16:37:47 RRSAgent has joined #dnt
16:37:47 logging to http://www.w3.org/2012/01/04-dnt-irc
16:37:55 Zakim has joined #dnt
16:38:04 Zakim, this will be dnt
16:38:05 ok, aleecia; I see T&S_Track(dnt)12:00PM scheduled to start in 22 minutes
16:38:16 chair: aleecia
16:38:24 rrsagent, make logs public
16:40:42 schunter has joined #dnt
16:44:28 johnsimpson has joined #DNT
16:44:48 johnsimpson has left #DNT
16:47:19 vincent has joined #dnt
16:48:02 tl has joined #dnt
16:50:40 rvaneijk has joined #dnt
16:51:15 sidstamm has joined #dnt
16:51:28 T&S_Track(dnt)12:00PM has now started
16:51:35 +[Mozilla]
16:51:36 + +1.408.674.aaaa
16:51:38 dsinger has joined #dnt
16:52:18 +??P27
16:52:21 zakim, Mozilla has tl
16:52:21 +tl; got it
16:53:23 agenda+ Selection of scribe
16:53:26 efelten has joined #dnt
16:53:35 agenda+ Any comments on minutes from the last call:
16:53:47 agenda+ Review of overdue action items
16:54:00 agenda+ Discussion of action-34, draft of first-party text
16:54:11 agenda+ Discussion of Europe, Canada, the US and DNT; request for volunteers
16:54:19 agenda+ Review of open issues and current status
16:54:30 agenda+ Issue-6, What are underlying concerns?
16:54:41 agenda+ Issue-15, What special treatment should there be for children's data?
16:54:50 agenda+ Announce next meeting & adjourn
16:55:09 zakim, who is here?
16:55:09 On the phone I see [Mozilla], +1.408.674.aaaa, ??P27
16:55:10 [Mozilla] has tl
16:55:11 On IRC I see efelten, dsinger, sidstamm, rvaneijk, tl, vincent, schunter, Zakim, RRSAgent, aleecia, bryan, tlr-bbl, hober, trackbot, pde
16:55:17 npdoty has joined #dnt
16:55:21 zakim, ??P27 is Matthias Schunter
16:55:21 I don't understand '??P27 is Matthias Schunter', schunter
16:55:42 trackbot, start meeting
16:55:44 RRSAgent, make logs world
16:55:47 Zakim, this will be
16:55:48 I don't understand 'this will be', trackbot
16:55:49 Meeting: Tracking Protection Working Group Teleconference
16:55:51 Date: 04 January 2012
16:56:11 Nick, I've done it
16:56:14 We're set
16:56:15 i love that our robots can't quite work out each others' syntax
16:56:22 Please don't wipe out the agenda :-)
16:56:25 zakim, this is ??P27
16:56:25 sorry, schunter, I do not see a conference named '??P27' in progress or scheduled at this time
16:56:38 +[Mozilla.a]
16:56:46 Zakim, Mozilla.a has sidstamm
16:56:46 + +31.65.141.aabb
16:56:50 +sidstamm; got it
16:56:57 agenda?
16:56:57 Zakim, aabb is rvaneijk
16:57:12 zakm, ??P27 is schunter
16:57:18 +rvaneijk; got it
16:57:27 zakim, ??P27 is schunter
16:57:27 +schunter; got it
16:57:42 + +1.425.214.aacc
16:58:08 Joanne has joined #DNT
16:58:08 chesterj1 has joined #dnt
16:58:44 maybe we could add issue 32? I've sent a draft before the holidays
16:58:58 + +1.510.859.aadd
16:59:02 + +1.415.520.aaee
16:59:07 + +1.202.326.aaff
16:59:14 Zakim, aadd is npdoty
16:59:14 +npdoty; got it
16:59:15 clp has joined #dnt
16:59:17 There are many drafts before the holidays that we won't likely get to today, but if we do get through the agenda quickly, I'd love to do more!
16:59:19 Zakim, aaff is efelten
16:59:19 +efelten; got it
16:59:24 johnsimpson has joined #dnt
16:59:25 +1.415.520 is Joanne
16:59:28 What is the dial in number and code again?
16:59:31 +[Apple]
16:59:33 zakim, [apple] has dsinger
16:59:33 +dsinger; got it
16:59:39 zakim, code?
16:59:39 the conference code is 87225 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), dsinger
16:59:42 ksmith has joined #dnt
16:59:46 +1.617.761.6200, conference code TRACK (87225)
16:59:53 justin has joined #dnt
16:59:57 present+ Bryan_Sullivan
16:59:58 WileyS has joined #DNT
17:00:15 +??P34
17:00:23 enewland has joined #dnt
17:00:24 useful URLs today: http://www.w3.org/2011/tracking-protection/compliance-issues.html has summary of status on issues; http://www.w3.org/2011/tracking-protection/temp-parties-draft-jm-tl.html has draft of first party work
17:00:30 + +1.760.705.aagg
17:00:31 + +1.301.270.aahh
17:00:34 I'll repeat those when relevant
17:00:44 agenda?
17:00:47 jmayer has joined #dnt
17:00:49 alex___ has joined #dnt
17:00:49 Lia has joined #dnt
17:00:54 Zakim, agenda?
17:01:00 hefferjr has joined #dnt
17:01:18 zakim, +1.425.214.aacc is bryan
17:01:28 zakim, who is here?
17:01:41 Been away last few weeks, forgive me, real life called me away, here now --clp
17:01:52 zakim, who is online?
