IRC log of dnt on 2011-10-19

Timestamps are in UTC.

15:33:20 [RRSAgent]
RRSAgent has joined #dnt
15:33:20 [RRSAgent]
logging to
15:33:22 [trackbot]
RRSAgent, make logs world
15:33:24 [trackbot]
Zakim, this will be
15:33:24 [Zakim]
I don't understand 'this will be', trackbot
15:33:25 [trackbot]
Meeting: Tracking Protection Working Group Teleconference
15:33:25 [trackbot]
Date: 19 October 2011
15:33:29 [tlr]
zakim, this will be track
15:33:29 [Zakim]
ok, tlr; I see T&S_Track(dnt)12:00PM scheduled to start in 27 minutes
15:37:35 [aleecia]
agenda + administrative
15:37:42 [aleecia]
15:38:01 [aleecia]
agenda =
15:38:14 [aleecia]
15:38:34 [aleecia]
next agendum
15:38:36 [aleecia]
next agendum
15:38:54 [aleecia]
next agendum
15:38:57 [aleecia]
15:38:58 [tlr]
zakim, clear agenda
15:38:58 [Zakim]
agenda cleared
15:39:01 [aleecia]
thank you
15:39:21 [aleecia]
agenda + administrative
15:39:30 [aleecia]
agenda + old business
15:40:10 [aleecia]
zakim, clear agenda
15:40:10 [Zakim]
agenda cleared
15:40:24 [aleecia]
agenda + administrative: selection of scribe
15:40:36 [aleecia]
agenda + administrative: comments on minutes
15:40:51 [aleecia]
agenda + administrative: strawman drafts & Santa Clara
15:41:08 [aleecia]
agenda + old business: review of action items
15:41:34 [aleecia]
agenda + new business: ISSUE-19: Data collection / Data use (3rd party)
15:41:48 [NinjaMarnau]
NinjaMarnau has joined #dnt
15:41:51 [aleecia]
agenda + new business: ISSUE-59: Should the first party be informed about whether the
15:41:52 [aleecia]
user has sent a DNT header to third parties on their site?
15:42:09 [aleecia]
agenda + new business: ISSUE-88: different rules for impression of and interaction with
15:42:09 [aleecia]
3rd-party ads/content
15:42:28 [aleecia]
agenda + new business: ISSUE-26: Providing data to 3rd-party widgets -- does that imply
15:42:29 [aleecia]
15:42:45 [aleecia]
agenda + Announce next meeting & Adjourn
15:42:51 [aleecia]
zakim, agenda?
15:42:51 [Zakim]
I see 9 items remaining on the agenda:
15:42:52 [Zakim]
1. administrative: selection of scribe [from aleecia]
15:42:55 [Zakim]
2. administrative: comments on minutes [from aleecia]
15:42:57 [Zakim]
3. administrative: strawman drafts & Santa Clara [from aleecia]
15:43:00 [Zakim]
4. old business: review of action items [from aleecia]
15:43:02 [Zakim]
5. new business: ISSUE-19: Data collection / Data use (3rd party) [from aleecia]
15:43:04 [Zakim]
6. new business: ISSUE-59: Should the first party be informed about whether the [from aleecia]
15:43:06 [Zakim]
7. new business: ISSUE-88: different rules for impression of and interaction with [from aleecia]
15:43:09 [Zakim]
8. new business: ISSUE-26: Providing data to 3rd-party widgets -- does that imply [from aleecia]
15:43:11 [Zakim]
9. Announce next meeting & Adjourn [from aleecia]
15:46:36 [alex]
alex has joined #dnt
15:49:35 [aleecia]
chair is aleecia
15:49:56 [aleecia]
Regrets: Kevin Trilli, Karl Dubost, Ed Felten, Kimon Zorbas
15:50:09 [aleecia]
zakim, code?
15:50:09 [Zakim]
the conference code is 87225 (tel:+1.617.761.6200, aleecia
15:50:39 [Zakim]
T&S_Track(dnt)12:00PM has now started
15:50:46 [Zakim]
15:51:20 [Zakim]
+ +1.212.565.aaaa
15:51:38 [aleecia]
zakim, aaaa is SeanH
15:51:38 [Zakim]
+SeanH; got it
15:52:01 [Zakim]
+ +1.813.366.aabb
15:52:04 [Zakim]
15:52:07 [rvaneijk]
Rob van Eijk
15:52:18 [aleecia]
Hi Rob, are you 813?
15:53:00 [alex]
zakim, 9593 is alex
15:53:00 [Zakim]
sorry, alex, I do not recognize a party named '9593'
15:53:34 [aleecia]
zakim, aabb is alex
15:53:34 [Zakim]
+alex; got it
15:53:34 [alex]
Zakim, aabb is alex
15:53:35 [Zakim]
sorry, alex, I do not recognize a party named 'aabb'
15:53:54 [aleecia]
zakim, who is on the call?
15:53:54 [Zakim]
On the phone I see aleecia, SeanH, alex, ??P35
15:54:16 [alex]
who is alex
15:54:27 [aleecia]
zakim, ??P35 is Rob
15:54:27 [Zakim]
+Rob; got it
15:54:53 [aleecia]
zakim, mute me
15:54:53 [Zakim]
aleecia should now be muted
15:55:01 [npdoty]
npdoty has joined #dnt
15:55:16 [alex]
zakim, mute me
15:55:16 [Zakim]
alex should now be muted
15:55:26 [Zakim]
+ +1.202.835.aacc
15:55:32 [Chuck]
Chuck has joined #dnt
15:55:55 [Zakim]
15:56:01 [aleecia]
zakim, unmute me
15:56:01 [Zakim]
aleecia should no longer be muted
15:56:15 [npdoty]
Zakim, aacc is ChuckCurran
15:56:15 [Zakim]
+ChuckCurran; got it
15:56:15 [aleecia]
zakim, aacc is Chuck
15:56:17 [Zakim]
sorry, aleecia, I do not recognize a party named 'aacc'
15:56:25 [npdoty]
Zakim, mute me
15:56:25 [Zakim]
npdoty should now be muted
15:56:30 [aleecia]
zakim, mute me
15:56:30 [Zakim]
aleecia should now be muted
15:56:48 [aleecia]
Nick: thanks, I'll let you add people
15:57:04 [WileyS]
WileyS has joined #DNT
15:57:57 [npdoty]
15:57:58 [dwainberg]
dwainberg has joined #dnt
15:58:29 [justin]
justin has joined #dnt
15:58:57 [aleecia]
zakim, agenda?
