15:33:20 RRSAgent has joined #dnt 15:33:20 logging to http://www.w3.org/2011/10/19-dnt-irc 15:33:22 RRSAgent, make logs world 15:33:24 Zakim, this will be 15:33:24 I don't understand 'this will be', trackbot 15:33:25 Meeting: Tracking Protection Working Group Teleconference 15:33:25 Date: 19 October 2011 15:33:29 zakim, this will be track 15:33:29 ok, tlr; I see T&S_Track(dnt)12:00PM scheduled to start in 27 minutes 15:37:35 agenda + administrative 15:37:42 agenda? 15:38:01 agenda = 15:38:14 agenda? 15:38:34 next agendum 15:38:36 next agendum 15:38:54 next agendum 15:38:57 hm. 15:38:58 zakim, clear agenda 15:38:58 agenda cleared 15:39:01 thank you 15:39:21 agenda + administrative 15:39:30 agenda + old business 15:40:10 zakim, clear agenda 15:40:10 agenda cleared 15:40:24 agenda + administrative: selection of scribe 15:40:36 agenda + administrative: comments on minutes 15:40:51 agenda + administrative: strawman drafts & Santa Clara 15:41:08 agenda + old business: review of action items 15:41:34 agenda + new business: ISSUE-19: Data collection / Data use (3rd party) 15:41:48 NinjaMarnau has joined #dnt 15:41:51 agenda + new business: ISSUE-59: Should the first party be informed about whether the 15:41:52 user has sent a DNT header to third parties on their site? 15:42:09 agenda + new business: ISSUE-88: different rules for impression of and interaction with 15:42:09 3rd-party ads/content 15:42:28 agenda + new business: ISSUE-26: Providing data to 3rd-party widgets -- does that imply 15:42:29 consent? 15:42:45 agenda + Announce next meeting & Adjourn 15:42:51 zakim, agenda? 15:42:51 I see 9 items remaining on the agenda: 15:42:52 1. administrative: selection of scribe [from aleecia] 15:42:55 2. administrative: comments on minutes [from aleecia] 15:42:57 3. administrative: strawman drafts & Santa Clara [from aleecia] 15:43:00 4. old business: review of action items [from aleecia] 15:43:02 5. new business: ISSUE-19: Data collection / Data use (3rd party) [from aleecia] 15:43:04 6. new business: ISSUE-59: Should the first party be informed about whether the [from aleecia] 15:43:06 7. new business: ISSUE-88: different rules for impression of and interaction with [from aleecia] 15:43:09 8. new business: ISSUE-26: Providing data to 3rd-party widgets -- does that imply [from aleecia] 15:43:11 9. Announce next meeting & Adjourn [from aleecia] 15:46:36 alex has joined #dnt 15:49:35 chair is aleecia 15:49:56 Regrets: Kevin Trilli, Karl Dubost, Ed Felten, Kimon Zorbas 15:50:09 zakim, code? 15:50:09 the conference code is 87225 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), aleecia 15:50:39 T&S_Track(dnt)12:00PM has now started 15:50:46 +aleecia 15:51:20 + +1.212.565.aaaa 15:51:38 zakim, aaaa is SeanH 15:51:38 +SeanH; got it 15:52:01 + +1.813.366.aabb 15:52:04 +??P35 15:52:07 Rob van Eijk 15:52:18 Hi Rob, are you 813? 15:53:00 zakim, 9593 is alex 15:53:00 sorry, alex, I do not recognize a party named '9593' 15:53:34 zakim, aabb is alex 15:53:34 +alex; got it 15:53:34 Zakim, aabb is alex 15:53:35 sorry, alex, I do not recognize a party named 'aabb' 15:53:54 zakim, who is on the call? 15:53:54 On the phone I see aleecia, SeanH, alex, ??P35 15:54:16 who is alex 15:54:27 zakim, ??P35 is Rob 15:54:27 +Rob; got it 15:54:53 zakim, mute me 15:54:53 aleecia should now be muted 15:55:01 npdoty has joined #dnt 15:55:16 zakim, mute me 15:55:16 alex should now be muted 15:55:26 + +1.202.835.aacc 15:55:32 Chuck has joined #dnt 15:55:55 +npdoty 15:56:01 zakim, unmute me 15:56:01 aleecia should no longer be muted 15:56:15 Zakim, aacc is ChuckCurran 15:56:15 +ChuckCurran; got it 15:56:15 zakim, aacc is Chuck 15:56:17 sorry, aleecia, I do not recognize a party named 'aacc' 15:56:25 Zakim, mute me 15:56:25 npdoty should now be muted 15:56:30 zakim, mute me 15:56:30 aleecia should now be muted 15:56:48 Nick: thanks, I'll let you add people 15:57:04 WileyS has joined #DNT 15:57:57 Agenda: http://lists.w3.org/Archives/Public/public-tracking/2011Oct/0137.html 15:57:58 dwainberg has joined #dnt 15:58:29 justin has joined #dnt 15:58:57 zakim, agenda? 15:58:57 I see 9 items remaining on the agenda: 15:58:59 1. administrative: selection of scribe [from aleecia] 15:59:01 2. administrative: comments on minutes [from aleecia] 15:59:06 3. administrative: strawman drafts & Santa Clara [from aleecia] 15:59:10 4. old business: review of action items [from aleecia] 15:59:12 5. new business: ISSUE-19: Data collection / Data use (3rd party) [from aleecia] 15:59:13 jmayer has joined #dnt 15:59:14 6. new business: ISSUE-59: Should the first party be informed about whether the [from aleecia] 15:59:16 7. new business: ISSUE-88: different rules for impression of and interaction with [from aleecia] 15:59:18 8. new business: ISSUE-26: Providing data to 3rd-party widgets -- does that imply [from aleecia] 15:59:20 9. Announce next meeting & Adjourn [from aleecia] 15:59:21 + +1.516.695.aadd 15:59:24 +dwainberg 15:59:33 zakim, unmute me 15:59:33 aleecia should no longer be muted 15:59:55 +jmayer 15:59:55 Zakim, aadd is Lia_FPF 15:59:56 +Lia_FPF; got it 16:00:07 Zakim, who is on the phone? 