IRC log of dnt on 2012-01-18

Timestamps are in UTC.

16:56:09 [RRSAgent]
RRSAgent has joined #dnt
16:56:09 [RRSAgent]
logging to
16:56:11 [trackbot]
RRSAgent, make logs world
16:56:13 [trackbot]
Zakim, this will be
16:56:13 [Zakim]
I don't understand 'this will be', trackbot
16:56:13 [dsriedel]
zakim, mute me
16:56:14 [trackbot]
Meeting: Tracking Protection Working Group Teleconference
16:56:14 [trackbot]
Date: 18 January 2012
16:56:14 [Zakim]
dsriedel should now be muted
16:56:20 [johnsimpson]
johnsimpson has joined #DNT
16:56:25 [npdoty]
Zakim, this will be 87225
16:56:26 [Zakim]
ok, npdoty; I see T&S_Track(dnt)12:00PM scheduled to start in 4 minutes
16:57:44 [schunter]
Zakim, who is on the phone?
16:57:44 [Zakim]
I notice T&S_Track(dnt)12:00PM has restarted
16:57:45 [Zakim]
On the phone I see +1.609.627.aaaa, ??P10, dsriedel (muted)
16:58:03 [Zakim]
16:58:27 [Zakim]
16:59:04 [Zakim]
16:59:04 [schunter]
Zakim, ??P10 is mschunter
16:59:16 [Zakim]
+mschunter; got it
16:59:27 [PederMagee]
PederMagee has joined #dnt
16:59:29 [schunter]
Zakim, who is on the phone?
16:59:30 [sidstamm]
sidstamm has joined #dnt
16:59:46 [Zakim]
On the phone I see +1.609.627.aaaa, mschunter, dsriedel (muted), cOlsen
16:59:48 [Zakim]
+ +1.646.654.aabb
17:00:10 [Zakim]
17:00:20 [Zakim]
17:00:22 [Zakim]
17:00:23 [sidstamm]
Zakim, Mozilla has sidstamm
17:00:25 [justin]
justin has joined #dnt
17:00:31 [Zakim]
+sidstamm; got it
17:00:35 [tedleung]
tedleung has joined #dnt
17:00:39 [Joanne]
Joanne has joined #DNT
17:00:48 [schunter]
Zakim, who is online?
17:00:49 [johnsimpson]
zakim, mute me
17:00:55 [Zakim]
I don't understand your question, schunter.
17:00:59 [Zakim]
johnsimpson should now be muted
17:00:59 [chesterj2]
chesterj2 has joined #dnt
17:01:08 [schunter]
Zakim, who is on the phone?
17:01:12 [eb]
eb has joined #dnt
17:01:17 [Zakim]
On the phone I see +1.609.627.aaaa, mschunter, dsriedel (muted), cOlsen, +1.646.654.aabb, npdoty, johnsimpson (muted), [Mozilla]
17:01:20 [Zakim]
[Mozilla] has sidstamm
17:01:26 [Zakim]
+ +1.301.270.aacc
17:01:34 [chesterj2]
Jeff Chester is on phone
17:02:04 [eb]
elise berkower is calling from 646
17:02:06 [Zakim]
+ +1.916.641.aadd
17:02:11 [rigo]
rigo has joined #dnt
17:02:18 [npdoty]
Zakim, aabb is eberkower
17:02:22 [rigo]
zakim, code?
17:02:24 [Joanne]
+1.916.641 is Joanne
17:02:35 [npdoty]
Zakim, aaaa is trapani
17:02:39 [ChrisPedigo]
ChrisPedigo has joined #dnt
17:02:42 [Zakim]
17:02:45 [npdoty]
Zakim, aadd is Joanne
17:03:05 [Zakim]
+eberkower; got it
17:03:09 [Zakim]
the conference code is 87225 (tel:+1.617.761.6200, rigo
17:03:11 [Zakim]
+ +1.978.944.aaee
17:03:23 [Zakim]
+trapani; got it
17:03:39 [npdoty]
ack johnsimpson
17:03:39 [Zakim]
+Joanne; got it
17:03:45 [Zakim]
17:03:51 [vincent]
vincent has joined #dnt
17:04:04 [Zakim]
17:04:12 [Zakim]
17:04:20 [npdoty]
karl, can you scribe?
17:04:32 [johnsimpson]
zakim, mute me
17:04:38 [WileyS]
WileyS has joined #DNT
17:04:51 [johnsimpson]
zakim, mute me
17:04:52 [npdoty]
I can take the second half
17:05:04 [Zakim]
17:05:16 [npdoty]
scribes: dwainberg and tedleung
17:05:28 [Zakim]
johnsimpson should now be muted
17:05:43 [npdoty]
scribenick: dwainberg
17:05:44 [Zakim]
johnsimpson was already muted, johnsimpson
17:05:48 [Zakim]
+ +1.408.349.aaff
17:05:59 [dwainberg]
schunter: Any comments on the minutes?
17:06:01 [npdoty]
17:06:07 [dwainberg]
... no comments, so considered approved.
17:06:12 [Zakim]
17:06:14 [Zakim]
+ +1.202.835.aagg
17:06:14 [dwainberg]
... Overdue actions?
17:06:19 [npdoty]
17:06:19 [trackbot]
ACTION-26 -- Karl Dubost to do a review of the Tracking Protection WG deliverables according to -- due 2011-12-07 -- OPEN
17:06:19 [trackbot]
17:06:28 [npdoty]
17:06:46 [Zakim]
17:06:52 [schunter]
17:06:52 [npdoty]
17:06:52 [trackbot]
ACTION-42 -- Jonathan Mayer to proposes non-normative language to obtain DNT info in Javascript; would replace DOM-API -- due 2012-01-11 -- OPEN
17:06:52 [trackbot]
17:07:05 [johnsimpson]
unmute me
17:07:10 [schunter]
17:07:11 [JC]
JC has joined #DNT
17:07:11 [npdoty]
17:07:12 [trackbot]
ACTION-44 -- Shane Wiley to also write additional examples around branding for first parties by next week -- due 2012-01-11 -- OPEN
17:07:12 [trackbot]
17:07:15 [schunter]
17:07:15 [trackbot]
ACTION-44 -- Shane Wiley to also write additional examples around branding for first parties by next week -- due 2012-01-11 -- OPEN
17:07:15 [trackbot]
17:07:33 [ksmith]
ksmith has joined #DNT
17:07:38 [Zakim]
17:07:41 [dwainberg]
WileyS: Action-44 was addressed in the email list.
