often enable improved enforcement

csoghoian: when companies get to choose who audits them, you get really bad audits, as in Enron or Moody's

Bill_U_of_M: policy makers not attuned to adoption issues; fuel efficiency standards or E911 as examples

AndrewPatrick: should really be as technology-neutral as possible

EdFelten: right now there's a vigorous and healthy discussion going on about how DNT works
... it could easily be counterproductive to dictate at this point what solution makes sense for the stakeholders
... Congress might act at some point to get the FTC to take a more specific position
... right now it's good for the FTC to be involved in the discussion and foster the discussion by the stakeholders

Rigo: it's really difficult when regulators are ignoring the technical community and discussing their thing in their corner and wondering why their law remains pure fantasy
... at the same time, the technology community often doesn't give due respect to those societal values
... W3C has some track record in getting this discussion to happen, but W3C won't put forward an opinion itself

EdFelten: FTC definitely isn't ignoring it, given that people are here

Rigo: yes, that's why this discussion is happening (contra the past)

csoghoian: it's a huge improvement over years in the past

DaveSinger: if law enforcement will mandate retention, will limiting retention on the consumer side matter at all?

RobvanEijk: this problem may be addressed in the EU because the Privacy Directive will cover law enforcement as well

csoghoian: FTC has concluded that privacy policies aren't read and privacy-by-design is valuable, while DoJ and FBI take contrary positions (reasonable expectation; encryption off by default)

jmorris: should there be an ack or an agreement response header? if it were a one-way transmission and a company regularly ignored it, would that be enough to warrant a legal action? what do we have to do to get the FTC to use its unfairness standard? would an industry best practice that isn't followed be enough?

AndrewPatrick: even if they do acknowledge, there are still other obligations that they have

EdFelten: unfairness is a complicated question; it does matter whether something is considered a best practice or whether the practice is widely followed

csoghoian: since deception is so important, I like the idea of a hook for FTC
... also an interesting idea that whitelisted tracking (for TPLs) that had the string "no-tracking" or "no cookies", which might be a hook for deception

Jules: want to push back on the idea that the companies that have been doing this for 10 or 15 years have been breaking the law
... in EU, by arguing that it's not personal information, they may have avoided even taking the steps towards a link for opting out since there is a law
... express consent opt-in for cookies is heading for a clash unless we get something like DNT to count

RobvanEijk: if you'd like to know what's going on, you should be able to get a signal

Lorrie: what kind of time frame is the FTC observing this process?

EdFelten: it doesn't quite work that way; there may come a time where the leadership of the FTC decides that we need a more assertive strategy, but there's no fixed deadline as far as I know

wseltzer: transparency as part of FIPPs
... if you don't get feedback from the server about whether you really aren't being tracked
... but could still at least be audited on the server side.
... visibility: showing info back to the user (as in notification icons proposed by self-reg) if they drill down into it
... TPLs give active feedback to the user, so the user can adapt their behavior to what they get from the server

<npdoty_> I'm personally not aware of the active feedback that comes from an applied TPL

wseltzer: if we have to call in the heavy hand of the law, we get less flexibility.
... TrustE has modified their TPL in response to feedback about having too many whitelisted domains: a helpful feedback loop.

Standardization

Presenter: Sue Glueck, Senior Attorney, Microsoft

SueGlueck: what do we actually want to standardize and how do we want to go about doing it?
... Poll: do you do policy kind of work in the weekdays?
... Poll: have you also participated in significant standards work?
... Poll: are you a technologist? [Lots.] Poll: and you have been involved in a policy standard? [Many hands go down.]
... an interesting ride working through policy issues in a technical standards body
... what should be standardized? My list: Tracking Protection [Lists] as one more choice
... which standards bodies have the most experience working through policy issues? Would this be in the scope of the charter of IETF?
... because browsers have started to implement DNT header, the clock is ticking and we need to get this done

<karl> ... we should identify the stakeholders

SueGlueck: global nature of the web (given the earlier presentation on legality in Canada/EU)

<karl> ... There are also countries without any legal frameworks, the Web is happening anywhere.