16:00:07 On the phone I see aleecia, SeanH, alex (muted), Rob, ChuckCurran, npdoty (muted), Lia_FPF, dwainberg, jmayer 16:00:10 + +1.949.483.aaee 16:00:17 dsriedel has joined #dnt 16:00:27 Zakim, aaee is Frank_BlueCava 16:00:27 +Frank_BlueCava; got it 16:00:30 + +1.202.629.aaff 16:00:31 +PederMagee 16:00:51 Zakim, aaff is Carmen 16:00:51 +Carmen; got it 16:01:10 If you are on IRC and not on the call yet, please call in: we're about to get started 16:01:15 + +1.813.366.aagg 16:01:16 CarmenBalber has joined #dnt 16:01:17 zakim, code? 16:01:17 the conference code is 87225 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), aleecia 16:01:19 hefferjr has joined #dnt 16:01:30 +??P40 16:01:36 + +1.408.349.aahh 16:01:37 +Justin 16:01:38 Vincent has joined #dnt 16:01:45 +dsriedel 16:01:46 +fielding 16:01:52 Chris has joined #dnt 16:02:02 zakim, mute me 16:02:02 dsriedel should now be muted 16:02:09 Sorry, I won't be able to call in. Apparently the number is blocked 16:02:13 +[IPcaller] 16:02:25 next agendum 16:02:28 but I will read the IRC chat, and will fix my telephone 16:02:33 Sorry, I missed aagg…. can 813 repeat their name? 16:02:54 Zakim, aagg is Heffernen 16:02:54 +Heffernen; got it 16:02:55 + +1.202.744.aaii 16:03:05 Zakim, aahh is WileyS 16:03:05 +WileyS; got it 16:03:34 Zakim, aaii is Chris 16:03:34 +Chris; got it 16:03:37 good to go 16:03:41 Zakim, unmute me 16:03:41 npdoty should no longer be muted 16:03:58 Zakim, [IPcaller] has Vincent 16:03:58 +Vincent; got it 16:04:20 Zakim, mute me 16:04:20 npdoty should now be muted 16:04:37 zakim, select victim 16:04:37 I don't understand 'select victim', aleecia 16:04:47 adrianba has joined #dnt 16:05:03 scribenick: dwainberg 16:05:33 + +49.157.884.8.aajj 16:05:53 +[Microsoft] 16:06:00 Zakim, aajj is schunter 16:06:00 +schunter; got it 16:06:02 next agendum 16:06:15 http://www.w3.org/2011/10/12-dnt-minutes.html 16:06:16 + +1.415.200.aakk 16:06:17 zakim, [Microsoft] has me 16:06:18 +adrianba; got it 16:06:19 next agendum 16:06:21 + +1.212.673.aall 16:06:24 next agendum 16:06:24 aleecia: any comments on last week's minutes? 16:06:33 next agendum 16:06:37 + +1.334.703.aamm 16:06:37 jkaran has joined #dnt 16:06:38 Zakim, close this agendum 16:06:41 agendum 2 closed 16:06:43 I see 6 items remaining on the agenda; the next one is 16:06:44 ... moving on to next agenda item 16:06:44 Zakim, next agendum 16:06:47 4. old business: review of action items [from aleecia] 16:06:49 agendum 4. "old business: review of action items" taken up [from aleecia] 16:06:59 hi all 16:07:03 http://www.w3.org/2011/tracking-protection/track/actions/open 16:07:09 ... We will go through old biz, and look at open action items. 16:07:46 Frank has joined #dnt 16:07:52 BrianTs has joined #dnt 16:08:05 PMagee has joined #dnt 16:08:08 ... David Wainberg had open action to create a proposal. 16:08:26 dwainberg: I think that's closed, but aleecia and matthias were to discuss. 16:08:36 aleecia: We'll assume it's closed. 16:08:45 member:Zakim, close this agendum 16:08:45 clp has joined #dnt 16:08:48 Zakim, next agendum 16:08:48 agendum 5. "new business: ISSUE-19: Data collection / Data use (3rd party)" taken up [from aleecia] 16:09:13 aleecia: giving a sense of what's coming up next 2 weeks. 16:09:21 Zakim, take up agendum 3 16:09:21 agendum 3. "administrative: strawman drafts & Santa Clara" taken up [from aleecia] 16:09:27 ... 2 strawman docs by the end of this week, with lots of placeholders. 16:10:13 +??P12 16:10:17 ... please take a close look. Procedure is we look at the first draft, discuss whether there's anything we disagree with to prevent it from 16:10:24 ... going out as first public working draft. 16:10:29 (on call at last) 16:10:48 Zakim, ??P12 is clp 16:10:50 +clp; got it 16:11:30 - +1.334.703.aamm 16:11:36 +[Microsoft.a] 16:11:37 ... last call for issues is quite a ways out, but this will give us a structure for the docs (will discuss in SC). 16:11:59 ksmith has joined #DNT 16:12:31 ... one of the other pieces to look at in SC, is whether to continue with 2 recommendations, or whether the tracking protection lists are something this group should move forward with. 16:12:54 ... first working draft by early november? any objection? [none heard] 16:13:05 Zakim, take up agendum 5 16:13:05 agendum 5. "new business: ISSUE-19: Data collection / Data use (3rd party)" taken up [from aleecia] 16:13:14 q? 16:13:15 -schunter 16:13:28 +q 16:13:36 ack clp 16:13:38 + +1.801.830.aann 16:13:41 ... Any suggestions on what a 3rd party should do when it receives a DNT header? 16:14:04 KevinT has joined #dnt 16:14:11 Zakim, [Microsoft.a] has BrianTs 16:14:11 +BrianTs; got it 16:14:21 clp: a party consults its relationship, to discover whether it's been exempted by anything in place? 16:14:31 aleecia: exactly what we don't want to get into. 16:14:39 + +1.334.703.aaoo 16:14:46 ... so this is a 3rd party that knows it's a 3rd party. 