IRC log of dnt on 2011-12-14

Timestamps are in UTC.

16:50:22 [RRSAgent]
RRSAgent has joined #dnt
16:50:22 [RRSAgent]
logging to
16:50:29 [Zakim]
Zakim has joined #dnt
16:50:36 [aleecia]
Zakim, this is dnt
16:50:36 [Zakim]
aleecia, I see T&S_Track(dnt)12:00PM in the schedule but not yet started. Perhaps you mean "this will be dnt".
16:50:42 [aleecia]
Zakim, this will be dnt
16:50:42 [Zakim]
ok, aleecia; I see T&S_Track(dnt)12:00PM scheduled to start in 10 minutes
16:50:50 [aleecia]
chair: aleecia
16:51:02 [aleecia]
regrets+ ndoty
16:51:41 [aleecia]
agenda+ Selection of scribe
16:52:02 [tedleung]
tedleung has joined #Dnt
16:52:10 [Zakim]
T&S_Track(dnt)12:00PM has now started
16:52:17 [Zakim]
16:52:34 [aleecia]
agenda+ Any comments on minutes from the last call
16:52:52 [aleecia]
Review of action items:
16:53:09 [aleecia]
agenda+ Reminder: those drafting text, please send to those editing the text by the end of the day today
16:53:30 [aleecia]
agenda+ ISSUE-101 What is a user? add to defns<>
16:53:44 [aleecia]
agenda+ ISSUE-104 Could use a better defn of user agent, rather than browser <>
16:53:56 [aleecia]
agenda+ ISSUE-19 Data collection / Data use (3rd party) <>
16:54:07 [aleecia]
agenda+ Announce next meeting & adjourn
16:54:57 [jmayer]
jmayer has joined #dnt
16:54:59 [Zakim]
16:55:02 [Zakim]
16:55:03 [aleecia]
regrets+ Jeffrey Chester
16:55:03 [Zakim]
16:55:23 [aleecia]
zakim, who is on the call please
16:55:23 [Zakim]
I don't understand 'who is on the call', aleecia
16:55:45 [aleecia]
16:57:25 [tl]
zakim, who is on the phone?
16:57:25 [Zakim]
On the phone I see aleecia, tl
16:57:40 [tl]
thank you, was that that so hard zakim?
16:57:51 [Zakim]
16:58:11 [efelten]
efelten has joined #dnt
16:58:22 [justin]
justin has joined #dnt
16:58:27 [Zakim]
16:58:41 [Zakim]
+ +91.37.4.aaaa
16:59:01 [dsriedel]
zakim, mute me
16:59:06 [Zakim]
16:59:11 [KevinT]
KevinT has joined #dnt
16:59:22 [Zakim]
sorry, dsriedel, I do not know which phone connection belongs to you
16:59:32 [Zakim]
+ +65141aabb
16:59:34 [rvaneijk]
will do
16:59:42 [fielding]
fielding has joined #dnt
16:59:46 [rvaneijk]
.. thats me sorry
16:59:54 [sidstamm]
sidstamm has joined #dnt
17:00:01 [ninjamarnau]
ninjamarnau has joined #dnt
17:00:01 [Frankie]
Frankie has joined #dnt
17:00:03 [rvaneijk]
Zakim, +65141aabb is rvaneijk
17:00:11 [Zakim]
17:00:19 [aleecia]
who is on the call
17:00:19 [rvaneijk]
Zakim, 65141aabb is rvaneijk
17:00:25 [aleecia]
zakim, who is on the phone
17:00:27 [Zakim]
17:00:33 [sidstamm]
Zakim, Mozilla has sidstamm
17:00:35 [tl]
zakim aabb is rvaneijk
17:00:41 [Zakim]
17:00:45 [rvaneijk]
tnk Tom
17:00:48 [Zakim]
- +91.37.4.aaaa
17:00:52 [Zakim]
+rvaneijk; got it
17:00:53 [Zakim]
17:01:11 [hwest]
hwest has joined #dnt
17:01:16 [Zakim]
sorry, rvaneijk, I do not recognize a party named '65141aabb'
17:01:23 [Zakim]
I don't understand 'who is on the phone', aleecia
17:01:27 [aleecia]
zakim, aabb is rvaneijk
17:01:29 [Zakim]
+sidstamm; got it
17:01:35 [Zakim]
17:01:43 [Zakim]
17:01:46 [WileyS]
WileyS has joined #dnt
17:01:53 [Zakim]
17:01:58 [Zakim]
17:02:01 [Zakim]
sorry, aleecia, I do not recognize a party named 'aabb'
17:02:03 [Zakim]
17:02:14 [adrianba]
adrianba has joined #dnt
17:02:25 [Zakim]
+ +1.425.214.aacc - is perhaps bryan
17:02:29 [Zakim]
17:02:35 [Zakim]
+ +1.347.689.aadd
17:02:51 [Frankie]
Zakim, IPcaller is frankie
17:02:55 [Zakim]
+ +1.310.292.aaee
17:02:58 [vincent]
vincent has joined #dnt
17:03:04 [alex]
alex has joined #dnt
17:03:06 [Zakim]
17:03:09 [tl]
zakim aaee is jsimpson
17:03:16 [Zakim]
17:03:20 [Zakim]
+frankie; got it
17:03:23 [dsriedel]
zakim, mute me
17:03:32 [efelten]
I can scribe
17:03:33 [dsriedel]
I can
17:03:43 [aleecia]
17:03:46 [aleecia]
17:03:47 [Zakim]
17:03:50 [Zakim]
dsriedel should now be muted
17:03:56 [Zakim]
+ +1.646.654.aaff
17:04:05 [efelten]
scribe is efelten
17:04:14 [tl]
zakim, who is on the phone?
17:04:16 [efelten]
aleecia: Comments on last week's minutes?
17:04:22 [jmayer]
Zakim, who is talking?
17:04:23 [tl]
zakim, who is talking?