15:58:57 [Zakim]
I see 9 items remaining on the agenda:
15:58:59 [Zakim]
1. administrative: selection of scribe [from aleecia]
15:59:01 [Zakim]
2. administrative: comments on minutes [from aleecia]
15:59:06 [Zakim]
3. administrative: strawman drafts & Santa Clara [from aleecia]
15:59:10 [Zakim]
4. old business: review of action items [from aleecia]
15:59:12 [Zakim]
5. new business: ISSUE-19: Data collection / Data use (3rd party) [from aleecia]
15:59:13 [jmayer]
jmayer has joined #dnt
15:59:14 [Zakim]
6. new business: ISSUE-59: Should the first party be informed about whether the [from aleecia]
15:59:16 [Zakim]
7. new business: ISSUE-88: different rules for impression of and interaction with [from aleecia]
15:59:18 [Zakim]
8. new business: ISSUE-26: Providing data to 3rd-party widgets -- does that imply [from aleecia]
15:59:20 [Zakim]
9. Announce next meeting & Adjourn [from aleecia]
15:59:21 [Zakim]
+ +1.516.695.aadd
15:59:24 [Zakim]
15:59:33 [aleecia]
zakim, unmute me
15:59:33 [Zakim]
aleecia should no longer be muted
15:59:55 [Zakim]
15:59:55 [npdoty]
Zakim, aadd is Lia_FPF
15:59:56 [Zakim]
+Lia_FPF; got it
16:00:07 [npdoty]
Zakim, who is on the phone?
16:00:07 [Zakim]
On the phone I see aleecia, SeanH, alex (muted), Rob, ChuckCurran, npdoty (muted), Lia_FPF, dwainberg, jmayer
16:00:10 [Zakim]
+ +1.949.483.aaee
16:00:17 [dsriedel]
dsriedel has joined #dnt
16:00:27 [npdoty]
Zakim, aaee is Frank_BlueCava
16:00:27 [Zakim]
+Frank_BlueCava; got it
16:00:30 [Zakim]
+ +1.202.629.aaff
16:00:31 [Zakim]
16:00:51 [npdoty]
Zakim, aaff is Carmen
16:00:51 [Zakim]
+Carmen; got it
16:01:10 [aleecia]
If you are on IRC and not on the call yet, please call in: we're about to get started
16:01:15 [Zakim]
+ +1.813.366.aagg
16:01:16 [CarmenBalber]
CarmenBalber has joined #dnt
16:01:17 [aleecia]
zakim, code?
16:01:17 [Zakim]
the conference code is 87225 (tel:+1.617.761.6200, aleecia
16:01:19 [hefferjr]
hefferjr has joined #dnt
16:01:30 [Zakim]
16:01:36 [Zakim]
+ +1.408.349.aahh
16:01:37 [Zakim]
16:01:38 [Vincent]
Vincent has joined #dnt
16:01:45 [Zakim]
16:01:46 [Zakim]
16:01:52 [Chris]
Chris has joined #dnt
16:02:02 [dsriedel]
zakim, mute me
16:02:02 [Zakim]
dsriedel should now be muted
16:02:09 [NinjaMarnau]
Sorry, I won't be able to call in. Apparently the number is blocked
16:02:13 [Zakim]
16:02:25 [aleecia]
next agendum
16:02:28 [NinjaMarnau]
but I will read the IRC chat, and will fix my telephone
16:02:33 [npdoty]
Sorry, I missed aagg…. can 813 repeat their name?
16:02:54 [npdoty]
Zakim, aagg is Heffernen
16:02:54 [Zakim]
+Heffernen; got it
16:02:55 [Zakim]
+ +1.202.744.aaii
16:03:05 [npdoty]
Zakim, aahh is WileyS
16:03:05 [Zakim]
+WileyS; got it
16:03:34 [npdoty]
Zakim, aaii is Chris
16:03:34 [Zakim]
+Chris; got it
16:03:37 [npdoty]
good to go
16:03:41 [npdoty]
Zakim, unmute me
16:03:41 [Zakim]
npdoty should no longer be muted
16:03:58 [npdoty]
Zakim, [IPcaller] has Vincent
16:03:58 [Zakim]
+Vincent; got it
16:04:20 [npdoty]
Zakim, mute me
16:04:20 [Zakim]
npdoty should now be muted
16:04:37 [aleecia]
zakim, select victim
16:04:37 [Zakim]
I don't understand 'select victim', aleecia
16:04:47 [adrianba]
adrianba has joined #dnt
16:05:03 [npdoty]
scribenick: dwainberg
16:05:33 [Zakim]
+ +49.157.884.8.aajj
16:05:53 [Zakim]
16:06:00 [npdoty]
Zakim, aajj is schunter
16:06:00 [Zakim]
+schunter; got it
16:06:02 [aleecia]
next agendum
16:06:15 [npdoty]
16:06:16 [Zakim]
+ +1.415.200.aakk
16:06:17 [adrianba]
zakim, [Microsoft] has me
16:06:18 [Zakim]
+adrianba; got it
16:06:19 [aleecia]
next agendum
16:06:21 [Zakim]
+ +1.212.673.aall
16:06:24 [aleecia]
next agendum
16:06:24 [dwainberg]
aleecia: any comments on last week's minutes?