16:14:52 +q 16:14:56 q+ 16:15:06 - +1.334.703.aaoo 16:15:48 q? 16:15:54 When 3rd party gets DNT: 16:15:55 ack WileyS 16:15:58 clp: [will type it in] 16:16:15 Do not show any tracking behavior user might interpret as tracking 16:16:31 Can use geographics or language preferences though 16:16:38 Lia has joined #dnt 16:16:40 and no data collected from current session 16:16:41 shane: 3rd paryt would 1) halt profiling of that particular event (info collected only for operational or fraud prevention) 2) would no longer target the user with OBA advertising. 16:16:46 +q 16:16:47 q+ 16:16:51 ... other approaches would still be allowable. 16:17:32 shane: demo ok: age and gender 16:17:41 aleecia: does that include zip+4? 16:17:48 shane: it's too granular. 16:18:01 q? 16:18:30 shane: had this discussion previously. Propose that zip is as granular as you could get. 16:18:40 5 digit code only 16:18:42 ack jkaran 16:19:11 jkaran: 3rd parties used in other instances. Need to be clear that 3rd parties are not just advertisers. 16:19:37 aleecia: what should those companies do when receiving a DNT? 16:19:57 jkaran, IP address plus user agent is sufficient for powerful tracking methods 16:20:10 jkaran: nothing. They're just recording the domain and an IP address -- whether the ad met the geo and site requirements of a campaign. 16:20:27 jkaran, a cookie is only slightly more precise than IP + user agent 16:20:39 aleecia: one of your arguments is that only cookies are affected by DNT, 2 ??? 16:20:49 jkaran: not necessarily 16:21:01 agree with pde 16:21:25 jkaran: they aren't tracking anything about that user. 16:21:36 aleecia: we're going to run into difference about what is tracking or not. 16:21:46 recording an IP address is tracking in the Netherlands 16:22:16 ... so is the distinction that because of the type of business that it's something different from the other companies? 16:22:25 +q 16:22:28 Sounds like they are not doing cross site tracking 16:22:55 um, how about ip addresses? 16:23:09 ksmith, if they have IP + user agent + referrer, that sounds like it would amount to an extensive cross-site profile 16:23:16 If they're logging multiple domains by IP address, that's tracking. 16:23:20 jkaran: just that there are companies that are third parties that might be exempt because they're not doing behavioral advertising. How do we want to define who is a 3rd party that needs to follow DNT? 16:23:33 But we may want to discuss whether there is an exception for ad reporting. 16:23:38 aleecia: you're saying that because the info is not collected and used over time, that it's not tracking? 16:23:44 jkaran: potentially. 16:24:37 ack jmayer 16:25:22 jmayer: threat model is that a company the user doesn't expect to interact with gets a copy of the user's browsing history. 16:25:25 issue: If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking? 16:25:26 Created ISSUE-92 - If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/92/edit . 16:25:31 + +1.334.703.aapp 16:25:56 Zakim, who is talking? 16:26:06 npdoty, listening for 10 seconds I heard sound from the following: clp (5%), Lia_FPF (25%), jmayer (50%) 16:26:07 ... the 1st big implication is that it doesn't matter how the info is used. 16:26:28 ... the fact that the data exists is the privacy risk. So as long as the data exists, the company is a 3rd party. 16:26:36 they certainly have the info available to do cross site tracking, but if they check campaign restraints and then throw the data away (do not store it) it seems better to me. I am not sure if that is what they are doing. But that sounds like what she was describing. 16:27:05 ... 2nd: it's backwards to pigeon hole use-based definitions. Silly to have a definition that takes tech off the table, if it can be used w/ out tracking. 16:27:10 ksmith, if they do not store it, I agree with you 16:27:15 ksmith: feel free to add that to the issue, that's good background to capture 16:27:27 ... that means that what tracking means will change over time. 16:27:33 for that reason I think the verb "collect" is a bit confusing -- "retain" is better IMO 16:27:46 + +1.916.212.aaqq 16:28:05 good point 16:28:10 ... 3 high level points about what DNT has to do. 16:28:28 Tracking = cross-site accumulation of site activity? Or rather, if a 3rd party receives the DNT signal they would no longer accumulate cross-site activity AND not leverage previously collected cross-site activty to modify the user's experience. 16:29:32 aleecia: summary: rather than have an exemption based on biz model there may be more or less privacy protective ways to do certain things so we should look at that. 16:29:39 q? 16:29:47 ack pde 16:29:50 Right, but could it be retained for SOME period for, say, frequency capping? 16:31:02 pde: if a company has a truly anonymous way of doing OBA that's fine as long as they're not retaining clickstream. So that means if you're a 3rd party and you see DNT you need to anonymize distinguishing unique identifiers in your logs. 16:31:12 +heather 16:31:22 justin, what period of time are we talking about? 