AlexF: Why standardize? What should get standardized? Should standards groups define policy?
... find consensus; define outcomes; make it enforceable
... Consumer/User values: what does that mean in the DNT system?
... What should get standardized? On the table: TPL, DNT Header, DOM property, response header, whitelisting capability, compliance audit perspective
... (graphs of the different parts that should be standardized)
... should standards groups define policy? we DO have the expertise, in the W3C those with expertise are eager to get involved
... We do have the expertise, but not enough stakeholders.
... we DON'T have the full range of stakeholders, including some of the display advertising folks, for example
... joint (with Stanford) submission to the IETF for the DNT header, defining syntax and semantics of the header and the response -- this is a DRAFT
... (few points from the position papers)

<karl> See http://www.w3.org/2011/track-privacy/papers/mozilla.pdf

AlexF: TPLs are independent from DNT header/DOM element
... feasible efforts for work across W3C and IETF
... public forum, need to have public participation, so that we can bring in the ad networks / display ad ecosystem and have their buy-in and input
... The tracking protection in the DOM element should be done at W3C
... so we propose W3C cover TPLs and DOM, while IETF covers HTTP header and corresponding pieces

PeterSaintAndre: I do not speak for IETF
... we work based on rough consensus and running code
... anyone can write a proposal, IETF has a very open process.
... a very open process, anyone can participate
... we value freedom of speech
... got lots of vocal feedback at Prague
... whether everyone will show up is an open question, have to corral them sometimes
... there has been a good relationship between W3C and IETF
... division with W3C: IETF has tended to do HTTP protocol while HTML/XML etc done at the W3C
... open question of the right place is where to do this work
... IETF is structured into working groups, multiple streams, including IETF working groups or individual submissions, enter into RFCs

<karl> (next IETF meeting: http://www.ietf.org/meeting/81/index.html Quebec city, Canada, July 24 - 29, 2011)

PeterSaintAndre: a lot of similarity in how things work between IETF/W3C, advantages and disadvantages
... at IETF, no consensus or decision yet on whether to take on this work or decide where it should be done

jmayer: historically, how have IETF and W3C collaborated?

tlr: historically had joint working groups
... now prefer to carve out which pieces can be done where and then have a liaison relationship on how to coordinate
... a good working relationship, which functions well when there's a good interface defined between work items

PeterSaintAndre: things have gotten better as we've had more overlap in people, people getting involved as individual participants on both sides

DavidSinger: on the one hand, I think HTTP header so should be IETF, on the other hand, I think because it's about state and about user management and policy which seems like W3C

PeterSaintAndre: yes, that's why it's challenging

Shawn: why split it between the two?

AlexF: my understanding is that there are strong differences between the TPL and DNT Headers.
... more stakeholders we can bring in on advertising would increase success

jmayer: as a technological matter, TPLs are relatively straightforward in how we understand them, whereas the meaning of the header requires much more standardization

SueGlueck: it's not intended as an ad blocker, curated lists for blocking tracking
... which could be advertising or some other form of blocking
... the struggle around the header is about defining what tracking means, is the IETF better for making these policy decisions?

PeterSaintAndre: working groups have done work with policy implications, like GeoPriv
... policy decisions about tracking might not be defined in a technical standard at all
... tracking might be a different thing in the EU and Canada

csoghoian: browser vendors are apparently implementing before any formal standardization spec
... technology companies are implementing it before an agreement while the advertising companies are deciding to wait
... since Microsoft is both, why isn't Microsoft's ad business respecting the header?

SueGlueck: chicken/egg problem
... clock is ticking both because we have implemented the header in our browser and because the FTC and other regulators are putting pressure on it
... does lead to some uncomfortable choices because we own an ad network
... do think it's a good forcing function for us

AlexF: HTML5 is another example of browsers leading before a formal specification

<general laughter in audience>

AlexF: browser movement does change the discussion from theoretical to concrete

karl: usually work is done in one forum rather than the other because the interested people are there
... there's no strong sense of competition
... lots of overlap in both organizations
... differences are in patent practices, forms of working
... depends on the competencies of the people engaged in the work, that's the main difference
... it happens all the time that browsers implement something in a sort of beta form to see if it works before working together to standardize

PeterSaintAndre: that's why IETF believes in rough consensus and running code, sometimes one comes first, sometimes the other

jmorris: my personal assumption is that I'm skeptical that an IETF WG or W3C WG is the right place for the meaning of tracking to be resolved
... the meaning of tracking will be well defined in these fora
... TPL and DNT header could be done in separate working groups or at least separate workflows, so that debates over one won't slow down the other

tlr: what are the timelines for this work to be done, and how do we match up the work on those timelines?

WuChou: DNT HTTP header in IETF makes sense since IETF covers HTTP protocol
... good to do TPLs through W3C since it's most likely to be described through XML

tlr: HTTP headers are one of the well-defined extension points so that other groups can standardize them and then have them approved by IETF

PeterSaintAndre: can ask for review from HTTP experts at the IETF, or get last call review at the IETF

jmayer: could we have advisory work in the standards body, help from the technical community to a federal agency that's looking at regulation. does this seem sensible, or is there history of this?

hannes: in emergency services, there was a question about how the technology works, and standards group provided information to FCC
... FCC has requirements on location accuracy (different in different jurisdictions), and so the technical standard needs to support the strictest such requirement

tlr: can a standards body organize a forum for discussion between technologists and regulators? interest groups are one way to do that, a public discussion that can be managed by chairs and staff

alissa: different standards bodies require different numbers of existing implementations; in W3C you generally need 2 in order to reach a final recommendation, in IETF it varies by the level of standard

Switching to the chalk board! with Thomas and Lorrie

I've been impressed with the diversity of views at this workshop; does anyone know what the breadth of participation has been like at IETF, at Prague, for example?

lfc: definitions include all-tracking, oba-tracking (as in opt-out cookies, just behavioral targeting), middle ground (CDT, EFF, etc. definitions with exceptions)
... how much consensus is there around schools of thought

<karl> (laughing about doing a show of hands or a hummmm)

lfc: what would your first choice be out of these three choices?

