W3C

Tracking Protection WG F2F - Day 2

22 Sep 2011

Agenda

See also: IRC log

Attendees

Present
+1.617.715.aaaa, +1.202.263.aabb, +1.202.263.aacc, BrianTschumper, +1.425.681.aadd, WG-Live, adrianba, [Microsoft]
Regrets
Chair
Aleecia M. McDonald (aleecia), Matthias Schunter (schunter)
Scribe
npdoty, amyc, enewland, KevinT, tl

Contents


detailed discussion of issues

<tlr> ISSUE-23: general case of ISSUE-34

<trackbot> ISSUE-23 Possible exemption for analytics notes added

<tlr> ISSUE-34: special case of ISSUE-23

<trackbot> ISSUE-34 Possible exemption for aggregate analytics notes added

<tlr> issue-28?

<trackbot> ISSUE-28 -- Exception for mandatory legal process -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/28

<tlr> issue-29?

<trackbot> ISSUE-29 -- Tracking that may be required by law enforcement -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/29

<tlr> issue-28: duplicate of issue-29?

<trackbot> ISSUE-28 Exception for mandatory legal process notes added

<tlr> issue-29: duplicate of issue-28?

<trackbot> ISSUE-29 Tracking that may be required by law enforcement notes added

<tlr> ISSUE: third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party?

<trackbot> Created ISSUE-49 - Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/49/edit .

<npdoty> issue-49?

<trackbot> ISSUE-49 -- Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/49

matthias: welcome
... quite some progress yesterday, identified almost 50 issues
... thanks to the scribes from yesterday

<applause>

amy, erika, kevin, tl

matthias: go through each issues, discuss, hope to resolve each of the issues

ISSUE-17?

<trackbot> ISSUE-17 -- Data use by 1st Party -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/17

aleecia: rather than deciding whether part of the key definition or exemptions, we just want to know whether it's covered or not
... if I visit a first party with Do Not Track on, should there be any difference

fielding: will browsers send the DNT header to first party sites, if they make first party requests?

aleecia: as it stands today, I think first parties get the header

Shane: 2 things
... starting position should be 1st party not do anything
... 1st party to receive signal and pass on

Nick: NYT should tell that signal received
... NYT can request pay or registration

Shane: first party may serve diff type of ad to user sending DNT

<ifette> ISSUE: Are DNT headers sent to first parties?

<trackbot> Created ISSUE-50 - Are DNT headers sent to first parties? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/50/edit .

ISSUE: should 1st party have any response to DNT signal

<trackbot> Created ISSUE-51 - Should 1st party have any response to DNT signal ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/51/edit .

tl: just because does not want targeted ads, not owrthless customer
... still possible to monetize

Shane: not that extreme, industry research shows OBA does provide increase in value over other ads

jmayer: has been discredited

<jmayer> I have a brief writeup on the Beales study at http://donottrack.us/bib/#sec_economics

<jmayer> There was lengthy discussion of the study at the Yale ISP Symposium "From Mad Men to Mad Bots"

<jmayer> Video may be available

DavidWainberg: if first parties are monetizing they need this information and to pass

Jennifer: in terms of 1st party receiving info, need to to know what to do because work with third parties

<WileyS> Beales Study: http://www.networkadvertising.org/pdfs/Beales_NAI_Study.pdf

Jennifer: may need to deliver button or call to ad server, response depends on signal

<jmayer> By way of background, the Beales study was paid for by an industry group and not peer reviewed.

Jennifer: whatever user says, what if user has different cookies from self-reg program?
... DNT turned off, but user has opted out of that entity / site
... what if user has registered with company and provded demo info through registration
... can ads be provided on demo, rather than BT

ISSUE: what if conflict between opt-out cookie and DNT?

<trackbot> Created ISSUE-52 - What if conflict between opt-out cookie and DNT? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/52/edit .

ISSUE: How should opt-out cookie and DNT signal interact?

<trackbot> Created ISSUE-53 - How should opt-out cookie and DNT signal interact? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/53/edit .

ISSUE: can first party provide targeting based on registration information even while sending DNT

<trackbot> Created ISSUE-54 - Can first party provide targeting based on registration information even while sending DNT ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/54/edit .

Ed: clarifying question - how would cookie conflict?

Jennifer: can opt out of individual companies on opt-out page
... and default DNT is sent to all sites

Ed: does absence of opt-out cookie reflect consent to be tracked?

Jennifer: if DNT is turned on, and user hasn't opted out, then tracking should not happen
... if DNT is on, but user has opted in to customization, then may have conflict

Ed: self reg does not offer opt-in

Shane: rferences w3c submission, agrees with Ed
... if you receive opt-out cookie or DNT signal, honor it
... only race condition is that user has set opt out cookie, but through DNT quid pro quo dialogue
... would user consent to that dialogue override opt-out?

CBS: BT opt out is different than tracking

Thomas: can't have BT without tracking

Jonathan: can do BT without tracking, references research

ISSUE: What is relationship between behavioral advertising and tracking, subset, different items?

<trackbot> Created ISSUE-55 - What is relationship between behavioral advertising and tracking, subset, different items? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/55/edit .

Aleecia: six possible conditions with chart

<jmayer> Several papers on interest-targeted advertising without server-side third-party tracking at http://donottrack.us/bib/#sec_technology

Shane: if DNT definition equates to opt-out definition, then treat the same

Aleecia: what if user has opt out cookie and DNT off?

Jennifer: opting back in may be equivalent to removal of opt-out cookie

Aleecia: we agree on two things, open issue what happens when DNT/opt out doesnt agree
... what happens when users opt back in

Chris: do we have dispute where DNT is on, and no opt out cookie? just honor DNT

<npdoty> ISSUE: what if DNT is unspecified and an opt-out cookie is present?

<trackbot> Created ISSUE-56 - What if DNT is unspecified and an opt-out cookie is present? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/56/edit .

Jonathan: possible first party issue

<npdoty> ISSUE: What if an opt-out cookie exists but an "opt back in" out-of-band is present?

<trackbot> Created ISSUE-57 - What if an opt-out cookie exists but an "opt back in" out-of-band is present? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/57/edit .

Jonathan: one approach is that first party may or should do something, leave discretion
... example, Google could disable web search history feature if DNT is on

Aleecia: example is that Google just uses its existing Google optout for analytics

Sue: does that have possiblity of confusing user, and companies choose to go above and beyond
... how will users know what to expect

<karl> | DNT: 1 | DNT unspec | DNT: 0 | OptBackIn|

<karl> ---------------------------------------------------

<karl> OOC | | | | |

<karl> ---------------------------------------------------

<karl> NO OCC | | | | |

<karl> ---------------------------------------------------

<karl> OOC=Opt-Out Cookies

Sue: area of competition

<npdoty> tl: rather than an area of confusion, maybe it's an area of competition for sites to respond to users who express a preference for more privacy and less tracking

Kimon: who knows what users want, many different things
... may want services and customizaiton on website
... should be technology neutral, perhaps not refer to opt-out cookie, but all technologies used for tracking

Matthias: problem is generic
... finish table and discuss by email, then document as issue

<npdoty> ISSUE: what if DNT is explicitly set to 0 and an opt-out cookie is present?

<trackbot> Created ISSUE-58 - What if DNT is explicitly set to 0 and an opt-out cookie is present? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/58/edit .

Matthias: OK to send DNT header to first party?
... seems like agreement on that point

Kimon: should first party know?

Nick: two question - should we send to first party; should first party do something

Aleecia: just looking at first question

David: what if client has logic about what DNT signal to send to whom
... should first party also know what signals sent to third parties on page

<npdoty> ISSUE: should the first party be informed about whether the user has sent a DNT header to third parties on their site?

