W3C

Tracking Protection Working Group Teleconference

19 Oct 2011

Agenda

See also: IRC log

Attendees

Present
aleecia, +1.212.565.aaaa, SeanH, +1.813.366.aabb, alex, Rob, +1.202.835.aacc, npdoty, ChuckCurran, +1.516.695.aadd, dwainberg, jmayer, Lia_FPF, +1.949.483.aaee, Frank_BlueCava, +1.202.629.aaff, PederMagee, Carmen, +1.813.366.aagg, +1.408.349.aahh, Justin, dsriedel, fielding, Heffernen, +1.202.744.aaii, WileyS, Chris, Vincent, +49.157.884.8.aajj, schunter, +1.415.200.aakk, adrianba, +1.212.673.aall, +1.334.703.aamm, clp, [Microsoft], +1.801.830.aann, BrianTs, +1.334.703.aaoo, +1.334.703.aapp, +1.916.212.aaqq, heather, +1.202.263.aarr
Regrets
Kevin_Trilli, Karl_Dubost, Ed_Felten, Kimon_Zorbas
Chair
aleecia
Scribe
dwainberg, hwest

Contents


<trackbot> Date: 19 October 2011

<aleecia> user has sent a DNT header to third parties on their site?

<aleecia> 3rd-party ads/content

<aleecia> consent?

<aleecia> If you are on IRC and not on the call yet, please call in: we're about to get started

<npdoty> scribenick: dwainberg

<npdoty> http://www.w3.org/2011/10/12-dnt-minutes.html

aleecia: any comments on last week's minutes?
... moving on to next agenda item

old business: review of action items

<aleecia> http://www.w3.org/2011/tracking-protection/track/actions/open

aleecia: We will go through old biz, and look at open action items.
... David Wainberg had open action to create a proposal.

dwainberg: I think that's closed, but aleecia and matthias were to discuss.

aleecia: We'll assume it's closed.

administrative: strawman drafts & Santa Clara

aleecia: giving a sense of what's coming up next 2 weeks.
... 2 strawman docs by the end of this week, with lots of placeholders.
... please take a close look. Procedure is we look at the first draft, discuss whether there's anything we disagree with to prevent it from
... going out as first public working draft.
... last call for issues is quite a ways out, but this will give us a structure for the docs (will discuss in SC).
... one of the other pieces to look at in SC, is whether to continue with 2 recommendations, or whether the tracking protection lists are something this group should move forward with.
... first working draft by early november? any objection? [none heard]

new business: ISSUE-19: Data collection / Data use (3rd party)

aleecia: Any suggestions on what a 3rd party should do when it receives a DNT header?

clp: a party consults its relationship, to discover whether it's been exempted by anything in place?

aleecia: exactly what we don't want to get into.
... so this is a 3rd party that knows it's a 3rd party.

<clp> When 3rd party gets DNT:

clp: [will type it in]

<clp> Do not show any tracking behavior user might interpret as tracking

<clp> Can use geographics or language preferences though

<clp> and no data collected from current session

shane: 3rd paryt would 1) halt profiling of that particular event (info collected only for operational or fraud prevention) 2) would no longer target the user with OBA advertising.
... other approaches would still be allowable.
... demo ok: age and gender

aleecia: does that include zip+4?

shane: it's too granular.
... had this discussion previously. Propose that zip is as granular as you could get.

<clp> 5 digit code only

jkaran: 3rd parties used in other instances. Need to be clear that 3rd parties are not just advertisers.

aleecia: what should those companies do when receiving a DNT?

<pde> jkaran, IP address plus user agent is sufficient for powerful tracking methods

jkaran: nothing. They're just recording the domain and an IP address -- whether the ad met the geo and site requirements of a campaign.

<pde> jkaran, a cookie is only slightly more precise than IP + user agent

aleecia: one of your arguments is that only cookies are affected by DNT, 2 ???

jkaran: not necessarily

<justin> agree with pde

jkaran: they aren't tracking anything about that user.

aleecia: we're going to run into difference about what is tracking or not.

