Tracking Protection Working Group Teleconference

<karl> interesting I wonder if we have an official slot in the calendar. To ping nick about it http://www.w3.org/Guide/1998/08/teleconference-calendar#D20111005

<npdoty> [yes, for future teleconferences: http://www.w3.org/Guide/1998/08/teleconference-calendar#s_4971 ]

<aleecia> Good morning!

<aleecia> That joke never gets old

<aleecia> Hi, please use "aaff is aleecia" or similar syntax for your phone number

<scribe> scribenick: clp

Aleecia: agenda
... moving onto old business
... any comments on action items before?

Open action items

<aleecia> Sean did complete action-5

clp asks about the help aleecia needed last week, I did not get email to help you?

<jmayer> http://www.w3.org/2011/tracking-protection/track/actions/5

Aleecia: checking on text in email for Action-5 (shane)
... NOTE: send things to the mailing list
... don't set things in the system itself
... Nick has something for David
... David will speak later we think about it.

clp: reminds Aleecia of help with text
... comparison document.

First and Third Party proposals

aleecia: new business:
... regarding the proposals that went out to the list
... 1st and 3rd parties... Jonathan begins

jmayer: His definition has three parts
... first is technical precautions
... same origin policy maps directly to the things we want
... second: internal controls
... within a company, to make sure that 3rd party things aren't going on
... cross site data, ability to track across them
... third: should be some legally enforceable committments
... some overlap to where Shane and he went
... also have to be enforceable by individual users
... list there should be no surprise

clay: he can't speak to legal enforcement
... your definition of cross site... what were you thinking exactly?

jmayer: I meant that in the sense that this is information that could be used to identify individual or devices across sites
... hard to define clearly, can be jumbled, should be clear

clay: across domains? businesses?

jmayer: across first party

clay: same as definition of 1st party, thanks.

dwainberg: not clear how 3rd party would make legally enforceable agreements to 1sr party?
... why technical sep. and public commitment rather than contracts?

<ShaneW> Unable to join bridge - was kicked out and number is no longer accepting calls

<ShaneW> Trying VOIP and Mobile

jmayer: part 1 of question was...?
... resolve with just a contract
... commitments other than web site?

dwainberg: how would it work, and why choose this form, public and enforceable, how and why?

<aleecia> (Phone +1617761.6200 passcode TRACK (87225)) -- if that's not working, I'll see what we can do on capacity

<aleecia> And let W3C know we're running into trouble with only 33 people

<ShaneW> That's the number I'm trying - not working through multiple modes

dwainberg: why not instead just look at whether data is proprietary to 1st party.

jmayer: <response lost by scribe>

Tom: ... 1st party doesn't have same incentives as the user
... harm to user won't hurt them
... imagine a third party who instead of following the requirement to download and keep it propritary
... the first party has no harm, but user could be hurt, tracked
... the user also has a right of action in that situtaion

dwainberg: does the user really have right of action here?

<ShaneW> Any updates on phone call access? Still unable to join through multiple channels and attempts [frustrating]

<jmayer> dwainberg, that's a messy issue of law that I tried to avoid getting into in the definition

Aleecia: on to Tom

tom: my 3rd party proposal says they may not store user or transmit any info received except

<dwainberg> jmayer, the problem is, once you start adding contractual reqs to the standard you are into meesy issues of law

tom: intermittet storange and use just for this response is allowed
... or if truly anonmized
... or if other exemption explicitly

<jmayer> dwainberg, no specific legal forms required, just an outcome

tom: then data for that must be limited to that exemption

<jmayer> dwainberg, let companies that comply satisfy the legal requirement in whatever form works for them

tom: in addition, of the 3rd party *know* that user has opted back in, they can resume normal tracking

<ShaneW> Back on the phone call

tom: they can use the info planing transmitted like IP, referred, etc. as long as they don't use it for detailed indexes into further targeted advertising

<npdoty> tl is describing https://people.mozilla.com/~tlowenthal/dnt/tpwg_action-8_proposal.md

<aleecia> Good, thanks. Sorry for that. I'll ask Nick to look into that.

tom: region coding good, but something with details of user income etc not OK

Shane: IP address look is country level

Tom: that is absolutely OK

Shane: where is the point where it is no longer acceptable?
... somewhere in greater LA?