17:07:50 [laurengelman]
laurengelman has joined #dnt
17:08:02 [Zakim]
17:08:08 [dwainberg]
schunter: that settles item 3 of the agenda, next is discussion of f2f meeting.
17:08:17 [dwainberg]
... important to register, or you won't get in.
17:08:22 [Zakim]
+ +1.727.686.aahh
17:08:34 [npdoty]
and we need it today!
17:08:37 [Zakim]
+ +385221aaii
17:08:52 [dsinger]
dsinger has joined #dnt
17:08:57 [Zakim]
17:09:02 [Zakim]
+ +1.650.308.aajj
17:09:07 [dsinger]
zakim, [apple] has dsinger
17:09:07 [Zakim]
+dsinger; got it
17:09:11 [efelten]
efelten has joined #dnt
17:09:22 [dwainberg]
... dinner arrangements for joint dinner on 1st day in Brussels.
17:09:37 [Zakim]
17:09:49 [kj]
kj has joined #dnt
17:09:58 [dwainberg]
... restaurant wants prior indication of menu. schunter will send a form to the mailing list to get input.
17:10:53 [johnsimpson]
zakim, unmute me
17:10:53 [Zakim]
johnsimpson should no longer be muted
17:10:59 [johnsimpson]
17:11:02 [chesterj2]
what building are we meeting at first day?
17:11:14 [rigo]
17:11:21 [rigo]
ack john
17:11:22 [npdoty]
ack johnsimpson
17:11:32 [dwainberg]
johnsimpson: just 1 joint dinner, and then we're on our own?
17:11:40 [dwainberg]
schunter: That's unsettled. Any preferences?
17:11:48 [rigo]
ack rigo
17:11:58 [johnsimpson]
zakim, mute me
17:11:58 [Zakim]
johnsimpson should now be muted
17:12:17 [Zakim]
17:12:26 [npdoty]
Morning meetings in Beaulieu (Avenue de Beaulieu)
17:12:36 [alex_]
alex_ has joined #dnt
17:12:55 [Zakim]
+ +1.415.734.aakk
17:13:07 [enewland]
enewland has joined #dnt
17:13:08 [rigo]
zakim, mute me
17:13:08 [Zakim]
Rigo should now be muted
17:13:08 [tedleung]
Building BU25
17:13:08 [dwainberg]
schunter: Suggest day 1 is arranged dinner, and then the rest people are on their own.
17:13:37 [schunter]
Locals will propose some restaurants for 2nd and 3rd day.
17:13:52 [johnsimpson]
David, only if you have cookies in your pocket
17:13:58 [Zakim]
- +1.415.734.aakk
17:14:06 [dwainberg]
schunter: Any other questions?
17:14:13 [schunter]
17:14:13 [trackbot]
ISSUE-105 -- Response header without request header? -- open
17:14:13 [trackbot]
17:14:14 [npdoty]
17:14:14 [trackbot]
ISSUE-105 -- Response header without request header? -- open
17:14:14 [trackbot]
17:14:31 [Zakim]
+ +44.142.864.aall
17:14:38 [BrianTs]
BrianTs has joined #DNT
17:14:39 [WileyS]
Like your SHOULD respond proposal
17:14:59 [npdoty]
17:15:08 [Zakim]
+ +1.415.734.aamm
17:15:14 [rigo]
17:15:19 [schunter]
Language for review: "If a server has received a http request that does not contain a DNT request header field, then the site MAY include a response header field into the corresponding response."
17:15:24 [Adam]
Adam has joined #dnt
17:15:41 [WileyS]
17:15:50 [dwainberg]
schunter: does not say what the response should contain, only that if you like can send a response without seeing a request header.
17:15:54 [rigo]
ack npdoty
17:16:01 [Zakim]
+ +1.917.349.aann
17:16:28 [rigo]
ack Wil
17:16:33 [npdoty]
Zakim, who is talking?
17:16:43 [dwainberg]
npdoty: easy for companies that don't want to do complex configuration and respond on every time.
17:16:44 [Zakim]
npdoty, listening for 10 seconds I heard sound from the following: +1.917.349.aann (19%), +1.301.270.aacc (19%), +1.408.349.aaff (90%)
17:17:15 [dwainberg]
WileyS: Supports as well. Also could be a good way to indicate honoring opt out. Only concern is weight or spam if this is coming back in every response header.
17:17:26 [dwainberg]
... wants to ask Roy that question.
17:17:39 [dwainberg]
schunter: If a site wants to do stupid things, we should not be the ones to disallow it.
17:18:06 [johnsimpson]
makes sense to me.
17:18:13 [dwainberg]
... Given this language, they decide to only send on particular resources. Gives freedom to respond as they like.
17:18:14 [hefferjr]
hefferjr has joined #dnt
17:18:14 [Zakim]
17:18:23 [schunter]
17:18:24 [dwainberg]
WileyS: Thinks this proposal is non-controversial.
17:18:27 [dsinger]
17:18:35 [WileyS]
+aaff WileyS
17:18:44 [schunter]
Item 8
17:18:52 [dwainberg]
dsinger: We should discuss response headers and caching. Is the response a cacheable statement?
17:19:07 [dsinger]
ack dsinger
17:19:08 [WileyS]
[WileyS] +aaff
17:19:08 [dwainberg]
schunter: There's also related Item 8 on the agenda.
17:19:11 [rigo]
zakim, aaff is WileyS
17:19:11 [Zakim]
+WileyS; got it
17:19:25 [WileyS]
Thank you Rigo - can never remember that syntax
17:19:25 [dwainberg]
schunter: Thinks we can record consensus on that, and close the issue.
17:19:47 [npdoty]
17:19:56 [dwainberg]
schunter: Next item: User agent managed site specific exceptions.