17:01:53 pmagee has joined #dnt
17:02:01 + +1.202.684.aaii
17:02:06 scribenick: johnsimpson
17:02:06 cOlsen has joined #dnt
17:02:07 I see 9 items remaining on the agenda:
17:02:13 1. Selection of scribe [from aleecia]
17:02:17 2. Any comments on minutes from the last call: [from aleecia]
17:02:20 dwainberg has joined #dnt
17:02:21 3. Review of overdue action items [from aleecia]
17:02:23 4. Discussion of action-34, draft of first-party text [from aleecia]
17:02:25 zakim, mute me
17:02:25 5. Discussion of Europe, Canada, the US and DNT; request for volunteers [from aleecia]
17:02:27 Zakim, close agendum 1
17:02:29 6. Review of open issues and current status [from aleecia]
17:02:31 7. Issue-6, What are underlying concerns? [from aleecia]
17:02:33 8. Issue-15, What special treatment should there be for children's data? [from aleecia]
17:02:36 Zakim, close agendum 2
17:02:37 9.
Announce next meeting & adjourn [from aleecia]
17:02:39 minutes are accepted
17:02:41 + +1.801.830.aajj
17:02:42 laurengelman has joined #dnt
17:02:43 + +1.813.366.aakk
17:02:43 http://www.w3.org/2011/tracking-protection/track/actions/overdue
17:02:45 Zakim, take up agendum 3
17:02:45 + +1.408.349.aall
17:02:45 tedleung has joined #dnt
17:02:47 +bryan; got it
17:02:49 + +1.202.326.aamm
17:02:51 +??P65
17:02:55 + +1.508.655.aann
17:02:55 move to action items
17:02:56 Justin and I are not able to dial in
17:02:57 On the phone I see [Mozilla], +1.408.674.aaaa, schunter, [Mozilla.a], rvaneijk, bryan, npdoty, +1.415.520.aaee, efelten, [Apple], ??P34, +1.760.705.aagg, +1.301.270.aahh,
17:02:57 hwest has joined #dnt
17:03:02 ... +1.202.684.aaii, +1.801.830.aajj, +1.813.366.aakk, +1.408.349.aall, +1.202.326.aamm, ??P65, +1.508.655.aann
17:03:04 [Apple] has dsinger
17:03:04 henryg has joined #dnt
17:03:06 [Mozilla] has tl
17:03:06 C. Olsen has joined
17:03:08 [Mozilla.a] has sidstamm
17:03:10 + +1.310.392.aaoo
17:03:10 Zakim, aakk is alex__
17:03:12 + +1.813.366.aapp
17:03:14 I don't understand your question, schunter.
17:03:38 On IRC I see cOlsen, pmagee, hefferjr, Lia, alex___, jmayer, enewland, WileyS, justin, ksmith, johnsimpson, clp, chesterj1, Joanne, npdoty, efelten, dsinger, sidstamm, rvaneijk,
17:03:39 Zakim, aamm is cOlsen
17:03:41 action item 14 is in progress, my apologies.
17:03:41 Sorry, couldn't find user - item
17:03:43 ... tl, vincent, schunter, Zakim, RRSAgent, aleecia, bryan, tlr-bbl, hober, trackbot, pde
17:03:47 sorry, johnsimpson, I do not know which phone connection belongs to you
17:03:51 agendum 1, Selection of scribe, closed
17:03:53 I see 8 items remaining on the agenda; the next one is
17:03:55 2.
Any comments on minutes from the last call: [from aleecia]
17:03:56 action-14: in progress
17:03:56 ACTION-14 Write straw man proposal on response from server being optional (related to Issue-81) notes added
17:04:01 jonathan has not worked on action item
17:04:03 agendum 2, Any comments on minutes from the last call:, closed
17:04:05 I see 7 items remaining on the agenda; the next one is
17:04:07 3. Review of overdue action items [from aleecia]
17:04:09 jonathan needs another week
17:04:11 + +1.202.326.aaqq
17:04:15 agendum 3. "Review of overdue action items" taken up [from aleecia]
17:04:17 + +1.714.852.aarr
17:04:20 Zakim, aakk is alex___
17:04:24 zakim, mute me
17:04:29 + +1.202.643.aass
17:04:31 +alex__; got it
17:04:37 + +1.646.825.aatt
17:04:43 fielding has joined #dnt
17:04:53 +cOlsen; got it
17:04:55 + +1.202.637.aauu
17:04:55 are we using action items for the drafting text assignments that were due Dec 21? are all of those finished?
17:04:59 http://www.w3.org/2011/tracking-protection/temp-parties-draft-jm-tl.html
17:04:59 turning to action 34.
17:05:03 Chris has joined #dnt
17:05:08 + +1.206.369.aavv
17:05:16 zakim, who is on call?
17:05:24 sorry, alex___, I do not recognize a party named 'aakk'
17:05:26 sorry, johnsimpson, I do not know which phone connection belongs to you
17:05:26 zakim, aaqq is justin has enewland
17:05:39 zakim, aavv is tedleung
17:05:44 adrianba has joined #dnt
17:05:44 +??P88
17:06:04 I don't understand your question, johnsimpson.
17:06:14 I don't understand 'aaqq is justin has enewland', justin
17:06:16 jonathan: four definitions
17:06:22 +tedleung; got it
17:06:31 plans to address each in sequence...
17:06:40 + +44.789.449.aaww
17:06:44 + +1.212.565.aaxx
17:06:50 - +44.789.449.aaww
17:06:54 high level points crisp text
17:06:59 BrianTs has joined #DNT
17:07:07 +[Microsoft]
17:07:16 zakim, [Microsoft] has adrianba
17:07:21 +??P91
17:07:22 jmayer, we can't hear you
17:07:23 tried to strike balance...
17:07:31 - +1.202.684.aaii
17:07:31 lost jonathan
17:07:33 +adrianba; got it
17:07:41 tom picks up.
17:07:43 + +1.415.520.aayy
17:08:07 we can walk through document
17:08:12 + +1.206.658.aazz
17:08:25 ... definitions lots of stuff in it
17:08:43 http://www.w3.org/2011/tracking-protection/track/actions/overdue
17:08:48 http://www.w3.org/2011/tracking-protection/temp-parties-draft-jm-tl.html
17:08:48 got dropped
17:08:49 A "first party" is any party, in a specific network interaction, that can infer
17:08:49 with high probability that the user knowingly and intentionally communicated
17:08:49 with it. Otherwise, a party is a third party.