<rvaneijk> recording an IP address is tracking in the Netherlands

aleecia: so is the distinction that because of the type of business that it's something different from the other companies?

<ksmith> Sounds like they are not doing cross site tracking

<jmayer> um, how about ip addresses?

<pde> ksmith, if they have IP + user agent + referrer, that sounds like it would amount to an extensive cross-site profile

<justin> If they're logging multiple domains by IP address, that's tracking.

jkaran: just that there are companies that are third parties that might be exempt because they're not doing behavioral advertising. How do we want to define who is a 3rd party that needs to follow DNT?

<justin> But we may want to discuss whether there is an exception for ad reporting.

aleecia: you're saying that because the info is not collected and used over time, that it's not tracking?

jkaran: potentially.

jmayer: threat model is that a company the user doesn't expect to interact with gets a copy of the user's browsing history.

<aleecia> issue: If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking?

<trackbot> Created ISSUE-92 - If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/92/edit .

jmayer: the 1st big implication is that it doesn't matter how the info is used.
... the fact that the data exists is the privacy risk. So as long as the data exists, the company is a 3rd party.

<ksmith> they certainly have the info available to do cross site tracking, but if they check campaign restraints and then throw the data away (do not store it) it seems better to me. I am not sure if that is what they are doing. But that sounds like what she was describing.

jmayer: 2nd: it's backwards to pigeon hole use-based definitions. Silly to have a definition that takes tech off the table, if it can be used w/ out tracking.

<pde> ksmith, if they do not store it, I agree with you

<aleecia> ksmith: feel free to add that to the issue, that's good background to capture

jmayer: that means that what tracking means will change over time.

<pde> for that reason I think the verb "collect" is a bit confusing -- "retain" is better IMO

<ksmith> good point

jmayer: 3 high level points about what DNT has to do.

<WileyS> Tracking = cross-site accumulation of site activity? Or rather, if a 3rd party receives the DNT signal they would no longer accumulate cross-site activity AND not leverage previously collected cross-site activty to modify the user's experience.

aleecia: summary: rather than have an exemption based on biz model there may be more or less privacy protective ways to do certain things so we should look at that.

<justin> Right, but could it be retained for SOME period for, say, frequency capping?

pde: if a company has a truly anonymous way of doing OBA that's fine as long as they're not retaining clickstream. So that means if you're a 3rd party and you see DNT you need to anonymize distinguishing unique identifiers in your logs.

<NinjaMarnau> justin, what period of time are we talking about?

<pde> pde: so if you're a 3rd party without an operating exception,

WileyS: sounds like where we're resolving: 3rd party would no longer accumlate cross site activity server side and would no longer leverage previously collected cross site activity.

<pde> pde: you must not be logging high-entropy cookies

<justin> Ha, that's the question, isn't it? I've heard use cases for 90 days, but that might sit outside reasonable user's expectations, even if data wasn't leveraged to modify user experience.

<jmayer> jmayer: 1) cuts across uses, business models; 2) will change over time; 3) if there are thing we'll allow, make them narrow exceptions - not tracking

pde: quick reply: server side stuff: can someone looking at the server extract a meaningful portion of the user's history?

shane: to jmayer's question: is it the issue that we're more concerned with accumlation of cross site data?

<pde> pde: (continuing from before... in addition to cookies, you should be not retaining IP addresses)

<pde> pde: (or encrypting them with a rotating key)

jmayer: yes, but when I say cross site data, I have something different in mind than others.

<pde> pde: and you should be discarding all but the most common User Agent strings

<rvaneijk> cross site data is data containing unique identifiers that can be correlated across websites

shane: we keep pushing and pulling on definitions, but I agree that we should cement perspectives and then go into definitions.

<pde> pde: (or extracting only the most relevant portions of them)

<scribe> ACTION: Shane to write a concrete proposal re 3rd party response. [recorded in http://www.w3.org/2011/10/19-dnt-minutes.html#action01]

<trackbot> Created ACTION-17 - Write a concrete proposal re 3rd party response. [on Shane Wiley - due 2011-10-26].