<trackbot> Created ISSUE-59 - Should the first party be informed about whether the user has sent a DNT header to third parties on their site? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/59/edit .

Aleecia: should or must first parties know what is sent to third parties on their site
... parties may not know if 1st or third party

<npdoty> ISSUE: will a recipient know if it itself is a 1st or 3rd party?

<trackbot> Created ISSUE-60 - Will a recipient know if it itself is a 1st or 3rd party? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/60/edit .

<npdoty> close ISSUE-17, DNT signal will be sent to first parties

Aleecia: no disagreement, closes issue
... anyone who disagrees that first party must receive signal?

<clp> Charles L. Perkins, Virtual Rendezvous, arriving.

<jmayer> One easy approach to sharing Do Not Track status across domains is postMessage, see http://donottrack.us/cookbook

<karl> ISSUE-51?

<trackbot> ISSUE-51 -- Should 1st party have any response to DNT signal -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/51

ifette: how would you tell a site whether they are first party or not?

<fielding> ISSUE-50?

<trackbot> ISSUE-50 -- Are DNT headers sent to first parties? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/50

<karl> ISSUE-50?

<trackbot> ISSUE-50 -- Are DNT headers sent to first parties? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/50

<npdoty> close ISSUE-50

<trackbot> ISSUE-50 Are DNT headers sent to first parties? closed

<karl> ISSUE-50: The answer is yes. It has been decided to close it through consensus at WG F2F on September 22.

<trackbot> ISSUE-50 Are DNT headers sent to first parties? notes added

<npdoty> effectively, ISSUE-17 has been split into 50 and 51

<npdoty> ifette: it may be a difficult engineering challenge to determine whether an iframe is actually in a first party or third party context (as in Google embedding iframes of other Google domains)

Kevin: can provide meta data around domains
... won't solve first party or third party, but browser may be able to look in registry

clp: can separate whether information is known externally, whether what is going on in browser
... interesting to know relationships

ifette: a site could publish something that shows everything that it considers part of itself

Charles: right, then could hide information in case iframe does not want to be known

Aleecia: sites could publish everything it considers to be part of a site, could be part of reco

Kevin_Adobe: significant implementation cost

<clp> I.e., RDF, site publishes metdata, useful for research auditing sep. from issue within the browser

<npdoty> just fyi: http://www.w3.org/P3P/2003/12-domain-relationsships.html#Proposed

<clp> Yes, but amazingly useful.

Thomas: cookies that are not domain in browser bar
... know same domain, don't know domains owned by same company

<karl> domains != companies

Charles: may solve problem, can list vendors
... can publish all service providers
... to a single site

Aleecia: sites could publish what they are

<npdoty> ISSUE: a site could publish a list of the other domains that are associated with them

<trackbot> Created ISSUE-61 - A site could publish a list of the other domains that are associated with them ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/61/edit .

Aleecia: some info could be sent by iframes, not clear what that would look like
... third possibility, no idea whether content knows it is third party or first party

<npdoty> ISSUE: the browser or embedding site could send an architectural signal to an embedded iframe so it knows it's in a 3rd-party context

<trackbot> Created ISSUE-62 - The browser or embedding site could send an architectural signal to an embedded iframe so it knows it's in a 3rd-party context ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/62/edit .

Aleecia: third is current state, we don't do anything
... another issue is meta data in registry, but may not solve issue
... deeper technical issue, need to discuss more
... even if goal is that first party exempt

<tl> users can't tell the difference between first and third parties, and nor can we, so why talk about them at all?

Matthas: separate technology from policy, if technology is able to detect third party vs first party

Aleecia: request photo of white board

<jmayer> it would be fairly straightforward to engineer websites so they know whether they're a first party or third party

<npdoty> ISSUE-27?

<trackbot> ISSUE-27 -- Mechanism to revoke Do Not Track for specific entities (maybe I really like Google), "opt back in" -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/27

<jmayer> example: use gstatic1.com for google's static first-party content, gstatic3.com for google's static third-party content

Aleecia: maybe move to issue 27, skipping issue 49 that is treating 3rd party as 1st party

Nick: provides summary of issues

<jmayer> only issue is mishandling embeds google didn't intend, which i'm ok with

<clp> Awesome readback :)

<npdoty> open list of issues is here: http://www.w3.org/2011/tracking-protection/track/issues/raised

<clay> Charles idea wrt site publishing the way to determine 1st party solves many problems and makes a lot more possible.

Kevin: related issue is embedded first party things in site, like weather widget
... users interacting directly
... with widget, providing information directly
... should be treated as first party

<npdoty> ISSUE-26?

<trackbot> ISSUE-26 -- Providing data to 3rd-party widgets -- does that imply consent? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/26

Aleecia: this is existing issue
... many things fall into widget example

TL: not clear that widgets should be treated as first party

<karl> widgets, extensions, iframe, add-ons, etc.

Charles: should consider whether user has intention of interacting of widget or service

<jmayer> how the user interacts with a widget is also important to consider

<jmayer> is scrolling a weather timeline enough to be tracked? (i think not.)

<npdoty> jkaran to send out a summary of the discussion for issue 17

<npdoty> ACTION: jkaran to summarize issue 17 and provide excel sheet [recorded in http://www.w3.org/2011/09/22-dnt-minutes.html#action01]

<trackbot> Sorry, couldn't find user - jkaran

Charles: volunteer to summarize for Issue 27

<fielding> Please use the projector to display the issue list.

<karl> ISSUE-27?

<trackbot> ISSUE-27 -- Mechanism to revoke Do Not Track for specific entities (maybe I really like Google), "opt back in" -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/27

Dan: volunteers to create summary of issue 27

Jonathan: starting point is using standard web technologies - no need for new technical mechanism - has examples
... will post link
... example of NYT pops up box asking for subscription or agreement to tracking
... consent overrides DNT signal

Shane: technical details about where stored?

<jmayer> Some examples at http://donottrack.us/cookbook

TL: challenge response system designed to deal with this situation; site responds with DNT 1 or DNT 0
... this site thinks you consented to be tracked, do you agree
... then user continues

<ifette> ISSUE: should there be a popup dialog or something like that which should override DNT?

<trackbot> Created ISSUE-63 - Should there be a popup dialog or something like that which should override DNT? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/63/edit .

Jonthan: pop up is example

<npdoty> ISSUE-63: a "popup" is just an example, the proposal from jmayer is that a site can use existing HTML to show the user a form to opt back in

<trackbot> ISSUE-63 Should there be a popup dialog or something like that which should override DNT? notes added

Clay: is user opting into NYT or all third parties on NYT?

ifette: How to communicate to third parties on NYT

Jonathan: could be any of these

Clay: could NYT be third party tracker on other sites?

Charles: what does it mean to say ok to track dialogue
... in site registration issue
... who is user, may be multiple people using same browser
... have to support that in general

ifette: expectations in having DNT on; click something when visit a site
... should explore how that interacts with DNT, uses example of language setting
... what is reasonable expectation

Aleecia: thinks this is new issue, logged in vs logged out is relevant and another issue

ISSUE: how does preference management work with DNT

<trackbot> Created ISSUE-64 - How does preference management work with DNT ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/64/edit .

ISSUE: how does logged in and logged out state work

<trackbot> Created ISSUE-65 - How does logged in and logged out state work ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/65/edit .

Dan: go to site, pop up window agree to what is in dialogue

<laurengelman> if third party service provides service (collects data) for 1st party, it can provide the opt-in backend

Dan: does this carry over to third party site or apply only to first party

Aleecia: if you consent how and how long does consent exist?

ISSUE: can user be allowed to consent to both third party and first party to override general DNT?

<trackbot> Created ISSUE-66 - Can user be allowed to consent to both third party and first party to override general DNT? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/66/edit .