<jeff> Each approach got some hums

lfc: are people willing to proceed in the process even if the definition isn't the one that they most like?

let the record show that nobody hummed to say that the CDT definition is unacceptable for work

tlr: working groups are for the purpose of negotiating between the participants about the technical and sometimes policy decisions
... could also have an interest group as a forum for additional discussion, including future work
... W3C is prepared to run and staff a Working Group
... we have limited time, some questions that need to be resolved relatively quickly in a way that's visible and accountable to the public
... I have heard that we need a process that will address several of these questions within a set time, and if that doesn't happen then we need to accept that maybe there is no consensus on this particular topic
... whatever we do needs to be time-limited and tightly-scoped
... what is that scope and that timeline?

karl: Incubator Group (very time-limited) good for documenting the state of existing work, definitions of terms, conclusions about next steps

jeff: I don't think we should plan for failure, we should set a scope that can be done in a year and then do it
... would hate to only have an Incubator Group out of this, I think it's important that we move quickly on whatever we do
... regarding criticisms of W3C openness: we make extensive use of Invited Experts in order to ensure that we get stakeholders involved even when not members

tlr: +1, that's part of our job as staff

alissa: via asoltani, hard to define the scope and timeline differently; if the scope is very small (bits on the wire) can do it quickly, with a larger scope it will take longer

DavidSinger: we have got to do something soon for Do Not Track, within the year; we need to make it quite obvious that this is not the only problem
... need an Interest Group to consider privacy problems on an ongoing basis and spawn specific projects as necessary

Aleecia: given that there are implementations already, we are already late. it takes at least a year to define what tracking means, get a consensus, etc. but there's a value in a beta definition to be out in the very near term
... and then have a full process on the definition that takes as long as it takes
... beta definition should be within 6 weeks

jmayer: skeptical that we can get full consensus of Do Not Track meaning (to the level that W3C and IETF usually use)
... but can get consensus now that just not-targeting-ads isn't sufficient
... and that there's a clear definition now, so at least there's a process for airing your grievances
... bad for everyone for people to continue to say that they don't know what Do Not Track means and as a result won't respond to it

tlr: want to build a process that can handle disagreement and find the points that have broad consensus and address objections

Bryan: look at this from an ecosystem perspective and the various entities, what are the parties and how does this affect them?

vinaygoel: I think W3C/IETF should focus on the technical and leave up the policy decision to other groups (including self-regulatory groups)
... there is low-hanging fruit or easy consensus to get DNT as meaning OBA opt-out

xxx: +1 on an interest group for ongoing

<karl> http://tools.ietf.org/html/draft-mayer-do-not-track-00

<karl> there is already a draft for the DNT header

xxx: need some consensus on the definition before we expect to make a significant impact

asoltani: need a process for defining both technical standards and definitions
... there are a few bills: a California bill, some in DC, etc., that's one limit on the timeline

csoghoian: pushback on Yahoo! (vinaygoel), people in DC would pat themselves on the back if we agreed on that, but we actually only get one shot now until 10 years from now
... ad networks know this, so want to make this not very useful now so that the pressure will be off

harlan: how do we know when we have consensus?

tlr: it depends.
... it's the skill of the chair so sometimes there are no major objections, but in contentious issues you can use things like a hum or a vote
... the chairs are particularly important because they will lead the way to consensus
... W3C has the process of Formal Objections for cases of vehement dissent, an appeal to the director TBL

PeterSaintAndre: IETF has similar processes; rough consensus doesn't have unanimity, but if you vehemently disagree you can appeal
... +1 that the chair is very important

alissa: DAA members aren't here, and they need to be in whatever room the definition is decided on

<karl> http://lists.w3.org/Archives/Public/ietf-http-wg/2011AprJun/0133

alissa: legislative season ends in the fall, so would recommend an extremely quick technical spec with little definition

jeff: I'd like to get something done soon
... is there a policy definition that can be defined in the very short term that is a good one?