Tom: not familiar with details of the existing databases
... not a bright line yet in proposal
... precise is bad for now, general is good

jkaran: sounds like it will be sep discussion, another IP adds usage question

aleecia: bright line on IP / geography again

<npdoty> do we need a separate issue on IP geolocation precision? or is there some more generic description of that issue?

jmayer: restrictions on use... what limitations on retention?

<aleecia> I think we should see if we're going down this path at all first, but if we are, we will need an issue there

jmayer: hash referer, drop IP?

tom: great question
... come at it from other direction, any storage disallowed except emphemeral
... types of logging that are acceptable

justin: treats cross site anayltics?
... if data is collected and perfectly anonmized, neilsen can use?

Tom: Yes

justin: may be stored, but can it be used?

tom: things that may or may not be done at time of request
... 5 minutes later, you can do whatever you want
... eg fraud records, anonymous data, use later OK

dwainberg: the party must not use *any* info to target ad
... two related ?s
... definie targeted ad
... expalain rationale... concern is about profile build up
... limitations in this proposal ... seems to go beyond what we discussed before

tom: talking about serving a targeted ad...
... others chime in if not right
... serving an Ad using knowledge you had about the user before this transcation

dwainberg: so no info from this session?

tom: from this request, yes
... people don

<aleecia> so this gets to a big question of what DNT is: does it mean no targeted ads, or does it mean no information between sites, or some mix of both

tom: want profiles built up, but sometimes users browse with DNT on, or off
... user wants no Ads when DNT is on, even if collected when DNT was on previously
... off above

<ShaneW> Agreed - both further profiling should be halted and OBA targeting should be halted

jmayer: suggestion for structure
... gets to some other issues in addition

<karl> Is it "no ads" or "no targeted ads" not the same thing

jmayer: as this evolves, break up some of the sections into the other issues / separate them as stand alone

<ShaneW> No "OBA Targeted" Ads

tom: give me some red lines, suggested section please

jkaran: about the 3rd party tom mentioned...
... if that means not using stored data, so other types of targeting is open, OK

<vincent> why users should not see targetted ads if the profile was built when DNT was off?

aleecia: what is the user experience?
... does it make it feel like DNT works for them? or not works for them?
... the two proposals vary greatly on this

<dsinger> I agree with the proposer; advertising per se is not tracking; tracking is remembering data or using remembered data. DNT means treat me as someone about whom you previously knew nothing, and about whom you are remembering nothing

<karl> vincent, because I suppose once DNT is on, they are not supposed to be known in the context of that transaction. A bit like a mask you would put on your face entering in a shop

dwaingberg: find it hard to generate proposals or comment on them without the definitions in place
... get consensus early on meaning of terms

aleecia: for framing... trying to take up obvious cases
... this is the URL you typed in, 1st party, seemed clear, vs. 3rd party
... looking for base cases, as easy as possible, to get early starting point
... if we all agree for 1st party, how they respond, not what it is yet
... not word smithing yet
... we all haven't had enough time to compare them side by side yet
... true?

<ShaneW> +1 - Need more time

<fielding> +1

<clp_> +1

<Kimon> +1

<dwainberg> +1

<BrianTs> +1

<dsriedel_> +1

<cris> +1

<adrianba> +1

<KevinT> +1

<dsinger> +1 needs time

<jkaran> +1

<clay_opa_cbs> +1

<jmayer> -1?

<Alex> +1

<ShaneW> LOL

<dmckinney> +1

<karl> -----------

<jmayer> +1

<Justin> The two proposals look at different things

<tl> +1

<Justin> Jonathan's is a subset of what Thomas writes about

<Justin> Not remotely!

aleecia: suggest we take the rest of this discussion to mailing list

<vincent> karl, ok but implicit assumption that profile is stored by the third party (might be by the client)

aleecia: not just clarifying question but different viewpoints, get into open, work thru them, more time with text, and more text welcome
... moving forward to 1st party
... tom proposal summary

<ShaneW> Could someone please post link to Tom's proposal in IRC?

tom: had should should Not and Mays
... protect user's privacy and anonymity if possible
... give user info about steps they take, or give user options to better protect
... closely align with Jonathon's 3rd party propsal
... the should not section similar to the above

<Justin> https://people.mozilla.com/~tlowenthal/dnt/tpwg_action-9_proposal.md is Thomas's proposal

tom: the only hard rule is: only store pieces of info for a particular purpose
... state exactly what is collected and why when DNT is on

shane: is it that w3c not say what to do in operationally with DNT?
... they define it in privacy policy?
... a consolidate approach? or individuals orgs. do it on their own?

tom: I have a very different opinions of 1st and 3rd parties
... user choice, and transparent, saying what you are going to do, with 1st party
... user has little choice for 3rd parties
... so strong restrictions should be in place for them
... for example, fraud exceptions for 3rd parties will be detailed
... but in 1st parry, they can use and do anything as long as they are up front about it

shane: trying to understand the breasth of the proposal...