16:06:33 [aleecia]
next agendum
16:06:37 [Zakim]
+ +1.334.703.aamm
16:06:37 [jkaran]
jkaran has joined #dnt
16:06:38 [npdoty]
Zakim, close this agendum
16:06:41 [Zakim]
agendum 2 closed
16:06:43 [Zakim]
I see 6 items remaining on the agenda; the next one is
16:06:44 [dwainberg]
... moving on to next agenda item
16:06:44 [npdoty]
Zakim, next agendum
16:06:47 [Zakim]
4. old business: review of action items [from aleecia]
16:06:49 [Zakim]
agendum 4. "old business: review of action items" taken up [from aleecia]
16:06:59 [pde]
hi all
16:07:03 [aleecia]
16:07:09 [dwainberg]
... We will go through old biz, and look at open action items.
16:07:46 [Frank]
Frank has joined #dnt
16:07:52 [BrianTs]
BrianTs has joined #dnt
16:08:05 [PMagee]
PMagee has joined #dnt
16:08:08 [dwainberg]
... David Wainberg had open action to create a proposal.
16:08:26 [dwainberg]
dwainberg: I think that's closed, but aleecia and matthias were to discuss.
16:08:36 [dwainberg]
aleecia: We'll assume it's closed.
16:08:45 [aleecia]
member:Zakim, close this agendum
16:08:45 [clp]
clp has joined #dnt
16:08:48 [npdoty]
Zakim, next agendum
16:08:48 [Zakim]
agendum 5. "new business: ISSUE-19: Data collection / Data use (3rd party)" taken up [from aleecia]
16:09:13 [dwainberg]
aleecia: giving a sense of what's coming up next 2 weeks.
16:09:21 [npdoty]
Zakim, take up agendum 3
16:09:21 [Zakim]
agendum 3. "administrative: strawman drafts & Santa Clara" taken up [from aleecia]
16:09:27 [dwainberg]
... 2 strawman docs by the end of this week, with lots of placeholders.
16:10:13 [Zakim]
16:10:17 [dwainberg]
... please take a close look. Procedure is we look at the first draft, discuss whether there's anything we disagree with to prevent it from
16:10:24 [dwainberg]
... going out as first public working draft.
16:10:29 [clp]
(on call at last)
16:10:48 [npdoty]
Zakim, ??P12 is clp
16:10:50 [Zakim]
+clp; got it
16:11:30 [Zakim]
- +1.334.703.aamm
16:11:36 [Zakim]
16:11:37 [dwainberg]
... last call for issues is quite a ways out, but this will give us a structure for the docs (will discuss in SC).
16:11:59 [ksmith]
ksmith has joined #DNT
16:12:31 [dwainberg]
... one of the other pieces to look at in SC, is whether to continue with 2 recommendations, or whether the tracking protection lists are something this group should move forward with.
16:12:54 [dwainberg]
... first working draft by early november? any objection? [none heard]
16:13:05 [npdoty]
Zakim, take up agendum 5
16:13:05 [Zakim]
agendum 5. "new business: ISSUE-19: Data collection / Data use (3rd party)" taken up [from aleecia]
16:13:14 [npdoty]
16:13:15 [Zakim]
16:13:28 [clp]
16:13:36 [npdoty]
ack clp
16:13:38 [Zakim]
+ +1.801.830.aann
16:13:41 [dwainberg]
... Any suggestions on what a 3rd party should do when it receives a DNT header?
16:14:04 [KevinT]
KevinT has joined #dnt
16:14:11 [BrianTs]
Zakim, [Microsoft.a] has BrianTs
16:14:11 [Zakim]
+BrianTs; got it
16:14:21 [dwainberg]
clp: a party consults its relationship, to discover whether it's been exempted by anything in place?
16:14:31 [dwainberg]
aleecia: exactly what we don't want to get into.
16:14:39 [Zakim]
+ +1.334.703.aaoo
16:14:46 [dwainberg]
... so this is a 3rd party that knows it's a 3rd party.
16:14:52 [WileyS]
16:14:56 [jkaran]
16:15:06 [Zakim]
- +1.334.703.aaoo
16:15:48 [aleecia]
16:15:54 [clp]
When 3rd party gets DNT:
16:15:55 [npdoty]
ack WileyS
16:15:58 [dwainberg]
clp: [will type it in]
16:16:15 [clp]
Do not show any tracking behavior user might interpret as tracking
16:16:31 [clp]
Can use geographics or language preferences though
16:16:38 [Lia]
Lia has joined #dnt
16:16:40 [clp]
and no data collected from current session
16:16:41 [dwainberg]
shane: 3rd party would 1) halt profiling of that particular event (info collected only for operational or fraud prevention) 2) would no longer target the user with OBA advertising.
16:16:46 [jmayer]
16:16:47 [pde]
16:16:51 [dwainberg]
... other approaches would still be allowable.
16:17:32 [dwainberg]
shane: demo ok: age and gender
16:17:41 [dwainberg]
aleecia: does that include zip+4?
16:17:48 [dwainberg]
shane: it's too granular.
16:18:01 [aleecia]
16:18:30 [dwainberg]
shane: had this discussion previously. Propose that zip is as granular as you could get.
16:18:40 [clp]
5 digit code only
16:18:42 [npdoty]
ack jkaran
16:19:11 [dwainberg]
jkaran: 3rd parties used in other instances. Need to be clear that 3rd parties are not just advertisers.
16:19:37 [dwainberg]
aleecia: what should those companies do when receiving a DNT?
16:19:57 [pde]
jkaran, IP address plus user agent is sufficient for powerful tracking methods
16:20:10 [dwainberg]
jkaran: nothing. They're just recording the domain and an IP address -- whether the ad met the geo and site requirements of a campaign.
16:20:27 [pde]
jkaran, a cookie is only slightly more precise than IP + user agent
16:20:39 [dwainberg]
aleecia: one of your arguments is that only cookies are affected by DNT, 2 ???
16:20:49 [dwainberg]
jkaran: not necessarily
16:21:01 [justin]
agree with pde
16:21:25 [dwainberg]
jkaran: they aren't tracking anything about that user.
16:21:36 [dwainberg]
aleecia: we're going to run into difference about what is tracking or not.
16:21:46 [rvaneijk]
recording an IP address is tracking in the Netherlands
16:22:16 [dwainberg]
... so is the distinction that because of the type of business that it's something different from the other companies?