<ifette> ISSUE-64: As an example, if a user has DNT on and clicks something that sets a preference (e.g. clicking "German" as a language setting) what is the implication for that? Should the site have to gather explicit opt-in to be able to set a cookie, or are there implicit exemptions

<trackbot> ISSUE-64 How does preference management work with DNT notes added

<tlr> the yahoo paper: http://www.w3.org/2011/track-privacy/papers/Yahoo.pdf

Shane: should be stored client side so that users can see what exceptions were granted
... blend of TPL and DNT; DNT is overriding no, then user comes back to say yes to particular sites
... can first party get permission for tracking Internet wide, as where rich media vendor collects consent on behalf of others

<npdoty> ISSUE: should opt-back-in be stored on the client side?

<trackbot> Created ISSUE-67 - Should opt-back-in be stored on the client side? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/67/edit .

Aleecia: should we specify that consent stored client side in human readable way, should first party be able to collect consent web wide

David: is there a time dimension to conflict, as where user sets DNT after consent?

<npdoty> ISSUE-67: as proposed by Shane, this would allow interrogation on the client, changing these preferences by user on a browser, etc.

<trackbot> ISSUE-67 Should opt-back-in be stored on the client side? notes added

Aleecia: should add new column to table
... thinks explicit consent should trump

<pde> ifette, from our point of view, logging into a site could be made equivalent to optting-back-in (provdided the user is clear on this), while setting a language preference /ought/ not require those things

<pde> why set a high-entropy cookie for a language setting?

Jennifer: company could be doing many different things with cookies, from ads to content customization

<pde> why not just LANG=de?

Jennifer: are you opting out of all cookie uses, or just tracking (not defined)
... related to discussion about opting out of data type

Brett: two dialogue boxes from pop up plus challenge respons
... better user experience if a single choice

<ifette> pde, many sites have a system where rather than enumerating all the preferences a user may have set in the cookie, they simply list an id

Shane: challenge response does not have to have dialogue box
... may not have UI

<ifette> pde, the cookies and values get sent with each request, so if you send a ton of crap with each request it's problematic

Aleecia: we are not designing dialog boxes

<pde> jmayer, okay, so what we're talking about here is whether Facebook's 3rd party widgets are translated into german?

<jmayer> ifette, pde - recall this is about third parties, limited set of sites and options

Cris: need to import features between browsers, as in saving preferences and favorites across browsers
... one user with multiple browsers

<pde> since facebook as a 1st party can track the user for whatever purpose it wants

Aleecia: in scope?

<jmayer> sure, there's an example - i think it's plenty reasonable to ask facebook to use a language cookie

TL: should be out of scope

<pde> or alternatively,

Shane: adds argument for client side storage

<npdoty> ISSUE: should there be functionality for syncing preferences about tracking across different browsers?

<trackbot> Created ISSUE-68 - Should there be functionality for syncing preferences about tracking across different browsers? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/68/edit .

Charles: even if out of scope, perhaps footnote analogizing to how bookmarks

<enewland> Facebook will suggest that you change your language on facebook.com based on your visits on different sites (e.g., suggest that you change your facebook.com experience to a german one after you visit a german-language site)

<pde> when I log into a small 1st party site, it can use tracking methods to set complex prefrences for its 3rd parties (not sure when that would occur, though)

<npdoty> ISSUE-68: tl: suggests this syncing feature is out of scope

<trackbot> ISSUE-68 Should there be functionality for syncing preferences about tracking across different browsers? notes added

Jonathan: even though not designing UI, need to specify adequate notice and consent

Aleecia: FTC would define this

Jonathan: we should specify cannot hide in privacy policy

<npdoty> ISSUE-68: Shane: even if this is out of scope, it might be another advantage of storing the opt-back-in on the client side

<trackbot> ISSUE-68 Should there be functionality for syncing preferences about tracking across different browsers? notes added

Matthias: seems like we can address

<laurengelman> specification for mechanism for good notice is useful

Charles: may, should, must possible

Aleecia: do we say anything about double notice

<npdoty> ISSUE: should the spec say anything about minimal notice? (ie. don't bury in a privacy policy)

<trackbot> Created ISSUE-69 - Should the spec say anything about minimal notice? (ie. don't bury in a privacy policy) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/69/edit .

Aleecia: requests picture of whiteboard before break

<clp> Break after this last question

<jmayer> i'm not seeing an issue it duplicates

<npdoty> WileyS suggests that issues 42, 43, 44 may be similar to 69

cris: regarding persistence of opt-in, could there be a discussion of how long DNT asks
... do sites have to ask again
... after a certain period of time

<karl> FTR, usage of MUST, MAY, SHOULD, etc. "For example, they must not be used to try to impose a particular method on implementors where the method is not required for interoperability." &mdash; http://www.ietf.org/rfc/rfc2119.txt

Aleecia: for example, could require sites to seek additional consent after a certain period of time

Jennifer: what happens when upgrade browser
... does DNT persist across upgrades

TL: out of scope

<npdoty> ISSUE-68: should DNT persist across browser updates as well? (this may be out of scope)

<trackbot> ISSUE-68 Should there be functionality for syncing preferences about tracking across different browsers? notes added

Thomas: does it persist in client is out of scope

<npdoty> ISSUE: does a past HTTP request with DNT set affect future HTTP requests? (expiration)

<trackbot> Created ISSUE-70 - Does a past HTTP request with DNT set affect future HTTP requests? (expiration) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/70/edit .

<clp> Maybe not, if a policy decision needs to be made, like Do Not Call, DMA timout after 5 years

<clp> ^^Charles

<npdoty> ISSUE: does DNT also affect past collection or use of past collection of info?

<trackbot> Created ISSUE-71 - Does DNT also affect past collection or use of past collection of info? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/71/edit .

Aleecia: do I honor preivously on

<pde> jmayer, so imagine I'm a 1st party and I get some logs along with DNT. I am allowed to keep the logs, but I'm not allowed to send them to 3rd parties. I think I need to keep a record of the DNT header for as long as I keep the logs

Shane: take the most recent state

David: from single client or across devices?

<npdoty> ISSUE-70?

<trackbot> ISSUE-70 -- Does a past HTTP request with DNT set affect future HTTP requests? (expiration) -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/70

<npdoty> close ISSUE-70

<trackbot> ISSUE-70 Does a past HTTP request with DNT set affect future HTTP requests? (expiration) closed

Aleecia: subsequent visits where DNT is off, treat as DNT off

<npdoty> ISSUE-70: take the most recent answer

<trackbot> ISSUE-70 Does a past HTTP request with DNT set affect future HTTP requests? (expiration) notes added

<ifette> RESOLUTION: If a user visits a site with DNT ON, and subsequently visits with DNT OFF, that subsequent visit is treated as DNT OFF

<clp> Reconvene at 10:50 am

<karl> ISSUE-70: HTTP is stateless, and so the server based its responses on each message.

<trackbot> ISSUE-70 Does a past HTTP request with DNT set affect future HTTP requests? (expiration) notes added

<clp> Back at 10 before 11 am

<Lia> Hi Lia Sheena from FPF is here

<clp> coming back soon?

<karl> ISSUE-70, close

<clp> Coming back now

Aleecia: Two issues to start with. First, do we exempt analytics. Second, do we exempt aggregate analytics

<npdoty> ISSUE-23?

<trackbot> ISSUE-23 -- Possible exemption for analytics -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/23

<npdoty> ISSUE-34?