17:04:32 [justin]
zakim, Justin has enewland
17:04:33 [enewland]
enewland has joined #dnt
17:04:35 [Lia]
Lia has joined #dnt
17:04:39 [dsinger]
dsinger has joined #dnt
17:04:44 [efelten]
No comments, take minutes as approved
17:04:45 [Zakim]
On the phone I see aleecia, tl, jmayer, tedleung, efelten, rvaneijk, NinjaMarnau, SueG, Joanne, [Mozilla], fielding, Justin, hwest, bryan, frankie, +1.347.689.aadd,
17:04:51 [Zakim]
... +1.310.292.aaee, WileyS, dsriedel (muted), [IPcaller], +1.646.654.aaff
17:04:53 [Zakim]
[Mozilla] has sidstamm
17:04:53 [dsinger]
zakim, [apple] has dsinger
17:04:57 [Zakim]
+enewland; got it
17:04:59 [Zakim]
jmayer, listening for 10 seconds I heard sound from the following: [IPcaller] (5%), aleecia (72%)
17:05:09 [tedleung]
zakim, [Disney] has tedleung
17:05:16 [Zakim]
tl, listening for 10 seconds I heard sound from the following: 21 (57%), aleecia (68%)
17:05:19 [Zakim]
17:05:20 [tl]
zakim, aaee is jsimpson
17:05:22 [Zakim]
+dsinger; got it
17:05:24 [eberkower]
eberkower has joined #dnt
17:05:25 [efelten]
aleecia: If you're drafting text, by end of today please send to those editing the text
17:05:31 [aleecia]
17:05:36 [Zakim]
sorry, tedleung, I do not recognize a party named '[Disney]'
17:05:37 [efelten]
... quick look through action items
17:05:45 [Zakim]
17:05:48 [Zakim]
+jsimpson; got it
17:05:53 [bryan_]
bryan_ has joined #dnt
17:06:03 [bryan_]
present+ Bryan_Sullivan
17:06:04 [efelten]
... start with action 26; Karl not on call; 26 is overdue
17:06:19 [vincent]
zakim, [IPcaller] is vincent
17:06:21 [Zakim]
+vincent; got it
17:06:21 [efelten]
... action 27, is that open?
17:06:50 [efelten]
tl: 27 is pending review; Tom trying to synthesize with Jonathan's work; will circle back
17:07:07 [efelten]
... can do by Friday
17:07:33 [efelten]
aleecia: action 31, shane et al
17:07:57 [efelten]
WileyS: have draft text, well thought through, will post today with some issues still open
17:08:17 [adrianba]
scribenick: efelten
17:08:20 [efelten]
aleecia: action 34, first party vs third party, Jonathan and Tom working together, related to previous
17:08:23 [adrianba]
Present+ adrianba
17:08:29 [efelten]
... action 37, Karl not on phone
17:08:33 [efelten]
... done with open actions
17:08:45 [aleecia]
17:08:46 [efelten]
... look at text drafted by editors
17:08:56 [tl]
sorry: action 27 is complete, action 34 is the current open action with jmayer
17:09:00 [efelten]
... start with definition of user
17:09:04 [hwest]
I believe that I'm on the hook to help draft something about identity providers, but I don't see an action item - where do I find that?
17:09:22 [efelten]
... [reads definition]
17:09:26 [KevinT]
Zakim Joanne is KevinT
17:09:36 [WileyS]
17:09:44 [efelten]
... text is coming from other related W3C specs, or other docs seen previously on mailing list
17:10:04 [aleecia]
ack WileyS
17:10:09 [jmayer]
tl, action 27 is not complete, nice try
17:10:25 [enewland]
we used as a starting point
17:10:31 [enewland]
for the definitions of user and user agent
17:10:36 [aleecia]
thank you, erica
17:10:49 [jmayer]
suggest marking this as pending review
17:10:50 [efelten]
WileyS: on defn of user, will be difficult for some of us to evaluation without knowing more about how used later in documents; might need to return to defns later as uses develop
17:10:51 [fielding]
user agent is already defined in the TPE document
17:11:01 [efelten]
17:11:03 [tl]
jmayer, action 27 was sent to the list, reviewed, and turned into the new and shiny action 34 for both of us
17:11:03 [dwainberg]
dwainberg has joined #dnt
17:11:13 [justin]
We should probably reconcile those . . .
17:11:43 [WileyS]
17:11:45 [efelten]
aleecia: to re-open, need to have new information (could include interactions with new text elsewhere), also need proposed alternative
17:12:00 [efelten]
... Shane's suggestion seems consistent with this
17:12:15 [WileyS]
link to the text?
17:12:16 [efelten]
... Any issues with defn of user?
17:12:22 [aleecia]
17:12:26 [justin]
Here is how it's defined in the other spec: This specification uses the term user agent to refer to any of the various client programs capable of initiating HTTP requests, including browsers, spiders (web-based robots), command-line tools, native applications, and mobile apps [HTTP11].
17:12:27 [WileyS]
thank you
17:12:36 [bryan_]
17:12:37 [Zakim]
17:12:46 [efelten]
... This seems staightforward and is based on past W3C docs
17:12:50 [aleecia]
ack bryan_
17:13:11 [efelten]
bryan: Group of individuals acting as an entity. Would that include an enterprise / company?
17:13:17 [jmayer]
rescind suggestion of pending review, closed sounds right
17:13:21 [efelten]
aleecia: Text could be read either way
17:13:22 [alanchapell]
alanchapell has joined #dnt
17:13:33 [fielding]
17:13:38 [jmayer]
17:13:42 [ninjamarnau]
17:13:44 [tl]
yes, corporations are people!
17:13:45 [efelten]
bryan: Defn anticipates broad understanding of what a group is?
17:13:46 [dsinger]
I think the definition applies, yes. Do we want it to?
17:13:47 [WileyS]
What is the value of the "user" definition versus a "user agent"?
17:13:53 [efelten]
aleecia: apparently yes
17:13:53 [WileyS]
17:14:04 [bryan_]
17:14:12 [aleecia]
ack fielding
17:14:15 [efelten]
... should flag this for clarification
17:14:19 [Zakim]
- +1.347.689.aadd
17:14:43 [efelten]
fielding: unnecesarily complicating things; why not simple definition, user = person making request
17:14:45 [WileyS]
Agree with Roy - User Agent is more important than "User"
17:14:45 [Zakim]
+ +1.347.689.aagg
17:14:52 [aleecia]
ack jmayer
17:14:54 [efelten]
aleecia: think we do need a defn of user
17:14:59 [amyc]
amyc has joined #dnt
17:15:10 [efelten]
jmayer: agree with Roy, can simplify this
17:15:14 [tl]
WileyS, user agents should do things for users, like deciding to send dnt only after the user has made it clear that's what they want
17:15:19 [dsinger]
17:15:21 [efelten]
... propose that user should be only an individual person, not a group
17:15:22 [fielding]
what requirements are applied to "user"?