17:08:49 A "third party" is any party, in a specific network interaction, that cannot
17:08:49 infer with high probability that the user knowingly and intentionally
17:08:49 Zakim, mute me
17:08:49 sorry, alex___, I do not know which phone connection belongs to you
17:08:50 communicated with it.
17:08:54 rejoining
17:09:02 thanks, Jonathan
17:09:05 Zakim, aakk is alex
17:09:05 sorry, alex___, I do not recognize a party named 'aakk'
17:09:12 KevinT has joined #dnt
17:09:21 Zakim, alex is aakk
17:09:21 +aakk; got it
17:09:45 + +1.202.684.bbaa
17:09:51 Zakim, mute me
17:09:51 sorry, alex___, I do not know which phone connection belongs to you
17:09:54 knowingly and intentionally ... have bunch of specific components
17:09:59 Zakim, bbaa is jmayer
17:09:59 +jmayer; got it
17:10:11 amyc has joined #dnt
17:10:44 infer with high probability,,, most confusing word is "party"
17:11:42 andyzei has joined #dnt
17:12:12 +
17:12:21 ?+
17:12:21 important component is one set of examples would be Flickr and Yahoo, needs to understand branding. might get that Flickr is Yahoo, not necessarily the other way.. same with Google and YouTube
17:12:22 JC has joined #DNT
17:12:25 +?
17:12:26 jimk has joined #DNT
17:12:46 +q
17:12:53 +q
17:12:54 (noted)
17:13:13 We think that corporate affiliation is not good. .. most people don't get it.
Relying on branding
17:13:17 (going to let Tom finish, then ask Jonathan if he wants to comment, then the queue)
17:13:31 I can't connect using (617)761.6200
17:13:44 Nick, can you help JC?
17:13:59 If anyone can help I'm having trouble with the +1.617.761.6200 number; it's failing via Skype, where it was working
17:14:02 Tom: Lot of non-normative discussion to guide it... mashups multiple first parties
17:14:07 try dialing 1 first? then wait, then 87225#
17:14:12 q+
17:14:16 +q
17:14:20 I did
17:14:21 q+
17:15:30 Jonathan comments... High level: balance between bright line rules and high level standards
17:15:57 now
17:15:59 Q-
17:16:05 okay for details
17:16:20 nick: my telephone number is 310-292-7041, didn't see what letters zakim assigned
17:16:22 s/okay/okay to wait/
17:16:35 Adam has joined #dnt
17:16:43 ack clp
17:17:13 That document URL again in case you cannot find it quickly in email: http://www.w3.org/2011/tracking-protection/temp-parties-draft-jm-tl.html
17:17:24 +[Microsoft.a]
17:17:51 charles: just wanted to point out some use cases a good use of good branding.
17:18:00 I will take an Action to create pictures of good and bad examples for first party / third party relationships in UI
17:18:16 defining "obvious to the user"
17:18:26 charles volunteers to offer some pictures of good and bad branding
17:18:36 +[Microsoft.aa]
17:18:43 zakim, aaoo is johnsimpson
17:18:43 +johnsimpson; got it
17:18:59 action: clp to create pictures of good and bad examples for first party / third party relationships in UI
17:18:59 Sorry, couldn't find user - clp
17:19:00 thanks, nick
17:19:07 zakim, mute me
17:19:07 johnsimpson should now be muted
17:19:28 is there concern over ambiguity on "ordinary user"?
17:19:34 A "party" is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person, that an ordinary user would perceive to be a discrete entity for purposes of information collection and sharing.
Domain names, branding, and corporate ownership may contribute to, but are not necessarily determinative of, user perceptions of whether two parties are distinct.
17:19:53 No more concern than 'reasonable' and similarly vague words
17:19:55 npdoty, it's an analogue of the "reasonable person" legal standard
17:19:57 me
17:20:05 Aleecia asks for comments on definition
17:20:13 Aleecia says reasonable is vague
17:20:25 + +44.789.449.bbbb
17:20:25 The first party definition leaves good room to hook up action item 14. I am happy with the defs.
17:20:33 ack hwest
17:20:53 Roy next
17:21:10 "that an ordinary user would perceive" needs to be validated through some sort of survey process
17:21:12 heather says reasonable, huge number of vague words
17:21:15 FYI Aleecia, I hope to have that Action completed by Monday of next week (pictures)
17:21:26 great, thanks Charles
17:21:52 is there precedent in W3C specs for such standards?
17:21:59 or similar language?
17:22:09 that we could reuse in this spec
17:22:14 Heather adsks are we mandating a survey of users?
17:22:23 Jonathan says no
17:22:26 +[Microsoft.aaa]
17:22:35 s/Heather adsks/hwest:/
17:22:42 "overwhelming majority of cases will be clear" << I'm not sure that's true
17:22:47 Zakim, [Microsoft.aaa] has BrianTs
17:22:49 s/Jonathan says/jmayer:/
17:22:49 +BrianTs; got it
17:23:04 ... jonathan in close cases the language is designed to put burden on Website
17:23:38 What about "most users" rather than "an ordinary user" ?
17:23:51 Agree - I believe there needs to be a "good faith" standard - equally subjective but at least sets forth good practices.
17:24:13 Heather: need to clarify expectations
17:24:27 +q
17:24:40 If you want it stronger, "the vast majority of users"
17:24:44 Aleecia: Not clear to what you are suggesting instead
17:24:55 I think "good faith" is too weak.
Would be fine with "reasonable," "ordinary," or "clear branding"
17:25:06 "most users"
17:25:09 was the original idea
17:25:14 vague
17:25:15 agree with Aleecia, want to avoid most or quantifying
17:25:48 Aha, the reasonable man standard, got you J.
17:25:50 aleecia: looking at this as user-centric definition
17:25:53 q?