<NinjaMarnau> rvaneijk, I agree, and this also includes IP addresses

<jules> jules is here

aleecia: trying something else: w3c is in a position to ask browsers to do something. Any use in asking browsers to change behavior for 3rd parties?

WileyS: assume we wouldn't want to do this because if we are going to have use exemptions, browser wouldn't understand that.

jkaran: probably will be situations where a company has different use cases depending on the role they're playing in that particular request.

<jmayer> clarification to earlier comments: change will happen over time in what dnt covers, but that's an issue for definitions of exemptions - the high-level definition of tracking won't change

<npdoty> scribenick: hwest

new business: ISSUE-59: Should the first party be informed about whether the [from aleecia]

<npdoty> ISSUE-59?

<trackbot> ISSUE-59 -- Should the first party be informed about whether the user has sent a DNT header to third parties on their site? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/59

aleecia: moving on to ISSUE-59, whether the third party receives do not track

swiley: this is an issue around the first party being informed if the third party is being subjected to the dnt signal
... when does the first party know to ask for an exception from the user. use case is that hte first party is the part in a position to request the exception from a user if they see dnt, and does that apply to all third parties defacto for hte first party? If not, how does the first party know that one of the first parties is excepted?
... from Yahoo, we would absolutely want to know if we could
... if we set up the ruleset such that the first party exception is received by all third parties, then perhaps the first party doesn't know

aleecia: in Boston, we discussed exemptions; if a first party gets an exception, does that transfer all over the net when they're a third party?
... this isn't something we can resolve quickly or cleanly. Best bet is to assume that at least some third parties will not inherit those exceptions

swiley: with that assumption, then first party should be made aware that that is occuring.

aleecia: presumably, if first party isseeing DNT, so is third?

jmayer: I take no issue with entities throughout the ecosystem to know what the user has set DNT to; if NYT wants to throw up the paywall for a DCLK excemption, ok.
... technical mechanisms: use standard web technologies - DCLK can tell NYT using a post message, they would have to agree on what that message looks like
... an example in the DNT Cookbook

(jmayer: can you make sure I got that right given the breakup in the audio?)

<pde> jmayer, since your audio keeps breaking, fix things in IRC :)

jmayer: first and third parties can negotiate standards around that message

aleecia: so you're saying it's fine to have that communication but the parties will have to figure out how to do that

pde: I think that there aer several different ways that we could have gone with this design question. JMayer's way is one of them. You could lead with the third party, or with the first party.
... if you're Yahoo and you want to manage how DNT affects your third parties, one way to do that is get a message back from third parties abotu receipt and compliance.
... another is an opt from users to the parties, send it as a URL primer if you're sure that this third party is excepted on your domain
... that's one design philosophy to solve this. There are other ones, in particular, could have gone with something that was more heavyweight on the browser side.
... browser could know that when you opt in, which parties are included in it. That design direction basically got cut off at the last meeting
... which leaves us looking at JMayer's approach

aleecia: since it's unclear that Google is implementing DNT into their browser, I am not as concerned as I might be, but that's a concern if browsers are not interested, then coming up with that spec is a waste of time

clp: seems to me that there is a symmetrical view of the first and third party in charge. It's a business technical question. We can decide that separately. Third point is optimization or cost.
... first we should decide what the symmetrical model we care about is, then what we want to do, and then as a third option we say what best practices/suggestions are

<dsriedel> This might break our goal of feasability of implementation, no?

<aleecia> dsriedel, please expand?

clp: seems to me that the priority is to get a simple clear description of what the world should think about this, and then we have all these issues

pde: do we want to recommend or standardize the way that a first party would signal to a third party that they believe the third party is covered by an exception or opt in/
... could be picking a standard name for a parameter
... if we pick a standard parameter name then clients can choose to build a UI to watch those transactions

aleecia: great way to frame where we are. going to take one step back

<dsriedel> Considering that a 1st party works with a range of 3rd parties for different purposes, this would require a huge amount of work and coordination between those parties to figure out technical solutions for realizing communication through the websites

aleecia: in this discussion we have been going with the assumption that it's useful for first parties to know whether third parties get exception
... please note any disagreement with that view

<pde> dsriedel, would that not be a good reason to standardise the parameter name?