17:20:29 [dwainberg]
npdoty: The idea is an option for sites that want to ask permission for a particular 3rd party to track them on that site.
17:20:41 [rigo]
q+ to support
17:20:58 [dwainberg]
npdoty: Can this particular party track me while I'm on this site.
17:21:53 [dwainberg]
npdoty: JS API for prompting for exceptions. And a JS property with a list of site specific exceptions, so a first party can check.
17:22:25 [sidstamm]
17:22:27 [dwainberg]
WileyS: Left open web-wide exceptions, but for site specific they chose to leave this open as a polled property.
17:23:19 [dwainberg]
... very simple 1st party/3rd party pairing, so the 1st party could poll for exceptions. If they add a new 3rd party, they'd have to request an new exception.
17:23:40 [schunter]
17:23:41 [dwainberg]
17:24:06 [dwainberg]
... on web-wide exceptions, we discuss it briefly that a domain could receive a web-wide exception.
17:24:32 [dwainberg]
... A first party could request an exception from a user anywhere it is on the web.
17:24:32 [chesterj2]
17:25:38 [schunter]
ack rigo
17:25:38 [rigo]
ack rigo
17:25:39 [Zakim]
rigo, you wanted to support
17:26:35 [dwainberg]
rigo: Very good effort. But this is the kind of thing I was looking at that would help in the EU context. We shouldn't get too mixed up about the semantics.
17:27:13 [vm1]
vm1 has joined #dnt
17:27:23 [schunter]
rigo: May need fine-tuning to align with the EU regulations. Usability important.
17:27:27 [WileyS]
Continue to counsel the working group to not attempt to leverage DNT to cover the more extreme transpositions of the ePrivacy Directive
17:27:28 [rigo]
17:27:30 [schunter]
17:27:44 [dwainberg]
... Encourage you to make it really easy to use. We have already done some work on the privacy dashboard.
17:27:58 [Zakim]
17:28:05 [dwainberg]
... It will ask questions when you encounter a new domain, and you can see how annoying or not it is.
17:28:13 [schunter]
ack sidstamm
17:28:17 [schunter]
17:28:40 [tl]
tl has joined #dnt
17:28:50 [WileyS]
Agreed - we tried to limit the ability to use this as a digital fingerprint
17:28:53 [dwainberg]
sidstamm: I like it. Concerned about a few particulars. Querying could be used to simulate cookies (Issue 109?).
17:28:55 [schunter]
Sid says that ISSUE-109 is important and should be investigated
17:29:08 [dwainberg]
... Browser can take care of the user interface for not prompting on duplicate requests.
17:29:11 [schunter]
17:29:22 [schunter]
Zakim, mute rigo
17:29:22 [Zakim]
Rigo should now be muted
17:29:40 [npdoty]
just to record, sid you specifically support the alternative to use requestSiteSpecificTrackingException rather than the list of siteSpecificTrackingExceptions
17:29:44 [npdoty]
17:29:49 [dsriedel]
dsriedel has joined #dnt
17:29:50 [sidstamm]
17:29:53 [sidstamm]
npdoty, ^
17:29:55 [WileyS]
Fair - good point, we can modify the language to make this more of a SHOULD than a MUST
17:30:15 [WileyS]
Via Registration / TOS for example
17:30:16 [sidstamm]
+1 to SHOULD, WileyS
17:30:26 [dsinger]
17:30:38 [dsinger]
17:30:40 [tl]
17:31:03 [WileyS]
Publisher choice - let them take on the weight if they want it
17:31:15 [laurengelman]
17:31:31 [rigo]
look at the management of site-stuff in the privacy dashboard. It is complex but feasible. But we should take the restrictions of the mobile web into account
17:32:23 [johnsimpson]
isn't this non-normative?
17:32:59 [npdoty]
dwainberg: This is too definitive. I think sometimes trackers may have a particular relationship and can track a permission to track outside the context of the user agent.
17:33:09 [rigo]
johnsimpson, it is normative
17:33:38 [rigo]
but it has a different meaning as we have legal crossing technical meaning
17:33:41 [schunter]
17:33:59 [rigo]
so I think people are talking past each other
17:34:15 [schunter]
17:34:21 [npdoty]
npdoty: Are there examples where this is important? Could create confusion if users have to remember some exceptions via the user agent and others via a site relationship.
17:34:33 [johnsimpson]
I am looking at the section. It says "This section is non-normative"
17:34:38 [npdoty]
I'd be very concerned about Terms of Service covering this
17:34:42 [sidstamm]
which section number, johnsimpson
17:34:56 [npdoty]
"The special string * signifies all document origins."
17:35:01 [schunter]
17:35:10 [JC]
Who defines trustworthy?
17:35:11 [johnsimpson]
6.1 Overview
17:35:14 [rigo]
+1 to have a first party request exception and collect consent
17:35:25 [rigo]
that's what I need for 5.3
17:35:33 [WileyS]
Agreed - but what if an express consent request was asked of the user prior to the implementation of DNT. In this case it seems fair to be able to honor that and not be forced to "reask" for an exception with the implementation of DNT
17:35:38 [kj_]
kj_ has joined #dnt
17:35:51 [JC]
17:35:52 [vincent]
vincent has joined #dnt
17:36:09 [schunter]
ack dwainberg
17:36:15 [schunter]
ack chesterj
17:36:19 [rigo]
WileyS, they are different sources of permission and independent of each other
17:36:29 [npdoty]
dwainberg: Sites should be able to ask for all of their third parties at once. (We'll choose third parties from time to time and you should trust us.)
17:36:43 [dwainberg]
chesterj2: One of the most important issues here, but I am concerned with how exemptions are structured. Users will be prompted through a variety of ways.
17:36:53 [npdoty]
npdoty: can request with "*" for all 3rd-party origins from a site
17:37:07 [WileyS]
17:37:25 [dwainberg]
... every web site will encourage users to opt back in, and will tell them this is to benefit them.
17:37:29 [tl]
zakim, who is on the phone?