17:25:58 ack fielding
17:26:10 Roy: Questions: Separating parties from other ones is wrong
17:26:22 ... all about first party
17:26:36 usually with a reasonable person standard, someone later-- a court or other entity-- comes up with reasonable implementations
17:26:41 ... third party and the second party
17:26:52 ... doesn't make sense... a waste of time
17:27:01 FYI, the second party "the user" can also be software, not a person, FYI
17:27:26 1st party is owner of initial page request
17:27:42 s/1st/... 1st/
17:27:55 q?
17:28:00 impossible to know if user intentionally accessed. Site can determine if ist site accessed
17:28:21 s/impossible/... impossible/
17:28:44 Jmayer: got trapped in definitions, owner is a website, who is the owner
17:29:05 ... what if page is operated by multiple companies?...
17:29:06 +q
17:29:28 ... I think there is so much stuff here we wanted to unpack it...
17:29:37 ... not asking the sites to have ESP...
17:29:56 ... want to set objective standard
17:30:26 ... were subjective definitions suggested earlier, we don't think we've done that here.
17:30:26 - +1.206.658.aazz
17:31:06 I am in the queue for "party"
17:31:28 Aleecia paraphrase Roy: Trying to give general definition across three parties.
17:31:40 ^^aleecia is queue going to be run though?
17:31:51 Roy: what does branding have to do with 3rd parties?
17:32:03 ack dsinger
17:32:19 I think the definition is right in spirit, but problematically vague in testability and detail; there is far too much judgment call in here. We can expect that some organizations will try to operate 'close to the line' and what we have here is a very soft/blurry line. That's not good.
17:32:40 David: Definition is right in spirit, too much judgment calling here. Agree with spirit, not crazy about details...
17:32:42 "legal entity"
17:32:59 + +44.142.864.bbcc
17:33:28 ... can I bring a suit? are they legal entity? Too much judgment. Need testability.
17:34:05 "ordinary user" … "perceive" …
17:34:13 jmayer: is there a use case of someone trying to game the text?
17:34:16 "Legal entity" could either be too narrow or too broad depending on how an organization is structured, and in any event will not conform to users' expectations.
17:34:25 ack WileyS
17:34:43 Shane: My concerns in opposite direction...
17:34:56 ... agree need to be user centric
17:34:56 +1 to justin, I don't think user expectations will match legal entities, and like user expectations as the motivation
17:35:35 q+
17:35:38 ...we'll need to provide good faith examples of people trying to act the way
17:36:01 Discoverable cannot be the test
17:36:23 +1 justin. The legal layer can be on top of the technical layer. The technical layer may be user centric, the legal layer may be legal entity centric.
17:36:41 Shane: important for a Disney to make clear... fair practice, good faith examples needed.
17:37:08 Aleecia: Do you want to move to corporate identity?
17:37:21 so the example of "foo.com, powered by google analytics!"?
17:37:27 I liked your point, Shane, about needing examples to guide implementing sites, but I'm not sure why you conclude that this definition therefore breaks the Internet
17:37:53 Shane says sees examples on both affiliate and branding model that could work... Need examples. Very needed
17:37:56 Yes
17:38:15 what about nbc universal or fox
17:38:20 Shane agrees to come up with examples
17:38:37 -q
17:38:42 ack clp
17:38:54 action: shane to also write additional examples around branding for first parties by next week
17:38:54 Created ACTION-44 - Also write additional examples around branding for first parties by next week [on Shane Wiley - due 2012-01-11].
17:39:22 Charles: A subtle point, since describing party. Can a party be scraping, screenware, software, rather than entity itself...
17:39:28 Moving the bar from user understanding to user discoverability is a non-starter for me. Opens loopholes, deviates from user expectations, places an inordinate burden on users.
17:39:38 IMO software acting on my behalf is a type of 1st party.
17:40:19 agree
17:40:22 Aleecia points out definition of user agent could answer Charles' issue
17:40:24 q?
17:40:30 ack dsinger
17:41:02 YouTube + Google
17:41:17 (unless there is no agent allowed to be acting on behalf of first and third parties, three software agents all acting on behalf of each party is possible in theory)
17:41:30 dsinger: seems to me the legal entity test is important, two separate legal ought not to be a single entity
17:41:42 Well, I think we need to make sure that "foo.com powered by google analytics" doesn't make google a first party if Foo is a separate legal entity
17:41:51 So I agree with dsinger
17:41:52 http://www.youtube.com/t/contact_us
17:41:54 YouTube LLC
17:42:00 Aleecia: question gets into merge acquisitions
17:42:15 There is: legal structure, functional biz structure, domain structure, web page inclusion structure, and first party/third party structure
17:42:24 legal entity is itself a fuzzy term
17:42:41 ... movie companies create brand new companies for liability reasons
17:42:46 Singer +1
17:43:07 good point!
17:43:20 -1 : At the end of the day the same entity is paying for liability related issues
17:43:23 i think it will be the opposite-- they will claim they are all under one roof as a defense under the first party exception
17:43:51 q?
17:44:00 Aleecia: asks Jonathan and Tom to think about issue
17:44:27 Tom's request: if you want changes, please write them down
17:44:30 And add to email
17:44:39 Tom asks to put comments in emails
17:45:06 I think changing "legal entity" to common ownership would solve most of these problems.
17:45:28 Jmayer: network interaction
17:45:53 3.1 A "network interaction" is an HTTP request and response, or any other set of logically related network traffic.
17:46:14 +q
17:46:20 justin, common ownership has all sorts of problems, see the writeup
17:46:21 Determination of a party's status is limited to a single transaction because a party's status may be affected by time, context, or any other factor that influences user expectations.
17:46:31 q+
17:46:32 ack clp
17:46:41 Discussing Network Interaction 3.
17:47:03 Charles: What is "logically related"?
17:47:05 ack fielding
17:47:30 Roy: Is it a single network interaction or a sequence?
17:47:55 jmayer, corporate ownership as necessary, but not sufficient, for first party status. Still need branding or other means to get "reasonable expectations."
17:47:55 Jonathan: Just a single...
17:48:07 fielding, can you give an example where you think it should be more than one request/response?