16:22:25 [WileyS]
16:22:28 [ksmith]
Sounds like they are not doing cross site tracking
16:22:55 [jmayer]
um, how about ip addresses?
16:23:09 [pde]
ksmith, if they have IP + user agent + referrer, that sounds like it would amount to an extensive cross-site profile
16:23:16 [justin]
If they're logging multiple domains by IP address, that's tracking.
16:23:20 [dwainberg]
jkaran: just that there are companies that are third parties that might be exempt because they're not doing behavioral advertising. How do we want to define who is a 3rd party that needs to follow DNT?
16:23:33 [justin]
But we may want to discuss whether there is an exception for ad reporting.
16:23:38 [dwainberg]
aleecia: you're saying that because the info is not collected and used over time, that it's not tracking?
16:23:44 [dwainberg]
jkaran: potentially.
16:24:37 [npdoty]
ack jmayer
16:25:22 [dwainberg]
jmayer: threat model is that a company the user doesn't expect to interact with gets a copy of the user's browsing history.
16:25:25 [aleecia]
issue: If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking?
16:25:26 [trackbot]
Created ISSUE-92 - If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking? ; please complete additional details at .
16:25:31 [Zakim]
+ +1.334.703.aapp
16:25:56 [npdoty]
Zakim, who is talking?
16:26:06 [Zakim]
npdoty, listening for 10 seconds I heard sound from the following: clp (5%), Lia_FPF (25%), jmayer (50%)
16:26:07 [dwainberg]
... the 1st big implication is that it doesn't matter how the info is used.
16:26:28 [dwainberg]
... the fact that the data exists is the privacy risk. So as long as the data exists, the company is a 3rd party.
16:26:36 [ksmith]
they certainly have the info available to do cross site tracking, but if they check campaign restraints and then throw the data away (do not store it) it seems better to me. I am not sure if that is what they are doing. But that sounds like what she was describing.
16:27:05 [dwainberg]
... 2nd: it's backwards to pigeon hole use-based definitions. Silly to have a definition that takes tech off the table, if it can be used w/ out tracking.
16:27:10 [pde]
ksmith, if they do not store it, I agree with you
16:27:15 [aleecia]
ksmith: feel free to add that to the issue, that's good background to capture
16:27:27 [dwainberg]
... that means that what tracking means will change over time.
16:27:33 [pde]
for that reason I think the verb "collect" is a bit confusing -- "retain" is better IMO
16:27:46 [Zakim]
+ +1.916.212.aaqq
16:28:05 [ksmith]
good point
16:28:10 [dwainberg]
... 3 high level points about what DNT has to do.
16:28:28 [WileyS]
Tracking = cross-site accumulation of site activity? Or rather, if a 3rd party receives the DNT signal they would no longer accumulate cross-site activity AND not leverage previously collected cross-site activity to modify the user's experience.
16:29:32 [dwainberg]
aleecia: summary: rather than have an exemption based on biz model there may be more or less privacy protective ways to do certain things so we should look at that.
16:29:39 [aleecia]
16:29:47 [npdoty]
ack pde
16:29:50 [justin]
Right, but could it be retained for SOME period for, say, frequency capping?
16:31:02 [dwainberg]
pde: if a company has a truly anonymous way of doing OBA that's fine as long as they're not retaining clickstream. So that means if you're a 3rd party and you see DNT you need to anonymize distinguishing unique identifiers in your logs.
16:31:12 [Zakim]
16:31:22 [NinjaMarnau]
justin, what period of time are we talking about?
16:31:33 [hwest]
hwest has joined #dnt
16:31:52 [npdoty]
16:31:56 [npdoty]
ack WileyS
16:32:26 [pde]
pde: so if you're a 3rd party without an operating exception,
16:32:37 [dwainberg]
WileyS: sounds like where we're resolving: 3rd party would no longer accumulate cross site activity server side and would no longer leverage previously collected cross site activity.
16:32:46 [pde]
pde: you must not be logging high-entropy cookies
16:32:56 [justin]
Ha, that's the question, isn't it? I've heard use cases for 90 days, but that might sit outside reasonable user's expectations, even if data wasn't leveraged to modify user experience.
16:33:07 [Zakim]
16:33:09 [dsriedel]
dsriedel has joined #dnt
16:33:17 [dsriedel]
zakim, mute me
16:33:17 [Zakim]
dsriedel was already muted, dsriedel
16:33:20 [jmayer]
jmayer: 1) cuts across uses, business models; 2) will change over time; 3) if there are things we'll allow, make them narrow exceptions - not tracking
16:33:55 [dwainberg]
pde: quick reply: server side stuff: can someone looking at the server extract a meaningful portion of the user's history?
16:34:34 [dwainberg]
shane: to jmayer's question: is it the issue that we're more concerned with accumulation of cross site data?
16:34:40 [pde]
pde: (continuing from before... in addition to cookies, you should be not retaining IP addresses)
16:34:49 [pde]
pde: (or encrypting them with a rotating key)
16:34:52 [dwainberg]
jmayer: yes, but when I say cross site data, I have something different in mind than others.
16:34:53 [Zakim]
+ +1.202.263.aarr
16:35:10 [pde]
pde: and you should be discarding all but the most common User Agent strings
16:35:34 [rvaneijk]
cross site data is data containing unique identifiers that can be correlated across websites
16:35:34 [dwainberg]
shane: we keep pushing and pulling on definitions, but I agree that we should cement perspectives and then go into definitions.
16:35:37 [pde]
pde: (or extracting only the most relevant portions of them)
16:35:44 [jules]
jules has joined #dnt
16:36:00 [dwainberg]
ACTION: Shane to write a concrete proposal re 3rd party response.
16:36:00 [trackbot]
Created ACTION-17 - Write a concrete proposal re 3rd party response. [on Shane Wiley - due 2011-10-26].
16:36:10 [NinjaMarnau]
rvaneijk, I agree, and this also includes IP addresses
16:36:18 [jules]
jules is here
16:36:43 [WileyS]
16:36:50 [dwainberg]
aleecia: trying something else: w3c is in a position to ask browsers to do something. Any use in asking browsers to change behavior for 3rd parties?