17:37:29 [Zakim]
On the phone I see trapani, mschunter, dsriedel (muted), cOlsen, eberkower, npdoty, johnsimpson (muted), [Mozilla], +1.301.270.aacc, Joanne, dwainberg, +1.978.944.aaee, tedleung,
17:37:31 [dwainberg]
... This could undermine DNT.
17:37:33 [Zakim]
... Cyril_Concolato, Erika, Rigo (muted), WileyS, ChrisPedigo, +1.202.835.aagg, [Microsoft], ??P75, [Microsoft.a], +1.727.686.aahh, +385221aaii, [Apple], +1.650.308.aajj, efelten,
17:37:37 [Zakim]
... Erika.a, +44.142.864.aall, +1.415.734.aamm, +1.917.349.aann, aakk, [Mozilla.a]
17:37:39 [Zakim]
[Apple] has dsinger
17:37:39 [Zakim]
[Mozilla] has sidstamm
17:37:41 [tl]
zakim, Mozilla has tl
17:37:41 [Zakim]
+tl; got it
17:37:56 [dsriedel]
dsriedel has joined #dnt
17:38:02 [dwainberg]
... There's a slippery slope. And the other side of it -- enable users to have greater control over other data collection techniques.
17:38:03 [tl]
zakim mozilla.a has tl
17:38:09 [tl]
zakim, mozilla.a has tl
17:38:09 [Zakim]
+tl; got it
17:38:30 [dwainberg]
schunter: Would like a concrete proposal from Jeff of what things are too risky. Pinpoint a particular piece of the spec.
17:38:38 [schunter]
17:38:42 [dwainberg]
chesterj2: Will post something to the list prior to Brussels.
17:39:11 [npdoty]
q+ to mention ISSUE-67
17:39:25 [npdoty]
ack schunter
17:39:28 [npdoty]
ack dsinger
17:39:28 [dwainberg]
schunter: Flexible with regard to the user interface, but gives users control they need. Like it a lot.
17:39:28 [schunter]
ack schunter
17:39:32 [schunter]
ack dsinger
17:39:49 [dwainberg]
dsinger: On other ways to opt back in. The DNT header signal is a very coarse instrument.
17:40:16 [dwainberg]
... Parties might have a more nuanced choice through, e.g. a web interface.
17:40:17 [rigo]
Nick, Issue 67, IMHO that's a matter of evidence collection and who has to invoke it in case of dispute
17:40:46 [dwainberg]
... Users may wish to interact directly with advertising tracking sites, and we should make it possible to opt back in through mechanisms other than the header.
17:41:15 [npdoty]
that's how I would personally want us to implement that situation (+1 to schunter)
17:41:26 [schunter]
17:41:31 [npdoty]
ack tl
17:41:37 [schunter]
ack tl
17:42:05 [dwainberg]
tl: Makes it easy for users to find their exceptions. But also likes the idea of going to a preferences pane.
17:42:32 [dwainberg]
17:42:38 [dwainberg]
17:43:14 [dwainberg]
... What I'm really afraid of is going to visit a site, and they say you have to agree to the TOS, and para 12 says by agreeing you allow us to override DNT.
17:43:47 [schunter]
Tom supports the idea that nuanced tracking preferences should only play once the ¨big¨ DNT switch for the site has been flipped.
17:43:50 [dwainberg]
... Would love to hear ideas about how to navigate that.
17:43:52 [schunter]
ack WileyS
17:44:00 [schunter]
17:44:12 [dwainberg]
WileyS: I agree on the concerns, but wants to highlight an example.
17:44:48 [dwainberg]
... Yahoo had a property called mybloglog where they recognized users off of Yahoo.
17:45:19 [dwainberg]
... In that case, wouldn't want to have to re-ask consent. Wants the express consent from the user to stick.
17:45:26 [vincent]
tl, I think UA managed specific exceptions actually prevent that while website managed exceptions do not
17:45:33 [schunter]
This is a new issue: How can one ´import´ prior consent into the new Scheme?
17:45:40 [chesterj2]
Yahoo also has smart ads that uses data to personalize ad targeting "on the fly." Users have no idea how this works. Such techniques, inc rich media, will be used to urge people to opt-back in. Creating a system where the DNT standard is undermined.
17:45:43 [rigo]
17:45:46 [vincent]
you can still check when DNT is enabled
17:46:09 [dwainberg]
schunter: I think this is a new issue. Given that you've collected consent via a different scheme, how do you get it into the UA.
17:46:16 [npdoty]
that (MyBlogLog) seems like an example of wanting Web-wide exceptions, right?
17:46:31 [WileyS]
Yes - good point Nick
17:46:42 [rigo]
MS: how to get old consent into the new scheme?
17:47:13 [dwainberg]
WileyS: Yes, it's a way of casting historical consent mechanism into DNT, but also an example for allowing for something other than the UA mechanism.
17:47:32 [schunter]
17:47:36 [rigo]
q+ to say that one source doesn't exclude the other, but that a browser may have restrictions and we have to get around those
17:47:40 [schunter]
ack npdoty
17:47:40 [Zakim]
npdoty, you wanted to mention ISSUE-67
17:47:47 [npdoty]
17:47:47 [trackbot]
ISSUE-67 -- Should opt-back-in be stored on the client side? -- raised
17:47:47 [trackbot]
17:48:01 [ksmith]
A similar problem occurs when a user uses multiple browsers or computers. It would be nice to have a mechanism that did not require me to approve or reject it in each UA
17:48:15 [JC]
17:48:27 [tl]
vincent, i'm not sure i follow you?
17:48:30 [JC]
Also multiple-user computers a problem
17:48:32 [chesterj2]
"Should" would allow all kinds of targeting techniques to be used, inc. "immersive" rich media and even neuromarketing (which Yahoo, Microsoft and others use). This is a serious concern about the integrity of DNT
17:48:42 [vincent]
ksmith, it could be handled by browser sync mechanisms
17:48:43 [dwainberg]
npdoty: Different issues (Issue-67). There have been some objections. We may need to accommodate older browsers.
17:48:59 [dwainberg]
... And there might be some implementation costs. Reasons we might not want opt-in on the client side.