<Chris> Not sure we agree with this.

<CarmenBalber> Not sure we agree either

clp: as long as it's not TOO hard to implement

<ksmith> I am not necessarily against it, but it seems like it would add quite a bit of complexity, so I would not want to require it

<pde> so that all of these companies know that if they get dnt-override=1, that's a 1st party telling them they're covered by an exception

aleecia: different views as to whether it's a must, best practices, etc - just want to see whether it's a useful thing

<dsriedel> pde, sure it is. but so far I understood that this would be a web technology like postMessage or any that relies on XHR for example

<Frank> Not sure agree with this

someone: first reaction is that implies that first parties will police or ensure compliance, don't want to put first parties in that role necessarily
... need to give that more thoguht and figure out what our role would be there

aleecia: use case earlier was that I'm a first party, third party on my site is going to be blocked by DNT, and that means I want to take some action based on that

<dsriedel> So this would require a draft on how this could work and then some entity to implement the libraries in distinct programming languages providing it to the parties to implement

<dsriedel> is that where this would go?

aleecia: the idea that first parties might be liable for what a third party does wrong?

carmen: not something we have considered, makes sense that first parties would want to know

<pde> dsriedel, libraries is a strong word. To my knowledge all web programming environments have extremely easy ways to check for the presence of value of a URL parameter

carmen: at the same time, we'd be leery of a notification that would enable a first party to penalize consumers because they've implemented DNT

aleecia: first parties will still either receive or not receive DNT so may not change the issue

<JC> If a third-party is being blocked because of DNT I would expect the client to have a list of them.

aleecia: having a communication from first and third party probably doesn't change issue

<dsriedel> pde, agreed

aleecia: if we wind up with this, are you ok with the idea of communication between a first and third party?

someone: I think it would be fine for us
... there would be cases where we'd definitely want to know
... where a third party had been blocked

<JC> I would not see sites to have to develop communications between third parties. Seems like an unnecessary complication.

Frank: I think that we could understand where someone would want to broadcast an exception where they're compliant
... not sure about implementation details

aleecia: lets not discuss whether this is option, must, best practices, etc

<Vincent> I have to leave the call, still following on irc

aleecia: instead lets figure out what the best technical approach is to allow getting that information
... unless anyone has objections, that's the direction we'll take

dwainberg: is that a conversation that's dependant on determining how to manage consent?
... if we don't know how exceptions are managed, doesn't that make it hard to discuss how those choices are communicated between parties?

aleecia: we may need to change decisions later but need to start the decisions somewhere

Kevin: wanted to talk about implementation. Doesn't really seem that conceivable to get that communication, typically 1st and 3rd parties are not communicating
... different requests for each content

<dsriedel> Correct, Kevin.

Kevin: would require pages to change their implementation (AJAX maybe)
... there could be some benefit, but it's a lot of work and might require overhaul of the web

<pde> was that ksmith speaking?

<ksmith> yes, ksmith

jmayer: wanted to briefly respond, don't agree that this would be a rewrite of lots of websites. Lots of light touch ways to implement
... in your add tag, you could add a message handler that ersponds with the site's DNT status
... lots of good ways to do this

aleecia: were you talking about a third party finding out first party status?

jmayer: it was one possible example
... if you wanted to have a third party status provided to a first party, could query it's iframes and figure out it's dnt status

<pde> pde: I also disagree with ksmith's characterisation of AJAX as being a large, difficult change for this particular purpose. You don't need to do AJAX everywhere -- a few lines of JavaScript somewhere for this particular purpose is all that's required

clp: wanted to underline what aleecia has tried tos ay - we need to separate consensus that we have - that it could be useful
... from how we accmplish that on the tech side
... seems like we have consensus that this could be ueful, depending on the implementation
... so lets just move forward with that

aleecia: worth adding the symmetrical case as an issue

<pde> pde: all that's required /if/ you really want to know whether your third parties are DNT'd

aleecia: agree that we have consensus as well as concerns around implemetation
... we can come back to that later
... it is useful for a first party to know the status of third parties on the site
... I'll ask a few people to take an action item to send a propsoal for how this would work to the mailing list.