17:15:30 [tl]
17:15:31 [aleecia]
ack ninjamarnau
17:15:41 [amyc]
on IRC, but unable to dial in to conf call
17:15:56 [jmayer]
suggestion: "User: An individual person."
17:15:58 [WileyS]
Would a user agent be able to do anything on its own? Outside of direction from the user?
17:15:58 [efelten]
ninjamarnau: question about "on whose behalf ..." language. Covers e.g. mother accessing on behalf of children?
17:16:13 [efelten]
aleecia: if mother and child acting together, would be covered
17:16:24 [aleecia]
17:16:30 [efelten]
... Do Ninja and Jonathan have different views?
17:16:31 [rvaneijk]
Why not dropping 'acting as a single entity'
17:17:10 [jmayer]
17:17:14 [efelten]
... mother is doing access so is user, less clear about child
17:17:23 [efelten]
ninjamarnau: this might be a misunderstanding
17:17:32 [tl]
WileyS, i think we expect UAs to take care of all the tedious busy-work, leaving users free to enjoy the wind in their hair on the information highway
17:17:34 [aleecia]
ack WileyS
17:17:54 [efelten]
WileyS: ref email discussion with Jonathan
17:18:20 [efelten]
... not clear on where there is value in treating user separately from user agent
17:18:31 [Zakim]
17:18:33 [efelten]
... seems redundant to have separate definitions, complicates text
17:18:39 [adrianba]
zakim, [Microsoft] is me
17:18:39 [Zakim]
+adrianba; got it
17:19:04 [efelten]
... not sure why user is needed, why not just user agent
17:19:17 [fielding]
for example, a browser user agent sometimes has profiles for multiple users, one of whom uses it at a time
17:19:26 [efelten]
aleecia: user agent is software, like browser. user is a person
17:19:29 [WileyS]
one example please
17:19:34 [bryan_]
17:19:49 [efelten]
... think we will need to distinguish them, can merge them if that turns out not to happen
17:20:16 [aleecia]
17:20:22 [aleecia]
ack dsinger
17:20:36 [fielding]
17:20:42 [tl]
WileyS, UA manages site-specific preferences on user's behalf
17:21:06 [efelten]
dsinger: see major diff between user and user agent. user is who we are trying to protect, user agent is software which doesn't have a privacy interest in itself
17:21:13 [tl]
17:21:23 [ninjamarnau]
thanks dsinger, this was the differnce I was referringt to
17:21:27 [tl]
17:21:41 [efelten]
... mistake to write in passive voice here?
17:22:06 [efelten]
aleecia: others have used separate defns, but we can do otherwise if it makes sense to us
17:22:13 [WileyS]
"An individual human" +1
17:22:26 [efelten]
... Is the suggestion to drop language about groups?
17:22:38 [WileyS]
User Proxy should be defined separetely
17:22:51 [fielding]
I prefer the CC/PP definition … "An individual or group of individuals acting as a single entity. The user is further qualified as an entity who uses a device to request content and/or resource from a server."
17:22:52 [bryan_]
+1 to dropping "group of individuals" and "on behalf of"
17:22:53 [jmayer]
agree with shane
17:23:08 [tl]
WileyS, +1
17:23:11 [aleecia]
ack jmayer
17:23:12 [efelten]
dsinger: No. My concern is that "on behalf" language. Why not define more directly: individual, or group acting as an entity, who accesses a service
17:23:22 [dsriedel]
Maybe this phrase just tries to acknowledge that a service might not be able to disinguish if the request comes from an individual enity or another network. More of a technical thing.
17:23:27 [aleecia]
17:23:29 [efelten]
jmayer: Would drop "who accesses a service" language.
17:23:51 [efelten]
... probably will be covered by discussion elsewhere in spec
17:23:54 [aleecia]
ack bryan_
17:24:08 [efelten]
bryan: Definitely see distinction between user and user agent
17:24:28 [efelten]
... important to treat actions of user agent done on user's behalf as if they were done by the user
17:24:33 [aleecia]
the user accesses or is accessed on behalf of the user?
17:24:43 [efelten]
... key is to think in terms of user's intent
17:25:04 [dsinger]
got it. agree
17:25:18 [efelten]
aleecia: Might be good to avoid trying to distinguish between what user does and what browser does
17:25:24 [rvaneijk]
wikipedia: A user is an agent, either a human agent (end-user) or software agent, who uses a computer or network service.
17:25:25 [Zakim]
17:25:35 [aleecia]
17:25:40 [efelten]
... Can we come up with text that does what we seem to want here?
17:25:43 [WileyS]
wikipedia, +1
17:26:04 [BrianTs]
BrianTs has joined #DNT
17:26:23 [efelten]
fielding: Typically talk in terms of activities initiated by the user; these might involve several steps done by the user agent
17:26:30 [fielding]
An individual or group of individuals acting as a single entity. The user is further qualified as an entity who uses a device to request content and/or resource from a server.
17:26:33 [efelten]
... pasted in text to IRC about this
17:26:40 [ksmith]
ksmith has joined #DNT
17:27:05 [dsriedel]
Wouldn´t it be easier to drop user completely and just referr to user-agent as this is the entity DNT works on/is implemented?
17:27:10 [efelten]
... agree with dsinger, get rid of "on behalf of"
17:27:30 [aleecia]
An individual or group of individuals acting as a single entity. The user is further qualified as an entity who uses a device to request content and/or resource from a server.
17:27:31 [efelten]
aleecia: Anybody want to argue for "on behalf of"?
17:27:37 [Zakim]
+ +44.789.449.aahh
17:27:56 [fielding]
that's from the glossary for CC/PP
17:27:57 [Zakim]
+ +385221aaii
17:28:14 [efelten]
... glossary definition here seems pretty good
17:28:25 [efelten]
... group of individuals understood as including a company
17:28:39 [efelten]
... not sure we need "from a server", might be too specific/restrictive
17:28:45 [jmayer]
17:28:48 [dsinger]
we can add "including access actions by the user-agent on behalf of the user", if we want to be clear...
