16:56:09 RRSAgent has joined #dnt
16:56:09 logging to http://www.w3.org/2012/01/18-dnt-irc
16:56:11 RRSAgent, make logs world
16:56:13 Zakim, this will be
16:56:13 I don't understand 'this will be', trackbot
16:56:13 zakim, mute me
16:56:14 Meeting: Tracking Protection Working Group Teleconference
16:56:14 Date: 18 January 2012
16:56:14 dsriedel should now be muted
16:56:20 johnsimpson has joined #DNT
16:56:25 Zakim, this will be 87225
16:56:26 ok, npdoty; I see T&S_Track(dnt)12:00PM scheduled to start in 4 minutes
16:57:44 Zakim, who is on the phone?
16:57:44 I notice T&S_Track(dnt)12:00PM has restarted
16:57:45 On the phone I see +1.609.627.aaaa, ??P10, dsriedel (muted)
16:58:03 +cOlsen
16:58:27 -cOlsen
16:59:04 +cOlsen
16:59:04 Zakim, ??P10 is mschunter
16:59:16 +mschunter; got it
16:59:27 PederMagee has joined #dnt
16:59:29 Zakim, who is on the phone?
16:59:30 sidstamm has joined #dnt
16:59:46 On the phone I see +1.609.627.aaaa, mschunter, dsriedel (muted), cOlsen
16:59:48 + +1.646.654.aabb
17:00:10 +npdoty
17:00:20 +johnsimpson
17:00:22 +[Mozilla]
17:00:23 Zakim, Mozilla has sidstamm
17:00:25 justin has joined #dnt
17:00:31 +sidstamm; got it
17:00:35 tedleung has joined #dnt
17:00:39 Joanne has joined #DNT
17:00:48 Zakim, who is online?
17:00:49 zakim, mute me
17:00:55 I don't understand your question, schunter.
17:00:59 johnsimpson should now be muted
17:00:59 chesterj2 has joined #dnt
17:01:08 Zakim, who is on the phone?
17:01:12 eb has joined #dnt
17:01:17 On the phone I see +1.609.627.aaaa, mschunter, dsriedel (muted), cOlsen, +1.646.654.aabb, npdoty, johnsimpson (muted), [Mozilla]
17:01:20 [Mozilla] has sidstamm
17:01:26 + +1.301.270.aacc
17:01:34 Jeff Chester is on phone
17:02:04 elise berkower is calling from 646
17:02:06 + +1.916.641.aadd
17:02:11 rigo has joined #dnt
17:02:18 Zakim, aabb is eberkower
17:02:22 zakim, code?
17:02:24 +1.916.641 is Joanne
17:02:35 Zakim, aaaa is trapani
17:02:39 ChrisPedigo has joined #dnt
17:02:42 +dwainberg
17:02:45 Zakim, aadd is Joanne
17:03:05 +eberkower; got it
17:03:09 the conference code is 87225 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), rigo
17:03:11 + +1.978.944.aaee
17:03:23 +trapani; got it
17:03:39 ack johnsimpson
17:03:39 +Joanne; got it
17:03:45 +tedleung
17:03:51 vincent has joined #dnt
17:04:04 +Cyril_Concolato
17:04:12 +Erika
17:04:20 karl, can you scribe?
17:04:32 zakim, mute me
17:04:38 WileyS has joined #DNT
17:04:51 zakim, mute me
17:04:52 I can take the second half
17:05:04 +Rigo
17:05:16 scribes: dwainberg and tedleung
17:05:28 johnsimpson should now be muted
17:05:43 scribenick: dwainberg
17:05:44 johnsimpson was already muted, johnsimpson
17:05:48 + +1.408.349.aaff
17:05:59 schunter: Any comments on the minutes?
17:06:01 http://www.w3.org/2012/01/11-dnt-minutes
17:06:07 ... no comments, so considered approved.
17:06:12 +ChrisPedigo
17:06:14 + +1.202.835.aagg
17:06:14 ... Overdue actions?
17:06:19 action-26?
17:06:19 ACTION-26 -- Karl Dubost to do a review of the Tracking Protection WG deliverables according to http://www.w3.org/TR/qaframe-spec -- due 2011-12-07 -- OPEN
17:06:19 http://www.w3.org/2011/tracking-protection/track/actions/26
17:06:28 http://www.w3.org/2011/tracking-protection/track/actions/overdue
17:06:46 +[Microsoft]
17:06:52 Action--42?
17:06:52 action-42?
17:06:52 ACTION-42 -- Jonathan Mayer to proposes non-normative language to obtain DNT info in Javascript; would replace DOM-API -- due 2012-01-11 -- OPEN
17:06:52 http://www.w3.org/2011/tracking-protection/track/actions/42
17:07:05 unmute me
17:07:10 Ation-44?
17:07:11 JC has joined #DNT
17:07:11 action-44?
17:07:12 ACTION-44 -- Shane Wiley to also write additional examples around branding for first parties by next week -- due 2012-01-11 -- OPEN
17:07:12 http://www.w3.org/2011/tracking-protection/track/actions/44
17:07:15 Action-44?