17:48:10 Zakim, who is talking?
17:48:21 npdoty, listening for 10 seconds I heard sound from the following: +1.408.674.aaaa (84%), +1.801.830.aajj (9%), ??P65 (69%)
17:48:37 Zakim, mute ??P65
17:48:37 ??P65 should now be muted
17:48:56 Zakim, who is talking?
17:49:05 -schunter
17:49:05 4.1 Definitions
17:49:06 A "first party" is any party, in a specific network interaction, that can infer with high probability that the user knowingly and intentionally communicated with it. Otherwise, a party is a third party.
17:49:07 npdoty, listening for 10 seconds I heard sound from the following: jmayer (19%), schunter (6%)
17:49:13 Move to next section, 4 A first party..
17:49:31 kj has joined #dnt
17:49:36 +??P3
17:49:56 q+
17:50:02 ... places where we think a clear difference...
17:50:03 ack dsinger
17:50:19 same comments as before
17:50:34 +dsinger, should add awareness of the site
17:50:38 does "intentionally" capture "independent choice"?
17:50:41 Dsinger: User should be aware of the distinctness... Should be an independent choice.
17:50:52 zakim, ??P3 is schunter
17:50:52 +schunter; got it
17:51:28 Dsinger: user not making the decision,,. the site is
17:51:29 how about firefoxwithbing.com
17:51:56 Roy: user doesn't use domain...just clicking on link
17:52:19 Roy: following a link is fine...
17:52:46 ... no difference between site and a mashup site
17:52:49 Do these mashups actually exist? Who owns cheezburgerongooglemaps.com in your scenario?
17:53:07 -[Microsoft]
17:53:11 justin, I agree corporate ownership will almost always happen when two entities are the same party (*not* first party). Wouldn't mind specifying that floor.
17:53:12 Aleecia: two different examples here
17:53:34 adrianba has left #dnt
17:54:00 justin, If multiple first parties, then not necessarily corporate ownership.
17:54:14 .... google maps and craigs list one type... an aggregating site don't know what you're going to get
17:54:23 right, but in those cases the user is "pulling in data" using XHR from two sites, essentially making both third parties, and the sites know that because of the APIs used
17:54:31 -[Mozilla.a]
17:54:39 jmayer, fine, but still trying to wrap my head around "multiple first parties"
17:54:40 Aleecia: david probably right might want to go more fine grained....
17:54:46 q?
17:55:17 mgroman has joined #dnt
17:55:27 ...if the debate is what to do about mashups, we're in great shape.
17:55:40 Roy: user is pulling data from multiple sites, other sites are third party
17:55:45 agree with Roy, a site "can infer with high probability" as the URL for APIs are typically distinct from URLs intended for direct access
17:56:39 I would support some sort of "what the hell, someone just embedded all my stuff" safe harbor for things like personal websites.
17:56:47 the publisher should be responsible
17:56:49 aleecia: a concerning situation where a site that intends to always be a first party and then gets embedded somewhere without the site's knowledge
17:56:55 -[Microsoft.aa]
17:56:55 Aleecia: I've created a site, I get in sucked in as a third party. How do I deal with that? Roy says you consider to act as a 1st party
17:58:00 +q
17:58:21 (we want to be careful because we don't have safe harbor power :-)
17:58:41 lauren: the publisher is the one the user is interacting with, whatever legal or subjective test the publisher is the only one that can do it...
17:58:42 Would like to reiterate that if we're focusing on corner cases like random embeds, I think we're making awesome progress.
17:59:48 aleecia: I've created a site... can put notice to users that this comes from elsewhere
17:59:56 ack WileyS
17:59:57 HousingMaps.com is the name of the craigslist/google mashup. Why isn't the owner of that site the first party, along with any other co-owned and co-branded corp entity. At least one of Google or Craigslist will be a third-party in that scenario, but I don't see why that's a problem
18:00:14 Shane: 1st party in many cases, wouldn't be in a technical position to affect the outcome...
18:00:30 Justin - I was agreeing with that (and thanks for the url)
18:00:35 justin, I think dsinger's point was that the definition about user interaction would lead Google and Craigslist to argue that they're first parties too
18:00:54 ... should recognize should self identify... 3rd party should recognize
18:01:22 controller - processor is bounded by a contract.
18:01:39 npdoty, the user interaction could at some point turn Google or Craigslist into a first party if they're not the owner, but that's a different issue.
18:01:50 - +1.801.830.aajj
18:01:57 Question about the EU context?
18:02:01 sites can also know that there has been a mashup of data from their 1st party URLs due to other things such as headers e.g.
referrer
18:02:16 As a practical matter - publishers often have no idea what third parties are on their site. Can't expect them to carry much burden.
18:02:32 q+
18:02:39 Lauren: Whole point of the problem is the user has no idea what's going on. ..
18:02:50 Disagree about publisher being in the best position to understand party status.
18:03:28 Aleecia: Useful to build something supports German's and U/
18:03:30 Overwhelming majority of cases, a third party knows it's a third party - and the first party knows essentially nothing about the third party.
18:03:36 For the record, HousingMaps.com says "this site is in no way affiliated with craigslist or Google" :)
18:03:44 and U.S. practices.
18:03:49 Sorry Aleecia - didn't mean to interrupt - thought you had finished your statement
18:03:59 No problem, I paused too long :-)
18:04:39 My question right now is basically: is this a problem, and if so how large a problem is it
18:04:54 q-
18:05:10 possible new issue: what do we do about browser add-ins/extension that overlay or manipulate content on the client-side?
18:05:12 But the first party embedded the initial third party to start the chain. with that comes responsibility with what happens downstream with respect to user expectations.
18:05:38 jmayer: often publishers don't know what 3rd parties are doing on sites. Don't see a lot of need for 1st party to get involved, because 3rd party knows their status..