16:37:27 [npdoty]
ack WileyS
16:37:57 [dwainberg]
WileyS: assume we wouldn't want to do this because if we are going to have use exemptions, browser wouldn't understand that.
16:38:11 [jkaran]
16:38:21 [npdoty]
ack jkaran
16:38:47 [dwainberg]
jkaran: probably will be situations where a company has different use cases depending on the role they're playing in that particular request.
16:39:05 [aleecia]
16:40:12 [jmayer]
clarification to earlier comments: change will happen over time in what dnt covers, but that's an issue for definitions of exemptions - the high-level definition of tracking won't change
16:40:24 [npdoty]
scribenick: hwest
16:40:42 [npdoty]
Zakim, close agendum 5
16:40:43 [Zakim]
agendum 5, new business: ISSUE-19: Data collection / Data use (3rd party), closed
16:40:45 [Zakim]
I see 4 items remaining on the agenda; the next one is
16:40:46 [Zakim]
6. new business: ISSUE-59: Should the first party be informed about whether the [from aleecia]
16:40:48 [WileyS]
16:40:54 [npdoty]
16:40:54 [trackbot]
ISSUE-59 -- Should the first party be informed about whether the user has sent a DNT header to third parties on their site? -- raised
16:40:54 [trackbot]
16:40:55 [hwest]
aleecia: moving on to ISSUE-59, whether the third party receives do not track
16:41:09 [jmayer]
16:41:18 [aleecia]
ack WileyS
16:41:20 [hwest]
swiley: this is an issue around the first party being informed if the third party is being subjected to the dnt signal
16:41:48 [pde]
16:42:01 [hwest]
... when does the first party know to ask for an exception from the user. use case is that the first party is the party in a position to request the exception from a user if they see dnt, and does that apply to all third parties de facto for the first party? If not, how does the first party know that one of the first parties is excepted?
16:42:03 [npdoty]
Zakim, unmute me
16:42:03 [Zakim]
npdoty should no longer be muted
16:42:16 [hwest]
... from Yahoo, we would absolutely want to know if we could
16:42:38 [hwest]
... if we set up the ruleset such that the first party exception is received by all third parties, then perhaps the first party doesn't know
16:43:11 [hwest]
aleecia: in Boston, we discussed exemptions; if a first party gets an exception, does that transfer all over the net when they're a third party?
16:43:26 [Zakim]
16:43:34 [hwest]
... this isn't something we can resolve quickly or cleanly. Best bet is to assume that at least some third parties will not inherit those exceptions
16:43:54 [hwest]
swiley: with that assumption, then first party should be made aware that that is occurring.
16:43:57 [clp]
16:44:06 [aleecia]
ack jmayer
16:44:06 [hwest]
aleecia: presumably, if first party is seeing DNT, so is third?
16:44:22 [JC]
JC has joined #DNT
16:44:42 [hwest]
jmayer: I take no issue with entities throughout the ecosystem to know what the user has set DNT to; if NYT wants to throw up the paywall for a DCLK exemption, ok.
16:45:10 [hwest]
... technical mechanisms: use standard web technologies - DCLK can tell NYT using a post message, they would have to agree on what that message looks like
16:45:18 [hwest]
... an example in the DNT Cookbook
16:45:32 [hwest]
(jmayer: can you make sure I got that right given the breakup in the audio?)
16:45:51 [pde]
jmayer, since your audio keeps breaking, fix things in IRC :)
16:45:51 [hwest]
jmayer: first and third parties can negotiate standards around that message
16:46:09 [hwest]
aleecia: so you're saying it's fine to have that communication but the parties will have to figure out how to do that
16:46:11 [WileyS]
16:46:38 [hwest]
pde: I think that there are several different ways that we could have gone with this design question. JMayer's way is one of them. You could lead with the third party, or with the first party.
16:46:56 [hwest]
... if you're Yahoo and you want to manage how DNT affects your third parties, one way to do that is get a message back from third parties about receipt and compliance.
16:47:17 [hwest]
... another is an opt from users to the parties, send it as a URL primer if you're sure that this third party is excepted on your domain
16:47:38 [hwest]
... that's one design philosophy to solve this. There are other ones, in particular, could have gone with something that was more heavyweight on the browser side.
16:48:05 [hwest]
... browser could know that when you opt in, which parties are included in it. That design direction basically got cut off at the last meeting
16:48:17 [hwest]
... which leaves us looking at JMayer's approach
16:48:48 [hwest]
aleecia: since it's unclear that Google is implementing DNT into their browser, I am not as concerned as I might be, but that's a concern if browsers are not interested, then coming up with that spec is a waste of time
16:48:49 [aleecia]
ack pde
16:48:55 [aleecia]
ack clp
16:49:20 [WileyS]
16:49:28 [pde]
16:49:29 [hwest]
clp: seems to me that there is a symmetrical view of the first and third party in charge. It's a business technical question. We can decide that separately. Third point is optimization or cost.
16:50:08 [hwest]
... first we should decide what the symmetrical model we care about is, then what we want to do, and then as a third option we say what best practices/suggestions are
16:50:12 [dsriedel]
This might break our goal of feasibility of implementation, no?
16:50:26 [aleecia]
dsriedel, please expand?
16:50:33 [hwest]
... seems to me that the priority is to get a simple clear description of what the world should think about this, and then we have all these issues
16:50:37 [aleecia]
ack pde
16:51:04 [hwest]
pde: do we want to recommend or standardize the way that a first party would signal to a third party that they believe the third party is covered by an exception or opt in?
16:51:11 [hwest]
... could be picking a standard name for a parameter
16:51:32 [hwest]
... if we pick a standard parameter name then clients can choose to build a UI to watch those transactions
16:51:59 [hwest]
aleecia: great way to frame where we are. going to take one step back
16:52:03 [dsriedel]
Considering that a 1st party works with a range of 3rd parties for different purposes, this would require a huge amount of work and coordination between those parties to figure out technical solutions for realizing communication through the websites
16:52:23 [hwest]
... in this discussion we have been going with the assumption that it's useful for first parties to know whether third parties get exception
16:52:34 [hwest]
... please note any disagreement with that view
16:52:36 [pde]
dsriedel, would that not be a good reason to standardise the parameter name?