17:49:11 [fwagner]
fwagner has joined #dnt
17:49:14 [sidstamm]
vincent, +1
17:49:19 [schunter]
17:49:30 [schunter]
ack dwainberg
17:49:58 [tl]
17:50:05 [vincent]
tl, I think that with UA managed exception you can implement a DNT "enforcer" that would monitor which entities receive DNT=2 (or 0)
17:50:14 [WileyS]
Good example - in that case is the publisher able to somehow trigger the user's exception on the new browser?
17:50:14 [Zakim]
17:50:22 [dwainberg]
tl: I think that's less of an issue than you think.
17:50:27 [schunter]
17:50:33 [WileyS]
Only Mozilla allows that, correct?
17:50:34 [npdoty]
when I switch devices I might want to have very different preferences
17:50:35 [JC]
I don't agree
17:50:40 [Zakim]
- +1.917.349.aann
17:50:42 [schunter]
17:50:48 [JC]
Sync is a problem
17:51:01 [npdoty]
maybe I'm okay with tracking on my home computer but not while I'm at work
17:51:04 [fwagner]
zakim, Ipcaller is fwagner
17:51:04 [Zakim]
+fwagner; got it
17:51:20 [npdoty]
maybe I'm okay with tracking while at my desktop, but feel less comfortable about tracking of browsing on my mobile device
17:51:29 [fwagner]
hi there, sorry for being late....
17:51:29 [vincent]
tl, whereas if it's managed by the website you may not know when you are actually tracked
17:51:41 [rigo]
ack rigo
17:51:42 [Zakim]
rigo, you wanted to say that one source doesn't exclude the other, but that a browser may have restrictions and we have to get around those
17:51:44 [tl]
vincent, well, you'll get a response header
17:51:53 [schunter]
I think that if a site has different means to store opt-back-in, we must obligate these sites to provide transparency in a standardised way.
17:52:09 [tl]
WileyS, I don't think it'll be long before you log into Chrome with your Google account either.
17:52:10 [vincent]
JC, problem is the same with opt-out cookies
17:52:11 [dwainberg]
rigo: we have to get out of the assumption that is underlying this discussion: if we have no DNT permission, we can't.
17:52:26 [dwainberg]
... Permission can come from many sources, and DNT is just one tool you use.
17:52:52 [npdoty]
many people use different browsers, or incognito modes in their browsers, in order to browse at some times with different privacy settings
17:53:04 [JC]
17:53:06 [vincent]
tl, when you get the response header it might be too late :)
17:53:10 [tl]
WileyS, But yes, we're leading the field on browser sync and identity.
17:53:11 [dwainberg]
... Lawyers know there can be conflict of statements. If we prompt the users too many times we tire them.
17:53:17 [tl]
17:53:45 [tl]
vincent, This is a problem with the web in general...
17:54:34 [dwainberg]
... The service that does actual tracking leads to being challenged. They have to prove they had permission. So depends on in whose favor a certain statement is and where should it be stored.
17:54:38 [tedleung]
taking over as scribe
17:54:40 [schunter]
17:54:48 [Zakim]
17:54:54 [npdoty]
scribenick: tedleung
17:54:55 [dwainberg]
Thanks, Ted.
17:54:58 [rigo]
ack schunter
17:55:34 [rigo]
=> feedback mechanism
17:55:39 [tedleung]
schunter: transparency to the user is important, user should be able to know how an opt back in happened
17:56:08 [rigo]
should contain a way to convey that permission was acquired via another mechanism
17:56:40 [schunter]
17:56:44 [dsinger]
yes, if ANY tracking happens, the user MUST know, in real time (thru the response header, ideally)
17:57:03 [tedleung]
do we need some information in the response header to indicate that an opt back in from another source has happened?
17:57:19 [dsinger]
"I see your DNT:1 but I claim to have permission to track you, and I am tracking you"
17:57:19 [schunter]
Proposed text: Opt-back-in should be in the response header. In particular if the opt-back-in has been managed/stored outside the user agent.
17:57:42 [schunter]
Draft decisions:
17:57:49 [tedleung]
npdoty: realtime feedback doesn't help if you want to clear all your preferences everywhere in a single place
17:57:55 [schunter]
1. Opt-back-in SHOULD be managed by the user agent.
17:57:57 [ksmith]
With the onset of cloud computing, device is getting less important and configuration is expected to go with the user wherever they are. This is the largest weakness with having the UA manage exceptions. I think it's ok to have the UA manage things for DNT version 1 (since cookies have already created this same paradigm), but I expect the lifetime of this approach to be limited.
17:58:24 [tedleung]
schunter: believes there is agreement and will document in IRC.
17:58:46 [schunter]
2. If opt-back-in is managed elsewhere, then the site MUST [inform] the user via an appropriate response header.
17:59:15 [tl]
ksmith, Disagree. The cloud also synchronizes settings between UAs, just look at Firefox Sync.
17:59:33 [dsinger]
I don't think (2) needs the leading "if" clause
17:59:35 [npdoty]
ksmith, as above, I think we see examples where users now are intentionally using different UAs or different UA configurations to provide different privacy situations
17:59:41 [schunter]
17:59:50 [dsinger]
17:59:53 [ksmith]
npdoty - agreed - both options should be available
18:00:20 [Zakim]
18:00:27 [johnsimpson]
sorry, have to leave.
18:00:27 [schunter]
Tom: The response header may need to distinguish between opt-back-in from the browser and opt-back-in from other sources.
18:00:30 [tedleung]
tl: thinks schunter's proposed text is insufficient,
18:00:43 [Zakim]
18:00:47 [rigo]
this is really looking very good for the 5.3 issue
18:00:49 [Zakim]
18:00:51 [tedleung]
schunter wants to defer details to response header discussion
18:00:56 [rigo]
18:00:58 [npdoty]
18:01:05 [johnsimpson]
johnsimpson has left #DNT
18:01:07 [npdoty]
ack dsinger
18:01:07 [rigo]
ack dsinger
18:01:08 [schunter]
18:01:08 [tl]
zakim, Mozilla has tl
18:01:18 [Zakim]
+tl; got it
18:01:26 [dsinger]
2 should be "2. If tracking occurs, through an opt-back-in, permission, or any other mechanism, then the site MUST [inform] the user via an appropriate response header."
