See also: IRC log
<hober> semi-regrets for today: I won't be on the call but will be here in IRC.
<aleecia> i'm having insane mouse issues; may not be able to type on IRC depending on how things go
time to get started?
<clp> This is Charles L. Perkins, Virtual Rendezvous.
<aleecia> scribe: tom
aleecia: reviewing minutes from boston
<npdoty> http://www.w3.org/2011/09/21-dnt-minutes.html
aleecia: links sent out
<npdoty> http://www.w3.org/2011/09/22-dnt-minutes.html
aleecia: any comments?
<jkaran> Sorry - how do you get the audio?
aleecia: no comments. minutes are approved.
<jkaran> The email had a different code.
npdoty: if you have photos, please send them to nick
<npdoty> Please send me (npdoty@w3.org) any photos.
<npdoty> Sorry about confusion over the code, I sent a correction via email.
<clp> (can hear audio now, had wrong code)
aleecia: announcing some editors
... Justin Brookman [with] Erica Newland editing compliance [specification]
... Roy Fielding, Adobe editing tracking preference expression
... techincal editor [for Selection List document] tba
... turn to pending action items
<npdoty> http://www.w3.org/2011/tracking-protection/track/
aleecia: please review the issues list online
<npdoty> http://www.w3.org/2011/tracking-protection/track/actions/open
aleecia: aleecia has one overdue action
... currently overdue on producing a summary contrasting several input documents
... could anyone volunteer to assist with that action over the next week
<clp> I can try to help you, Aleecia.
aleecia: the rest is silence
... clp volunteers to assist aleecia
... more assistance always useful
aleecia: move on to look at some of the issues which have been merged and deduplicated
<npdoty> http://www.w3.org/2011/tracking-protection/track/issues
aleecia: there are some closed issues. if you have comments, enqueue yourself in irc.
... issue 16,18 are pure entry error duplicates
... four other duplicate pairs
... 3,33 == about user choice & complexity
... 7,11 == both documenting use cases
jonathan: 34,23: want to note difference between subcontractor exemption and analytics exemption
aleecia: yes, but one could be removed without the other
... renaming issues 19, 37
<dsinger_> Wants to know how you would like discussion of the issues handled. In email, on a wiki, or…?
tl: can we be automatically notified to issue changes?
aleecia: unknown
npdoty: can do atom feeds. we don't want emails, because that's tiresome.
aleecia: prefer to discuss, rather than notify, at least to start
aleecia: new business
... base cases!
... #1 when you know you're a third party, and you know you're serving targeted ads
... #2 when you know you're a first party
... the two extremes
... nb issues 19 & 17
<dsinger_> Nothing that COULD be associated with a single user may be recorded
<dsinger_> ?
tl: propose: case #1 do not record any information about dnt user, except for minimized security & performance logs not used for any other purpose
jonathan: question: is the 3p making behavioral advertising use of information, a 3p only doing behavioral ads, or any 3p
aleecia: just a 3p doing only behavioral ads
<npdoty> ISSUE-19?
<trackbot> ISSUE-19 -- Data collection / Data use (3rd party) -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/19
<schunter> Matthias: I would rephrase the question as ¨what (technical) means should a 3rd party instantiate in order to ensure that it satisfies the desire of a user not to be tracked¨.
jmayer: i think we can all agree that data cannot be used
<jmayer> My underlying concern here: there's no company that does *just* behavioral advertising use of data.
<jkaran> Yes
aleecia: repeat: proposal: data cannot be used to target ads when dnt is on
<npdoty> ACTION: Jonathan to clarify distinctions on "opt back in" between ISSUE-27 and ISSUE-63 [recorded in http://www.w3.org/2011/09/28-dnt-minutes.html#action01]
<trackbot> Created ACTION-7 - Clarify distinctions on "opt back in" between ISSUE-27 and ISSUE-63 [on Jonathan Mayer - due 2011-10-05].
jkaran: agree kinda, but we already have self-reg using cookies
... then check to look at cookies
<npdoty> ACTION-7 due 9-30
<trackbot> ACTION-7 Clarify distinctions on "opt back in" between ISSUE-27 and ISSUE-63 due date now 9-30
jkaran: and possibly see if user is opted in
aleecia: are there actually any opt in cookies?
jkaran: no, only opt-out cookies
<jmayer> For the moment we're discussing whether Do Not Track does at least as much as opt-out cookies; does that require figuring out how to reconcile DNT and opt-out cookies?
<schunter> If a cookie is opt-out only, then expressing a prefernce not to be tracked via cookie OR DNT should stop tracking.
jkaran: my opinion: either dnt or cookie is sufficient
<npdoty> I think we're discussing ISSUE-56 and ISSUE-58 now
davidwai: the us does not include opt-in. some companies may use opt in. companies might implement opt-in by deleting an opt-out cookie
<schunter> Only potential conflict is opt-out cookie + DNT expression that tracking is OK (from my perspective).
aleecia: sounds like we're talking about future-proofing against affirmitive opt-in
<npdoty> ISSUE-27?