<trackbot> ISSUE-34 -- Possible exemption for aggregate analytics -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/34

Tom: Analytics by a first party on itself should be excepted. Analytics by a third party acting as a contractor and stores information appropriately, it should be siloed. Siloed as specified by contract and by technology as well.
... To clarify. Where an analytics program is operated by a third party that is acting as a contractor and stores information appropriately, this analytics should be excepted

jmayer: Siloing by tech is not sufficient. Information should be siloed by technology AND contractually

<npdoty> ISSUE-34?

<trackbot> ISSUE-34 -- Possible exemption for aggregate analytics -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/34

Shane: For aggregate and anonymous reporting, contractual and technological requirements may not be necessary.

Aleecia: what do we mean by aggregate?

Shane: Yahoo analytics may be used by site owners. Yahoo may use information collected across sites but used in the aggregate. And that should be exempted from DNT

Aleecia: to clarify -- as long as data is aggregated, DNT does not apply

Shane: yes

Matthias: Is it our job to set out the specific mechanisms of isolation?

David: What is the rationale for exempting analytics?

jmayer: We want to preserve comparative advantage on the web.
... we may want an exception for analytics and related stuff. eg ad serving too

matthias: so we need a distinction between those who are processing the data as contractors and those who are collecting/using it for their own purposes
... if we can guarantee that such where data is not being connected by these contractors, then this is an exemption and a principle we can apply

shane: if there are no independent rights to use that information, then yes, they should be excepted. but if they are using that info themselves, then the exception shoudlnt apply

<BrianTschumper> [Microsoft] is Brian Tschumper

aleecia: independent use --- agent of first party

<npdoty> ISSUE: basic principle: independent use as an agent of a first party

<trackbot> Created ISSUE-72 - Basic principle: independent use as an agent of a first party ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/72/edit .

aleecia: analytics is a special case, a subset of a larger case. About the role of a contractor where the contractor is taking data that is siloed and only using it for the purposes specified by the first party. is analytics worth treating separately from everything else within this larger case?

<Jules> Jules Polonetsky is here on IRC and on and off the phone

shane: we still have to talk about analytics in the third party context

<npdoty> enewland: are we basically drawing the data controller / data processor distinction from EU law?

erica: are we drawing a distinction here that is basically the data controller/data processor distinction in the EU

<Justin-CDT> This is Justin Brookman, following on IRC, will call in after lunch.

Kimon: the controller is the entity that makes the decisions. Can outsource activities to processor and retains responsibility for how the processor uses that information. But different countries may define roles a bit differently. There are also co-controllers
... We also have to figure out what is data? how do we define data

<BrianTschumper> ?

<fielding> http://en.wikipedia.org/wiki/Analytics

<tl> clarification from me: the data controller is the "owner" of the data, and responsible for it to the customers. a data processor is someone who is contracted to do something with that data, as an agent of the controller.

Aleecia: Charles is saying that there is a sub issue to the bound by siloed contract does the contract persist after sale?

<npdoty> Charles: what if a first party collects data and then is bought out by another party who can then try to reuse the data?

<laurengelman> owner is not going to be a super helpful term unless it is defined

Matthias: If a first party contract results in first party outsourcing functionality to an agent. Is that agent exempt from the DNT requirement provided it does not use that data for other purposes?

<fielding> http://en.wikipedia.org/wiki/Web_analytics

SeanHarvey: Google Analytics -- In some cases the publisher agrees to share the data with google for aggregate usage, but the publisher can opt out of this

Aleecia: we have an open issue that hasn'tt been resolved as to whether these parties need to be bound by contract, technology or both
... so do we have agreement that an agent that is bound in whatever way we determine to only use the data on behalf of the site should be treated as the site itself?

Shane: this can bleed into operational use case as well.

<Jules> i agree!

Aleecia: Whether you are a contractor doing analytics or shipping, this principle applies.

<laurengelman> what if you transfer it at the command of the first party to their partner?

jmayer: Clarifying Question. To vote on this issue, we need to first resolve whether the third party agent needs to be bound by contract, technology, or both

Aleecia: We are going to vote. Three options.

<Jules> can we vote via IRC?

Aleecia: We can say the agent must be bound by contract, bound by technology - open issue as to what it means, or both.

Matthias: A fourth option. Unspecified. Raise the policy objective in a technology neutral way.

Shane: or we could have a fourth option. Which is either (contract and technology) OR (technology)

<npdoty> ISSUE: in order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract

<trackbot> Created ISSUE-73 - In order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/73/edit .

Peter: So is a contract necessary on top of the technology? This can raise thorny issues with regards to existing contracts.

jmayer: It can be any sort of legal commitment, so long as it's enforceable by both customers and regulators.

Aleecia: Can W3C create a contract requirement?
... question of authority here.

Matthias: We should say that the agent must ensure that the data can't be used in other contexts. And then just list some potential ways this could be achieved. Describe the ends that must be satisfied by these technologies rather than the means.

Brett: if the data CAN be combined, even if it's not combined. This is a privacy risk. eg, government access. So there should be no exception here, where the data can be combined

Kimon: That will be difficult to enforce. Hard to separate law from technology here.

<fielding> I agree with Matthias

Shane: we need to be able to use data in the aggregate. useful for companies, society, etc. We don't want to be too overly prescriptive.

npdoty: If we say that analytics providers can track you across multiple sites such that they use the data in the aggregate, then the government can go to the site, request the data, which is used in the aggregate but not held in the aggregate, and then DNT has provided no protection.

Peter: if we postpone here, are we postponing the question of what kind of technology should be used?

Tom: On the question of people being bound legally. We can write in a specification what you need to do to comply with the specification. We can say that for a server to be in compliant with a certain standard, the CEO has to be wearing a blue hat. We can determine what is and is not compliance. Then if someone says they are compliant and they are not, then that is between the entity making that assertion and whoever they are making a false promise to

Kimon: If we exempt something, how much do we need to define it?

<npdoty> David Wainberg: are there any examples of W3C or other technical specifications that make a requirement on companies of this type?

<tl> we need to define it completely, otherwise anything can get in under the exemption

Kimon: If we agree that A is tracking and then we see web analytics is excluded and then define web analytics, we may impose a definition on the market that does not really accord with how the market is used today.

<npdoty> fielding, can you help us scribe your last statement

Charles: We don't have to say do or don't do something. We can say should or may.

Matthias: We have been talking about must

Brett: If we are going to carve out an exception in this case, then the data must truly remain in a first party contract. If i am saying do not track me and i am retaining the same user id across sites, then i am being tracked across site. Period.
... there has to be no way to combine the information across different contexts if we are going to create an exception here.

tlr: We are talking about an exchange of signals. Communication that when that byte or set of bytes goes over the wire, then here is what we expect you to do. There can be many ways to achieve the expected effect. We do not want to get too specific about how entities are supposed to achieve that effect.

<karl> agree++ to what tlr said

tlr: This is a technical document. Let's focus on what the meaning of the messages is. The meaning of the messages that go over the wire. We can provide implementation guidance, but let's think to the effect that actually matters to the intent.

Aleecia: I would like to see if we have something we can get consensus on right now. If not, then I want someone to take action items to draft text, possibly competing proposals, and we will discuss this further on calls.
... I suggest that we start by looking to see if we have rough consensus around the idea that we will not specify whether the requirement is technical or contract. Instead that it is based on intent that contractors are bound not to use data in other contracts and must only use data on behalf of the first party site if they are to be treated as a first party themselves.
... is this something that, roughly, people in the room support?

David: we are talking about user level data, right? Not aggregate.

Aleecia: Yes.
... This is not just analytics

<fielding> I was agreeing with Matthias that we should say that the agent must ensure that the data can't be used in other contexts -- the various ways in which the agent could ensure such a thing does not matter for the standard because only the effect is measurable and only the effect matters in terms of compliance.

Kimon: I might have reservations if this is broader than analtytics

Matthias: This is a question of principle. We know it is not articulated completely.