<aleecia> Clarification

shane: industry wide policy... what they won't do? or to the other side

<aleecia> I'm trying to nudge substance to the dlist

shane: uniform response, on DNT
... no variablilty?

tom: 3rd parties should be more strongly restricted, user choice limited, hard for them to even discover who they are, what policies are
... for first parties, it is stronger that the status quo
... stating exactly which pieces of data you collect, and for what use
... closer to Germany or UK rules, new to US

shane: out of scope?

<fielding> I think Tom has a very different view of what DNT means than I do. DNT should not have any effect on first parties. DNT only refers to cross-party tracking -- not targeting. The user is asking not to be tracked. They are not asking for a non-customized experience (directly).

fielding: I don't see DNT having anything to do with targeting
... user does not want to turn off customized experience

aleecia: there is a genuine difference about what the DNT is or does... two views

<dwainberg> agreed

<ShaneW> agreed

fielding: fair to say that I do not agree on what DNT is here... based on text / definition we have not talked about yet

aleecia: split in group of what DNT is / should be
... how and why the proposals differ reflect that

<dsinger> I agree that targeted is merely a symptom of tracking. Ideally we don't talk about ads at all.

dwainberg: how this proposal interacts with the contractual relationship between user and first party?
... contracts override?

tom: DNT signal is a contractual relationship

dwainberg: what about preexisting agreements?

tom: we have discussed opt-in, so the DNT is a default, they there can be opt-in when a site needs to do more, asks user

dwainberg: to be clear, user visits a site, registers to a site, agrees to TOS
... that allows them to collect certain data
... DNT then voids those terms?

<ShaneW> Out of SCOPE

<clay_opa_cbs> My question had been about Opt In, but I didn't see that as a clarifying question. ;-)

tom: users could be preemptively opted back in under some conditions...but illegible TOS that hide agreements not godo
... good

aleecia: what does DNT mean?

<ShaneW> Let's try to "fix" all online privacy in one pass :-)

aleecia: capture different views

<ShaneW> Let's NOT try to "fix"...

<fielding> ISSUE-2?

<trackbot> ISSUE-2 -- What is the meaning of DNT (Do Not Track) header? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/2

<JC> I assume that we restricting the definition to 3rd party personalization

<dsinger> strongly believe that "tracking" means collecting information about me and storing it (and using it later, sharing it with others to use)

aleecia: a more specific subset of Issue 2 here

<Justin> Are you saying that no customization = no first-party customization too?

aleecia: (a) no customization, users are seen for the first time every time

<aleecia> Issue: Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about data moving between sites.

<trackbot> Created ISSUE-89 - Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about data moving between sites. ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/89/edit .

aleecia: (b) data moving between sites

<ShaneW> Depends on context - 1st party vs. 3rd party

<npdoty> proposed issu: does DNT choice imply no customization (even on a single site) or does it refer to tracking across multiple sites?

clp: possible to have both opinions from the user's point of view

<aleecia> changing text on issue-89: Charles (clp) thinks it's not either/or but union view: some customization looks like tracking and it hasn't been turned off.

clp: certain customizations even on a single site may look to the user like tracking

dwainberg: customization, seen for the first time, are 2 different things
... eg geographical
... not lumped into the same thing

aleecia: so not seeing for the first time, more about personalized customized?

<ShaneW> Agree with David - DNT = Use of previously collected information outside of the current session

<npdoty> so customization -> customization based on past collected data?

dweinberg: customization can happen without tracking the user, just using the data of this interaction

<jmayer> or customization without collection

<jmayer> lots of work on this

<Justin> Agree with David/Shane if session ---> transaction

dweinberg: another layer to it...

<aleecia> Trying to refine wording on: Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about data moving between sites.

dweinberg: what data exactly?