16:31:33 hwest has joined #dnt 16:31:52 q? 16:31:56 ack WileyS 16:32:26 pde: so if you're a 3rd party without an operating exception, 16:32:37 WileyS: sounds like where we're resolving: 3rd party would no longer accumlate cross site activity server side and would no longer leverage previously collected cross site activity. 16:32:46 pde: you must not be logging high-entropy cookies 16:32:56 Ha, that's the question, isn't it? I've heard use cases for 90 days, but that might sit outside reasonable user's expectations, even if data wasn't leveraged to modify user experience. 16:33:07 -fielding 16:33:09 dsriedel has joined #dnt 16:33:17 zakim, mute me 16:33:17 dsriedel was already muted, dsriedel 16:33:20 jmayer: 1) cuts across uses, business models; 2) will change over time; 3) if there are thing we'll allow, make them narrow exceptions - not tracking 16:33:55 pde: quick reply: server side stuff: can someone looking at the server extract a meaningful portion of the user's history? 16:34:34 shane: to jmayer's question: is it the issue that we're more concerned with accumlation of cross site data? 16:34:40 pde: (continuing from before... in addition to cookies, you should be not retaining IP addresses) 16:34:49 pde: (or encrypting them with a rotating key) 16:34:52 jmayer: yes, but when I say cross site data, I have something different in mind than others. 16:34:53 + +1.202.263.aarr 16:35:10 pde: and you should be discarding all but the most common User Agent strings 16:35:34 cross site data is data containing unique identifiers that can be correlated across websites 16:35:34 shane: we keep pushing and pulling on definitions, but I agree that we should cement perspectives and then go into definitions. 16:35:37 pde: (or extracting only the most relevant portions of them) 16:35:44 jules has joined #dnt 16:36:00 ACTION: Shane to write a concrete proposal re 3rd party response. 16:36:00 Created ACTION-17 - Write a concrete proposal re 3rd party response. [on Shane Wiley - due 2011-10-26]. 16:36:10 rvaneijk, I agree, and this also includes IP addresses 16:36:18 jules is here 16:36:43 +q 16:36:50 aleecia: trying something else: w3c is in a position to ask browsers to do something. Any use in asking browsers to change behavior for 3rd parties? 16:37:27 ack WileyS 16:37:57 WileyS: assume we wouldn't want to do this because if we are going to have use exemptions, browser wouldn't understand that. 16:38:11 q+ 16:38:21 ack jkaran 16:38:47 jkaran: probably will be situations where a company has different use cases depending on the role they're playing in that particular request. 16:39:05 agenda? 16:40:12 clarification to earlier comments: change will happen over time in what dnt covers, but that's an issue for definitions of exemptions - the high-level definition of tracking won't change 16:40:24 scribenick: hwest 16:40:42 Zakim, close agendum 5 16:40:43 agendum 5, new business: ISSUE-19: Data collection / Data use (3rd party), closed 16:40:45 I see 4 items remaining on the agenda; the next one is 16:40:46 6. new business: ISSUE-59: Should the first party be informed about whether the [from aleecia] 16:40:48 +q 16:40:54 ISSUE-59? 16:40:54 ISSUE-59 -- Should the first party be informed about whether the user has sent a DNT header to third parties on their site? -- raised 16:40:54 http://www.w3.org/2011/tracking-protection/track/issues/59 16:40:55 aleecia: moving on to ISSUE-59, whether the third party receives do not track 16:41:09 +q 16:41:18 ack WileyS 16:41:20 swiley: this is an issue around the first party being informed if the third party is being subjected to the dnt signal 16:41:48 q+ 16:42:01 ... when does the first party know to ask for an exception from the user. use case is that hte first party is the part in a position to request the exception from a user if they see dnt, and does that apply to all third parties defacto for hte first party? If not, how does the first party know that one of the first parties is excepted? 16:42:03 Zakim, unmute me 16:42:03 npdoty should no longer be muted 16:42:16 ... from Yahoo, we would absolutely want to know if we could 16:42:38 ... if we set up the ruleset such that the first party exception is received by all third parties, then perhaps the first party doesn't know 16:43:11 aleecia: in Boston, we discussed exemptions; if a first party gets an exception, does that transfer all over the net when they're a third party? 16:43:26 +[Microsoft.aa] 16:43:34 ... this isn't something we can resolve quickly or cleanly. Best bet is to assume that at least some third parties will not inherit those exceptions 16:43:54 swiley: with that assumption, then first party should be made aware that that is occuring. 16:43:57 +q 16:44:06 ack jmayer 16:44:06 aleecia; presumably, if first party isseeing DNT, so is third? 