17:28:48 [efelten]
... Any suggestions on this text?
17:28:54 [andyzei]
andyzei has joined #dnt
17:28:54 [rvaneijk]
suggestion: replace from a servwer with: who uses a computer or network service.
17:28:55 [aleecia]
ack fielding
17:28:58 [aleecia]
ack jmayer
17:29:47 [aleecia]
sounds like an argument back for "on behalf of"
17:29:53 [efelten]
jmayer: Defn seems to require some state of mind of the user, or some knowledge
17:30:08 [fielding]
fine with me to remove the second sentence
17:30:12 [efelten]
... but need to protect user even when technology is doing something the user wants, but doing it automatically
17:30:30 [aleecia]
J: try some text?
17:30:31 [bryan_]
17:30:41 [kj]
kj has joined #dnt
17:30:51 [efelten]
... can break this down into a set of binary choices
17:31:05 [efelten]
... suggest starting simple, adding extra stuff only as needed
17:31:19 [efelten]
aleecia: jmayer, can you suggest specific text?
17:31:22 [aleecia]
ack bryan_
17:31:53 [WileyS]
Roy, +1
17:32:00 [efelten]
bryan: Don't need to talk about user agent privacy concerns separate from the user's privacy concerns
17:32:08 [WileyS]
Disagree with Aleccia (sorry :-( )
17:32:15 [Zakim]
+ +1.650.924.aajj
17:32:33 [bryan_]
CC/PP had that language because it was addressing user-agent capabilities as something distinct from the user, but such a distinction does not exist for privacy concerns
17:32:48 [efelten]
aleecia: Move on, will circle back to this
17:33:09 [jmayer]
Suggested: "An individual person." Open issues: 1) users acting on behalf of other users, 2) users acting as a group, 3) qualifiers on types of behavior (network interaction, device usage, mental state)
17:33:09 [efelten]
... discuss defn of "user agent"
17:33:14 [aleecia]
A "user agent" retrieves, accesses, and/or renders, content or services on behalf of the user. Examples of user agents include browsers, plug-ins for a particular media type, and assistive technologies.
17:33:14 [fielding]
An individual or group of individuals acting as a single entity to initiate requests on the Web?
17:33:24 [punderwood]
punderwood has joined #dnt
17:33:24 [efelten]
... pasted text into IRC
17:33:28 [efelten]
... comments?
17:33:34 [tl]
also: robots
17:33:49 [Zakim]
- +44.789.449.aahh
17:33:51 [efelten]
... seeing no suggestions, let's go back to "user"
17:33:52 [jimk]
jimk has joined #dnt
17:34:05 [efelten]
... Jonathan suggested "An individual person", full stop
17:34:08 [efelten]
... comments?
17:34:10 [WileyS]
I'm fine with "an individual human or person"
17:34:13 [bryan_]
17:34:13 [tl]
17:34:21 [Zakim]
+ +44.789.449.aakk
17:34:25 [bryan_]
17:34:31 [jmayer]
17:34:40 [aleecia]
ack tl
17:34:44 [efelten]
bryan: has to be an individual person using this service
17:34:57 [WileyS]
dogs have no privacy rights :-)
17:35:01 [eberkower]
Why not just "an individual"?
17:35:10 [efelten]
tl: should say "human" rather than "person" since person might have unintended legal consequences
17:35:41 [eberkower]
yes - a corporation can be a legal person
17:36:04 [dsinger]
"An individual who accesses a service (who has the ability to express a legitimate desire for privacy)"??
17:36:05 [bryan_]
boo hiss
17:36:07 [efelten]
WileyS: sometimes a corporate entity qualifies as a legal person, agree with Tom that we should use "human"
17:36:07 [tl]
also: we disenfranchise robots
17:36:09 [ninjamarnau]
why not "an individual" ?
17:36:09 [tl]
and aliens
17:36:23 [jmayer]
"An individual human or equivalent conscious entity."
17:36:36 [aleecia]
an individual who access a service
17:36:47 [aleecia]
17:36:50 [efelten]
aleecia: How about "an individual who accesses a service"?
17:37:22 [ksmith]
There are several individual's working here whose human status I question:-D
17:37:30 [aleecia]
(or on behalf of whom an service is accessed?)
17:37:38 [dsriedel]
+1 to jmayer definition. Other details can be added to the definition of "user-agent", like accessing (et al.) a service
17:37:57 [jmayer]
sidstamm raises the important issue of zombies
17:38:19 [WileyS]
17:38:19 [efelten]
jmayer: Important not to put limitations on which people are covered, at least until we know that limitations won't have complicated consequences
17:38:28 [jmayer]
17:38:37 [efelten]
aleecia: Don't want to parse apart different groups of people based on ability, age, etc
17:38:46 [efelten]
... Does this really have to be so complicated?
17:38:51 [aleecia]
ack WileyS
17:39:23 [dsinger]
I agree to take a place-holder and refer to PSIG; too many legal nuances come up
17:39:32 [efelten]
WileyS: propose that we use "an individual human" for now, consider it as quasi-closed, and come back to it later
17:39:50 [fielding]
17:39:51 [efelten]
aleecia: Don't see full consensus now
17:40:13 [efelten]
... What is starting point for text? Language in draft; language from Roy.
17:40:31 [efelten]
... Questions: need "on behalf of"? need to cover groups?
17:40:55 [efelten]
... Those who care strongly, if any, should go off and talk about this, make a joint proposal
17:41:06 [ninjamarnau]
I would be interested
17:41:14 [efelten]
... Volunteers?
17:41:25 [bryan_]
17:41:31 [tl]
pick me!
17:41:44 [tl]
i am always serious
17:41:49 [efelten]
... ninjamarnau, bryan, tl have volunteered
17:41:54 [fielding]
At some point we should decide whether it is okay to keep track of the ISP/Company that accessed a service even if DNT indicates the "user" is not tracked.
17:42:05 [tl]
[except about the robots/aliens thing]
17:42:12 [ninjamarnau]
okay, deadline?
17:42:14 [efelten]
... Ninja to take lead, work with bryan and tl, propose language back to the full group
17:42:31 [aleecia]
action: ninjamarnau to draft user defn language due next week
17:42:31 [trackbot]
Sorry, couldn't find user - ninjamarnau
17:42:35 [efelten]
... Please do within one week
17:42:53 [fielding]
17:42:54 [efelten]
aleecia: Return to "user agent"
17:43:04 [tl]
action: ninja to draft user defn language due next wee
17:43:04 [trackbot]
Created ACTION-40 - Draft user defn language due next wee [on Ninja Marnau - due 2011-12-21].