16:52:44 [Chris]
Not sure we agree with this.
16:53:15 [CarmenBalber]
Not sure we agree either
16:53:16 [hwest]
cle: as long as it's not TOO hard to implement
16:53:17 [ksmith]
I am not necessarily against it, but it seems like it would add quite a bit of complexity, so I would not want to require it
16:53:23 [pde]
so that all of these companies know that if they get dnt-override=1, that's a 1st party telling them they're covered by an exception
16:53:35 [hwest]
aleecia: different views as to whether it's a must, best practices, etc - just want to see whether it's a useful thing
16:54:07 [dsriedel]
pde, sure it is. but so far I understood that this would be a web technology like postMessage or any that relies on XHR for example
16:54:07 [Frank]
Not sure agree with this
16:54:09 [hwest]
someone: first reaction is that implies that first parties will police or ensure compliance, don't want to put first parties in that role necessarily
16:54:20 [hwest]
... need to give that more thought and figure out what our role would be there
16:54:46 [hwest]
aleecia: use case earlier was that I'm a first party, third party on my site is going to be blocked by DNT, and that means I want to take some action based on that
16:55:16 [dsriedel]
So this would require a draft on how this could work and then some entity to implement the libraries in distinct programming languages providing it to the parties to implement
16:55:22 [dsriedel]
is that where this would go?
16:55:31 [hwest]
... the idea that first parties might be liable for what a third party does wrong?
16:56:20 [hwest]
carmen: not something we have considered, makes sense that first parties would want to know
16:56:32 [pde]
dsriedel, libraries is a strong word. To my knowledge all web programming libraries have extremely easy ways to check for the presence of value of a URL parameter
16:56:37 [hwest]
... at the same time, we'd be leery of a notification that would enable a first party to penalize consumers because they've implemented DNT
16:56:50 [pde]
s/programming libraries/programming environments/
16:57:03 [hwest]
aleecia: first parties will still either receive or not receive DNT so may not change the issue
16:57:13 [dwainberg]
16:57:14 [JC]
If a third-party is being blocked because of DNT I would expect the client to have a list of them.
16:57:21 [hwest]
... having a communication from first and third party probably doesn't change issue
16:57:44 [dsriedel]
pde, agreed
16:57:56 [hwest]
... if we wind up with this, are you ok with the idea of communication between a first and third party?
16:58:08 [hwest]
someone: I think it would be fine for us
16:58:16 [hwest]
... there would be cases where we'd definitely want to know
16:58:21 [Zakim]
16:58:25 [hwest]
... where a third party had been blocked
16:58:33 [JC]
I would not see sites to have to develop communications between third parties. Seems like an unnecessary complication.
16:58:37 [dwainberg]
16:59:06 [hwest]
Frank: I think that we could understand where someone would want to broadcast an exception where they're compliant
16:59:15 [hwest]
... not sure about implementation details
16:59:43 [hwest]
aleecia: let's not discuss whether this is option, must, best practices, etc
16:59:55 [dwainberg]
16:59:59 [Vincent]
I have to leave the call, still following on irc
17:00:06 [Zakim]
17:00:07 [hwest]
... instead let's figure out what the best technical approach is to allow getting that information
17:00:25 [hwest]
... unless anyone has objections, that's the direction we'll take
17:00:25 [aleecia]
17:00:33 [aleecia]
ack dwainberg
17:00:41 [hwest]
dwainberg: is that a conversation that's dependent on determining how to manage consent?
17:00:59 [hwest]
... if we don't know how exceptions are managed, doesn't that make it hard to discuss how those choices are communicated between parties?
17:01:16 [hwest]
aleecia: we may need to change decisions later but need to start the decisions somewhere
17:01:24 [aleecia]
17:01:56 [hwest]
Kevin: wanted to talk about implementation. Doesn't really seem that conceivable to get that communication, typically 1st and 3rd parties are not communicating
17:02:09 [hwest]
... different requests for each content
17:02:20 [dsriedel]
Correct, Kevin.
17:02:28 [hwest]
... would require pages to change their implementation (AJAX maybe)
17:02:39 [jmayer]
17:02:41 [hwest]
... there could be some benefit, but it's a lot of work and might require overhaul of the web
17:02:43 [pde]
was that ksmith speaking?
17:02:55 [aleecia]
ack jmayer
17:03:03 [ksmith]
yes, ksmith
17:03:14 [hwest]
jmayer: wanted to briefly respond, don't agree that this would be a rewrite of lots of websites. Lots of light touch ways to implement
17:03:31 [hwest]
... in your ad tag, you could add a message handler that responds with the site's DNT status
17:03:45 [hwest]
... lots of good ways to do this
17:03:58 [clp]
17:04:01 [hwest]
aleecia: were you talking about a third party finding out first party status?
17:04:10 [hwest]
jmayer: it was one possible example
17:04:33 [hwest]
... if you wanted to have a third party status provided to a first party, could query its iframes and figure out its dnt status
17:04:44 [pde]
pde: I also disagree with ksmith's characterisation of AJAX as being a large, difficult change for this particular purpose. You don't need to do AJAX everywhere -- a few lines of JavaScript somewhere for this particular purpose is all that's required
17:04:47 [aleecia]
ack clp
17:05:03 [hwest]
cle: wanted to underline what aleecia has tried to say - we need to separate consensus that we have - that it could be useful
17:05:09 [hwest]
... from how we accomplish that on the tech side
17:05:27 [hwest]
... seems like we have consensus that this could be useful, depending on the implementation
17:05:45 [hwest]
... so let's just move forward with that
17:05:52 [hwest]
aleecia: worth adding the symmetrical case as an issue
17:05:57 [npdoty]
npdoty has joined #dnt
17:06:03 [pde]
pde: all that's required /if/ you really want to know whether your third parties are DNT'd
17:06:13 [Zakim]
- +1.334.703.aapp
17:06:14 [hwest]
... agree that we have consensus as well as concerns around implementation
17:06:19 [hwest]
... we can come back to that later
17:06:36 [hwest]
... it is useful for a first party to know the status of third parties on the site
17:06:59 [hwest]
... I'll ask a few people to take an action item to send a proposal for how this would work to the mailing list.