17:07:15 ACTION-44 -- Shane Wiley to also write additional examples around branding for first parties by next week -- due 2012-01-11 -- OPEN
17:07:15 http://www.w3.org/2011/tracking-protection/track/actions/44
17:07:33 ksmith has joined #DNT
17:07:38 +??P75
17:07:41 WileyS: Action-44 was addressed in the email list.
17:07:50 laurengelman has joined #dnt
17:08:02 +[Microsoft.a]
17:08:08 schunter: that settles item 3 of the agenda, next is discussion of f2f meeting.
17:08:17 ... important to register, or you won't get in.
17:08:22 + +1.727.686.aahh
17:08:34 and we need it today!
17:08:37 + +385221aaii
17:08:52 dsinger has joined #dnt
17:08:57 +[Apple]
17:09:02 + +1.650.308.aajj
17:09:07 zakim, [apple] has dsinger
17:09:07 +dsinger; got it
17:09:11 efelten has joined #dnt
17:09:22 ... dinner arrangements for joint dinner on 1st day in Brussels.
17:09:37 +efelten
17:09:49 kj has joined #dnt
17:09:58 ... restaurant wants prior indication of menu. schunter will send a form to the mailing list to get input.
17:10:53 zakim, unmute me
17:10:53 johnsimpson should no longer be muted
17:10:59 +q
17:11:02 what building are we meeting at first day?
17:11:14 q+
17:11:21 ack john
17:11:22 ack johnsimpson
17:11:32 johnsimpson: just 1 joint dinner, and then we're on our own?
17:11:40 schunter: That's unsettled. Any preferences?
17:11:48 ack rigo
17:11:58 zakim, mute me
17:11:58 johnsimpson should now be muted
17:12:17 +Erika.a
17:12:26 Morning meetings in Beaulieu (Avenue de Beaulieu)
17:12:36 alex_ has joined #dnt
17:12:55 + +1.415.734.aakk
17:13:07 enewland has joined #dnt
17:13:08 zakim, mute me
17:13:08 Rigo should now be muted
17:13:08 Building BU25
17:13:08 schunter: Suggest day 1 is arranged dinner, and then the rest people are on their own.
17:13:37 Locals will propose some restaurants for 2nd and 3rd day.
17:13:52 David, only if you have cookies in your pocket
17:13:58 - +1.415.734.aakk
17:14:06 schunter: Any other questions?
17:14:13 Issue-105?
17:14:13 ISSUE-105 -- Response header without request header? -- open
17:14:13 http://www.w3.org/2011/tracking-protection/track/issues/105
17:14:14 issue-105?
17:14:14 ISSUE-105 -- Response header without request header? -- open
17:14:14 http://www.w3.org/2011/tracking-protection/track/issues/105
17:14:31 + +44.142.864.aall
17:14:38 BrianTs has joined #DNT
17:14:39 Like your SHOULD respond proposal
17:14:59 q+
17:15:08 + +1.415.734.aamm
17:15:14 http://www.w3.org/2011/tracking-protection/track/issues/105
17:15:19 Language for review: "If a server has received a http request that does not contain a DNT request header field, then the site MAY include a response header field into the corresponding response."
17:15:24 Adam has joined #dnt
17:15:41 +q
17:15:50 schunter: does not say what the response should contain, only that if you like can send a response without seeing a request header.
17:15:54 ack npdoty
17:16:01 + +1.917.349.aann
17:16:28 ack Wil
17:16:33 Zakim, who is talking?
17:16:43 npdoty: easy for companies that don't want to do complex configuration and respond on every time.
17:16:44 npdoty, listening for 10 seconds I heard sound from the following: +1.917.349.aann (19%), +1.301.270.aacc (19%), +1.408.349.aaff (90%)
17:17:15 WileyS: Supports as well. Also could be a good way to indicate honoring opt out. Only concern is weight or spam if this is coming back in every response header.
17:17:26 ... wants to ask Roy that question.
17:17:39 schunter: If a site wants to do stupid things, we should not be the ones to disallow it.
17:18:06 makes sense to me.
17:18:13 ... Given this language, they decide to only send on particular resources. Gives freedom to respond as they like.
17:18:14 hefferjr has joined #dnt
17:18:14 +aakk
17:18:23 q?
17:18:24 WileyS: Thinks this proposal is non-controversial.
17:18:27 +q
17:18:35 +aaff WileyS
17:18:44 Item 8
17:18:52 dsinger: We should discuss response headers and caching. Is the response a cacheable statement?
17:19:07 ack dsinger
17:19:08 [WileyS] +aaff
17:19:08 schunter: There's also related Item 8 on the agenda.
17:19:11 zakim, aaff is WileyS
17:19:11 +WileyS; got it
17:19:25 Thank you Rigo - can never remember that syntax
17:19:25 schunter: Thinks we can record consensus on that, and close the issue.
17:19:47 http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#exceptions
17:19:56 schunter: Next item: User agent managed site specific exceptions.
17:20:29 npdoty: The idea is an option for sites that want to ask permission for a particular 3rd party to track them on that site.