17:43:16 [WileyS]
"including, but not limited to, "
17:43:16 [efelten]
... Objections? (with alternative)
17:43:23 [justin]
The issue fielding brings up can be addressed within the exceptions
17:43:24 [aleecia]
A "user agent" retrieves, accesses, and/or renders, content or services on behalf of the user. Examples of user agents include browsers, plug-ins for a particular media type, and assistive technologies.
17:43:26 [tl]
17:43:33 [Frankie]
17:43:42 [efelten]
fielding: Prefer to use definition already in the TPE document, which has been through years of standards review
17:44:01 [aleecia]
ack tl
17:44:06 [efelten]
tl: agree with fielding
17:44:09 [aleecia]
ack Frankie
17:44:22 [fielding]
TPE says This specification uses the term user agent to refer to any of the various client programs capable of initiating HTTP requests, including browsers, spiders (web-based robots), command-line tools, native applications, and mobile apps [HTTP11].
17:44:36 [efelten]
Frankie: Should list of examples include smartphone apps?
17:44:49 [efelten]
aleecia: [reads defn from TPE document]
17:45:01 [bryan_]
17:45:12 [Frankie]
right +1
17:45:16 [tl]
17:45:17 [WileyS]
+1 for TPE definition
17:45:19 [tedleung]
17:45:20 [sidstamm]
17:45:23 [jmayer]
looks good
17:45:41 [jmayer]
int rollover
17:45:53 [efelten]
... Differences: TPE defn drops language about rendering, accessing; seems to be fine
17:46:17 [efelten]
... Consensus on the TPE definition?
17:46:26 [tl]
yay consensus!
17:46:27 [WileyS]
17:46:31 [Zakim]
17:46:40 [efelten]
... Nobody objecting, we have consensus to use the definition in the TPE
17:46:58 [enewland]
17:47:00 [enewland]
17:47:00 [efelten]
dsinger: Friendly amendment: change "including" to "including, but not limited to,"
17:47:10 [fielding]
17:47:16 [efelten]
aleecia: Nobody has objected to amendment, so have consensus to adopt it
17:47:26 [efelten]
... Closing definition of "user agent"
17:47:29 [WileyS]
No issues with User Agent - just User
17:47:50 [aleecia]
17:47:55 [efelten]
aleecia: Move on to issues 19 and 91
17:48:30 [efelten]
... issue 19: data collection and data use from third party [reads suggested text]
17:48:40 [justin]
If the operator of a third-party domain receives a communication to which a [DNT-ON] header is attached: that operator must not collect, retain, or use information related to that communication outside of the explicitly expressed exceptions as defined within this standard; that operator must not use information about previous communications in which the operator was a third party, outside of the explicitly expressed exceptions as defined within this stan
17:48:57 [fielding]
17:49:14 [WileyS]
17:49:26 [efelten]
... Comments?
17:49:33 [jmayer]
17:49:38 [fielding]
17:49:39 [dwainberg]
17:49:39 [justin]
[must not or should not] retain information about previous communications in which the operator was a third party, outside of the explicitly expressed exceptions as defined within this standard (second half)
17:49:42 [tl]
17:49:46 [aleecia]
ack WileyS
17:50:08 [efelten]
WileyS: In email, asked to remove "retain"
17:50:09 [jmayer]
17:50:22 [ksmith]
17:50:37 [efelten]
... want to separate handling of previously collected data from how to treat new data
17:50:45 [jmayer]
this text is very clear in its treatment of historical data
17:50:53 [efelten]
... otherwise generally happy now that exceptions are mentioned explicitly in core definition
17:50:55 [aleecia]
ack dwainberg
17:51:11 [WileyS]
Agree David - will address in exceptions
17:51:15 [WileyS]
Operational Purposes
17:51:16 [efelten]
dwainberg: "use" is extremely broad, hope we will address this in exceptions
17:51:19 [bryan_]
believe that "use" includes "retain"
17:51:46 [efelten]
... think that requirement to delete previously collected data would go too far
17:51:58 [justin]
Is there an example outside of the exceptions that we're going to enumerate?
17:51:59 [WileyS]
Agree with David
17:52:01 [efelten]
... can be legitimate to retain old data in some cases
17:52:04 [efelten]
aleecia: use case?
17:52:07 [ninjamarnau]
this will be addressed by issue 71, I guess
17:52:31 [WileyS]
17:52:32 [efelten]
dwainberg: If user engages DNT for limited time, e.g. for one session, but then wants to switch back to DNT-off
17:52:44 [bryan_]
DNT should work like privacy mode in browsers - turning it on does not clear all history
17:52:54 [efelten]
... user might want old data to be held and used after DNT is turned back off at the end
17:53:01 [bryan_]
17:53:07 [efelten]
aleecia: Let's look at existing adopters of DNT.
17:53:34 [amyc]
will have Issue 71 draft to Ninja tomorrow, which addresses issue
17:53:35 [WileyS]
Holding out AP as a solo example isn't very helpful - too early and its directional of industry concerns
17:53:38 [efelten]
... Some worried that user might turn on DNT for five minutes, force provider to throw away five years of data
17:53:44 [efelten]
... (example is AP)
17:53:51 [dsinger]
I think the definition is clear about data *connected with the communication on which DNT-ON is present*, only, isn't it?
17:54:01 [efelten]
... AP initially kept the old data
17:54:16 [amyc]
agree with dsinger, DNT signal is granular
17:54:25 [efelten]
... Turned out to be a PR problem, because users were worried when they saw tracking cookies persisting even when DNT was on
17:54:31 [Zakim]
17:54:32 [WileyS]
Did they delete logs that were tied to financial activities?
17:54:39 [adrianba]
adrianba has left #dnt
17:54:41 [WileyS]
Should be a "May" - not should or must
17:54:46 [efelten]
... Could take this as SHOULD, MUST, best practice, or not mention at all
17:55:06 [aleecia]
17:55:13 [aleecia]
ack tl
17:55:14 [hwest]
17:55:16 [efelten]
... Shane asks about data tied to financial activities, but don't think that's relevant for this
17:55:38 [dwainberg]
adding to Shane's point -- auditable logs of served ad impressions may need to be retained
17:55:47 [efelten]
tl: Have concern about "in which the operator was a third party" in second part. Why limit it to case where operator was third party?