<dsinger> agree with David; customize using data "presented in the current transaction" if you like; but don't store data, and don't use stored data, about me

dweinberg: does it make a difference if it s the web history? interest profile?
... interests only in cookie? vs server side store?

tom: I would break it down via 1st and 3rd parties
... tracking vs instant cusimization text?

aleecia: just trying to capture this

<fielding> Customization based on first-party data (data obtained previously directly from the user or provided by the user in this request) should not be impacted by DNT

tom: seeing the user for the first time, vs. cross site tracking, but in the context of 1st vs 3rd, and user experience and expectation being the factors

<ShaneW> Scope of DNT Appllication: Permitted uses irrespective of DNT signal vs. halted uses due to DNT signal

tom: if users sees an advert is uncannily accurate with DNT turned on, bad feeling for user

<dsinger> strongly believe that "tracking" means collecting information about me and storing it (and using it later, sharing it with others to use), or using stored data about me; using real-time data from the current transaction is ok; treat me as someone about whom you know nothing, and remember nothing

dsinger: ... missed some ... remember nothing, real-time vs..

<aleecia> know nothing and remember nothing -> first impression

aleecia: know nothing, and remember nothing, correct?

dsinger: yes

shane: agrees in the context in the delivery of an online Ad
... tehre will be a set of permissible data uses
... everyone agreed in theory

<JC> Can I respond to the statement?

shane: operational uses, fraud, etc

<aleecia> we're moving on

<dsinger> fully understands there are carve-outs (legal requirements, fraud, party-relationships etc.), yes

<JC> I don't feel that DNT should be tied to do not remember

clp: calendar went out said the calls are 1 hour long, please fix

jc: saying do not track, tracking, do not remember sounds like delete everything about me

<dsinger> ok, "do not remember anything about me from this transaction"

aleecia: back to the agenda

<clay_opa_cbs> +1

jmayer: clearest proposal, 1st party does not have to do anything with DNT

<ShaneW> Agreed (but will depend on definition of 1st party)

Aleecia: assuming we know what it is eventually, in this simple case

<dsinger> aside, there is dispute about who a 1st party is, but that is separate

Aleecia: summarizes
... jmayer: 1st party doesn't need to work about DNT
... tom: there are specific requirements, most on notice, but some other as well

Tom: notice, and suggestions
... reiterate: jmayer 3rd party silo'ing responsibilities should apply to both, should for 1st, must for 3rd

fielding: the 1st party should not be sending out different content depending on the DNT signal
... because there may be a contract that overrides the DNT signal
... eg, amazon data collection existing agreement
... user sending DNT to them won't override the agreement with them
... so in this case, 1st party should not change what is being sent out, since user could have 3rd party agreements

Aleecia: not actually suggested in either proposal
... what you are saying is a user can visit a site, and agree to the following
... agree to DNT not applying to this site
... worth thinking about how to resolve this
... but move on

clay: what the first party decides
... is out of scope

<dsinger> "I refuse your DNT because you are visiting a site whose terms state that their third parties can refuse it"?

<fielding> clp: agreed

DNT response header (ISSUE-81)

aleecia: take up issue 81
... when receiving a DNT does server respond?

shane: we had discussed this in Cambridge meeting
... agreed there would be a challenge/response
... should be response, yes i received what you said, or I will not honor it because of...

<dsinger> agrees that a response is hugely valuable; "I see your DNT and respect it", "No, I am the first party", "No, you have given me consent"

shane: techically, contractually puts you on the hook, is audit able, keeps the biz honest

jc: a great idea to have one, yet have it be optional?
... they have other ways to say I agree, for small sites

aleecia: it's really very easy to send back an answer
... small distinction not huge one
... so noted, optional

<dsinger> if you don't respond, I will presume the worst about you (that you don't understand DNT)...

aleecia: use case small biz / sites

tom: server should respond with what they heard, and what they will do
... just a 2-3 line changes to apache config, is very easy to fix
... in future will be ever easier
... response header is easiest part of complying

fielding: the people modifying the config files, and the policy, can be different groups

<tl> i have i direct response

fielding: could be harder to do one or other

<fielding> and they might not even be the same company

tom: if depts. can't agree, not a great company

dwainberg: two things

<fielding> see dreamhost.com

dwainberg: not sure it's so simple to implement, if contingent on prior user consent

<aleecia> yahoo stores is another good example along similar lines

<aleecia> and: they inherit priv policies no matter what from yahoo?

dwainberg: question: are there cases where 3rd parties not able or not capable of not sending a responce back?