Kimon: We may need more clarification than a commahere.

David: What do we mean by use?

Peter: We need to put a technical component into that commitment.

<dwainberg> aleecia: yes, we're talking about use constrained to the first party

Peter: There are low hanging technical ways to do it. Our wording should specify that. As well as requiring a commitment as an actor
... Must on the technical and should on the other commitment. But I would be ok in swapping that around.

Aleecia: We need some people to take action items for people to draft text.

Matthias: We have consensus that if the binding is sufficiently strong, then it is ok to treat these third party agents as first parties, it seems. But what is sufficiently strong?

Aleecia: But this question of what is sufficiently strong is a big deal. We need to resolve that first.

<npdoty> "once Shane and Jonathan agree, then we're all set"

Shane: I am fine with us not specifying too specifically what sufficiently strong means.

Aleecia: Maybe we should assign action items and move on?

Thomas: I think we have some agreement. We have consensus on the general principle and what piece of this still needs to be worked out

Matthias: So do we call this issue closed?

Aleecia: I want us to move on, but I do not want us to close this issue.
... Jonathan and Shane will draft action items.

<ifette> ISSUE-23?

<trackbot> ISSUE-23 -- Possible exemption for analytics -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/23

<ifette> ISSUE-34?

Aleecia: for Issues 23 and Issues 34

<trackbot> ISSUE-34 -- Possible exemption for aggregate analytics -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/34

<fielding> I argue that "tech" cannot be defined in any meaningful way that could reach consensus ... that is a rathole

<npdoty> <Shane and Jonathan agree on delaying deadlines>

Shane: How about writing up the issue by 9/30?

<ifette> ACTION: Shane to draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) - due 2011-09-30 [recorded in http://www.w3.org/2011/09/22-dnt-minutes.html#action02]

<trackbot> Created ACTION-5 - draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) [on Shane Wiley - due 2011-09-30].

<ifette> ACTION: Mayer to draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) - due 2011-09-30 [recorded in http://www.w3.org/2011/09/22-dnt-minutes.html#action03]

<trackbot> Created ACTION-6 - draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) [on Jonathan Mayer - due 2011-09-30].

<tlr> action-5 due 2011-10-03

<trackbot> ACTION-5 draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) due date now 2011-10-03

<tlr> action-6 due 2011-10-03

<trackbot> ACTION-6 draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) due date now 2011-10-03

<ifette> tlr I thought we said next friday?

<tlr> whooops, right

<tlr> sorry

<karl> http://www.w3.org/2011/tracking-protection/track/actions/open

Shane: I am going to be saying that you must sign up for something in here, must obligate your organization to do something, whether that be contract or technology. Different organizations will meet the obligation in differentw ays.

<ifette> ACTION-5 due 2011-09-30

<trackbot> ACTION-5 draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) due date now 2011-09-30

<ifette> ACTION-5 due 2011-10-03

<trackbot> ACTION-5 draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) due date now 2011-10-03

Aleecia: Next we will talk about Issue 25, and then Issue 22

<npdoty> ISSUE-73 may also apply to ISSUE-23 and -34

<ifette> ISSUE-25?

<trackbot> ISSUE-25 -- Possible exemption for research purposes -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/25

ISSUE-25?

<trackbot> ISSUE-25 -- Possible exemption for research purposes -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/25

ISSUE-22?

<trackbot> ISSUE-22 -- Still have "operational use" of data (auditing of where ads are shown, impression tracking, etc.) -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/22

Aleecia: Starting with Issue 25.

Shane: Many see 'analytics' and 'research' differently
... Information being used for research is not being used to directly impact an individual's experience. To us that is the difference between the two. The information might be at the individual level, but it's only used for the research purpose.

Aleecia: We have a suggested definition. That research is data that does not used to affect's a user's experience.

[disagreement]

<fielding> What if the research is on how an individual uses the Web?

Jonathan: Data that does not identify the web history of an individual user. In a technical sense.

<jmayer> Research or aggregate analytics.

Charles: but even if it's not used to directly impact a user's experience, the collection can affect how a user experiences the web, her feelings about privacy, etc.

<amyc> jonathan, does that specifically mean, for example, that data set would not include IP addresses or cookie identifiers?

efelten: If we say yes to this exemption, is all collection for this purpose ok? Are there retention limits?
... This is an issue that may arise for a lot of our proposed exemptions

ifette: So this is an exemption based on use?

<jmayer> amyc, cookie identifiers for sure, ip addresses are a technical question where we need more research

Shane: Yes. There will be continued collection for a limited use exemption.

ifette: the point of doing research is to improve the user experience

Shane: Direct user experience. Like OBA
... I can learn about a specific cookie and then change an experience in response to that specific cookie. That is OBA. In the research example, I collect information about individuals, and then apply the things i learn to the general population

<jmayer> schunter: i'm not sure what we're talking about

<npdoty> Scott: how about "not directly addressable"?

Shane: This is general use exemptions for DNT. not related to collection
... this is product improvement, etc.

Aleecia: Are you also seeing this as things like surveys

Shane: We have been discussing observed data. Surveys to me are declared information. That is different.

Scott: With surveying, would someone with DNT on never see a survey invite?

Aleecia: We have an issue, are surveys out of scope

ISSUE: Are surveys out of scope?

<trackbot> Created ISSUE-74 - Are surveys out of scope? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/74/edit .

Shane: I posit that all declared data is out of scope. For the entire DNT conversation

Aleecia: that is already an issue

Roy: I am confused. We are talking about web analytics here? Not analytics in general? What do we mean by research? Think about legitimate research institutions. These require consent from individuals. Tracking someone across the web requires consent for legitimate research.

<tlr> shane: we didn't really get to the aggregation question

<tlr> erica: if the collection still records an individual history across the web, then there are still privacy concerns

<npdoty> shane: "lots of ways to solve the government bogeyman problem"

<npdoty> shane: different technical measures (blinding, one-way hash, destroying keys, etc.) so that the data can be collected in such a way that even if the government accessed it they couldn't find the person's name

<npdoty> erica: but even if it's not connected to a particular name, a pseudonym could allow for re-identification

<jmayer> i completely agree with erica on this

<npdoty> shane: well, there are questions of anonymization

Sean: we are getting to a fundamental disagreement. Collection vs use. What does collection mean? What collection is permissible and what is not.
... It is not appropriate to say DNT is on but let people collect information about you around the web for research purposes.

Charles: what about ISPs? Then we already have collection and logging.

Aleecia: so this raises an issue. Are ISPs in or out of scope?

Thomas: we should stay on the application layer
... and not raise this as an issue

<laurengelman> I am on the phone 415

fjh: I'm concerned about the idea that hashing IDs is the same as anonymity. If we are talking individual records for individual entities. This is a privacy problem. Maybe we should use a 'should' here.

Shane: to get aggregate, you have to start with somethign else

<npdoty> ... there is a point in time when you don't have aggregate data, even if you will at some point

fjh: So maybe it's a retention issue

Aleecia: Is hashing or trying to de-ietntify enough to be anonymous or should we require aggregate only?

<fielding> I am talking too fast today. If "research" includes the study of humans activity (data collection of individual behavior for the sake of understanding that behavior), then legitimate research that complies with universally accepted human studies policies MUST obey the DNT preference because it expresses an opt-out. If "research" means studying something other than human activity, such as an aggregate set of paths from other sites and statistics regarding th

<fielding> paths, then this should fall into the category of exemption by aggregation (i.e., we only want to exempt research if it is only stored in aggregate form).

<laurengelman> <thanks for fixingthe beeping>

fjh: so-called anonymization may not work as well as want it to.

Kevin: what is the mechanism of exemption?