18:01:29 [rigo]
zakim, Mozilla really is tl
18:01:37 [tedleung]
dsinger: if the site does any tracking, the site must tell the user via the response header
18:01:43 [Zakim]
I don't understand 'Mozilla really is tl', rigo
18:01:58 [rigo]
zakim, Mozilla is really tl
18:02:07 [Zakim]
+tl; got it
18:02:12 [tedleung]
tl: did you say the response header should have different values from an opt back in via the site vs via the browser?
18:02:13 [dsinger]
…ok to defer to the response header discussion...
18:02:19 [tl]
rigo, Mozilla really isn't tl...
18:02:30 [schunter]
Site should tell user
18:02:36 [schunter]
a) whether he is tracked or not
18:02:41 [rigo]
tl, sorry
18:02:43 [schunter]
b) Whether some opt-back-in was in place
18:02:56 [schunter]
c) The source of the opt-back-in (browser, site, somethinge)
18:03:06 [WileyS]
correction - a) whether he is "cross-site tracked" or not
18:03:45 [rigo]
18:03:50 [tedleung]
dwainberg: language should indicate whether the site should be permitted to track
18:03:51 [schunter]
correction: a´) whether the site may cross-site track him or not
18:03:51 [rigo]
18:04:01 [schunter]
18:05:24 [WileyS]
+1 for SHOULD
18:05:26 [tl]
18:05:35 [tedleung]
moving on to SHOULD or MUST for acknowledging DNT:1?
18:06:02 [rigo]
q+ to state that this may kill the 5.3 tool that we just created
18:06:32 [rvaneijk]
rvaneijk has joined #dnt
18:06:35 [WileyS]
We should not be trying to create a 5.3 tool - that is not the purpose of DNT
18:06:48 [schunter]
18:06:52 [WileyS]
18:06:55 [schunter]
18:07:06 [rigo]
ack tl
18:07:11 [tedleung]
schunter favors SHOULD language
18:07:37 [Zakim]
18:07:55 [tedleung]
tl favors MUST b/c there a user has no recourse because the user agent got no information
18:07:58 [schunter]
18:08:03 [WileyS]
They shouldn't - and that should factor into their decision to visit the site
18:08:22 [schunter]
18:08:26 [tedleung]
schunter assumes that no answer means that the user should assume the worst, that is, tracking
18:08:55 [tedleung]
tl: if the user doesn't see the header, then site should be able to claim it implements DNT
18:09:08 [tl]
s/should/should\ not
18:09:16 [schunter]
Tom: Part of DNT should be to acknowledge DNT; a site that claims compliance without sending acknowledgements is dangerous from a privacy perspective.
18:09:26 [tedleung]
sorry tl
18:09:43 [tl]
tedleung, Important semantic change there. =p
18:09:50 [tedleung]
for sure.
18:10:18 [WileyS]
Not true - a bit of an overstatement (covers "deceptive" claims but not "unfair")
18:11:01 [JC]
So are privacy statements useless?
18:11:07 [schunter]
18:11:09 [rigo]
Yes! :)
18:11:14 [rigo]
ack rigo
18:11:14 [Zakim]
rigo, you wanted to state that this may kill the 5.3 tool that we just created
18:11:16 [schunter]
ack rigo
18:11:18 [tedleung]
rigo: it's tricky to use this as a consent mechanism, the SHOULD might mislead implementors
18:11:25 [chesterj2]
Yes, privacy statements are useless.
18:12:04 [tedleung]
WileyS: you need to deal with both deceptive and unfair
18:12:05 [dwainberg]
rigo and chesterj2, privacy statements are legally binding.
18:12:40 [npdoty]
18:12:46 [chesterj2]
Users don't read or understand. They are largely deceptive and unfair, but both FTC and EU are just catching up on digital marketing and privacy
18:12:54 [tedleung]
there are lots of reasons why a site might not respond, and for availability reasons, SHOULD allows that availability leeway
18:13:02 [Zakim]
- +1.415.734.aamm
18:13:06 [rigo]
dwainberg, both statements are not excluding each other
18:13:32 [tedleung]
but also agrees with tl, that we should say that in order to claim to have implemented W3C DNT, you must make every effort to provide a response header
18:14:10 [tedleung]
perhaps a browser should signal the user that no response header was returned
18:14:12 [tl]
18:14:19 [schunter]
Shane: User should interpret ¨no response¨ as a site not following a DNT;1 desire.
18:14:26 [schunter]
18:14:33 [tedleung]
response headers should be absent only a very small percentage of the time
18:14:34 [rigo]
ack WileyS
18:14:35 [schunter]
ack tl
18:15:23 [WileyS]
What if they've not implemented any response headers yet but are listening for the request header and honoring it?
18:15:34 [WileyS]
Are they not compliant?
18:15:37 [tedleung]
tl: could people send back a "DNT:beta" header to indicate that site is making some progress on DNT, but isn't there yet.
18:15:44 [tl]
WileyS, No.
18:15:57 [tedleung]
tl: believes that a site must return the response header in order to be compliant
18:16:20 [tl]
WileyS, You're not compliant with the spec until you send a response header.
18:16:27 [schunter]
mschunter believes that a site must stop the tracking in order to be compliant.
18:16:32 [rigo]
18:16:37 [rigo]
ack npdoty
18:16:43 [schunter]
ack npdoty
18:16:45 [dsinger]
…thinks we need a fairly nuanced set of response header values (including "if you asked, I am trying")
18:16:47 [tedleung]
npdoty: sites already have the option of not following DNT, so we can use MUST because sites can ignore
18:16:47 [tl]
WileyS, Not to say that everyone non-compliant is evil, but you must respond to be compliant.
18:16:58 [WileyS]
Disagree - SHOULD is the appropriate end point here. Would be nice to hear from others in industry on this topic.
18:17:07 [vincent]
tl, I'm afraid we will have the "perpetual beta" problem then
18:17:25 [tedleung]
rigo: do we have a legitimate case where someone who is fully DNT compliant may not want to send a response header. I can't think of one
18:17:28 [schunter]
Rigo: Are there legitimate cases where a fully compliant site (following DNT;1) does not return a response header?