17:07:05 [ksmith]
Disagree with Jmayer. An individual call would not be hard, but doing this for all 3rd party requests would be effort and performance prohibitive
17:07:07 [hwest]
... JMayer, PDE?
17:07:19 [hwest]
... can you write something up by next Tuesday?
17:07:23 [hwest]
jmayer: yes
17:07:30 [hwest]
pde: I'll write about DNT override solution
17:07:47 [Zakim]
- +1.916.212.aaqq
17:07:55 [aleecia]
action: jmayer to write a summary of options for how 1st parties hear 3rd party status by tuesday
17:07:56 [trackbot]
Created ACTION-18 - Write a summary of options for how 1st parties hear 3rd party status by tuesday [on Jonathan Mayer - due 2011-10-26].
17:08:19 [aleecia]
action: pde to write an option for how 1st parties hear 3rd party status by tuesday
17:08:19 [trackbot]
Sorry, couldn't find user - pde
17:08:40 [hwest]
cle: W3C question: my impression is that we're in the center of what everyone cares about?
17:08:54 [hwest]
aleecia: not sure, this WG is central yes, but conversation may be better offline
17:09:42 [aleecia]
action: aleecia to summarize progress on this issue
17:09:43 [trackbot]
Created ACTION-19 - Summarize progress on this issue [on Aleecia McDonald - due 2011-10-26].
17:09:43 [pde]
aleecia, I'm going to write a proposal for how 1st parties /set/ 3rd party status (for a specific request/operation)
17:09:44 [hwest]
aleecia: not going to close this issue, but we are moving forward
17:10:02 [pde]
in a standardised, observable way
17:10:19 [trackbot]
ISSUE-88 -- different rules for impression of and interaction with 3rd-party ads/content -- raised
17:10:24 [hwest]
aleecia: ok, ISSUE-88
17:10:39 [npdoty]
npdoty has joined #dnt
17:10:47 [hwest]
... are there different rules for impression versus interaction? Tied to ISSUE-26, third party widget interactions
17:11:05 [hwest]
... so does interaction with an ad or a widget change how they classify under DNT?
17:11:14 [hwest]
... does that make it a first party once you've interacted with it?
17:11:44 [hwest]
WileyS: just to pick up where we were over email, between impression and interaction seems to be agreement that interaction is a first party
17:11:51 [hwest]
... some are hard rules, some are soft
17:12:04 [hwest]
... need appropriate branding and linkage to widget owner privacy policy
17:12:29 [hwest]
... jmayer modified that there would be certain times where something is so ubiquitous that direct branding isn't necessary, but in some cases it would be
17:12:45 [hwest]
... everyone knows what the FB like button is, but it's carried the branding with it
17:12:53 [hwest]
... would we all agree on linkage back to privacy policy?
17:13:13 [hwest]
... if we agree on interaction is first party, with conditions, then that's a good starting point
17:14:05 [hwest]
aleecia: user expectation is met if the user really knows it's not the first party, and when user interacts with that in a meaningful way, then first party interaction
17:14:23 [aleecia]
ack WileyS
17:14:42 [hwest]
seanharvey: is there a difference in state if a user is or isn't logged in to a service?
17:14:48 [aleecia]
ack hwest
17:15:04 [hwest]
... logged in state with relevant service - if you're not logged in, then do you have different obligations?
17:15:25 [hwest]
... i think there has to be some difference in how those standards interact
17:15:45 [hwest]
... if you're logged in, then there's a much better chance that they know the service, etc
17:16:03 [hwest]
... in those cases where you're not logged in, then users might be surprised that they're being associated with activities off those sites
17:16:16 [hwest]
... something that's been raised recently
17:16:26 [jmayer]
i think the recent facebook issues show logout = don't track, not login = tracking more ok
17:16:35 [justin]
I don't believe there should be a difference between logged in/logged out third parties.
17:16:51 [hwest]
aleecia: not as the chair, what I've seen in research is that users are surprised that login credentials persist from tab to tab or even more surprised when data is collected when they're not logged in
17:16:55 [aleecia]
ack clp
17:17:04 [hwest]
cle: wanted to make a mathematical observation. Hearing that this new idea could be recursively applied
17:17:30 [hwest]
... that would mean user thinks they're on site A, then parts of the website that the user might interact with, then they become a first party
17:17:36 [hwest]
... just pointing out that that recursively continues
17:17:49 [hwest]
... now that part of the page is first party, parts of IT may be third party
17:17:58 [pde]
action: peckersl to write an option for how 1st parties set 3rd party DNT status in an observable way
17:17:58 [trackbot]
Sorry, couldn't find user - peckersl
17:17:58 [hwest]
... this would allow all sorts of agent relationships
17:18:19 [aleecia]
ack wileyS
17:18:29 [hwest]
WileyS: did bring this up over email; this would be part of the conditions conversation
17:18:37 [hwest]
... interaction should be first party on the conditions that
17:18:45 [hwest]
... must side: branding and link back to privacy policy
17:18:55 [tl]
tl has joined #dnt
17:18:59 [hwest]
... agree with JMayer that there are situations where something may be so ubiquitous that it's not necessary
17:19:09 [hwest]
... should: if user is logged in, widget could represent that to the user
17:19:15 [tlr]
action: nick to get PeterE to write an option for how first parties set third party DNT status in an observable way
17:19:16 [trackbot]
Created ACTION-20 - Get PeterE to write an option for how first parties set third party DNT status in an observable way [on Nick Doty - due 2011-10-26].