16:44:22 JC has joined #DNT 16:44:42 jmayer: I take no issue with entities throughout the ecosystem to know what the user has set DNT to; if NYT wants to throw up the paywall for a DCLK excemption, ok. 16:45:10 ... technical mechanisms: use standard web technologies - DCLK can tell NYT using a post message, they would have to agree on what that message looks like 16:45:18 ... an example in the DNT Cookbook 16:45:32 (jmayer: can you make sure I got that right given the breakup in the audio?) 16:45:51 jmayer, since your audio keeps breaking, fix things in IRC :) 16:45:51 jmayer: first and third parties can negotiate standards around that message 16:46:09 aleecia: so you're saying it's fine to have that communication but the parties will have to figure out how to do that 16:46:11 +q 16:46:38 pde: I think that there aer several different ways that we could have gone with this design question. JMayer's way is one of them. You could lead with the third party, or with the first party. 16:46:56 ... if you're Yahoo and you want to manage how DNT affects your third parties, one way to do that is get a message back from third parties abotu receipt and compliance. 16:47:17 ... another is an opt from users to the parties, send it as a URL primer if you're sure that this third party is excepted on your domain 16:47:38 ... that's one design philosophy to solve this. There are other ones, in particular, could have gone with something that was more heavyweight on the browser side. 16:48:05 ... browser could know that when you opt in, which parties are included in it. That design direction basically got cut off at the last meeting 16:48:17 ... which leaves us looking at JMayer's approach 16:48:48 aleecia: since it's unclear that Google is implementing DNT into their browser, I am not as concerned as I might be, but that's a concern if browsers are not interested, then coming up with that spec is a waste of time 16:48:49 ack pde 16:48:55 ack clp 16:49:20 -q 16:49:28 q+ 16:49:29 clp: seems to me that there is a symmetrical view of the first and third party in charge. It's a business technical question. We can decide that separately. Third point is optimization or cost. 16:50:08 ... first we should decide what the symmetrical model we care about is, then what we want to do, and then as a third option we say what best practices/suggestions are 16:50:12 This might break our goal of feasability of implementation, no? 16:50:26 dsriedel, please expand? 16:50:33 ... seems to me that the priority is to get a simple clear description of what the world should think about this, and then we have all these issues 16:50:37 ack pde 16:51:04 pde: do we want to recommend or standardize the way that a first party would signal to a third party that they believe the third party is covered by an exception or opt in/ 16:51:11 ... could be picking a standard name for a parameter 16:51:32 ... if we pick a standard parameter name then clients can choose to build a UI to watch those transactions 16:51:59 aleecia: great way to frame where we are. going to take one step back 16:52:03 Considering that a 1st party works with a range of 3rd parties for different purposes, this would require a huge amount of work and coordination between those parties to figure out technical solutions for realizing communication through the websites 16:52:23 ... in this discussion we have been going with the assumption that it's useful for first parties to know whether third parties get exception 16:52:34 ... please note any disagreement with that view 16:52:36 dsriedel, would that not be a good reason to standardise the parameter name? 16:52:44 Not sure we agree with this. 16:53:15 Not sure we agree either 16:53:16 cle: as long as it's not TOO hard to implement 16:53:17 I am not necessarily against it, but it seems like it would add quite a bit of complexity, so I would not want to require it 16:53:23 so that all of these companies know that if they get dnt-override=1, that's a 1st party telling them they're covered by an exception 16:53:35 aleecia: different views as to whether it's a must, best practices, etc - just want to see whether it's a useful thing 16:54:07 pde, sure it is. but so far I understood that this would be a web technology like postMessage or any that relies on XHR for example 16:54:07 Not sure agree with this 16:54:09 someone: first reaction is that implies that first parties will police or ensure compliance, don't want to put first parties in that role necessarily 16:54:20 ... need to give that more thoguht and figure out what our role would be there 16:54:46 aleecia: use case earlier was that I'm a first party, third party on my site is going to be blocked by DNT, and that means I want to take some action based on that 16:55:16 So this would require a draft on how this could work and then some entity to implement the libraries in distinct programming languages providing it to the parties to implement 16:55:22 is that where this would go? 16:55:31 ... the idea that first parties might be liable for what a third party does wrong? 