DavidSinger: is OBA opt-out just the same as tracking everything but not building a profile?

vinaygoel: no, OBA opt-out means collecting data for some purposes (measurement, etc.) but not building profiles

lfc: that's not the official OBA definition, that must be a new one

karl: jmayer has already submitted a draft in March, it's there, push it!

<karl> ... see http://lists.w3.org/Archives/Public/ietf-http-wg/2011AprJun/0133

jmorris: on behalf of CDT and without making any predictions or commitments, CDT is actively thinking about whether they can handle a policy process like this, which would be a possibility

aleecia: (this might not be a good idea, but,) could at least come up with a basic user communication a la: "hi, I see that you have a DNT header turned on, here's what it means for this site"

Shawn: we would really need the W3C to come out with prescriptive rules about what you have to do in response to the header

AlexF: really need a definition on 1st party vs 3rd party
... from a Mozilla perspective, we are coming up with an implementation guide for what servers should do
... this could be an incubator

Andy_Paypal: what about reducing the scope? (concerned about having exemptions for fraud/security)
... if those are exempt, I don't need to participate as much

DavidSinger: response headers or responding with consequences from the site sounds good; supporting Aleecia's suggestion

asoltani: don't want to add more confusion

<npdoty_> Yahoo! points to http://aboutads.info/choices in particular the bottom of the page

Andy_Evidon: need more research projects

jmorris: a beta definition that changes later might upset users about things changing underneath them

vinaygoel: without granular control, users might opt out completely instead of just opting out of brands they don't trust

csoghoian: but consumers don't have the time to opt out of every single brand
... and haven't heard of any of these companies (ad networks)

vinaygoel: what I mean instead is that if Yahoo! requires them to opt back in (a quid pro quo), they should be able to opt back in only for a single party

csoghoian: but what if the quid-pro-quo requirement is about unknown companies?

tlr: how do we get this pile of work into something that happens in a reasonable amount of time? what are the direct next steps?

AlexF: we have been talking to ad networks / trade associations
... that could be one of our first action items

Bryan: a typical first step is to create a landscape document (entities, technologies involved), which would demonstrate to the market that we have a good understanding

jeff: concern about not getting the right thing, concern about not having all the important stakeholders
... we the W3C want to have as many stakeholders as possible, happy about Alex's suggestion, we'll go wherever we need to go to have those meetings
... if for whatever reason we can't get all that together, we still need to do something, so we may end up with a beta definition anyway

jmayer: I don't disagree with CDT or other concerns about the beta, but there are opportunity costs in not going ahead quickly

xxx: the choice is not now or never

SueGlueck: there are alphas and there are betas; if it does feel uncertain or alpha, industry is less likely to embrace it or invest money/engineering into it
... a more robust or thoughtful beta would be more useful, even if it takes longer than 6 weeks

Andy: most of the bills introduced call for FTC rulemaking, so the legislative timeline may not be a specific limit on defining tracking

lfc: some people would like to do something before any bill gets passed; FTC has to issue a report by the end of the year

alissa: it's not about timeline of passage of specific legislation, but about general interest

DavidSinger: the time limit is the next major privacy incident

asoltani: we could have an opportunity to shape the language in some of these bills, smart guidance to policymakers might be helpful

Aleecia: if I were running an industry self-reg group, I would try to get a definition out as soon as possible, in order to beat a W3C definition and be the only voice

csoghoian: FTC rulemaking since you don't want Congress making specific technical requirements
... self-regulatory response will be that they get to avoid regulation altogether because of, for example, agreement on DNT == OBA opt-out

tlr: this is a global problem, what does coordination beyond the US need to look like?

<jeff> +1 to tlr

alissa: it's hard to say something nation-specific in an international standards body

kevin: tls/ssl was international, but then certificate authorities had national discretion

<karl> http://lists.w3.org/Archives/Public/public-privacy/

tlr: immediate action will be a report on what's on the board and this discussion
... questions of forum could be figured out through usual channels
... at least consensus on Interest Group
... have made progress on what the recommendation work should be, at W3C, IETF and elsewhere, but still needs to be finalized

<karl> you can subscribe by sending an email to public-privacy-request@w3.org with the word subscribe in the topic

lfc: a summary of the hums
... fairly evenly split about what their first choice was
... but show-stoppers for both, but the CDT-style definition wasn't a show-stopper for anyone in the room

Bryan: related work in Device API disclosure, should look at the overlap of existing work (in W3C or outside)

jeff: thanks to tlr and lfc

<lots of applause>

jeff: what will we be seeing next?

<karl> BIG THANKS to npdoty and wseltzer

tlr: first record of the meeting will be out soon, perhaps a week; a summary report no later than mid-May (to tell the AC at Bilbao)
... strawman charter by the end of May
... announcements will go to the registration list, but eventually please subscribe to http://lists.w3.org/Archives/Public/public-privacy/

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2011/05/09 15:50:59 $