17:19:23 [hwest]
... so that when they interact with the widget they know that they're logged in and the context of the interaction
17:19:38 [hwest]
... but then user might think that impression could be tied back to logged in state
17:19:59 [aleecia]
ack jmayer
17:20:04 [hwest]
jmayer: one of the two points on this
17:20:19 [hwest]
... in the referenced email talked about the FB like button
17:20:28 [hwest]
... other side of the coin is stuff that's very subtle
17:20:35 [hwest]
... generic sharing widgets, for example
17:20:55 [hwest]
... seems likely that users understand that they're sharing through a third party service, but not that the widget is itself a third party
17:21:43 [hwest]
... second, an alternative here is to put something next to the widget saying "hey if you let us, we'll do XYZ"
17:21:58 [hwest]
aleecia: also talking about mechanics of opting back in, let's have that conversation at a later time
17:22:31 [hwest]
... so if you click on third party content and have a meaningful interaction, we will treat that as a first party, subject to possible conditions
17:23:01 [hwest]
... make sure that muting isn't interaction, etc
17:23:13 [hwest]
... does this sound like the point that we're in agreement on?
17:23:33 [aleecia]
ack jmayer
17:24:09 [hwest]
jmayer: I don't disagree, I sideways agree - concern is that users understand what's going on. Framing it as interaction isn't how I see it, I see it as the point where a user understands that they're interacting with this company
17:24:25 [hwest]
... lots of cases and design considerations
17:24:29 [dsriedel]
How can the user understand about 3rd party elements and widgets if they are not "marked" in a certain way?
17:24:37 [hwest]
... lots of stuff here that has subtlety
17:24:39 [dsriedel]
Wouldn't you like to give the user a hint about it?
17:24:47 [hwest]
aleecia: better to refer to meaningful interaction rather than clicking?
17:25:03 [hwest]
jmayer: I think so, and would suggest that it be defined as reasonable expectation from the user
17:25:25 [WileyS]
+1 - agree with "meaningful interaction" meaning a user reasonably expects "interaction"
17:25:39 [hwest]
aleecia: any disagreement with the general direction?
17:26:11 [hwest]
... ok, then, I would like to move forward to what some of this should look like
17:26:20 [hwest]
... would like a more useful proposal for text in the strawman doc
17:26:32 [justin]
Are we agreeing on the flip side too? That without meaningful interaction, you're a third party?
17:26:54 [hwest]
aleecia: justin raises a good point
17:27:18 [jmayer]
justin - yes
17:27:18 [hwest]
action: jmayer writes up a third party interaction bit for the doc
17:27:18 [trackbot]
Created ACTION-21 - Writes up a third party interaction bit for the doc [on Jonathan Mayer - due 2011-10-26].
17:27:57 [justin]
I agree, but I thought Sean might be disagreeing.
17:27:58 [hwest]
aleecia: justin asks whether we're also at consensus on the flip side - no meaningful interaction means you're a third party
17:28:15 [hwest]
... even if signed in?
17:28:28 [justin]
Yes, even if signed in.
17:28:32 [hwest]
aleecia: let's try signed out for now
17:28:50 [jmayer]
agreed, justin
17:28:52 [hwest]
... even if you give info to the widget, is that first party?
17:29:10 [hwest]
I'm tempted to argue that would be meaningful interaction
17:29:27 [hwest]
aleecia: we'll postpone (as there was disagreement). Thanks!
17:29:28 [Zakim]
- +1.212.673.aall
17:29:34 [clp]
Sorry Aleecia
17:29:37 [Zakim]
- +1.801.830.aann
17:29:49 [clp]
Didn't mean to cut off another consensus
17:29:51 [Zakim]
- +1.415.200.aakk
17:29:53 [clp]
Bye all
17:29:57 [aleecia]
All good, no worries
17:30:11 [clp]
Contact me if I can help you
17:30:13 [clp]
Have time
17:30:21 [clp]
Au revoir aleecia All
17:31:09 [Frank]
Frank has left #dnt
17:31:19 [aleecia]
RRSAgent, set logs world-visible
17:31:29 [aleecia]
RRSAgent, make minutes
17:31:29 [RRSAgent]
I have made the request to generate aleecia
17:32:15 [Zakim]
- +1.202.263.aarr
17:33:19 [adrianba]
adrianba has left #dnt
18:20:19 [Zakim]
disconnecting the lone participant, WileyS, in T&S_Track(dnt)12:00PM
18:20:20 [Zakim]
T&S_Track(dnt)12:00PM has ended
18:20:25 [Zakim]
Attendees were aleecia, +1.212.565.aaaa, SeanH, +1.813.366.aabb, alex, Rob, +1.202.835.aacc, npdoty, ChuckCurran, +1.516.695.aadd, dwainberg, jmayer, Lia_FPF, +1.949.483.aaee,
18:20:30 [Zakim]
... Frank_BlueCava, +1.202.629.aaff, PederMagee, Carmen, +1.813.366.aagg, +1.408.349.aahh, Justin, dsriedel, fielding, Heffernen, +1.202.744.aaii, WileyS, Chris, Vincent,
18:20:34 [Zakim]
... +49.157.884.8.aajj, schunter, +1.415.200.aakk, adrianba, +1.212.673.aall, +1.334.703.aamm, clp, [Microsoft], +1.801.830.aann, BrianTs, +1.334.703.aaoo, +1.334.703.aapp,
18:20:36 [Zakim]
... +1.916.212.aaqq, heather, +1.202.263.aarr
18:37:51 [aleecia]
zakim, clear agenda
18:37:51 [Zakim]
agenda cleared
18:38:18 [npdoty]
npdoty has joined #dnt
18:44:00 [trackbot]
ISSUE-59 -- Should the first party be informed about whether the user has sent a DNT header to third parties on their site? -- raised
20:15:45 [KevinT]
KevinT has joined #dnt
20:16:32 [KevinT1]
KevinT1 has joined #dnt
20:30:37 [ksmith]
ksmith has joined #DNT
20:57:28 [Zakim]
Zakim has left #dnt
21:07:24 [tl]
tl has joined #dnt
21:28:35 [mischat]
mischat has joined #dnt
22:49:01 [KevinT]
KevinT has joined #dnt
23:25:38 [KevinT]
KevinT has left #dnt