<npdoty> fjh: we could have a SHOULD requirement about anonymization or measures against de-identification

Kevin: How do companies claim exemptions?

ISSUE: How co companies claim exemptions and is that technical or not?

<trackbot> Created ISSUE-75 - How co companies claim exemptions and is that technical or not? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/75/edit .

Aleecia: We do not have consensus on this.

<clp> lunch

Lunch time

<npdoty> ... confusion by talking about different layers (SSL for example separates into two layers)

<clp> Back

Tracking Preference Expression

<KevinT> kick off

referring to intro schematic around browser/server - focusing on message exchange details

matthias leading

goal - find areas of fundamental agreement and build with those smaller pieces into the larger picture

this should be more technical than last discussion

tracking lists not in this discussion (next one)

Thomas starting with FF proposal around challenge response

<npdoty> IETF draft (from jmayer et al.) here -- http://datatracker.ietf.org/doc/draft-mayer-do-not-track/

browser send DNT 0 or 1, server responds {0|1} <&mdash; what it thinks the browser said {0,1} <&mdash; confirmation of consumer actions (possible opt-in)

<npdoty> <tl sketching DNT header and response header>

<applause>

<npdoty> tl: essentially Harlan Yu's position paper at the Princeton workshop

ThomasPottjegort - offering his proposal

<tl> yu's paper: http://www.w3.org/2011/track-privacy/papers/yu.pdf

<tl> tlr; do you have a copy of harlan yu's slide deck?

scribe: server response (0,1) only (user desire, server reply)

<npdoty> adrianba, is there anyone on the phone from microsoft to describe the DOM proposal?

next proposal from fielding

<adrianba> npdoty, the proposal is simply to make the value that would be sent available in script - there was lots of discussion at Princeton about whether that is a good idea or not

scribe: use Link: <policy>

<adrianba> npdoty, i think at this point it suffices to say that there is a proposal that this MAY be made available to script somehow

next proposal from Charles

<adrianba> npdoty, i can speak to that briefly if necessary but i don't have much more to say :)

scribe: include strings and ability to respond with a subset

next proposal from Ian

scribe: in server response include a 3rd field for "I don't know" field

next proposal from Jonathan &mdash; IETF submission - server just replies with just user request confirmation

shane: include a response of providing an already expressed consent signal

dave: how do we communicate states among parties?

charles: this is in my proposal

<npdoty> david: ... as in communicating to a first party whether one of the third parties is blocked

<clp> clp: A set of requested String the encode: Desired things to NOT be tracked, shared, relationships of trust etc.

<clp> ... reply is subset that the server can do

<karl> P1 - C "DNT: {0|1}" - S "DNT: {0|1},{0,1}"

<karl> P2 - C "DNT: {on,<strings>|off}" - S "DNT: {off|on,<subset of X>}"

<npdoty> ISSUE: should a server echo the DNT header to confirm receipt?

<karl> P3 - C "DNT: {0|1}" - S "DNT: {0,1}"

<trackbot> Created ISSUE-76 - Should a server echo the DNT header to confirm receipt? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/76/edit .

<karl> P4 - C "DNT: {0|1}" - S "DNT: <policyURI>;rel=tracking;state=on"

<karl> P5 - C "DNT: {0|1}" - S "DNT: {0|1},{0,1,?}"

<tl> the concern is that http proxies suck, and have a poor habit of removing headers that they don't recognise

<jmayer> actually, custom headers almost always traverse the net

<npdoty> tl, how is this handled for other HTTP headers?

<jmayer> there's a study on this by collin jackson

<karl> jmayer, by custom headers do you mean X-foo

<tl> jmayer, link?

ISSUE: how does a website determine if a first or third party and should this be included in the protocol?

<trackbot> Created ISSUE-77 - How does a website determine if a first or third party and should this be included in the protocol? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/77/edit .

<npdoty> ISSUE-77: connected to ISSUE-60

<trackbot> ISSUE-77 How does a website determine if a first or third party and should this be included in the protocol? notes added

<jmayer> last paper in http://donottrack.us/bib/#sec_technology

wileys: add link back to where your DNT policy exists

jkaran: +1

roy: do we need have to send DNT=0 or just skip?

<npdoty> ISSUE: what is the difference between absence of DNT header and DNT = 0?

<trackbot> Created ISSUE-78 - What is the difference between absence of DNT header and DNT = 0? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/78/edit .

KevinSmith: raised issue of whether to send a shortcut instead of string (well known location, e.g.)

<npdoty> ISSUE: should a server respond if a user sent DNT:0?

<trackbot> Created ISSUE-79 - Should a server respond if a user sent DNT:0? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/79/edit .

<npdoty> pde: put the browser back in the loop, knowledge of the opt back ins

KevinSmith: include a domain field

<npdoty> ISSUE: instead of responding with a Link: header URI, does it make sense to use a well-known location for this policy?

<trackbot> Created ISSUE-80 - Instead of responding with a Link: header URI, does it make sense to use a well-known location for this policy? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/80/edit .

<karl> P6 - C "DNT: {0|1}" - S "DNT: {1|0},domain, ..."

ISSUE: Do we need a response at all from server?

<trackbot> Created ISSUE-81 - Do we need a response at all from server? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/81/edit .

<npdoty> ISSUE-81: ifette suggests that the user either trusts the site or doesn't, so why would the browser bother to expose this response to the user?

<trackbot> ISSUE-81 Do we need a response at all from server? notes added

matthias: reframe client -> server and server -> client core payload
... client -> server: DNT preference to be set by client as 0 or 1 (agree)

fjh: extensibility &mdash; user can specify any limitations

<npdoty> does anyone know the number of that issue on extensibility?

<karl> npdoty, not sure there is an issue open yet. I'm checking

<npdoty> issue-59?

<trackbot> ISSUE-59 -- Should the first party be informed about whether the user has sent a DNT header to third parties on their site? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/59

<karl> npdoty, no issue open for extensibility of DNT header

<npdoty> Shane: just raising the problem, not a solution, that the first party will want to know which 3rd-parties are being blocked

<karl> ISSUE: Should the DNT header be extensible with additional parameters?

<trackbot> Created ISSUE-82 - Should the DNT header be extensible with additional parameters? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/82/edit .

matthias: from board generally: extensions include: 1) 1st or 3rd party, 2) fine grained controls, 3) identities, 4) blocking info

<npdoty> ChrisOlsen: what if the user wants to opt back out after they've opted back in?

issue: how do you opt out if already opted in?

<trackbot> Created ISSUE-83 - How do you opt out if already opted in? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/83/edit .

ifette: not thrilled around creating a bunch of UI in browser to manage these features

amyc: web based applications? is there a way to access the header?

<npdoty> ISSUE: do we need a JavaScript API / DOM property for client-side js access to Do Not Track status?

<trackbot> Created ISSUE-84 - Do we need a JavaScript API / DOM property for client-side js access to Do Not Track status? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/84/edit .

jmayer: DOM sets boolean flag but longer conversation

ISSUE: DOM property and its access generally and specifically to web apps

<trackbot> Created ISSUE-85 - DOM property and its access generally and specifically to web apps ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/85/edit .

<npdoty> close issue-85

<trackbot> ISSUE-85 DOM property and its access generally and specifically to web apps closed

<npdoty> issue-85: duplicate of issue-84

<trackbot> ISSUE-85 DOM property and its access generally and specifically to web apps notes added

<pde> npdoty, it wasn't a formal vote

<npdoty> ISSUE-78?

<trackbot> ISSUE-78 -- What is the difference between absence of DNT header and DNT = 0? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/78

<npdoty> tl: there are two states, DNT:1 and the other state

<npdoty> David: there seems like an important distinction here if the header doesn't get sent at all

aleecia: reality is that most browser do not have this feature

<npdoty> efelten: are there any current implementations with DNT set to 0?