<trackbot> ISSUE-27 -- Mechanism to revoke Do Not Track for specific entities (maybe I really like Google), "opt back in" -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/27
pde: let's talk about opt-back-in later, on that issue
aleecia: so let it be done!
<jmayer> This doesn't sound like it falls within OBA use of data.
<schunter> Can you post the final phrasing in IRC?
pde: largely agree with tom: 3p must stop retaining data. also link to another issue: scope of security/ fraud data. that sec/fraud &c data must be protected from misuse. let's talk about that excep later.
aleecia: can talk about both use and collection. let's start first by agreeing on use.
... so, to begin: assert: 3p should not use any ob data aforeobtained to serve an ad
<npdoty> '3rd party that receives a DNT header, modulo some exemptions and opt-back-in options, should not use any behavioral data to target an ad' -- was that the language we're discussing?
<clp> Yes
amyc: there may need to be ad tracking exemptions, some add may need to be served
aleecia: exemptions later. does anyone disagree with the basic principle
<efelten> Not sure what is on the table now. Is it "no use for OBA, other uses to be discussed later" or "no use for OBA, other uses are allowed"?
<jmayer> efelten, the former
<pde> amyc: do you think that ad delivery needs exemptions beyond the exemption for anonymized, statistical reporting, and the exemption for clickfraud?
<jmayer> efelten, and "collection to be discussed later"
dsinger: important to separate the data already collected from data to be collected now.
<jmayer> The question on the table is, in essence, "Does Do Not Track do at least as much as current self-regulation?"
dsinger: i think it would be unacceptable to collect but not use, let's talk about that
aleecia: yes, later
... so are we saying that you can't use data from (current transaction|all time)
... does anyone disagree with a prohibition on using all historical data
<jmayer> Historical data for OBA purposes
david: do we mean any historical data, any historical *oba* data...?
<jmayer> everything!
aleecia: if you are a 3p, seeing dnt, does it it merely mean that you cannot use this session's data, or all history data... to serve ads
<pde> it's /tracking/ data
<pde> anything that is linkable
<jmayer> any data about an individual user
david: oba data, or any data?
... should it mean no use of ob data for ob ads, or anything else?
aleecia: yes
david: sounds like industry opt out
aleecia: yes. starting here
<jmayer> unsure what "OBA data" means
aleecia: potentially moving further later
<jmayer> industry self-regulatory language is absurdly slippery, would want some clarification there
pde: further: re: past records. but first, should verify consensus on first point
aleecia: does anyone disagree with the current point?
... no disagreement
<npdoty> agreed: a third party receiving a do not track signal should not use the current data from the current interaction to serve a targeted ad
aleecia: CONSENSUS: a 3p receiving the dnt signal must not use data from the current transaction to serve a targeted ad
pde: retaining data is the crux of ads
<jmayer> what is this "current transaction" thing?
<jmayer> because i'm totally cool with contextual and demographic advertising
<amyc> what about use of IP address?
pde: if you see a dnt header, you should cease retaining data for other transactions.
aleecia: will deal with that later
... so: is ip address information in question
pde: obvs, you need to use ip in order to send
<amyc> qustion is about geo target of IP address for current ad only
<pde> amyc, IMO it's not tracking if you don't retain it
aleecia: yes, but question is whether ip can be used for targeting
<jmayer> Rationale: if an advertising company gets the IP and referrer no matter what, why not allow some advertising use?
tl: any current info, including ip, may not be used to target an ad
jonathan: perhaps advertising people will like this.
... using current ip or referrer , without collection, would be ok
... i'm ok with uncollected session information used to target
tl: i can live with jonathan's definition
<pde> and let's focus on the privacy problem we need to address here, which is the /retention/ of the IP and referrer by the advertiser
aleecia: what about the user interaction of showing a geotargeted ad to user with dnt on. is that good?
amy: using current ip doesn't seem like tracking or oba
pde: do we have consensus to use ip, referrer in a fleeting manner to target ads
<aleecia> noted
<pde> clp: worried that users would perceive geotargetting as "tracking", even though behind the scenes nothing was being retained about them
jules: distinguish between geo-targeting (which is important) for say region-coding by country, rather than targeting based on aggregate demographics assoociated with ip/zip
... the latter is a de-facto profile
hear hear!
jmayer: jules, taking an ip, and using that as the index for profiles would count as oba, and excluded
jules: yes
dsinger_: it may not be prudent to offer ads that may nonetheless be allowed, because the user thinks that creepy. nonetheless, treating user as if you know nothing else about them than what you see right now
<davidwai_> will the standard include best practice recommendations?
