W3C

Tracking Protection Working Group teleconference

21 Mar 2012

See also: IRC log

Attendees

Present
tl, aleecia, Rigo, npdoty, +1.202.629.aaaa, John_Simpson, Vincent, +1.919.388.aabb, anna_long, +1.646.654.aacc, WileyS, +1.516.695.aadd, fielding, +1.617.733.aaee, +1.415.520.aaff, [Microsoft], dsinger, +1.646.654.aagg, justin_, alex, +1.813.366.aahh, +1.415.520.aaii, +1.206.369.aajj, Joanne, +2930aakk, ifette, +1.202.326.aall, +1.202.496.aamm, [IPcaller], rvaneijk, +1.949.573.aann, eberkower
Regrets
Chair
aleecia
Scribe
vincent_


<vincent> tl, B2G ?

<rigo> scribenick: vincent_

<tl> vincent_, Boot to Gecko, Mozilla's new mobile operating system built entirely using the web! </advertisement>

overdue action item review

<npdoty> http://www.w3.org/2011/tracking-protection/track/actions/overdue

aleecia: action 56 is about reviewing current draft

<dsinger> action-56?

<trackbot> ACTION-56 -- Kevin Trilli to propose text on enabling auditing compliance -- due 2012-02-01 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/56

aleecia: changing the due date for action 56 for two weeks from now

action-56 housekeeping

<npdoty> issue-28?

<trackbot> ISSUE-28 -- Exception for mandatory legal process -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/28

aleecia: issue 28 associated to action 28, DNT means follow local laws

<npdoty> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#ExemptionIssues

aleecia: section 4.5.4 in the latest draft

<Joanne> +1.415.520. is Joanne

tl: unhappy with the descriptions

<WileyS> What? Make a decision to not follow the law? Disagree strongly.

<npdoty> WileyS, I think that was the opposite of Tom's point, that people would make a decision to follow the law and not follow DNT and that's fine

tl: if you violate DNT you should notify the affected user

<WileyS> Nick, Tom said you "make a decision to either follow the law or follow the standard". I disagree and believe you MUST make a decision to follow both.

rigo: you are operating in a certain legal framework (e.g. Europe data retention) and there is nothing you can do about it

<WileyS> If you want to state you are DNT compliant

rigo: saying something creates more confusion

johnsimpson: evident that the law overrides DNT, you should follow the law
... if you are required to turn over data because of the law you should notify the user

<tl> I said: If the law required to do something contrary to DNT, you need to choose which is more important to you. When you inevitably decide that you'll follow the law of the land instead of a technical standard, you are in violation of the technical standard. That's okay.

<rigo> should notify is " data breach notification" which is a mess anyway

WileyS: more important now after tl point

<tl> But I completely agree that whenever you share data in violation of DNT, whether through breach or legal compulsion, you SHOULD notify users.

<tl> [But law may prohibit you from doing so.]

dsinger: imagine the service operating in a repressive regime, if you have to obey by law you have to obey by law, there is nothing you can do about it

aleecia: what about if the law asks you to do more than DNT?

<johnsimpson> seems to me clear you need to follow the law...

ifette: no need for a statement "you should follow the law"

<tl> +1

<tl> [obviously]

<WileyS> +1 for keeping the language as is

<fielding> ditto dsinger

<rigo> ditto dsinger

tl: the standard should not specify anything about local law and should not speak about the law topic at all

<johnsimpson> the law is the law

<Zakim> ifette, you wanted to say companies may operate in multiple jurisdictions

<WileyS> Disagree with that perspective - it's not a "get out of jail free" - rather you can support the standard AND follow the law.

<WileyS> Law trumps standard - but that doesn't mean you're not compliant with the standard

<tl> "reasonable"

ifette: if you're in multiple countries, one country expects you to violate DNT and one expects you to comply, it might be nice to have something for that situation

<johnsimpson> the only thing that is necessary to say is that if the law requires you to violate the standard, you *should* notify the user if possible...

aleecia: it gets more complicated, in some cases the law applying is the one applying where the server is, in some cases it's where the user is

<WileyS> I disagree with any statement that says "following law = violation of standard"

<aleecia> Q.

aleecia: could we write something that will cover this case

<justin> We're not solving international jurisdictional disputes in this document . . .