17:20:41 q+ to support
17:20:58 npdoty: Can this particular party track me while I'm on this site.
17:21:53 npdoty: JS API for prompting for exceptions. And a JS property with a list of site specific exceptions, so a first party can check.
17:22:25 q+
17:22:27 WileyS: Left open web-wide exceptions, but for site specific they chose to leave this open as a polled property.
17:23:19 ... very simple 1st party/3rd party pairing, so the 1st party could poll for exceptions. If they add a new 3rd party, they'd have to request a new exception.
17:23:40 q?
17:23:41 q+
17:24:06 ... on web-wide exceptions, we discuss it briefly that a domain could receive a web-wide exception.
17:24:32 ... A first party could request an exception from a user anywhere it is on the web.
17:24:32 +q
17:25:38 ack rigo
17:25:38 ack rigo
17:25:39 rigo, you wanted to support
17:26:35 rigo: Very good effort. But this is the kind of thing I was looking at that would help in the EU context. We shouldn't get too mixed up about the semantics.
17:27:13 vm1 has joined #dnt
17:27:23 rigo: May need fine-tuning to align with the EU regulations. Usability important.
17:27:27 Continue to counsel the working group to not attempt to leverage DNT to cover the more extreme transpositions of the ePrivacy Directive
17:27:28 http://code.w3.org/privacy-dashboard/
17:27:30 q?
17:27:44 ... Encourage you to make it really easy to use.
We have already done some work on the privacy dashboard.
17:27:58 +[Mozilla.a]
17:28:05 ... It will ask questions when you encounter a new domain, and you can see how annoying or not it is.
17:28:13 ack sidstamm
17:28:17 q+
17:28:40 tl has joined #dnt
17:28:50 Agreed - we tried to limit the ability to use this as a digital fingerprint
17:28:53 sidstamm: I like it. Concerned about a few particulars. Querying could be used to simulate cookies (Issue 109?).
17:28:55 Sid says that ISSUE-109 is important and should be investigated
17:29:08 ... Browser can take care of the user interface for not prompting on duplicate requests.
17:29:11 q?
17:29:22 Zakim, mute rigo
17:29:22 Rigo should now be muted
17:29:40 just to record, sid you specifically support the alternative to use requestSiteSpecificTrackingException rather than the list of siteSpecificTrackingExceptions
17:29:44 ?
17:29:49 dsriedel has joined #dnt
17:29:50 yeah
17:29:53 npdoty, ^
17:29:55 Fair - good point, we can modify the language to make this more of a SHOULD than a MUST
17:30:15 Via Registration / TOS for example
17:30:16 +1 to SHOULD, WileyS
17:30:26 …agrees
17:30:38 +q
17:30:40 +q
17:31:03 Publisher choice - let them take on the weight if they want it
17:31:15 Yes
17:31:31 look at the management of site-stuff in the privacy dashboard. It is complex but feasible. But we should take the restrictions of the mobile web into account
17:32:23 isn't this non-normative?
17:32:59 dwainberg: This is too definitive. I think sometimes trackers may have a particular relationship and can track a permission to track outside the context of the user agent.
17:33:09 johnsimpson, it is normative
17:33:38 but it has a different meaning as we have legal crossing technical meaning
17:33:41 q?
17:33:59 so I think people are talking past each other
17:34:15 q?
17:34:21 npdoty: Are there examples where this is important?
Could create confusion if users have to remember some exceptions via the user agent and others via a site relationship.
17:34:33 I am looking at the section. It says "This section is non-normative"
17:34:38 I'd be very concerned about Terms of Service covering this
17:34:42 which section number, johnsimpson
17:34:56 "The special string * signifies all document origins."
17:35:01 q?
17:35:10 Who defines trustworthy?
17:35:11 6.1 Overview
17:35:14 +1 to have a first party request exception and collect consent
17:35:25 that's what I need for 5.3
17:35:33 Agreed - but what if an express consent request was asked of the user prior to the implementation of DNT. In this case it seems fair to be able to honor that and not be forced to "reask" for an exception with the implementation of DNT
17:35:38 kj_ has joined #dnt
17:35:51 +1
17:35:52 vincent has joined #dnt
17:36:09 ack dwainberg
17:36:15 ack chesterj
17:36:19 WileyS, they are different sources of permission and independent of each other
17:36:29 dwainberg: Sites should be able to ask for all of their third parties at once. (We'll choose third parties from time to time and you should trust us.)
17:36:43 chesterj2: One of the most important issues here, but I am concerned with how exemptions are structured. Users will be prompted through a variety of ways.
17:36:53 npdoty: can request with "*" for all 3rd-party origins from a site
17:37:07 +q
17:37:25 ... every web site will encourage users to opt back in, and will tell them this is to benefit them.
17:37:29 zakim, who is on the phone?
17:37:29 On the phone I see trapani, mschunter, dsriedel (muted), cOlsen, eberkower, npdoty, johnsimpson (muted), [Mozilla], +1.301.270.aacc, Joanne, dwainberg, +1.978.944.aaee, tedleung,
17:37:31 ... This could undermine DNT.