17:56:06 [ninjamarnau]
agree with tl
17:56:15 [efelten]
aleecia: Let's defer that, take it up at end of discussion of this issue today
17:56:26 [aleecia]
ack jmayer
17:56:43 [Zakim]
- +44.789.449.aakk
17:56:45 [hwest]
+1, I like jmayer's proposal - very similar to what I would suggest
17:56:56 [aleecia]
17:56:56 [efelten]
jmayer: Want to suggest a middle ground: can keep old data, but only in a way that can't be associated with a specific user
17:57:01 [aleecia]
ack ksmith
17:57:02 [justin]
The Facebook example was the reason for the language, tl --- if you're customizing content based on first-party data, that's not really tracking as we've discussed.
17:57:06 [tl]
17:57:25 [aleecia]
session based for DNT or not: that seems the crux of this
17:57:28 [jmayer]
i agree with tl on 2
17:57:41 [jmayer]
justin, if we decide to do that, it should be an explicit exception
17:57:44 [Zakim]
+ +44.789.449.aall
17:57:48 [dsinger]
agree with the speaker; 'treat me as someone about whom you remember nothing and record nothing" -- that doesn't say you *delete* old data, you just ignore it for a while
17:57:50 [jmayer]
don't pack it into the high-level definition
17:57:52 [efelten]
ksmith: Have always thought of DNT as session-based, should mean "don't recognize this individual now", no implications for other sessions
17:58:10 [Zakim]
17:58:13 [vincent]
jmayer, even if data can not be associated to a specific user it could still be associated wieth a specific user-agent (i.e. browser) and that would be ok
17:58:17 [efelten]
... PR issue in AP case shouldn't influence us, that's up to each company
17:58:21 [aleecia]
ack WileyS
17:58:30 [jmayer]
vincent, i would say both, good point
17:58:51 [efelten]
WileyS: Want to manage retention/deletion issue outside of this definition
17:59:06 [justin]
I don't feel terribly strong either way, but it seems like DNT is about collection and use of third-party data ---- I don't see why we would not try to encompass first-party data as well.
17:59:11 [efelten]
... Have operational need to prove that ad impressions actually happened
17:59:22 [efelten]
... Will need some other operational-driven exceptions
17:59:24 [jmayer]
when facebook reads your cookies as a third party
17:59:32 [jmayer]
that falls into (1)
17:59:44 [efelten]
... Except for these cases, would agree with MAY or SHOULD not retain
17:59:56 [efelten]
... Don't want to go all the way to MUST
18:00:01 [dsinger]
q+ to say that we need to be clear it's about *use* of historical data, not deletion
18:00:12 [jmayer]
in fact, i could do without (2)
18:00:20 [Zakim]
18:00:24 [efelten]
aleecia: There is discussion in Europe about consent applying only to new data collected
18:00:37 [efelten]
... requirements may differ between Europe and US
18:00:49 [bryan_]
DNT should work like privacy mode in browsers - turning it on does not clear all history - this could cause real problems for users that lose all personalization mistakenly. if we really need a clear history action, it should be explicit, and operator compliance based upon best effort (some info is not technically feasible to forget).
18:00:50 [aleecia]
ack bryan_
18:00:52 [efelten]
... setting aside "eraser" proposals
18:01:07 [justin]
If someone turns on DNT, they're not going to want tailored ads based on historical x-site data. I'm ambivalent on actual deletion, but usage should be within scope.
18:01:18 [jmayer]
to the extent a company can use old data in personalizing to a user, that has to be explicit in an exception anyways
18:01:28 [efelten]
bryan: Should work like privacy mode in browsers. Active when it's turned on. More like privacy mode than like delete-all-history.
18:01:28 [jmayer]
because we have to say the new data can be used to link up old data
18:01:56 [efelten]
... Deleting more would hurt user experience for users who want to toggle DNT on and off over time
18:02:10 [aleecia]
ack hwest
18:02:10 [ksmith]
18:02:28 [tl]
18:02:32 [tl]
18:02:43 [ninjamarnau]
18:02:45 [rvaneijk]
EU context: consent is for new data collection.
18:02:48 [efelten]
hwest: Retrospective deletion would require extra tracking in order to comply
18:02:59 [jmayer]
could add language here like "make reasonable efforts" to cover cases where deletion isn't possible
18:03:01 [efelten]
... agree with last several speakers
18:03:24 [efelten]
... should be okay to keep data if severed from that user's profile
18:03:47 [aleecia]
18:04:01 [fielding]
+1 to what hwest said
18:04:01 [aleecia]
ack dsinger
18:04:01 [Zakim]
dsinger, you wanted to say that we need to be clear it's about *use* of historical data, not deletion
18:04:30 [efelten]
dsinger: definition is fine, but would be clearer to say you shouldn't *use* historical data when DNT is on
18:04:34 [vincent]
if a user has DNT + InPrivate mode then only his current session will not be tracked, if user has DNT only then it means that he asks to be forgotten, would that be ok?
18:04:40 [WileyS]
Agree with David - use application (not a "retention" application)
18:04:40 [efelten]
... but shouldn't require retrospective deletion
18:04:44 [Zakim]
- +44.789.449.aall
18:04:52 [aleecia]
ack ksmith
18:05:14 [tl]
18:05:15 [tl]
18:05:20 [efelten]
ksmith: Difficult in practice to purge old data based on DNT hit
18:05:39 [efelten]
... much more practical to avoid using old data while DNT is on
18:06:18 [efelten]
... also worry about race conditions if, e.g., see the same logged-in user on different browsers that send different DNT signals
18:06:25 [efelten]
... would cause bad user experience
18:06:32 [fielding]
No server/collector that I know of would implement a "forget me purge" without a complete form-based specific request with anti-forgery protections.
18:07:07 [efelten]
aleecia: Not clear on why this would be a problem
18:07:39 [Zakim]
+ +44.789.449.aamm
18:07:41 [efelten]
ksmith: Could make it work, but would provide strange user experience
18:08:04 [aleecia]
ack ninjamarnau
18:08:15 [efelten]
... consider same user at work and home, where work has DNT-on policy, but DNT-off at home
18:08:35 [WileyS]
18:08:44 [WileyS]
Ninja + 1
18:08:56 [efelten]
ninjamarnau: When user sees DNT on, operator should not combine new data with existing data about that user.