18:17:35 [Zakim]
- +1.301.270.aacc
18:17:47 [Zakim]
- +1.978.944.aaee
18:17:49 [schunter]
18:17:55 [rigo]
hearing none, :)
18:17:58 [rigo]
ack rigo
18:18:06 [npdoty]
Shane, you disagreed, do you think there are fully-compliant sites that still wouldn't send the response header?
18:18:55 [JC]
18:18:57 [WileyS]
I believe compliant sites may not send a response header (they are receiving the signal and processing it appropriately - and stating this somewhere other than a response header)
18:19:01 [schunter]
18:19:10 [rigo]
reason I heard was caching, AFAIK
18:19:10 [dwainberg]
18:19:24 [npdoty]
18:19:32 [rigo]
ack JC
18:19:40 [tl]
WileyS, I do not think that those sites should be compliant.
18:19:55 [WileyS]
We're over forcing a technical end-point here when there are many other possible communication channels with users. I agree MOST of the time this should occur but not EVERY time. Unfortunately we don't appear to have language to support that type of stance on a position.
18:19:56 [tedleung]
JC: if we do MUST, then browsers will be bugging users all the time, and then users will turn off DNT
18:20:32 [WileyS]
That's fine - becomes a natural forcing function
18:20:49 [schunter]
Draft proposal: A site that receives DNT;1 SHOULD stop tracking (as specd by us) and acknowledge this with a header. If it does not send an acknowledgement, then the user can assume that his DNT;1 preference has not been honored.
18:20:50 [tedleung]
dsinger: we're talking about 3rd party
18:20:53 [rigo]
18:21:06 [tedleung]
JC: grateful for the 3rd party clarification
18:21:11 [schunter]
18:21:20 [tedleung]
JC: favors some kind of beta period
18:21:21 [npdoty]
WileyS, just to be clear then, you're talking about a case not just halfway-implemented but a final implementation where a site chooses a different communication channel than the response header to let the user know?
18:21:32 [dwainberg]
Somebody's typing is really loud -- please mute.
18:21:35 [WileyS]
npdoty, yes
18:21:55 [WileyS]
Again - if browsers highlight the failure of a response header this will force alignment
18:22:16 [tedleung]
dsinger: if i don't get a response, maybe the browser just blacklists the site
18:22:19 [dsriedel]
Example: how is this for companies offering web hosting? What does the webserver respond to the visitor?
18:22:24 [schunter]
18:22:32 [vincent]
WileyS, isn't it a good thing?
18:22:38 [npdoty]
WileyS, good for us to clarify, I had thought you were talking about a different (the other) situation
18:22:57 [tedleung]
tl: as a browser manufacturer, I think that we can make this not suck
18:23:09 [WileyS]
+1 for SHOULD
18:23:11 [tedleung]
JC: but you can't assume everyone will use just your browser
18:23:32 [schunter]
Draft proposal (rev 2): A site that receives DNT;1 MUST stop tracking (as specd by us) and acknowledge this with a header. If it does not send an acknowledgement, then the user can assume that his DNT;1 preference has not been honored.
18:23:33 [ksmith]
as a browser consumer - I am more skeptical
18:23:53 [WileyS]
-1 for MUST (no consensus on this position)
18:24:10 [npdoty]
18:24:11 [dsinger]
do you mean "A site that receives DNT;1 MUST stop tracking (as specd by us) and SHOULD acknowledge this with a header. If it does not send an acknowledgement, then the user can assume that his DNT;1 preference has not been honored." ?
18:24:12 [tedleung]
npdoty: if you're not compliant with DNT, that's fine. only sites that want to comply need to do this
18:24:43 [tedleung]
rigo: MSFT has a good track record, look at their implementation of P3P. Within 6mos, 70% of the internet was compliant
18:25:12 [ksmith]
ksmith has left #DNT
18:25:15 [tedleung]
rigo would oppose rules on browser reaction to absence of the response header
18:25:16 [Zakim]
- +1.650.308.aajj
18:25:26 [WileyS]
Agreed - they should innovate around lack of response header - this will drive compliance. No need for a MUST here.
18:25:28 [Zakim]
- +385221aaii
18:25:29 [tl]
18:25:35 [tl]
18:25:36 [schunter]
Draft proposal (Rev. V03) A site that receives DNT;1 either MUST stop tracking (as specd by us) and SHOULD acknowledge this with a header or else MAY continue tracking (opt-back-in etc) and MUST send a response header.
18:25:38 [schunter]
If it does not send an acknowledgement, then the user can assume that his DNT;1 preference has not been honored.
18:25:48 [tedleung]
rigo wants to allow browser innovation around responses
18:25:54 [schunter]
18:25:55 [rigo]
18:26:01 [tedleung]
JC: i don't want to just rely on the browser
18:26:17 [schunter]
18:26:29 [schunter]
18:26:31 [tedleung]
dwainberg: maybe 70% of sites had headers, but it's not clear they were accurate
18:26:39 [tedleung]
schunter: enforcement is not our business
18:26:55 [rigo]
ack dwainberg
18:27:00 [WileyS]
Agree: MUST stop cross-site tracking, SHOULD send header response.
18:27:01 [schunter]
That was "rigo: enforcement is not our business" (not schunter)
18:27:01 [fwagner]
+1 Rigo - enforcement is another thing
18:27:07 [tedleung]
dwainberg: i'm not clear what we mean by sites. in the compliance discussion we are talking about parties
18:27:07 [JC]
I feel the privacy policy is the best way to validate implementation and permit enforcement.
18:27:17 [rvaneijk]
+1 rigo
18:27:29 [WileyS]
JC, Agreed
18:27:54 [JC]
If I'm not tracking why make me do work?
18:28:02 [rvaneijk]
+1 shane
18:28:19 [rigo]
Shane, I can live with a SHOULD if we explain in the Specification that not sending it may have very detrimental effects
18:28:21 [tedleung]
tl: the spec details what servers need to do to be compliant
18:28:28 [alex_]
18:28:41 [tedleung]
dwainberg: you're wanting to reconfigure every server on the planet
18:28:53 [tedleung]
dsinger: only servers that want to act as 3rd parties
18:29:03 [Zakim]
18:29:07 [WileyS]
Rigo, that's great - and I like that approach. Provides publishers/1st parties with options but sets a real expectation that sending a response header is in their best interest.