17:37:33 ... Cyril_Concolato, Erika, Rigo (muted), WileyS, ChrisPedigo, +1.202.835.aagg, [Microsoft], ??P75, [Microsoft.a], +1.727.686.aahh, +385221aaii, [Apple], +1.650.308.aajj, efelten,
17:37:37 ...
Erika.a, +44.142.864.aall, +1.415.734.aamm, +1.917.349.aann, aakk, [Mozilla.a]
17:37:39 [Apple] has dsinger
17:37:39 [Mozilla] has sidstamm
17:37:41 zakim, Mozilla has tl
17:37:41 +tl; got it
17:37:56 dsriedel has joined #dnt
17:38:02 ... There's a slippery slope. And the other side of it -- enable users to have greater control over other data collection techniques.
17:38:03 zakim mozilla.a has tl
17:38:09 zakim, mozilla.a has tl
17:38:09 +tl; got it
17:38:30 schunter: Would like a concrete proposal from Jeff of what things are too risky. Pinpoint a particular piece of the spec.
17:38:38 q?
17:38:42 chesterj2: Will post something to the list prior to Brussels.
17:39:11 q+ to mention ISSUE-67
17:39:25 ack schunter
17:39:28 ack dsinger
17:39:28 schunter: Flexible with regard to the user interface, but gives users control they need. Like it a lot.
17:39:28 ack schunter
17:39:32 ack dsinger
17:39:49 dsinger: On other ways to opt back in. The DNT header signal is a very coarse instrument.
17:40:16 ... Parties might have a more nuanced choice through, e.g. a web interface.
17:40:17 Nick, Issue 67, IMHO that's a matter of evidence collection and who has to invoke it in case of dispute
17:40:46 ... Users may wish to interact directly with advertising tracking sites, and we should make it possible to opt back in through mechanisms other than the header.
17:41:15 that's how I would personally want us to implement that situation (+1 to schunter)
17:41:26 q?
17:41:31 ack tl
17:41:37 ack tl
17:42:05 tl: Makes it easy for users to find their exceptions. But also likes the idea of going to a preferences pane.
17:42:32 q+
17:42:38 q?
17:43:14 ... What I'm really afraid of is going to visit a site, and they say you have to agree to the TOS, and para 12 says by agreeing you allow us to override DNT.
17:43:47 Tom supports the idea that nuanced tracking preferences should only play once the "big" DNT switch for the site has been flipped.
17:43:50 ...
Would love to hear ideas about how to navigate that.
17:43:52 ack WileyS
17:44:00 q?
17:44:12 WileyS: I agree on the concerns, but wants to highlight an example.
17:44:48 ... Yahoo had a property called mybloglog where they recognized users off of Yahoo.
17:45:19 ... In that case, wouldn't want to have to re-ask consent. Wants the express consent from the user to stick.
17:45:26 tl, I think UA managed specific exception actually prevent that while website managed exception do not
17:45:33 This is a new issue: How can one 'import' prior consent into the new Scheme?
17:45:40 Yahoo also has smart ads that uses data to personalize ad targeting "on the fly." Users have no idea how this works. Such techniques, inc rich media, will be used to urge people to opt-back in. Creating a system where the DNT standard is undermined.
17:45:43 q?
17:45:46 you can still check when DNT is enabled
17:46:09 schunter: I think this is a new issue. Given that you've collected consent via a different scheme, how do you get it into the UA.
17:46:16 that (MyBlogLog) seems like an example of wanting Web-wide exceptions, right?
17:46:31 Yes - good point Nick
17:46:42 MS: how to get old consent into the new scheme?
17:47:13 WileyS: Yes, it's a way of casting historical consent mechanism into DNT, but also an example for allowing for something other than the UA mechanism.
17:47:32 q?
17:47:36 q+ to say that one source doesn't exclude the other, but that a browser may have restrictions and we have to get around those
17:47:40 ack npdoty
17:47:40 npdoty, you wanted to mention ISSUE-67
17:47:47 issue-67?
17:47:47 ISSUE-67 -- Should opt-back-in be stored on the client side? -- raised
17:47:47 http://www.w3.org/2011/tracking-protection/track/issues/67
17:48:01 A similar problem occurs when a user uses multiple browsers or computers. It would be nice to have a mechanism that did not require me to approve or reject it in each UA
17:48:15 +1
17:48:27 vincent, i'm not sure i follow you?
17:48:30 Also multiple-user computers a problem
17:48:32 "Should" would allow all kinds of targeting techniques to be used, inc. "immersive" rich media and even neuromarketing (which Yahoo, Microsoft and others use). This is a serious concern about the integrity of DNT
17:48:42 ksmith, it could be handled by browser sync mechanisms
17:48:43 npdoty: Different issues (Issue-67). There have been some objections. We may need to accommodate older browsers.
17:48:59 ... And there might be some implementation costs. Reasons we might not want opt-in on the client side.
17:49:11 fwagner has joined #dnt
17:49:14 vincent, +1
17:49:19 q?