<ksmith> Disagree with Jmayer. An an individual call would not be hard, but doing this for all 3rd party requests would be effort and performance prohibitive

aleecia: JMayer, PDE?
... c an you write something up by next Tuesday?

jmayer: yes

pde: I'll write about DNT override solution

<aleecia> ACTION: jmayer to write a summary of options for how 1st parties hear 3rd party status by tuesday [recorded in http://www.w3.org/2011/10/19-dnt-minutes.html#action02]

<trackbot> Created ACTION-18 - Write a summary of options for how 1st parties hear 3rd party status by tuesday [on Jonathan Mayer - due 2011-10-26].

clp: W3C question: my impression is that we're in the center of what everyone cares about?

aleecia: not sure, this WG is central yes, but conversation may be better offline

<aleecia> ACTION: aleecia to summarize progress on this issue [recorded in http://www.w3.org/2011/10/19-dnt-minutes.html#action03]

<trackbot> Created ACTION-19 - Summarize progress on this issue [on Aleecia McDonald - due 2011-10-26].

<pde> aleecia, I'm going to write an proposal for how 1st parties /set/ 3rd party status (for a specific request/operation)

aleecia: not going to close this issue, but we are moving forward

<pde> in a standardised, observable way

ISSUE-88 -- different rules for impression of and interaction with 3rd-party ads/content

<aleecia> issue-88?

<trackbot> ISSUE-88 -- different rules for impression of and interaction with 3rd-party ads/content -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/88

aleecia: ok, ISSUE-88
... are there different rules for impression versus interactin? Tied to ISSUE-26, third party widget interactions
... so does interaction with an ad or a widget change how they classify under DNT?
... does that make it a first party once you've interacted with it?

WileyS: just to pick up where we were over email, between impressiona nd interaction seems to be agreement that interaction is a first party
... some are hard rules, some are soft
... need appropriate branding and linkage to widget owner privacy policy
... jmayer modified that there would be certain times where something is so ubiquitous that direct branding isn't necessary, ubut in some cases it would be
... everyone knows what the FB like button is, but it's carried the branding with it
... would we all agree on linkage back to privacy policy?
... if we agree on interaction is first party, with conditions, then that's a good starting point

aleecia: user expectation is met if the user really know it's not the first party, and when user interacts with that in a meaningful way, then first party interaction

seanharvey: is there a difference in state if a user is or isn't logged in to a service?
... logged in state with relevant service - if you're not logged in, then do you have different obligations?
... i think there has to be some difference in how those standards interact
... if you're logged in, then there's a much better chance that they know the service, etc
... in those cases where you're not logged in, then users might be surprised that they're being associated with activities off those sites
... something that's been raised recently

<jmayer> i think the recent facebook issues show logout = don't track, not login = tracking more ok

<justin> I don't believe there should be a difference between logged in/logged out third parties.

aleecia: not as the chair, what I've seen in research is that users are surprised that login credentials persist from tab to tab or even more surprised when data is collected when they're not logged in

clp: wanted to make a mathematical observation. Hearing that this new idea could be recursively applied
... that would mean user thinkgs they're on site A, then parts of the website that the user might interact with, then they become a first party
... just pointing out that that recussively continues
... now that part of the page is first party, parts of IT may be third party
... this would allow all sorts of agent relationships

WileyS: did bring this up over email; this owuld be part of the conditions conversation
... interaction should be first party on the conditions that
... must side: branding and link back to privacy policy
... agree with JMayer that there are situations where something may be so ubiquitous that it's not necessary
... should: if user is logged in, widget could represent that to the user

<tlr> ACTION: nick to get PeterE to write an option for how first parties set third party DNT status in an observable way [recorded in http://www.w3.org/2011/10/19-dnt-minutes.html#action04]

<trackbot> Created ACTION-20 - Get PeterE to write an option for how first parties set third party DNT status in an observable way [on Nick Doty - due 2011-10-26].