18:06:02 Sean: would fall back on contractual language
18:06:09 Roy, IMO addins are part of the 1st party site from where they were obtained
18:06:14 .... couldn't monitor in real time
18:06:17 fielding, is that part of guidance to the user agent? (I would assume browser extensions are also user agents)
18:06:30 and what about the "check for fraudulent website" interaction that many browsers perform automatically?
18:07:00 i know how it works. i don't disagree.
but that is a by-product of publisher's not bearing any legal or social responsibility for what happens to their users, not a architectural requirement of the system.
18:07:02 +q
18:07:29 aleecia: third parties exist to collect data, some exist for other reasons -- how to differentiate?
18:07:37 virus/phishing site checkers are a type of 1st party - the user is getting a specific service from them intentionally
18:07:38 npdoty, yes … these are network interactions that are not intentionally made by the user but still subject to our DNT protocol, maybe?
18:08:08 aleecia: mashup site providing info is different situation
18:08:34 ack jmayer
18:08:36 aleecia: how to treat two examples differently?
18:08:40 Why do we need to treat those sites differently? If the second category of third-party sites isn't tracking, what is the concern, as long as the responsibility is on the third-party, not the first-party (as we have structured thus far)?
18:09:11 publishers can absolutely have riders in their contracts with ad servers that limit the sharing of user data with campaigns or creative
18:09:31 jmayer: measurement of 3rd parties on web; almost all we've seen are ads, we're treading into corner cases
18:09:46 All in favor of covering edge cases. But want to make sure we recognize points of agreement.
18:09:48 referral networks
18:09:59 Aleecia: yes, but edge cases will be interesting...
18:10:30 Roy: referral networks -- common things that aren't ads
18:11:01 4.2.1 Overview
18:11:02 We draw a distinction between those parties an ordinary user would or would not expect to share information with, "first parties" and "third parties" respectively. The delineation exists for three reasons.
18:11:02 Moving to Section 4.2
18:11:14 First, when a user expects to share information with a party, she can often exercise control over the information flow. Take, for example, Example Social, a popular social network.
The user may decide she does not like Example Social's privacy or security practices, so she does not visit examplesocial.com. But if Example Social provides a social sharing widget embedded in another website, the user may be unaware she is giving information to Example Social and u
18:11:14 to exercise control over the information flow.
18:11:27 Second, we recognize that market pressures are an important factor in encouraging good privacy and security practices. If users do not expect that they will share information with an organization, it is unlikely to experience market pressure from users to protect the security and privacy of their information. In practice, moreover, third parties may not experience sufficient market pressure from first parties since increasingly third parties do not have a direc
18:11:27 business relationship with the first party websites they appear on. We therefore require a greater degree of user control over information sharing with such organizations.
18:11:39 Last, third parties are often in a position to collect a sizeable proportion of a user's browsing history – information that can be uniquely sensitive and easily associated with a user's identity. We wish to provide user control over such information flows.
18:11:43 Don't want to reopen "what is tracking debate", but want to list our concerns
18:11:55 We recognize that, unlike with a bright-line rule, there can be close calls in applying our standard for what constitutes a first party or a third party. But we believe that in practice, such close calls will be rare. The overwhelming majority of content on the web can be classified as first party or third party, with few cases of ambiguity in practice.
18:11:56 pedermagee has joined #dnt
18:12:11 We require a confidence at a "high probability" before a party can consider itself a first party. Where there is reasonable ambiguity about whether a user has intentionally interacted with a party, it must consider itself a third party.
Our rationale is that, in the rare close cases, a website is in the best position to understand its users' expectations. We therefore impose the burden of understanding user expectations on the website. We also wish, in close ca 18:12:11 to err on the side of conforming to user expectations and protecting user privacy. If the standard is insufficiently protective, ordinary users have limited recourse; if the standard imposes excessive limits, websites retain the safety valve of explicitly asking for user permission. 18:12:43 After moving through the document, it would be helpful to hear where people are - is this close to consensus? 18:12:48 Aleecia: Have reasons why not technical definition 18:13:06 4.2.3 Multiple First Parties 18:13:07 There will almost always be only one party that the average user would expect to communicate with: the provider of the website the user has visited. But, in rare cases, users may expect that a website is provided by more than one party. For example, suppose Example Sports, a well known sports league, collaborates with Example Streaming, a well known streaming video website, to provide content at www.examplesportsonexamplestreaming.com. The website is prominentl 18:13:07 advertised and branded as being provided by both Example Sports and Example Streaming. An ordinary user who visits the website may recognize that it is operated by both Example Sports and Example Streaming. 18:13:21 4.2.4 User Interaction with Third-Party Content 18:13:22 A party may start out as a third party but become a first party later on, after a user interacts with it. If content from a third party is embedded on a first party page, the third party may become an additional first party if it can infer with high probability that the average user knowingly and intentionally communicated with it. If a user merely moused over, closed, or muted third-party content, the party would not be able to draw such an inference. 
18:13:40 Not close until Corporate Ownership and Affiliates are addressed in a more reasonable manner. I believe a "reasonably discoverable" standard should be set here. 18:13:49 That was to JMayer's question... 18:14:31 "addressed in a more reasonable manner" = ? 18:14:51 Why "average user" here rather than "reasonable" or "ordinary" ? 18:15:05 Shane: Jonathan asked if close to consensus. We can't be close until corporate and affiliate status are addressed... 18:15:08 yep 18:15:10 clp, tried to be clear that this is objective and, if necessary, testable. 18:15:21 (speaking for Disney) 18:15:45 ... ESP and Disney are is an acceptable approach... 18:15:46 Shane, can you expand that example? 18:16:14 s/ESP/ESPN/ 18:16:45 Aleecia -- If user and visit ESP, but no branding you're saying OK... 18:16:57 +q 18:17:11 what are we trying to protect by this definition? why does it matter that ESPN and other sites are owned by Disney? 18:17:19 Aleecia: Nielsen says 100 unique sites a day for average 18:17:21 So Disney's position is that, even if users don't understand that ESPN is owned by Disney, ESPN should be able to share data with Disney? 18:17:29 s/ESP/ESPN/ 18:17:35 May be because of images, ads, also loaded with a page? one page can be 12-15 entities? 18:17:51 Does that metric include images pulled into email readers etc? Otherwise the number seems way high to me also. 18:17:51 even if the vast majority of sites I visit each day are ones I have visited before, there's no way I am going to research the corporate structure of ANY site I visit, let alone work out which ones I am visiting for the first time!! 18:17:55 Aleecia: You're putting burden on user to discover the affiliations... 18:17:55 Reject this repeated claim about "users who care." The burden should not be on users. 18:17:55 (Aleecia to find Nielsen data for Shane on # unique sites per day) 18:18:15 jmayer, why not?