17:49:30 ack dwainberg
17:49:58 +q
17:50:05 tl, I think that with UA managed exception you can implement a DNT "enforcer" that would monitor which entities receive DNT=2 (or 0)
17:50:14 Good example - in that case is the publisher able to somehow trigger the user's exception on the new browser?
17:50:14 +[IPcaller]
17:50:22 tl: I think that's less of an issue than you think.
17:50:27 q?
17:50:33 Only Mozilla allows that, correct?
17:50:34 when I switch devices I might want to have very different preferences
17:50:35 I don't agree
17:50:40 - +1.917.349.aann
17:50:42 q+
17:50:48 Sync is a problem
17:51:01 maybe I'm okay with tracking on my home computer but not while I'm at work
17:51:04 zakim, Ipcaller is fwagner
17:51:04 +fwagner; got it
17:51:20 maybe I'm okay with tracking while at my desktop, but feel less comfortable about tracking of browsing on my mobile device
17:51:29 hi there, sorry for being late....
17:51:29 tl, whereas if it's managed by the website you may not know when you are actually tracked
17:51:41 ack rigo
17:51:42 rigo, you wanted to say that one source doesn't exclude the other, but that a browser may have restrictions and we have to get around those
17:51:44 vincent, well, you'll get a response header
17:51:53 I think that if a site has different means to store opt-back-in, we must obligate these sites to provide transparency in a standardised way.
17:52:09 WileyS, I don't think it'll be long before you log into Chrome with your Google account either.
17:52:10 JC, problem is the same with opt-out cookies
17:52:11 rigo: we have to get out of the assumption that is underlying this discussion: if we have no DNT permission, we can't.
17:52:26 ... Permission can come from many sources, and DNT is just one tool you use.
17:52:52 many people use different browsers, or incognito modes in their browsers, in order to browse at some times with different privacy settings
17:53:04 agreed
17:53:06 tl, when you get the response header it might be too late :)
17:53:10 WileyS, But yes, we're leading the field on browser sync and identity.
17:53:11 ... Lawyers know there can be conflict of statements. If we prompt the users too many times we tire them.
17:53:17 -q
17:53:45 vincent, This is a problem with the web in general...
17:54:34 ... The service that does actual tracking leads to being challenged. They have to prove they had permission. So depends on in whose favor a certain statement is and where should it be stored.
17:54:38 taking over as scribe
17:54:40 q?
17:54:48 -[Mozilla]
17:54:54 scribenick: tedleung
17:54:55 Thanks, Ted.
17:54:58 ack schunter
17:55:34 => feedback mechanism
17:55:39 schunter: transparency to the user is important, user should be able to know how an opt back in happened
17:56:08 should contain a way to convey that permission was acquired via another mechanism
17:56:40 q?
17:56:44 yes, if ANY tracking happens, the user MUST know, in real time (thru the response header, ideally)
17:57:03 do we need some information in the response header to indicate that an opt back in from another source has happened?
17:57:19 "I see your DNT:1 but I claim to have permission to track you, and I am tracking you"
17:57:19 Proposed text: Opt-back-in should be in the response header. In particular if the opt-back-in has been managed/stored outside the user agent.
17:57:42 Draft decisions:
17:57:49 npdoty: realtime feedback doesn't help if you want to clear all your preferences everywhere in a single place
17:57:55 1. Opt-back-in SHOULD be managed by the user agent.
17:57:57 With the onset of cloud computing, device is getting less important and configuration is expected to go with the user wherever they are. This is the largest weakness with having the UA manage exceptions. I think it's ok to have the UA manage things for DNT version 1 (since cookies have already created this same paradigm), but I expect the lifetime of this approach to be limited.
17:58:24 schunter: believes there is agreement and will document in IRC.
17:58:46 2. If opt-back-in is managed elsewhere, then the site MUST [inform] the user via an appropriate response header.
17:59:15 ksmith, Disagree. The cloud also synchronizes settings between UAs, just look at Firefox Sync.
17:59:33 I don't think (2) needs the leading "if" clause
17:59:35 ksmith, as above, I think we see examples where users now are intentionally using different UAs or different UA configurations to provide different privacy situations
17:59:41 q?
17:59:50 q+
17:59:53 npdoty - agreed - both options should be available
18:00:20 -[Mozilla.a]
18:00:27 sorry, have to leave.
18:00:27 Tom: The response header may need to distinguish between opt-back-in from the browser and opt-back-in from other sources.
18:00:30 tl: thinks schunter's proposed text is insufficient,
18:00:43 -johnsimpson
18:00:47 this is really looking very good for the 5.3 issue
18:00:49 +[Mozilla]
18:00:51 schunter wants to defer details to response header discussion
18:00:56 IMHO
18:00:58 q?
18:01:05 johnsimpson has left #DNT
18:01:07 ack dsinger
18:01:07 ack dsinger
18:01:08 q?
18:01:08 zakim, Mozilla has tl
18:01:18 +tl; got it
18:01:26 2 should be "2. If tracking occurs, through an opt-back-in, permission, or any other mechanism, then the site MUST [inform] the user via an appropriate response header."