<npdoty> tom_comscore: AdBlock Plus does (?)

tlr: if header is present - then 0 or 1, open question is whether absence of header a different meaning for user?

<npdoty> ISSUE-58?

<trackbot> ISSUE-58 -- What if DNT is explicitly set to 0 and an opt-out cookie is present? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/58

<tlr> RESOLUTION: if a DNT header is present, its value is either 1 or 0

<npdoty> or at least, it's no options other than 0 or 1

<pde> DNT: the children

issue: do we have general extensibility capability for header response?

<trackbot> Created ISSUE-86 - Do we have general extensibility capability for header response? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/86/edit .

<npdoty> issue-82?

<trackbot> ISSUE-82 -- Should the DNT header be extensible with additional parameters? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/82

<npdoty> close issue-86

<trackbot> ISSUE-86 Do we have general extensibility capability for header response? closed

<npdoty> issue-86: duplicate of issue-82

<trackbot> ISSUE-86 Do we have general extensibility capability for header response? notes added

<tlr> did we capture the scope of David's reservation?

matthias: moving to Server response side

<npdoty> I'm not sure I understand David's reservation regarding the resolution

<fjh> should ISSUE-82 be simply, "Should the DNT header be extensible"

<npdoty> davidwainberg, can you give more detail on your reservation?

<npdoty> "a server could use this to say the server does not know or will not tell you"

<npdoty> fielding: as a server developer I would never do this

<npdoty> ifette: for very small sites, I might say that I understand but I don't know if I'm cooperating or not

matthias: list of options 1) bouncing user preference, 2) sending server choice, 3) extensions...

efelten: isn't is assumed the server receives this?

<npdoty> ... what's the practical difference between not responding at all or responding with a ?

<npdoty> ifette: well, I don't think any of the responses will matter to the end user....

fielding: would not send "I don't know" other downstream servers or external processes that could be overridden erroneously

karl: is response useful to browser or user (filter)

<npdoty> ... if a response won't be useful to a user, then why send it?

pde: for user opting back in, need server response

<fielding> other components of the server (application filters or subrequests) may know what they are doing or external components (TCP routers that do logging external to the web server) may know what they are doing, and I wouldn't want my clueless response to override the others

KevinAdobe: don't define response if can't define use

<fielding> OTOH, I agree with ifette that it would be better not to respond at all and just rely on the published policy for indicating compliance

cris: policy reputation might be a good response for consumers to trust

clay: server response &mdash;> claim 1st or 3rd party

ifette: p3p ui not understood &mdash;> why create DNT UI ?

brett: server response bring enforceability (base contract)

ifette: argue in privacy policy already

<npdoty> ISSUE-82?

<trackbot> ISSUE-82 -- Should the DNT header be extensible with additional parameters? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/82

<ifette> ISSUE: Should there be an option for the server to respond with "I don't know what my policy is"

<trackbot> Created ISSUE-87 - Should there be an option for the server to respond with "I don't know what my policy is" ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/87/edit .

<pde> ifette, so you're okay with 0|1|?|no response ?

<pde> ifette, what about 0|1|no header ?

<ifette> pde, i would prefer there be no server response. If as a group we decide there should be a server response, I would prefer the list of acceptable responses to include a '?' value

<ifette> no header is not the same as "?"

<ifette> no header could be just "I don't understand what DNT is"

<tl> ifette, i can think of a whole load of ui things that i like, and a whole load of non-ui things that browser might do....

clp: other extensions &mdash; fine grained preferences

<ifette> tl, happy to hear suggestions

<pde> ifette, so I think you do think the response should have 4 values rather than 3 (if there is going to be a response at all)

<ifette> pde, if there is a response header, i was saying 3 values (0/1/?)

<pde> I would have been okay as leaving "not sure" and "I don't know about DNT" as the same case (the server sends no header)

<tl> ifette, for instance: i might enable or disable features that facilitate tracking. perhaps i treat third-party cookies, differently, or change my signature

efelten: other extension: URL of policy/link header

<pde> ifette, changing topics slightly -- I think your points about bad privacy UI design are well taken

<tl> ifette, incidentally, it's an eye, not a whirlpool in IE

<pde> and it's certainly dangerous/tricky/hard to put anything in browser chrome about this

<pde> but for us it's a good avenue to leave open if any browsers want to try it

<ifette> tl i realize it's an eye, but it looks like a whirlpool to me and if I say an eye it might bias responses :)

<pde> while certainly avoiding any SHOULDs or MUSTs on the subject

<tl> "browsers MAY tell or ask users about this, or choose do anything else"

<npdoty> I thought efelten's suggestion was a response header that included a string about why the server is responding DNT:0

clp: other extension: Identity response

<tl> ifette, one big thing is that the browser might make really different choices in private browsing mode

<tl> ifette, the browser might ignore "DNT:1,0" in regular mode, but warn the user with a doorhanger notice in private browsing mode...

jkaran: include info around sub-domains

<ifette> tl we explicitly say in our private mode that "Going incognito doesn't affect the behavior of other people, servers, or software"

<ifette> for us, private browsing is about reducing the traces left on the user's computer

<tl> ifette, true enough, but that doesn't mean that you shouldn't do as much as possible

<ifette> we don't want to give a false sense of security

<tl> ifette, we're considering how to adapt our private mode to local, remote, and network threats

<ifette> short of using tor, it's not clear we're not giving users a false sense of security

<ifette> (we've talked about tor...)

<tl> there's a lot you'd have to do to use tor safely...

<tl> </offtopic>

winding down discussion, deciding on action items

use cases around "?" will hold after documentation of protocol to see if necessary

Tracking Selection Lists

<npdoty> adrianba, does anyone on the phone from MSFT want to talk during the next session on Lists?

<adrianba> npdoty, we don't have anything specific to present - our proposal is the list section of our submission

<adrianba> npdoty, our preference would be to start there and iterate based on feedback but want to hear what the group thinks

<adrianba> npdoty, for example karl has sent feedback to the list, which we're preparing a reply to

<npdoty> thanks, adrianba, you don't have any other specific comments for the live meeting?

<adrianba> npdoty, not at the moment

<npdoty> gotcha

<jmayer> Want to make sure the Adblock Plus format gets significant consideration.

<jmayer> It is hands down the most popular content blacklist format.

<npdoty> the input documents I see are:

<npdoty> * http://www.w3.org/Submission/web-tracking-protection/

<npdoty> * http://adblockplus.org/en/filters

<npdoty> * http://www.opera.com/support/mastering/kiosk/#url-filter

matthias: last technical session: tracking selection list

karl: microsoft tsl proposal
... simple text file where each line lists a domain, and whether it should be allowed or blocked
... ex: "-d rogue.example.com" blocks
... and: "+d splendid.example.com" allows
... already in IE
... opera "url filters" proposal
... uses an .ini file, has dom api
... in ms proposal, can have many lists
... in firefox, there is another api

<tl_> i think karl is referring to adblock plus, not firefox

david: clarification: after parsing list, if a domain is to be blocked, all third-party requests to that domain are ignored
... if a domain is allowed on one list but blocked on another, it is allowed

<adrianba> the other reason for having an allow is so that you can have a simple general block rule and then allow exceptions

<KevinT> http://tplviewer.com/

aleecia: you can use your own custom list, and your list overrides all others

karl: no, your own list does not override

<adrianba> http://www.w3.org/Submission/web-tracking-protection/#processing-multiple

<adrianba> merging lists, all allow rules merge at the top

tl: clarification, the "mozilla" mechanism is actually abp

ifette: this seems a lot more than tracking protection, it seems like an ad-blocker in the browser, and we don't want to ship one of those

davidwainberg: this standard is about dropping http requests. what else should i know about this?