18:18:35 Shane: need to figure out a way to have a best practice for discoverable affiliation. 18:18:42 This is a list of assets owned by Rupert Murdoch's News Corporation: http://en.wikipedia.org/wiki/List_of_assets_owned_by_News_Corporation so they are covered for sharing among all of these as first-party? 18:19:00 Because they're in a terrible position to learn about and understand corporate relationships, as against a company that can use domains, branding, marketing, slogans, etc. 18:19:15 Shane: trying to figure out where gaining consensus 18:19:16 I just clicked on 20 links on ESPN.com and didn't see anything about Disney at all in those links. THE LINKS THAT A USER WOULD REASONABLY GO TO (stories about sports) 18:19:23 -1 18:19:30 -1 18:19:30 -1 18:19:30 -1 18:19:31 Click on Privacy Policy 18:19:31 -1 18:19:32 -1 18:19:33 -INT_MAX 18:19:34 +1 18:19:36 sure, but why does it matter which funnel is used to give data to Disney? Disney still has the data. 18:19:39 -1 18:19:40 -1 18:19:43 +1 potentially 18:19:43 -1 18:19:48 sharvey: +1 18:20:03 -1 strongly disagree 18:20:07 we have to click on the link "learn more" first, meaning that I have to interact with ESPN before I actually know it belongs to Disney 18:20:34 WileyS, given the typical ESPN browsing experience, how can you say that I am intentionally or even knowingly sharing data with Disney? 18:20:37 The way the question was phrased implies an inordinate amount of effort to research the relationship - I don't think that was the intent of the discoverability assertion. 18:20:46 I don't have a prescription for a solution 18:20:50 Shane: I see this as an area where we will polarize as group. 18:20:59 I really hope we can find a non-polarized consensus! 18:21:03 but we definitely have concerns around the current language re: branding 18:21:06 Another important safety valve for erring on the side of multiple parties - websites can ask for an exception.
18:21:14 If a website decides it's a first party, the user is out of luck 18:21:44 Why isn't branding the non-polarizing middle ground? Yahoo/Flickr are co-parties, but ESPN/Disney isn't because there's no branding where any ordinary user would see it? 18:21:47 _q 18:21:52 -q 18:21:53 q+ 18:21:57 Aleecia: I think everyone understands there is a need to send data. I think need to have understanding of data flows when DNT is on. 18:22:00 q+ 18:22:01 ack fielding 18:22:02 it's a good example. I'm not taking it personally 18:22:08 "no understanding" is strong - many could argue users willfully "don't want to understand" hence the low privacy policy reading rates 18:22:23 Shane, how would I know what I don't know? 18:22:49 What you suggest is that users would have to pay attention to corp ownership for each site they visit 18:22:51 roy, users might care about what part of Disney gets data, who it can share it with, how it can use it, ... 18:22:54 - +1.760.705.aagg 18:22:58 Roy: If the concern of the user is being provided to corporations they don't know about. What I care about is not how data gets to Disney, but if they have it. 18:22:58 And make decisions based on this 18:23:13 It's like we're reinventing the privacy policy problem 18:23:26 aleecia, +INT_MAX 18:23:29 It's not that users don't care, it's that the burden for reading privpols is way too high 18:23:35 We've tried putting the burden on users. It doesn't work. 18:23:49 There has to be a middle ground 18:24:05 Roy: Like to find easy definition of what trying to protect against... 18:24:05 I hope so 18:24:19 WileyS, "don't want to understand" isn't fair --- it's not economically rational for users to click through privacy policies to try to figure out what's going on --- they're not useful documents for users 18:24:20 This plan purposely favors large companies over small ones. It permits a company with multiple entities to create profiles and prevents small companies with one or few sites from doing so.
18:24:20 Use case of hospital and insurance company 18:25:05 Brian: discoverable is related to what is a good example... 18:25:10 Justin - many companies have invested heavily to make their privacy centers "useful" to users - so a blanket statement here doesn't feel fair 18:25:16 s/Brian/bryan/ 18:25:22 q+ 18:25:32 ack bryan 18:25:47 Shane, companies have been working on improving privacy transparency. But it has real limits. Can't pretend that better website design will solve the problem. 18:25:49 WileyS, the average privacy policy is not worth a user clicking on 18:26:06 Bryan: Things are more discoverable than they seem; just need examples. 18:26:29 -jmayer 18:26:30 Safe Travels Jonathan! 18:26:46 yes 18:26:48 q- 18:26:52 ack tedleung 18:27:00 All of this boils down to User Education 18:27:15 - thinks 'discoverable' is a lot less important than 'evident', and (like before) something that is NOT easily discoverable is prima facie, not evident :-) 18:27:15 Branding, Data Collection / Use Practices, etc. 18:27:25 If you can solve user education, you're first on my holiday gift list :-) 18:27:45 Ted: We are a bigger company; for smaller companies it's a much tougher problem. When read so many other parts of spec in flux... hard to know what will work... 18:28:28 ... part of where we are is that we're still working through all the pieces and need to see how work together... 18:28:55 ... that's what I'm feeling...from reading all the drafts. 18:28:58 - +1.646.825.aatt 18:29:08 -efelten 18:29:24 yes. it would be useful to understand what data flow can happen or not happen if disney and espn are both first parties or not. 18:29:35 Aleecia: Would be useful to take the text been discussing and put it in and see what's going on... 18:30:02 ... feel getting close...