18:01:29 zakim, Mozilla really is tl
18:01:37 dsinger: if the site does any tracking, the site must tell the user via the response header
18:01:43 I don't understand 'Mozilla really is tl', rigo
18:01:58 zakim, Mozilla is really tl
18:02:07 +tl; got it
18:02:12 tl: did you say the response header should have different values from an opt back in via the site vs via the browser?
18:02:13 …ok to defer to the response header discussion...
18:02:19 rigo, Mozilla really isn't tl...
18:02:30 Site should tell user
18:02:36 a) whether he is tracked or not
18:02:41 tl, sorry
18:02:43 b) Whether some opt-back-in was in place
18:02:56 c) The source of the opt-back-in (browser, site, somethinge)
18:03:06 correction - a) whether he is "cross-site tracked" or not
18:03:45 q+
18:03:50 dwainberg: language should indicate whether the site should be permitted to track
18:03:51 correction: a') whether the site may cross-site track him or not
18:03:51 q-
18:04:01 q?
18:05:24 +1 for SHOULD
18:05:26 +q
18:05:35 moving on to SHOULD or MUST for acknowledging DNT:1?
18:06:02 q+ to state that this may kill the 5.3 tool that we just created
18:06:32 rvaneijk has joined #dnt
18:06:35 We should not be trying to create a 5.3 tool - that is not the purpose of DNT
18:06:48 q?
18:06:52 +q
18:06:55 q?
18:07:06 ack tl
18:07:11 schunter favors SHOULD language
18:07:37 +rvaneijk
18:07:55 tl favors MUST b/c there a user has no recourse because the user agent got no information
18:07:58 q?
18:08:03 They shouldn't - and that should factor into their decision to visit the site
18:08:22 q?
18:08:26 schunter assumes that no answer means that the user should assume the worst, that is, tracking
18:08:55 tl: if the user doesn't see the header, then site should be able to claim it implements DNT
18:09:08 s/should/should\ not
18:09:16 Tom: Part of DNT should be to acknowledge DNT; a site that claims compliance without sending acknowledgements is dangerous from a privacy perspective.
18:09:26 sorry tl
18:09:43 tedleung, Important semantic change there. =p
18:09:50 for sure.
18:10:18 Not true - a bit of an overstatement (covers "deceptive" claims but not "unfair")
18:11:01 So are privacy statements useless?
18:11:07 q?
18:11:09 Yes! :)
18:11:14 ack rigo
18:11:14 rigo, you wanted to state that this may kill the 5.3 tool that we just created
18:11:16 ack rigo
18:11:18 rigo: it's tricky to use this as a consent mechanism, the SHOULD might mislead implementors
18:11:25 Yes, privacy statements are useless.
18:12:04 WileyS: you need to deal with both deceptive and unfair
18:12:05 rigo and chesterj2, privacy statements are legally binding.
18:12:40 q+
18:12:46 Users don't read or understand.
They are largely deceptive and unfair, but both FTC and EU are just catching up on digital marketing and privacy
18:12:54 there are lots of reasons why a site might not respond, and for availability reasons, SHOULD allows that availability leeway
18:13:02 - +1.415.734.aamm
18:13:06 dwainberg, both statements are not excluding each other
18:13:32 but also agrees with tl, that we should say that in order to claim to have implemented W3C DNT, you must make every effort to provide a response header
18:14:10 perhaps a browser should signal the user that no response header was returned
18:14:12 +q
18:14:19 Shane: User should interpret "no response" as a site not following a DNT;1 desire.
18:14:26 q?
18:14:33 response headers should be absent only a very small percentage of the time
18:14:34 ack WileyS
18:14:35 ack tl
18:15:23 What if they've not implemented any response headers yet but are listening for the request header and honoring it?
18:15:34 Are they not compliant?
18:15:37 tl: could people send back a "DNT:beta" header to indicate that site is making some progress on DNT, but isn't there yet.
18:15:44 WileyS, No.
18:15:57 tl: believes that a site must return the response header in order to be compliant
18:16:20 WileyS, You're not compliant with the spec until you send a response header.
18:16:27 mschunter believes that a site must stop the tracking in order to be compliant.
18:16:32 q+
18:16:37 ack npdoty
18:16:43 ack npdoty
18:16:45 …thinks we need a fairly nuanced set of response header values (including "if you asked, I am trying")
18:16:47 npdoty: sites already have the option of not following DNT, so we can use MUST because sites can ignore
18:16:47 WileyS, Not to say that everyone non-compliant is evil, but you must respond to be compliant.
18:16:58 Disagree - SHOULD is the appropriate end point here. Would be nice to hear from others in industry on this topic.
18:17:07 tl, I'm afraid we will have the "perpetual beta" problem then
18:17:25 rigo: do we have a legitimate case where someone who is fully DNT compliant may not want to send a response header. I can't think of one
18:17:28 Rigo: Are there legitimate cases where a fully compliant site (following DNT;1) does not return a response header?
18:17:35 - +1.301.270.aacc
18:17:47 - +1.978.944.aaee
18:17:49 q?