16:56:20 carmen: not something we have considered, makes sense that first parties would want to know 16:56:32 dsriedel, libraries is a strong word. To my knowledge all web programming libraries have extremely easy ways to check for the presence of value of a URL parameter 16:56:37 ... at the same time, we'd be leery of a notification that would enable a first party to penalize consumers because they've implemented DNT 16:56:50 s/programming libraries/programming environments/ 16:57:03 aleecia: first parties will still either receive or not receive DNT so may not change the issue 16:57:13 q+ 16:57:14 If a third-party is being blocked because of DNT I would expect the client to have a list of them. 16:57:21 ... having a communication from first and third party probably doesn't change issue 16:57:44 pde, agreed 16:57:56 ... if we wind up with this, are you ok with the idea of communication between a first and third party? 16:58:08 someone: I think it would be fine for us 16:58:16 ... there would be cases where we'd definitely want to know 16:58:21 -PederMagee 16:58:25 ... where a third party had been blocked 16:58:33 I would not see sites to have to develop communications between third parties. Seems like an unnecessary complication. 16:58:37 -q 16:59:06 Frank: I think that we could understand where someone would want to broadcast an exception where they're compliant 16:59:15 ... not sure about implementation details 16:59:43 aleecia: lets not discuss whether this is option, must, best practices, etc 16:59:55 q+ 16:59:59 I have to leave the call, still following on irc 17:00:06 -[IPcaller] 17:00:07 ... instead lets figure out what the best technical approach is to allow getting that information 17:00:25 ... unless anyone has objections, that's the direction we'll take 17:00:25 q? 17:00:33 ack dwainberg 17:00:41 dwainberg: is that a conversation that's dependant on determining how to manage consent? 17:00:59 ... if we don't know how exceptions are managed, doesn't that make it hard to discuss how those choices are communicated between parties? 17:01:16 aleecia: we may need to change decisions later but need to start the decisions somewhere 17:01:24 q? 17:01:56 Kevin: wanted to talk about implementation. Doesn't really seem that conceivable to get that communication, typically 1st and 3rd parties are not communicating 17:02:09 ... different requests for each content 17:02:20 Correct, Kevin. 17:02:28 ... would require pages to change their implementation (AJAX maybe) 17:02:39 +q 17:02:41 ... there could be some benefit, but it's a lot of work and might require overhaul of the web 17:02:43 was that ksmith speaking? 17:02:55 ack jmayer 17:03:03 yes, ksmith 17:03:14 jmayer: wanted to briefly respond, don't agree that this would be a rewrite of lots of websites. Lots of light touch ways to implement 17:03:31 ... in your add tag, you could add a message handler that ersponds with the site's DNT status 17:03:45 ... lots of good ways to do this 17:03:58 +q 17:04:01 aleecia: were you talking about a third party finding out first party status? 17:04:10 jmayer: it was one possible example 17:04:33 ... if you wanted to have a third party status provided to a first party, could query it's iframes and figure out it's dnt status 17:04:44 pde: I also disagree with ksmith's characterisation of AJAX as being a large, difficult change for this particular purpose. You don't need to do AJAX everywhere -- a few lines of JavaScript somewhere for this particular purpose is all that's required 17:04:47 ack clp 17:05:03 cle: wanted to underline what aleecia has tried tos ay - we need to separate consensus that we have - that it could be useful 17:05:09 ... from how we accmplish that on the tech side 17:05:27 ... seems like we have consensus that this could be ueful, depending on the implementation 17:05:35 -npdoty 17:05:45 ... so lets just move forward with that 17:05:52 aleecia: worth adding the symmetrical case as an issue 17:05:57 npdoty has joined #dnt 17:06:03 pde: all that's required /if/ you really want to know whether your third parties are DNT'd 17:06:13 - +1.334.703.aapp 17:06:14 ... agree that we have consensus as well as concerns around implemetation 17:06:19 ... we can come back to that later 17:06:36 ... it is useful for a first party to know the status of third parties on the site 17:06:59 ... I'll ask a few people to take an action item to send a propsoal for how this would work to the mailing list. 17:07:05 Disagree with Jmayer. An an individual call would not be hard, but doing this for all 3rd party requests would be effort and performance prohibitive 17:07:07 ... JMayer, PDE? 17:07:19 ...c an you write something up by next Tuesday? 17:07:23 jmayer: yes 17:07:30 pde: I'll write about DNT override solution 17:07:47 - +1.916.212.aaqq 17:07:55 action: jmayer to write a summary of options for how 1st parties hear 3rd party status by tuesday 17:07:56 Created ACTION-18 - Write a summary of options for how 1st parties hear 3rd party status by tuesday [on Jonathan Mayer - due 2011-10-26]. 