ifette: ex: cross-origin http requests would have been dropped under some circumstances

ThomasPottjegort: or multiple redirects

npdoty: not from ms but, not for blocking advertising, more like one-pixel trackers

<karl> Mozilla nsIContentPolicy, Interface for content policy mechanism. https://developer.mozilla.org/En/NsIContentPolicy

kevin: as a web developer, i don't like being unable to control my site

<jmayer> (Firefox has a bunch of APIs you can use to block content.)

jkaran: often things are requested on a pathway through several servers, if we block an intermediary, it might affect revenue counts
... this list could be huge, and it's not clear to a user how these lists may interact

Brett: this is a terrible idea. you can end up blocking css and other site-critical elements. most of these lists actually are ad-blockers, and this is content theft.
... i love that this gives consumers choice, i hate that it takes choice from content providers

roy: i don't see any interoperability needs for these lists

<jmayer> tl, to block tracking, you have to block advertising http://cyberlaw.stanford.edu/node/6730

tl: web developers: i know that you like to control experience, but if you do something that users object to, they're entitled to be in on that conversation

<jmayer> re ad blocking as "theft," it's trivial to tier access to visitors who block ads

tl: it may be the case that billing is broken, but if billing depends on objectionable tracking, that's something that users should be involved in

<fielding> I don't see any interoperability issue here that can be standardized -- the browsers do not share these lists with other browsers, even those owned by the same user.

tl: re standards: the formats, one piece of content, that's entirely the point of a standard

ifette: browsers are user agents, they should follow user needs
... agree with tl's point re negotiation. we need to facilitate negotiations between users and sites
... someone couldn't just walk into a store and take without paying
... likewise, shouldn't do the same with content

<ifette> ifette: but the content belongs to the site. So, both party's interests need to be respected

ThomasPottjegort: lists seem unscalable, blunt instruments
... content publishers have some mechanisms to identify third part calls

kevin: is crazy-talk, nobody would ever do that.

ThomasPottjegort: yeah, but you could do it sometimes.

kimon: all about negotiation. publishers need to know about blocking when it happens.

KevinT: lists provide a way to make policy. there can be a system separate from policy
... exemptions can also be filtered
... this concept of reputation is important. users shouldn't have to decide who's trustworthy, they should be able to outsource that to list-authors (like with antivirus)

cris: need to have conversation between first party and advertisers, users

<cris> just to quote vp at bluecava, Eric Johannsen

<cris> "If tracking protection is implemented so that consumers cannot be tracked, there will be no free internet."

charles: if anyone wants to use these lists, we should agree on the format. if we have a better way to implement these lists, we should do that. negotiation is awesome, need a good way to express that

<cris> we need the ability for consumers to express a preference, not blocking, not protecting, to whether or not to allow website to track in exchange for service and content

karl: @ifette, sometimes opera and google disagree. you don't want to ship these lists; at the same time, chrome has an adblock extension. users may want the choice to install these addons, and these lists are the tools they need to do that effectively.
... i naysay to those who think that users who block ads will kill the web. arguing against this is arguing against reality: people already do this!

matthias: adblockers exist, and it's not our place to disallow those. we need to talk about the actual interoperability needs of these lists.

<jmayer_> Unclear that Do Not Track will get buy-in. We should standardize tools for consumers to help themselves if that doesn't happen.

matthias: c.v. antivirus, where there's lock-in on lists, and less competition.
... browser vendors are free to use these lists or not. from a standards perspective we need to decide whether we want to mandate these lists.

tl: we don't want to mandate the use of these lists, we just want to agree on the format

karl: concur

kevin: should we talk about this at all?

ifette: suggest: no no need for standards for blocking lists
... exist many adblockers, they don't seem to be suffering from a lack of standards
... why should we deal with helping them
... our time could be better spent

kimon: when you get on a bus, you see ads. there's bad advertising, but it's here to stay. agreeing on an industry standard to block ads is wrong, and it's an abuse by browser manufacturers

<ifette> s/no needs for standards/no need to standardize list format for ad blockers/

npdoty: this isn't "stealing". this is a good place to agree on a common format. we should not try to control what users do. standards exist to allow users to do what they want. some have disabilities or other problems. user agents should not be *forced* to make requests

<jmayer_> Would like to note that Chrome was once on track to support blocklists. http://code.google.com/p/chromium/issues/detail?id=16932

npdoty: re: notice and negotiation: good idea! the user-agent should fire-off a download error when blocking, so sites can react and monetize.

<fjh> +1 to npdoty

tlr: clarification requested by matthias: it is up to chair to make decisions about use of time & resources

matthias: we agree that we shouldn't mandate lists

karl: we couldn't

matthias: anyone want to do this?

tl: if there's so little interest, it should take no time

ifette: if there's little interest, perhaps some other group can do it

kevin: all conversation about lists moves to adblocking. perhaps we should listen to that

<fjh> not everyone is here that might be interested in this discussion, some had to leave early

karl: the list format is not content-specific. it could block malware, or anything else.

charles: we all agree that we do not want to mandate these lists

tl: clarification: we do not want to (and may not be able to) mandate the use of these lists. we shall speak of it no more!

matthias: if ads are blocked through an ad blocker, do we need some way to communicate this to a site

ifette: i thought we didn't care?

aleecia: we can later discuss whether we care

ifette: deal

charles: negotiation?

matthias: maybe

<jmayer_> It's really quite straightforward to detect ad blocking with current tools.

matthias: repeats "if ads are blocked through an ad blocker, do we need some way to communicate this to a site"
... straw poll:

ifette: who cannot live with continuing to work on it

aleecia: significant split

edfelten: also, ms is not here

matthias: session ended

<jmayer_> This is bogus. Advertising companies force users to choose between publisher monetization and privacy, then cry foul when users choose privacy.

<clp> Break until 4:30 pm for wrapup

<clp> Charles: take a look at this:

<clp> http://www.slate.com/id/2304404/pagenum/all/#p2

<clp> .... a la blocking issues

<clp> ... (it's nothing revolutionary, just thought the automated list abuse underlined earlier arguments made)

Wrapup

aleecia: we have aggressive deadlines at the moment and we don't have text yet
... we're planning to have editors before next Wednesday
... expecting to have straw man drafts at the same time
... need to turn minutes and the issues list into something useful (merging, grouping, removing duplicates)
... call on Wednesday start creating action items out of the issues list
... really enjoyed the energy level, people engaged
... comments have been constructive; heated, but not personal, working towards resolution
... we've been productive in raising issues
... and understanding the W3C process
... thx to the scribes! and nick and thomas
... thanks for coming on short notice and participating
... not everyone will make this Wednesday's call we know, but that will be the standing call

clp: recorded audio -- let me know if you're interested

tlr: better to announce recording of audio ahead of time

email pictures and links of pictures to npdoty@w3.org who will compile for the sake of the minutes

matthias: thanks as well, next wednesday call we'll take the issues and start assigning

<clp> bye all

matthias: liked this meeting a lot and had everyone engaged
... see you again in Santa Clara

<applause>

Summary of Action Items

[NEW] ACTION: jkaran to summarize issue 17 and provide excel sheet [recorded in http://www.w3.org/2011/09/22-dnt-minutes.html#action01]
[NEW] ACTION: Mayer to draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) - due 2011-09-30 [recorded in http://www.w3.org/2011/09/22-dnt-minutes.html#action03]
[NEW] ACTION: Shane to draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) - due 2011-09-30 [recorded in http://www.w3.org/2011/09/22-dnt-minutes.html#action02]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2011/09/26 23:40:04 $