18:17:55 hearing none, :)
18:17:58 ack rigo
18:18:06 Shane, you disagreed, do you think there are fully-compliant sites that still wouldn't send the response header?
18:18:55 +q
18:18:57 I believe compliant sites may not send a response header (they are receiving the signal and processing it appropriately - and stating this somewhere other than a response header)
18:19:01 q?
18:19:10 reason I heard was caching, AFAIK
18:19:10 q+
18:19:24 q+
18:19:32 ack JC
18:19:40 WileyS, I do not think that those sites should be compliant.
18:19:55 We're over forcing a technical end-point here when there are many other possible communication channels with users. I agree MOST of the time this should occur but not EVERY time. Unfortunately we don't appear to have language to support that type of stance on a position.
18:19:56 JC: if we do MUST, then browsers will be bugging users all the time, and then users will turn off DNT
18:20:32 That's fine - becomes a natural forcing function
18:20:49 Draft proposal: A site that receives DNT;1 SHOULD stop tracking (as specd by us) and acknowledge this with a header. If it does not send an acknowledgement, then the user can assume that his DNT;1 preference has not been honored.
18:20:50 dsinger: we're talking about 3rd party
18:20:53 q+
18:21:06 JC: grateful for the 3rd party clarification
18:21:11 q?
18:21:20 JC: favors some kind of beta period
18:21:21 WileyS, just to be clear then, you're talking about a case not just halfway-implemented but a final implementation where a site chooses a different communication channel than the response header to let the user know?
18:21:32 Somebody's typing is really loud -- please mute.
18:21:35 npdoty, yes
18:21:55 Again - if browsers highlight the failure of a response header this will force alignment
18:22:16 dsinger: if i don't get a response, maybe the browser just blacklists the site
18:22:19 Example: how is this for companies offering web hosting? What does the webserver respond to the visitor?
18:22:24 q?
18:22:32 WileyS, isn't it a good thing?
18:22:38 WileyS, good for us to clarify, I had thought you were talking about a different (the other) situation
18:22:57 tl: as a browser manufacturer, I think that we can make this not suck
18:23:09 +1 for SHOULD
18:23:11 JC: but you can't assume everyone will use just your browser
18:23:32 Draft proposal (rev 2): A site that receives DNT;1 MUST stop tracking (as specd by us) and acknowledge this with a header. If it does not send an acknowledgement, then the user can assume that his DNT;1 preference has not been honored.
18:23:33 as a browser consumer - I am more skeptical
18:23:53 -1 for MUST (no consensus on this position)
18:24:10 q-
18:24:11 do you mean "A site that receives DNT;1 MUST stop tracking (as specd by us) and SHOULD acknowledge this with a header. If it does not send an acknowledgement, then the user can assume that his DNT;1 preference has not been honored." ?
18:24:12 npdoty: if you're not compliant with DNT, that's fine. only sites that want to comply need to do this
18:24:43 rigo: MSFT has a good track record, look at their implementation of P3P.
Within 6mos, 70% of the internet was compliant
18:25:12 ksmith has left #DNT
18:25:15 rigo would oppose rules on browser reaction to absence of the response header
18:25:16 - +1.650.308.aajj
18:25:26 Agreed - they should innovate around lack of response header - this will drive compliance. No need for a MUST here.
18:25:28 - +385221aaii
18:25:29 q?
18:25:35 +q
18:25:36 Draft proposal (Rev. V03) A site that receives DNT;1 either MUST stop tracking (as specd by us) and SHOULD acknowledge this with a header or else MAY continue tracking (opt-back-in etc) and MUST send a response header .
18:25:38 If it does not send an acknowledgement, then the user can assume that his DNT;1 preference has not been honored.
18:25:48 rigo wants to allow browser innovation around responses
18:25:54 q?
18:25:55 q-
18:26:01 JC: i don't want to just rely on the browser
18:26:17 q?
18:26:29 q?
18:26:31 dwainberg: maybe 70% of sites had headers, but it's not clear they were accurate
18:26:39 schunter: enforcement is not our business
18:26:55 ack dwainberg
18:27:00 Agree: MUST stop cross-site tracking, SHOULD send header response.
18:27:01 That was "rigo: enforcement is not our business" (not schunter)
18:27:01 +1 Rigo - enforcement is another thing
18:27:07 dwainberg: i'm not clear what we mean by sites. in the compliance discussion we are talking about parties
18:27:07 I feel the privacy policy is the best way to validate implementation and permit enforcement.
18:27:17 +1 rigo
18:27:29 JC, Agreed
18:27:54 If I'm not tracking why make me do work?
18:28:02 +1 shane
18:28:19 Shane, I can live with a SHOULD if we explain in the Specification that not sending it may have very detrimental effects
18:28:21 tl: the spec details what servers need to do to be compliant
18:28:28 q?
18:28:41 dwainberg: you're wanting to reconfigure every server on the planet
18:28:53 dsinger: only servers that want to act as 3rd parties
18:29:03 -Joanne
18:29:07 Rigo, that's great - and I like that approach.