18:29:10 [tedleung]
tl: not all servers want to be compliant
18:29:17 [dsinger]
it should be possible and trivial to add a static response header to your server config
18:30:07 [tl]
18:30:19 [WileyS]
+1 for SHOULD
18:30:20 [tedleung]
??: a strong should is very close to a weak must
18:30:24 [npdoty]
-1, I don't favor a SHOULD given that MUST means compliant
18:30:27 [npdoty]
18:30:33 [JC]
+1 for SHOULD
18:30:37 [schunter]
Draft Consensus: Site that receives DNT;1 either MUST stop tracking (as specd by us) and SHOULD acknowledge this with a header; If it does not send an acknowledgement, then the user can assume that his DNT;1 preference has not been honored.
18:30:44 [tedleung]
tl: the spec is incomplete without MUST
18:30:49 [vincent]
+1 for MUST
18:31:03 [tedleung]
schunter: is tom the only one in favor of MUST?
18:31:05 [dsinger]
+1 for SHOULD, but we outline the very negative consequences (that the user assumes the worst, in the absence of other data)
18:31:21 [schunter]
Negative consequences:
18:31:24 [dsinger]
18:31:30 [schunter]
a) User will assume that DNT;1 was not honored
18:31:53 [schunter]
b) Scanners cannot determine that you state that you are compliant and will assume that you are not
18:32:01 [rvaneijk]
the response opens the possibility to a dialog with the user
18:32:01 [Altaf]
18:32:02 [schunter]
18:32:22 [tedleung]
rigo: if we can live with MUST and say others are not compliant, and leave the action on non-compliance on the UA, this is the same as SHOULD, but UA's will react violently
18:32:26 [schunter]
c) User agents may block you if you omitted the response headers
18:32:30 [JC]
Bad dig.
18:32:30 [Altaf]
18:32:34 [WileyS]
That was uncalled for - and that wasn't what JC said
18:32:38 [schunter]
18:32:39 [tl]
JC =p
18:32:40 [vincent]
I'm afraid of website starting to say "I swear I *almost* respect DNT", some users would be ok with that but the website would not have to do anything
18:32:44 [tl]
18:32:56 [schunter]
18:33:06 [Zakim]
18:34:05 [tedleung]
dsinger: should, but in the absence of other knowledge the user should assume tracking seems to capture it
18:34:07 [Zakim]
18:34:12 [npdoty]
schunter, do you want to write up the proposal and email to the list and then we can discuss?
18:34:26 [rigo]
MS: opt-back-in will need headers anyway
18:34:31 [tedleung]
schunter: in the case of opt back in, there will be other header information needed
18:34:38 [rvaneijk]
please include hyperlinks
18:34:46 [JC]
Send links to reading material
18:34:46 [rvaneijk]
18:34:49 [npdoty]
18:34:57 [rigo]
ack dsinger
18:35:00 [rvaneijk]
18:35:08 [tedleung]
aleecia said the 20th was the date
18:35:36 [rigo]
ack npdoty
18:37:06 [Zakim]
18:37:15 [Zakim]
18:37:16 [Zakim]
- +1.202.835.aagg
18:37:20 [tedleung]
npdoty: can you assemble the notes?
18:37:21 [Zakim]
18:37:29 [fwagner]
bye cu in Brussels
18:37:34 [Zakim]
18:37:38 [Zakim]
18:37:39 [tedleung]
18:37:40 [Zakim]
18:37:40 [Zakim]
18:37:44 [Zakim]
18:37:46 [Zakim]
18:37:46 [tedleung]
tedleung has left #dnt
18:37:47 [Zakim]
- +44.142.864.aall
18:37:48 [Zakim]
18:37:48 [Zakim]
18:37:49 [Zakim]
18:37:49 [Zakim]
18:37:50 [Zakim]
18:37:51 [Zakim]
18:37:53 [Zakim]
18:37:55 [Zakim]
18:37:57 [Zakim]
18:37:59 [Zakim]
18:38:01 [Zakim]
- +1.727.686.aahh
18:38:03 [Zakim]
18:38:05 [npdoty]
Zakim, list attendees
18:38:05 [Zakim]
As of this point the attendees have been +1.609.627.aaaa, dsriedel, cOlsen, mschunter, +1.646.654.aabb, npdoty, johnsimpson, sidstamm, +1.301.270.aacc, +1.916.641.aadd, dwainberg,
18:38:08 [Zakim]
... eberkower, +1.978.944.aaee, trapani, Joanne, tedleung, Cyril_Concolato, Erika, Rigo, +1.408.349.aaff, ChrisPedigo, +1.202.835.aagg, [Microsoft], +1.727.686.aahh, +385221aaii,
18:38:13 [Zakim]
... +1.650.308.aajj, dsinger, efelten, +1.415.734.aakk, +44.142.864.aall, +1.415.734.aamm, +1.917.349.aann, aakk, WileyS, tl, fwagner, rvaneijk
18:38:21 [npdoty]
trackbot, end meeting
18:38:22 [trackbot]
Zakim, list attendees
18:38:22 [Zakim]
As of this point the attendees have been +1.609.627.aaaa, dsriedel, cOlsen, mschunter, +1.646.654.aabb, npdoty, johnsimpson, sidstamm, +1.301.270.aacc, +1.916.641.aadd, dwainberg,
18:38:24 [trackbot]
RRSAgent, please draft minutes
18:38:24 [RRSAgent]
I have made the request to generate trackbot
18:38:25 [trackbot]
RRSAgent, bye
18:38:25 [RRSAgent]
I see no action items
18:38:26 [Zakim]
... eberkower, +1.978.944.aaee, trapani, Joanne, tedleung, Cyril_Concolato, Erika, Rigo, +1.408.349.aaff, ChrisPedigo, +1.202.835.aagg, [Microsoft], +1.727.686.aahh, +385221aaii,