18:09:01 [efelten]
... Do we have agreement on this?
18:09:21 [Frankie]
+1 Ninja
18:09:25 [efelten]
s/user sees/user sends/
18:09:30 [bryan_]
q+ to point out that DNT does not mean "do not personalize"
18:09:37 [WileyS]
(+1 Ninja) Again, "use" application, not a "retention" application
18:09:40 [efelten]
aleecia: Comments re Ninja's proposal?
18:09:42 [amyc]
18:09:46 [dwainberg]
18:09:52 [aleecia]
ack bryan_
18:09:52 [Zakim]
bryan_, you wanted to point out that DNT does not mean "do not personalize"
18:09:54 [tl]
18:09:54 [tl]
18:10:03 [efelten]
bryan: Need to be careful not to rule out all personalization when DNT is on
18:11:10 [dwainberg]
18:11:18 [jmayer]
+q on this
18:11:44 [efelten]
... suppose user has told site to provide high-contrast viewing
18:11:52 [ksmith]
lets not claim to know exactly what the user expects
18:12:06 [efelten]
... I see tracking as "don't remember what I'm doing" but not "don't personalize"
18:12:33 [efelten]
aleecia: Let's set this aside until Ninja suggests specific text
18:12:34 [bryan_]
18:12:38 [bryan_]
18:12:39 [jmayer]
18:13:43 [efelten]
jmayer: Reasoning about this starts with the general definition which says don't use unless exception
18:13:51 [efelten]
... so question is whether there should be an exception for this
18:14:11 [aleecia]
ack WileyS
18:14:13 [efelten]
aleecia: Pop the stack, return to third point in proposed language
18:14:49 [ninjamarnau]
I think if we say MUST not use, then associating with old data is also "use"
18:14:57 [efelten]
WileyS: If drop concept of retention, just talk about "collect or use", would block use of old information too
18:15:17 [jmayer]
agree with shane that, unless an exception explicitly allows it, the current text already prevents use of historical data
18:15:22 [jmayer]
don't agree on retain
18:15:26 [efelten]
... dropping "retain" could get us to consensus, or close to it, can come back to retention questions later
18:15:39 [efelten]
... propose to drop retain and leave that as new open issue
18:16:02 [aleecia]
ack tl
18:16:06 [jmayer]
18:16:43 [efelten]
tl: Setting aside whether "retain" requires deletion of old data, current definition says server shouldn't remember current access, nor use old info about same user
18:16:56 [bryan_]
Talk about "breaking the web"!
18:16:57 [efelten]
... principle is you should act like you don't recognize the user
18:17:24 [dwainberg]
18:17:27 [bryan_]
we need a much narrower definition of DNT intent
18:17:27 [efelten]
aleecia: Have some good standards language here, but not much about the intent of the language
18:17:41 [dsinger]
I assume if the user chooses to also send a cookie that expresses a preference, the service is welcome to act on it *in that transaction*, but (as usual) not remember anything
18:17:43 [efelten]
... Tom, can you suggest specific language about the intent?
18:17:57 [bryan_]
q+ to point out that "we need a much narrower definition of DNT intent"
18:18:08 [aleecia]
18:18:14 [aleecia]
ack bryan_
18:18:14 [Zakim]
bryan_, you wanted to point out that "we need a much narrower definition of DNT intent"
18:18:16 [justin]
Exceptions for volume controls and comparable settings can be carved out as an exception, but I'm not entirely sure of how many people set these settings on a third-party basis!
18:18:22 [dsinger]
18:18:45 [efelten]
bryan: Need a much narrower definition of the intent. If turn off recognition of the user, would break the web
18:18:49 [WileyS]
Capture these in exceptions
18:18:57 [jmayer]
completely agree, shane
18:19:01 [efelten]
... Should allow personalization
18:19:05 [tl]
when a user turns on DNT, they expect that the service will treat them like someone about whom they know nothing, and not remember anything about the current interaction going forward
18:19:25 [efelten]
aleecia: Think we can all agree that DNT means user is expressing a preference for privacy
18:19:37 [efelten]
... Want to hear more about how to reconcile that with personalization
18:19:52 [efelten]
... in a third-party setting
18:20:08 [efelten]
bryan: Am talking about personalization primarily by first parties
18:20:30 [fielding]
I think most of the comments so far have confused parties
18:20:33 [dwainberg]
18:20:33 [tl]
[in the third party context, of course]
18:20:49 [efelten]
aleecia: Expectation is that first parties will have relatively few obligations under DNT
18:20:53 [bryan_]
18:21:17 [jmayer]
18:21:19 [aleecia]
ack dsinger
18:21:32 [efelten]
dsinger: DNT is a wall between the current transaction and the server's database
18:21:51 [efelten]
... logically orthogonal to any other cookies that might be present
18:22:11 [tl]
18:22:19 [efelten]
... if user has cookie requiring, e.g., captioning in ads, that can be sent and server can caption ads accordingly, when DNT is on
18:22:31 [efelten]
... Does that make sense?
18:22:51 [efelten]
aleecia: Not sure I followed it entirely
18:23:11 [justin]
Do people agree with jmayer that we should kill (2) because it's already subsumed by (1)? Or is there sufficient ambiguity about the use of old data that (2) is still useful (with or without the revision that tl has suggested)
18:23:20 [efelten]
dsinger: Data that user chooses to put into transaction is actionable within that transaction
18:23:42 [efelten]
... but server shouldn't remember the transaction, shouldn't use past transaction data
18:23:55 [jmayer]
justin, i think there should be an explicit line about whether historical data may be retained
18:24:03 [jmayer]
since i think the first line says nothing about it
18:24:06 [bryan_]
The concern I was expressing still stands depending upon what the intent of the 3rd party site access is. If the site provides data presented in the 1st party site through a mashup, it is acting for the same purpose as a 1st party site.
18:24:19 [jmayer]
i hope that solves shane's concern
18:24:32 [bryan_]
However if the site is purely about advertising, the intent of the access is different.