Provides publishers/1st parties with options but sets a real expectation that sending a response header is in their best interest. 18:29:10 tl: not all servers want to be compliant 18:29:17 it should be possible and trivial to add a static response header to your server config 18:30:07 q? 18:30:19 +1 for SHOULD 18:30:20 ??: a strong should is very close to a weak must 18:30:24 -1, I don't favor a SHOULD given that MUST means compliant 18:30:27 s/??/rigo/ 18:30:33 +1 for SHOULD 18:30:37 Draft Consensus: Site that receives DNT;1 either MUST stop tracking (as specd by us) and SHOULD acknowledge this with a header; If it does not send an acknowledgement, then the user can assume that his DNT;1 preference has not been honored. 18:30:44 tl: the spec is incomplete without MUST 18:30:49 +1 for MUST 18:31:03 schunter: is tom the only on in favor of MUST? 18:31:05 +1 for SHOULD, but we outline the very negative consequences (that the user assumes the worst, in the absence of other data) 18:31:21 Negative consequences: 18:31:24 +q 18:31:30 a) User will assume that DNT;1 was not honored 18:31:53 b) Scanners cannot determine that you state that you are compliant and will assume that you are not 18:32:01 the respons opens the possibility to a dialog with the user 18:32:01 q 18:32:02 q? 18:32:22 rigo: if we can live with MUST and say others are not compliant, and leave the action on non-compliance on the UA, this is the same as SHOULD, but UA's will react violently 18:32:26 c) User agents may block you if you omitted the response headers 18:32:30 Bad dig. 18:32:30 quit 18:32:34 That was uncalled for - and that wasn't what JC said 18:32:38 q? 18:32:39 JC =p 18:32:40 I'm afraid of website starting to say "I swear I *almost* respect DNT", some users would be ok with that but the website would not have to do anything 18:32:44 -q 18:32:56 q? 
18:33:06 -trapani 18:34:05 dsinger: should, but in the absence of other knowledge the user should assume tracking seems to capture it 18:34:07 -ChrisPedigo 18:34:12 schunter, do you want to write up the proposal and email to the list and then we can discuss? 18:34:26 MS: opt-back-in will need headers anyway 18:34:31 schunter: in the case of opt back in, there will be other header information needed 18:34:38 please include hyperlinks 18:34:46 Send links to reading material 18:34:46 monday 18:34:49 q+ 18:34:57 ack dsinger 18:35:00 monday 18:35:08 aleecia said the 20th was the date 18:35:36 ack npdoty 18:37:06 -[Microsoft] 18:37:15 -dwainberg 18:37:16 - +1.202.835.aagg 18:37:20 npdoty: can you assemble the notes? 18:37:21 -WileyS 18:37:29 bye cu in Brusseles 18:37:34 -tedleung 18:37:38 -[Apple] 18:37:39 thx 18:37:40 -aakk 18:37:40 -rvaneijk 18:37:44 -efelten 18:37:46 -Rigo 18:37:46 tedleung has left #dnt 18:37:47 - +44.142.864.aall 18:37:48 -Cyril_Concolato 18:37:48 -mschunter 18:37:49 -fwagner 18:37:49 -eberkower 18:37:50 -cOlsen 18:37:51 -Erika.a 18:37:53 -[Microsoft.a] 18:37:55 -tl 18:37:57 -??P75 18:37:59 -dsriedel 18:38:01 - +1.727.686.aahh 18:38:03 -Erika 18:38:05 Zakim, list attendees 18:38:05 As of this point the attendees have been +1.609.627.aaaa, dsriedel, cOlsen, mschunter, +1.646.654.aabb, npdoty, johnsimpson, sidstamm, +1.301.270.aacc, +1.916.641.aadd, dwainberg, 18:38:08 ... eberkower, +1.978.944.aaee, trapani, Joanne, tedleung, Cyril_Concolato, Erika, Rigo, +1.408.349.aaff, ChrisPedigo, +1.202.835.aagg, [Microsoft], +1.727.686.aahh, +385221aaii, 18:38:13 ... 
+1.650.308.aajj, dsinger, efelten, +1.415.734.aakk, +44.142.864.aall, +1.415.734.aamm, +1.917.349.aann, aakk, WileyS, tl, fwagner, rvaneijk 18:38:21 trackbot, end meeting 18:38:22 Zakim, list attendees 18:38:22 As of this point the attendees have been +1.609.627.aaaa, dsriedel, cOlsen, mschunter, +1.646.654.aabb, npdoty, johnsimpson, sidstamm, +1.301.270.aacc, +1.916.641.aadd, dwainberg, 18:38:24 RRSAgent, please draft minutes 18:38:24 I have made the request to generate http://www.w3.org/2012/01/18-dnt-minutes.html trackbot 18:38:25 RRSAgent, bye 18:38:25 I see no action items 18:38:26 ... eberkower, +1.978.944.aaee, trapani, Joanne, tedleung, Cyril_Concolato, Erika, Rigo, +1.408.349.aaff, ChrisPedigo, +1.202.835.aagg, [Microsoft], +1.727.686.aahh, +385221aaii,