WileyS: so that when they interact with the widget they know that they're logged in and the context of the interact3ion
... but then user might think that impression could be tied back to logged in state

jmayer: one of the two points on this
... in the referenced email talked about the FB like button
... other side of the coin is stuff that's very subtle
... generic sharing widgets, for example
... seems likely that users understand that they're sharing through a third party service, but not that the widget is itself a third party
... second, an alternative here is to put something next to the widget saying "hey if you let us, we'll do XYZ"

aleecia: also talking abotu mechanics of opting back in, let's have that conversation at a later time
... so if you click on third party content and have a meaningful interaction, we will treat that as a first party, subject to possible conditions
... make sure that muting isn't interaction, etc
... does this sound like the point that we're in agreement on?

<clp> +1

jmayer: I don't disagree, I sideways agree - concern is that users understand what's going on. Framing it as interaction isn't how I see it, I see it as the point where a user understands that they're interacting with this company
... lots of cases and design considerations

<dsriedel> How can the user understand about 3rd party elements and widgets if they are not "marked" in a certain way?

jmayer: lots of stuff here that has subtlety

<dsriedel> Wouldnt you like to give the user a hint about it?

aleecia: better to refer to meaningful interaction rather than clicking?

jmayer: I think so, and would suggest that it be defined as reasonable expectation from the user

<WileyS> +1 - agree with "meaningful interaction" meaning a user reasonably expects "interaction"

aleecia: any disagreement with the general direction?
... ok, then, I would like to move forward to what some of this should look like
... would like a more useful proposal for text in the strawman doc

<justin> Are we agreeing on the flip side too? That without meaningful interaction, you're a third party?

aleecia: justin raises a good point

<jmayer> justin - yes

<scribe> ACTION: jmayer writes up a third party interaction bit for the doc [recorded in http://www.w3.org/2011/10/19-dnt-minutes.html#action05]

<trackbot> Created ACTION-21 - Writes up a third party interaction bit for the doc [on Jonathan Mayer - due 2011-10-26].

<justin> I agree, but I thought Sean might be disagreeing.

aleecia: justin asks whether we're also at consensus on the flip side - no meaningful interaction means you're a third party
... even if signed in?

<justin> Yes, even if signed in.

aleecia: lets try signed out for now

<jmayer> agreed, justin

aleecia: even if you give info to the widget, is that first party?

I'm tempted to argue that would be meaningful interaction

aleecia: we'll postpone (as there was disagreement). Thanks!

<aleecia> issue-59?

<trackbot> ISSUE-59 -- Should the first party be informed about whether the user has sent a DNT header to third parties on their site? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/59

Summary of Action Items

[NEW] ACTION: aleecia to summarize progress on this issue [recorded in http://www.w3.org/2011/10/19-dnt-minutes.html#action03]
[NEW] ACTION: jmayer to write a summary of options for how 1st parties hear 3rd party status by tuesday [recorded in http://www.w3.org/2011/10/19-dnt-minutes.html#action02]
[NEW] ACTION: jmayer writes up a third party interaction bit for the doc [recorded in http://www.w3.org/2011/10/19-dnt-minutes.html#action05]
[NEW] ACTION: nick to get PeterE to write an option for how first parties set third party DNT status in an observable way [recorded in http://www.w3.org/2011/10/19-dnt-minutes.html#action04]
[NEW] ACTION: Shane to write a concrete proposal re 3rd party response. [recorded in http://www.w3.org/2011/10/19-dnt-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2011/10/23 08:31:46 $