18:24:40 [fielding]
IOW, cookies can store user preferences on the browser that are actionable by the server even if DNT is turned on (I assume dsinger is excluding cookies that are just user IDs)
18:24:51 [aleecia]
ack dwainberg
18:24:56 [WileyS]
It solves my concern if you drop "retain" from the proposed definition. :-)
18:25:12 [efelten]
dwainberg: Confused by introduction of "personalization" which isn't the same as tracking
18:25:37 [jmayer]
shane, even if the next sentence explicitly says whether you can or can't retain historical data?
18:25:42 [efelten]
... "information" and "use", especially together, are very broad, so will need strong enough exceptions
18:25:44 [justin]
jmayer, but if we end up not requiring deletion, I think people could read (1) to allow for old use. Retention doesn't matter for immediate personalization based on old data.
18:25:51 [efelten]
... need to think through implications for personalization
18:25:58 [efelten]
aleecia: agree that should be addressed
18:26:02 [jmayer]
justin, how do you read (1) that way?
18:26:14 [jmayer]
to use old data, you need new data
18:26:22 [efelten]
... suggest that we remove "retain" and treat retention as an open issue
18:26:32 [enewland]
18:26:42 [efelten]
... that gets us fairly close to consensus on what remains
18:26:50 [jmayer]
18:27:01 [efelten]
... return to issue 2, as promised earlier; Tom?
18:27:14 [Zakim]
18:27:34 [efelten]
tl: Not comfortable "in which operator was a third party". Should also limit operator when operator is third party now.
18:27:38 [jmayer]
(2) is both ambiguous and undermines the meaning of (1)
18:27:42 [jmayer]
recommend striking it
18:27:44 [efelten]
aleecia: proposal to strike "in which the operator was a third party"
18:27:45 [justin]
18:27:46 [WileyS]
18:27:49 [efelten]
... any objections?
18:27:51 [aleecia]
ack tl
18:28:17 [jmayer]
if we want to allow linking a first-party database in a third-party context, that's an exception
18:28:20 [efelten]
justin: Don't feel strongly, but not sure this would be tracking.
18:28:29 [bryan_]
no, data provided to the 1st party should still be usable when acting as a 3rd party
18:28:31 [bryan_]
18:28:48 [jmayer]
justin, then let's talk about making an exception for that
18:28:56 [efelten]
... want to allow more use of data provided voluntarily by user
18:29:31 [efelten]
WileyS: Definition applies to entity acting as third party. Don't want to allow loophole. Seems like a drafting issue.
18:29:33 [tl]
18:29:43 [justin]
18:29:54 [Zakim]
18:30:09 [Zakim]
18:30:09 [efelten]
bryan: Need to think more about implications of how we treat data provided in first-party setting, when same entity is a third party later
18:30:21 [aleecia]
rrsagent, make logs public
18:30:30 [tl]
i propose the following alternative language:
18:30:44 [efelten]
... users will often want that data used for personalization, even if server cannot log that interaction
18:30:56 [efelten]
aleecia: Time's up. Next week, same time.
18:30:58 [tl]
If ta third-party domain receives a communication to which a [DNT-ON] header is attached:
18:30:58 [tl]
that operator must not collect, retain, or use information related to that communication outside of the explicitly expressed exceptions as defined within this standard;
18:30:58 [tl]
that operator must not use information about previous communications ioutside of the explicitly expressed exceptions as defined within this standard;
18:31:07 [Zakim]
- +1.650.924.aajj
18:31:09 [efelten]
efelten: Scribing is easy--be sure to volunteer next week!
18:31:17 [aleecia]
RRSAgent, set logs world-visible
18:31:19 [Zakim]
- +385221aaii
18:31:20 [Zakim]
18:31:21 [Zakim]
18:31:21 [Zakim]
18:31:22 [Zakim]
18:31:22 [Zakim]
- +44.789.449.aamm
18:31:22 [Zakim]
18:31:24 [Zakim]
18:31:26 [Zakim]
18:31:28 [Zakim]
- +1.347.689.aagg
18:31:30 [Zakim]
18:31:32 [Zakim]
18:31:33 [aleecia]
RRSAgent, make minutes
18:31:33 [RRSAgent]
I have made the request to generate aleecia
18:31:34 [Zakim]
18:31:36 [Zakim]
18:31:38 [Zakim]
18:31:39 [Zakim]
18:31:42 [Zakim]
18:31:44 [Zakim]
- +1.646.654.aaff
18:31:46 [Zakim]
18:31:47 [Zakim]
18:32:16 [ksmith]
ksmith has left #DNT
18:34:25 [punderwood]
punderwood has joined #dnt
18:36:38 [Zakim]
disconnecting the lone participant, hwest, in T&S_Track(dnt)12:00PM
18:36:40 [Zakim]
T&S_Track(dnt)12:00PM has ended
18:36:44 [Zakim]
Attendees were aleecia, tl, jmayer, tedleung, +91.37.4.aaaa, efelten, NinjaMarnau, SueG, Joanne, rvaneijk, sidstamm, dsriedel, fielding, hwest, +1.425.214.aacc, +1.347.689.aadd,
18:36:49 [Zakim]
... +1.310.292.aaee, WileyS, frankie, +1.646.654.aaff, enewland, dsinger, AlexDeliyannis, jsimpson, vincent, dwainberg, +1.347.689.aagg, adrianba, sharvey, +44.789.449.aahh,
18:36:50 [tedleung]
tedleung has left #Dnt
18:36:52 [Zakim]
... +385221aaii, +1.650.924.aajj, +44.789.449.aakk, +44.789.449.aall, +44.789.449.aamm
18:41:14 [enewland]
enewland has joined #dnt
19:19:05 [tl]
tl has joined #dnt
21:12:02 [aleecia]
aleecia has joined #dnt
21:43:54 [karl]
karl has joined #dnt
21:56:24 [mischat]
mischat has joined #dnt
21:56:58 [schunter]
schunter has joined #dnt
22:00:21 [schunter]
schunter has joined #dnt
22:20:12 [tl]
tl has joined #dnt
22:25:55 [schunter]
schunter has joined #dnt
22:39:33 [schunter]
schunter has joined #dnt
22:47:35 [schunter]
schunter has joined #dnt
22:56:32 [trackbot]
trackbot has joined #dnt
23:01:33 [trackbot]
trackbot has joined #dnt