<aleecia> whoops - I said David and dwainberg jumped in

<aleecia> sorry dsinger

tom: if user makes a HTTP request to a 3rd party, then gets some content back, that response can have the DNT response header in it
... no conceivable way it could not be sent

<dwainberg> sorry -- did I jump the line? apologies.

alex: clarification... 1st party or any whatsoever?

aleecia: next is 1st party

alex: from what I have been hearing... on some occasions, we will have to look at see if we have prior permission of user to not obey DNT
... not just turning on or off of static reponse
... am I wrong?

<adrianba> it may well be easy to add the header - it might not be easy to get the value from existing systems to add into the header - it's all software so it's possible but it's also work

aleecia: you are right

<fielding> yes, they are trivial to implement -- the problem is who knows what the response {0 | 1} should be. What part of the infrastructure for a site makes the decision that the entire party is compliant? I say that is the role of a business-wide policy document, not a header field.

aleecia: first doing any respond, then what it looks like
... send response seems OK, would it mandatory, what look like, etc. eventually
... consensus on OK to send response

?

<dsriedel_> for one site, the browser will also recieve multiple answers due to multiple requests within the same site, from 1st and 3rd parties. so another question might be how to visualize all the answers to the users

+1

<tl> +1

<jkaran> +1

<ShaneW> +1

<fielding> -1

<clay_opa_cbs> 0

<Justin> +1 (only if they're not going to follow on third-party basis)

<JC> -1

<jmayer> +1

<hefferjr> -1

<KevinT> +1

<dsinger> 0 - it's optional, but I will presume the worst without it

clay: sees it either way

<dwainberg> 0

<fielding> (we can't mandate things that are not true of existing deployed servers)

<tl> fielding, yes we can: those existing servers are non-compliant

<fielding> tl: no, their compliance is unknown

<tl> fielding, no: they aren't compliant with DNT

<dwainberg> I did not mean it as abtension

<fielding> tl: which means DNT cannot be mandated -- we can only mandate what DNT means

<aleecia> taking up: ISSUE-81 Do we need a response at all from server?

<Justin> The question aleecia asked wasn't "yes" to 81 --- it was "sometimes yes" to 81. Definitely not consensus to "yes" on 81.

<tl> fielding, any new web standard requires modification to deployed systems. that's the whole point

shane: talking about what 0 means

<efelten> Does this call for *should* / *may* rather than *must* approach?

shane: is it abstention? no

<tl> fielding, we can't force people to use dnt, only require them to respond if they use it

<JC> Should

<tl> must

<KevinT> one variation is that it could be sent once if it could be represented persistantly

<fielding> tl: HTTP is not a new web standard, but yes we can require them to respond *if* they implement DNT. That isn't the same as saying all parties must respond.

aleecia: should or must, on mailing list

<jmayer> -q

<tl> fielding, i completely agree. i think that we should make replying a condition of compliance

tom: happy to take an Action to take straw man about the response
... providing a response is a condition of complying with DNT, his side

<Justin> I'll volunteer

<JC> Okay

Aleecia: JC will write the other side

<clay_opa_cbs> Is the "?" aka "Don't Know" response on the table? ;-)

Aleecia: deadline?

jc: when do you need it?

aleecia: friday?

jc: yes
... should a header response be optional

<aleecia> tl?

aleecia: tom also by friday?

tom: more comfy for Tues

aleecia: monday?

tom: yes

<JC> Ok

<tl> ACTION: tl to propose a spec for a required dnt response by monday 9am [recorded in http://www.w3.org/2011/10/05-dnt-minutes.html#action01]

<trackbot> Created ACTION-13 - Propose a spec for a required dnt response by monday 9am [on Thomas Lowenthal - due 2011-10-12].

adjourned

<aleecia> ACTION: jc to write straw man proposal on response from server being optional (related to Issue-81) by monday [recorded in http://www.w3.org/2011/10/05-dnt-minutes.html#action02]

<trackbot> Created ACTION-14 - Write straw man proposal on response from server being optional (related to Issue-81) by monday [on JC Cannon - due 2011-10-12].