<aleecia> ?
dsinger_: ex, if historical data is used, user may see no difference, =[
aleecia: propositon: a 3p seeing dnt, barring conflict w/ opt-back in or exemptions, may not us current data to target ad, except ip or referrer
<dsinger_> I think the basic principle is that you are treating me as someone about whom you know nothing except what is visible in this transaction, and remember nothing.
aleecia: (at a minimum, may add to this later)
... to serve a targeted ad
<pde> Zakim: pde is Peter Eckersley
davidwai_: i am not aware of a definition of tracking which includes current session info
aleecia: does anyone agree with david?
tl: propose that definition, because users find it creepy
BrianTs: query string is passed to third party. what about additional information passed by first party
... may see a targeted ad on that
<amyc> I agree with David
jmayer: some agreement with david
<dmckinney> I agree that this is Targeting, not Tracking
jmayer: what if a 1p passes say gender to a 3p? i'm okay with that, probably. but not more info.
... say name
<aleecia> is davidwai_
<dsinger_> I feel we need a strawman and more email discussion
<aleecia> I'm noticing that too
davidwai_, tom, srsly?
tl: reiterate, assertion.
aleecia: users are asking to have ads not personalized to them
... dnt is the ui for that
<jkaran> disagree with aleecia
aleecia: folks should write up proposals
<dsinger> users are asking not to have databases built about them; targetting is a symptom, not the core problem, IMHO
<aleecia> will be asking for proposals
<aleecia> think about if you'd like to make one
pde: what part of this consensus do you not agree with
j: i don't understand the exemption for ip & referrer
pde: not an exemption, it's an explanation
<dmckinney> what about lat/long info from a mobile device?
pde: you always get ip & referrer with that specific request. that's not tracking. the real question is whether you can use info from five minutes ago.
<justin> Agree with PDE
<dsinger> you should treat me as a person about whom you know nothing, have been told nothing, and remember nothing, using only data that is not remembered and not associated with me. So it's OK to notice I am in California, where it is evening, on a web site that sells bar snacks. Maybe I have a party this evening....
<aleecia> action tl Tom to write a proposal on what DNT means to 3rd parties due by tuesday
<trackbot> Created ACTION-8 - Tom to write a proposal on what DNT means to 3rd parties due by tuesday [on Thomas Lowenthal - due 2011-10-05].
<jmayer> dsinger, what about other things the bar snacks site says about the user?
aleecia: any competing proposals
<pde> pde: I also said (to which several ppl agreed) that allowing the 3rd party to use data from 5 minutes ago /would/ be tracking, and we'd need to talk about a special exception for that
<npdoty> ACTION: Write a proposal on what DNT means to 3rd parties (for davidwainberg) - due Tuesday [recorded in http://www.w3.org/2011/09/28-dnt-minutes.html#action02]
<trackbot> Created ACTION-12 Write a proposal on what DNT means to 3rd parties (for davidwainberg) [on Nick Doty - due 2011-10-04].
aleecia: pure 1p interaction, what to do when seeing a dnt header
pde: 1ps should get may or should rather than must
... more advice & best practices rather than requirements
dsinger: 1p must not relay personal info to 3p
jmayer: i do not believe in a must for 1ps
<dsinger> ok, I can live with the onus being on the 3rd party to ignore it, and only recommend that the 1st party not relay it
jmayer: probably, dsinger's suggestions should be shoulds, not musts
<amyc> dsinger - that would mean first party would not be able to display any ads, right?
jmayer: most info handoff code is from 3ps
action tl to proposal for what 1ps must do, by tuesday
<trackbot> Created ACTION-9 - Proposal for what 1ps must do, by tuesday [on Thomas Lowenthal - due 2011-10-05].
aleecia: any other proposals, suggestions?
<pde> we seem to have some problems with the relationship between our IRC nicks and our identities in W3C systems. I bet Aleecia told us about what to do about this right at the start of the process :)
<tlr> ACTION: mayer to draft a proposal for the obligations (or not) on first parties [recorded in http://www.w3.org/2011/09/28-dnt-minutes.html#action03]
<trackbot> Created ACTION-10 - Draft a proposal for the obligations (or not) on first parties [on Jonathan Mayer - due 2011-10-05].
dsriedel: what are 1p, 3p?
<pde> ACTION: Jonathan to write 2(+?) sentence proposal that no MUSTs for first parties - due Tuesday [recorded in http://www.w3.org/2011/09/28-dnt-minutes.html#action04]
<trackbot> Created ACTION-11 - write 2(+?) sentence proposal that no MUSTs for first parties [on Jonathan Mayer - due 2011-10-04].
<pde> oops
aleecia: we have not agreed, there are open issues, that is deferred.
... we'll get to that later
<tlr> to fix this: http://www.w3.org/2011/tracking-protection/track/users?login
<aleecia> davidwai_ for example
tl: account-nick pairings?
aleecia: will fix
... watch this space: next week, same time, same place. you know where to find us.
<jmayer> thanks aleecia
aleecia: adjourned!
<clp> bye
<pde> tlr: how do I add myself to the list of TPWG participants?