17:08:19 action: pde to write an option for how 1st parties hear 3rd party status by tuesday 17:08:19 Sorry, couldn't find user - pde 17:08:40 cle: W3C question: my impression is that we're in the center of what everyone cares about? 17:08:54 aleecia: not sure, this WG is central yes, but conversation may be better offline 17:09:42 action: aleecia to summarize progress on this issue 17:09:43 Created ACTION-19 - Summarize progress on this issue [on Aleecia McDonald - due 2011-10-26]. 17:09:43 aleecia, I'm going to write an proposal for how 1st parties /set/ 3rd party status (for a specific request/operation) 17:09:44 aleecia: not going to close this issue, but we are moving forward 17:09:56 agenda? 17:10:02 in a standardised, observable way 17:10:19 issue-88? 17:10:19 ISSUE-88 -- different rules for impression of and interaction with 3rd-party ads/content -- raised 17:10:19 http://www.w3.org/2011/tracking-protection/track/issues/88 17:10:24 aleecia: ok, ISSUE-88 17:10:39 npdoty has joined #dnt 17:10:47 ... are there different rules for impression versus interactin? Tied to ISSUE-26, third party widget interactions 17:11:05 ... so does interaction with an ad or a widget change how they classify under DNT? 17:11:10 +q 17:11:14 ... does that make it a first party once you've interacted with it? 17:11:44 WileyS: just to pick up where we were over email, between impressiona nd interaction seems to be agreement that interaction is a first party 17:11:51 ... some are hard rules, some are soft 17:12:04 ... need appropriate branding and linkage to widget owner privacy policy 17:12:29 ... jmayer modified that there would be certain times where something is so ubiquitous that direct branding isn't necessary, ubut in some cases it would be 17:12:45 ... everyone knows what the FB like button is, but it's carried the branding with it 17:12:53 ... would we all agree on linkage back to privacy policy? 17:13:13 ... if we agree on interaction is first party, with conditions, then that's a good starting point 17:13:17 q+ 17:14:05 aleecia: user expectation is met if the user really know it's not the first party, and when user interacts with that in a meaningful way, then first party interaction 17:14:11 -jmayer 17:14:23 ack WileyS 17:14:37 +q 17:14:42 seanharvey: is there a difference in state if a user is or isn't logged in to a service? 17:14:48 ack hwest 17:14:59 +jmayer 17:15:04 ... logged in state with relevant service - if you're not logged in, then do you have different obligations? 17:15:25 ... i think there has to be some difference in how those standards interact 17:15:27 -??P40 17:15:34 q? 17:15:44 +q 17:15:45 ... if you're logged in, then there's a much better chance that they know the service, etc 17:15:58 +q 17:16:03 ... in those cases where you're not logged in, then users might be surprised that they're being associated with activities off those sites 17:16:16 ... something that's been raised recently 17:16:26 i think the recent facebook issues show logout = don't track, not login = tracking more ok 17:16:35 I don't believe there should be a difference between logged in/logged out third parties. 17:16:51 aleecia: not as the chair, what I've seen in research is that users are surprised that login credentials persist from tab to tab or even more surprised when data is collected when they're not logged in 17:16:55 ack clp 17:17:04 cle: wanted to make a mathematical observation. Hearing that this new idea could be recursively applied 17:17:30 ... that would mean user thinkgs they're on site A, then parts of the website that the user might interact with, then they become a first party 17:17:36 ... just pointing out that that recussively continues 17:17:49 ... now that part of the page is first party, parts of IT may be third party 17:17:58 action: peckersl to write an option for how 1st parties set 3rd party DNT status in an observable way 17:17:58 Sorry, couldn't find user - peckersl 17:17:58 ... this would allow all sorts of agent relationships 17:18:19 ack wileyS 17:18:29 WileyS: did bring this up over email; this owuld be part of the conditions conversation 17:18:37 ... interaction should be first party on the conditions that 17:18:45 ... must side: branding and link back to privacy policy 17:18:55 tl has joined #dnt 17:18:59 ...agree with JMayer that there are situations where something may be so ubiquitous that it's not necessary 17:19:09 ... should: if user is logged in, widget could represent that to the user 17:19:15 action: nick to get PeterE to write an option for how first parties set third party DNT status in an observable way 17:19:16 Created ACTION-20 - Get PeterE to write an option for how first parties set third party DNT status in an observable way [on Nick Doty - due 2011-10-26]. 