18:30:06 - +1.301.270.aahh 18:30:08 +1, maybe having all of the text pieces in the same draft (even though we're not finished with it) will help us see the multiple (moving) pieces together 18:30:46 yay, more writing tasks ;-) 18:30:52 Aleecia: please but issues in email... 18:30:58 s/but/put/ 18:31:20 http://www.w3.org/2011/tracking-protection/compliance-issues.html 18:31:38 - +44.789.449.bbbb 18:31:56 Aleecia: Thanks for getting text in.. Look forward to getting into docs 18:31:59 Happy New Year! 18:32:03 mgroman has left #dnt 18:32:04 - +1.408.349.aall 18:32:05 -??P88 18:32:05 - +1.212.565.aaxx 18:32:06 - +1.202.326.aaqq 18:32:06 - +1.415.520.aaee 18:32:06 -aakk 18:32:07 - +1.415.520.aayy 18:32:08 -??P65 18:32:08 Happy New year 18:32:10 - +1.202.643.aass 18:32:12 -cOlsen 18:32:12 thanks aleecia 18:32:14 -[Mozilla] 18:32:16 -bryan 18:32:18 -rvaneijk 18:32:20 - +1.202.637.aauu 18:32:22 -johnsimpson 18:32:24 -??P34 18:32:25 Zakim, list attendees 18:32:26 - +1.813.366.aapp 18:32:28 - +1.408.674.aaaa 18:32:29 tedleung has left #dnt 18:32:30 - +1.714.852.aarr 18:32:32 -[Microsoft.aaa] 18:32:33 johnsimpson has left #dnt 18:32:34 - +1.508.655.aann 18:32:34 Final note: We should be able to reach consensus on what is discoverable (in terms of branding relationships) by an average user through consideration of typical examples from our public websites and services. I believe that average users can typically find out with one or two clicks whether content presented on a site is sourced by an affiliate of the 1st party (and not thus a 3rd party). I recommend that group members provide such examples to determine how easy 18:32:36 - +44.142.864.bbcc 18:32:38 -[Apple] 18:32:40 -tedleung 18:32:42 -??P91 18:32:45 As of this point the attendees have been +1.408.674.aaaa, tl, [Mozilla], +31.65.141.aabb, sidstamm, rvaneijk, schunter, +1.510.859.aadd, +1.415.520.aaee, +1.202.326.aaff, npdoty, 18:32:45 zakim, aarr is fielding 18:32:47 ...
efelten, dsinger, +1.760.705.aagg, +1.301.270.aahh, +1.202.684.aaii, +1.801.830.aajj, +1.813.366.aakk, +1.408.349.aall, bryan, +1.202.326.aamm, +1.508.655.aann, 18:32:48 KevinT has left #dnt 18:32:50 ... +1.310.392.aaoo, +1.813.366.aapp, +1.202.326.aaqq, +1.714.852.aarr, +1.202.643.aass, alex__, +1.646.825.aatt, cOlsen, +1.202.637.aauu, +1.206.369.aavv, tedleung, 18:32:53 ... +44.789.449.aaww, +1.212.565.aaxx, adrianba, +1.415.520.aayy, +1.206.658.aazz, aakk, +1.202.684.bbaa, jmayer, [Microsoft], johnsimpson, +44.789.449.bbbb, BrianTs, 18:32:56 ... +44.142.864.bbcc 18:32:58 sorry, fielding, I do not recognize a party named 'aarr' 18:33:00 -[Microsoft.a] 18:33:13 zakim, aarr is fielding 18:33:13 sorry, npdoty, I do not recognize a party named 'aarr' 18:33:23 rvaneijk has left #dnt 18:33:34 too late, I guess … just replace in minutes 18:33:56 s/+1.714.852.aarr/fielding/ 18:34:11 Bye all, Happy New Year 18:34:12 it's because I hung up first 18:34:15 Bryan, please go ahead and take a try 18:34:26 trackbot, end meeting 18:34:26 Zakim, list attendees 18:34:26 As of this point the attendees have been +1.408.674.aaaa, tl, [Mozilla], +31.65.141.aabb, sidstamm, rvaneijk, schunter, +1.510.859.aadd, +1.415.520.aaee, +1.202.326.aaff, npdoty, 18:34:27 RRSAgent, please draft minutes 18:34:27 I have made the request to generate http://www.w3.org/2012/01/04-dnt-minutes.html trackbot 18:34:28 RRSAgent, bye 18:34:28 I see 2 open action items saved in http://www.w3.org/2012/01/04-dnt-actions.rdf : 18:34:28 ACTION: clp to create pictures of good and bad examples for first party / third party relationships in UI [1] 18:34:28 recorded in http://www.w3.org/2012/01/04-dnt-irc#T17-18-59 18:34:28 ACTION: shane to also write additional examples around branding for first parties by next week [2] 18:34:28 recorded in http://www.w3.org/2012/01/04-dnt-irc#T17-38-54 18:34:29 ... 
efelten, dsinger, +1.760.705.aagg, +1.301.270.aahh, +1.202.684.aaii, +1.801.830.aajj, +1.813.366.aakk, +1.408.349.aall, bryan, +1.202.326.aamm, +1.508.655.aann, 18:34:32 ... +1.310.392.aaoo, +1.813.366.aapp, +1.202.326.aaqq, +1.714.852.aarr, +1.202.643.aass, alex__, +1.646.825.aatt, cOlsen, +1.202.637.aauu, +1.206.369.aavv, tedleung, 18:34:35 Zakim, who is on the phone? 18:34:36 ... +44.789.449.aaww, +1.212.565.aaxx, adrianba, +1.415.520.aayy, +1.206.658.aazz, aakk, +1.202.684.bbaa, jmayer, [Microsoft], johnsimpson, +44.789.449.bbbb, BrianTs, 18:34:38 ... +44.142.864.bbcc 18:34:38 On the phone I see npdoty, schunter