17:19:23 ... so that when they interact with the widget they know that they're logged in and the context of the interact3ion 17:19:38 ... but then user might think that impression could be tied back to logged in state 17:19:51 q? 17:19:59 ack jmayer 17:20:04 jmayer: one of the two points on this 17:20:19 ... in the referenced email talked about the FB like button 17:20:28 ... other side of the coin is stuff that's very subtle 17:20:35 ... generic sharing widgets, for example 17:20:55 ... seems likely that users understand that they're sharing through a third party service, but not that the widget is itself a third party 17:21:43 ... second, an alternative here is to put something next to the widget saying "hey if you let us, we'll do XYZ" 17:21:58 aleecia: also talking abotu mechanics of opting back in, let's have that conversation at a later time 17:22:31 ... so if you click on third party content and have a meaningful interaction, we will treat that as a first party, subject to possible conditions 17:23:01 .. make sure that muting isn't interaction, etc 17:23:13 ... does this sound like the point that we're in agreement on? 17:23:18 +1 17:23:20 +q 17:23:33 ack jmayer 17:24:09 jmayer: I don't disagree, I sideways agree - concern is that users understand what's going on. Framing it as interaction isn't how I see it, I see it as the point where a user understands that they're interacting with this company 17:24:25 ... lots of cases and design considerations 17:24:29 How can the user understand about 3rd party elements and widgets if they are not "marked" in a certain way? 17:24:37 ... lots of stuff here that has subtlety 17:24:39 Wouldnt you like to give the user a hint about it? 17:24:47 aleecia: better to refer to meaningful interaction rather than clicking? 17:25:03 jmayer; I think so, and would suggest that it be defined as reasonable expectation from the user 17:25:25 +1 - agree with "meaningful interaction" meaning a user reasonably expects "interaction" 17:25:39 aleecia: any disagreement with the general direction? 17:26:11 ... ok, then, I would like to move forward to what some of this should look like 17:26:20 ... would like a more useful proposal for text in the strawman doc 17:26:32 Are we agreeing on the flip side too? That without meaningful interaction, you're a third party? 17:26:54 aleecia: justin raises a good point 17:27:18 justin - yes 17:27:18 action: jmayer writes up a third party interaction bit for the doc 17:27:18 Created ACTION-21 - Writes up a third party interaction bit for the doc [on Jonathan Mayer - due 2011-10-26]. 17:27:57 I agree, but I thought Sean might be disagreeing. 17:27:58 aleecia: justin asks whether we're also at consensus on the flip side - no meaningful interaction means you're a third party 17:28:15 ... even if signed in? 17:28:28 Yes, even if signed in. 17:28:32 aleecia: lets try signed out for now 17:28:50 agreed, justin 17:28:52 ... even if you give info to the widget, is that first party? 17:29:10 I'm tempted to argue that would be meaningful interaction 17:29:27 aleecia: we'll postpone (as there was disagreement). Thanks! 17:29:28 - +1.212.673.aall 17:29:30 -Justin 17:29:30 -dwainberg 17:29:30 -Lia_FPF 17:29:31 -SeanH 17:29:31 -clp 17:29:32 -Carmen 17:29:33 -[Microsoft] 17:29:34 Sorry Aleecia 17:29:35 -alex 17:29:37 - +1.801.830.aann 17:29:39 -ChuckCurran 17:29:41 -[Microsoft.aa] 17:29:43 -dsriedel 17:29:45 -Rob 17:29:47 -jmayer 17:29:49 -[Microsoft.a] 17:29:49 Didn't mean to cut off another consensus 17:29:51 - +1.415.200.aakk 17:29:53 Bye all 17:29:57 All good, no worries 17:29:57 -Heffernen 17:30:06 -heather 17:30:11 Contact me if I can help you 17:30:13 Have time 17:30:21 Au revoir aleecia All 17:30:23 :) 17:30:30 Thanks@ 17:30:40 -aleecia 17:31:09 Frank has left #dnt 17:31:19 RRSAgent, set logs world-visible 17:31:20 \quit 17:31:29 RRSAgent, make minutes 17:31:29 I have made the request to generate http://www.w3.org/2011/10/19-dnt-minutes.html aleecia 17:32:15 - +1.202.263.aarr 17:33:19 adrianba has left #dnt 17:59:56 -Frank_BlueCava 18:15:18 -Chris 18:20:19 disconnecting the lone participant, WileyS, in T&S_Track(dnt)12:00PM 18:20:20 T&S_Track(dnt)12:00PM has ended 18:20:25 Attendees were aleecia, +1.212.565.aaaa, SeanH, +1.813.366.aabb, alex, Rob, +1.202.835.aacc, npdoty, ChuckCurran, +1.516.695.aadd, dwainberg, jmayer, Lia_FPF, +1.949.483.aaee, 18:20:30 ... Frank_BlueCava, +1.202.629.aaff, PederMagee, Carmen, +1.813.366.aagg, +1.408.349.aahh, Justin, dsriedel, fielding, Heffernen, +1.202.744.aaii, WileyS, Chris, Vincent, 18:20:34 ... +49.157.884.8.aajj, schunter, +1.415.200.aakk, adrianba, +1.212.673.aall, +1.334.703.aamm, clp, [Microsoft], +1.801.830.aann, BrianTs, +1.334.703.aaoo, +1.334.703.aapp, 18:20:36 ... +1.916.212.aaqq, heather, +1.202.263.aarr 18:37:34 agenda? 18:37:51 zakim, clear agenda 18:37:51 agenda cleared 18:38:18 npdoty has joined #dnt 18:44:00 issue-59? 18:44:00 ISSUE-59 -- Should the first party be informed about whether the user has sent a DNT header to third parties on their site? -- raised 18:44:00 http://www.w3.org/2011/tracking-protection/track/issues/59 20:15:45 KevinT has joined #dnt 20:16:32 KevinT1 has joined #dnt 20:30:37 ksmith has joined #DNT 20:57:28 Zakim has left #dnt 21:07:24 tl has joined #dnt 21:28:35 mischat has joined #dnt 22:49:01 KevinT has joined #dnt 23:25:38 KevinT has left #dnt