<WileyS> That's why this language is so important

<ifette> "Any laws from any jurisdiction that may apply to the request or transaction taking place are assumed to take precedence over requirements of this specification"

<johnsimpson> don't mean "violate" standard. should mean compel you not to follow it?

fielding: I prefer David's shorter version
... I think the final sentence on contract fulfillment is unnecessary

dsinger: just wanted to clarify, in case someone said that they had a legal obligation in that they had a contract with another company
... avoid the case where two companies create a contract that would allow them to avoid DNT (using the contract as a justification)

<rigo> the more we say, the more we create a mess IMHO

<justin> "Breaching a contract" isn't really a violation of law.

tl: it is local law because the contract may be subject to a local law

fielding: you would not be violating the law by breaking a contract

<npdoty> +1 for a Note

<justin> +1 but don't feel strongly

<tl> + somewhat

<rigo> can live with

<enewland> +1

<ifette> is that implying that there is still some text around law?

<dsinger> +1 but don't feel that strongly

<johnsimpson> +1 moderately

strawpoll on whether we should mention contract (the final sentence)

<justin> Lot of +.5s

<ifette> +1 there should be some text, dont care about sentences about contracts

<WileyS> Rigo - without saying this, you could trap implementers that attempt to follow the standard (and state so in their privacy policy) AND follow the law. Without this language, following the law could be considered a "violation" of your privacy policy commitment. Would make DNT a legally toxic concept to support as "violation" is almost assured.

<tl> If we have text around law, then it must disclaim contracts, but there should not be any language about law.

<fielding> contracts cannot override laws or regulations or judicial process.

<eberkower> -1

<fielding> -1

<alex_> -1

<tl> fielding, No, but they can prohibit you from complying with DNT.

<Lia> -1

<fielding> tl, that would be a different issue

<npdoty> "overall we're getting a lot of meh"

aleecia: no strong sense of support for this, more people supporting than against

<tl> fielding: That is the issue at hand.

aleecia: anyone with a strong objection or can we live with it

<tl> +1

<johnsimpson> sorry which issue

<tl> But add separate breach notification.

aleecia: should we mention local law at all? (strawpoll)

<WileyS> John, the "follow the law" statement draft

aleecia: we should look at what should the text be

<rigo> Indeed, a party may take action contrary to the requirements of this standard if compelled by applicable law. If compelled by applicable law to collect, retain, or transmit data despite receiving a DNT:1 signal for which there is no exemption, the party should notify affected users to the extent practical and allowed by law.

<ifette> This specification is not intended to override applicable laws and regulations.

<ifette> Indeed, a party may take action contrary to the requirements of this standard if compelled by applicable law. If compelled by applicable law to collect, retain, or transmit data despite receiving a DNT:1 signal for which there is no exemption, the party should notify affected users to the extent practical and allowed by law.

<ifette> It should be noted that this allowance does not extend to the fulfillment of a contractual obligation.

<tl> This language is a deal-breaker, especially if it allows contracts to override DNT.

<npdoty> from http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#ExemptionIssues

<ifette> I don't see how this can be construed to imply contracts

aleecia: of the two sentences anything in particular somebody wants to cut

rigo: we shouldn't introduce data breach notifications cause they are too complex

<fielding> regardless, the last sentence does not do what tl wants.

<ifette> sgtm

<ifette> (the first two sentences of existing text sgtm)

tl: "may" should be "must not"

<tl> fielding, What do you understand my goal to be here?

aleecia: already discussed, check with a strawpoll

<ifette> -1

<tl> +1

<johnsimpson> _1

aleecia: no support on that one, any other change on these two sentences?

<dsinger> try: "Local laws and regulations take precedence over this standard, when applicable; however, contractual obligations do not."

<WileyS> Nick - question for you, can anyone join the weekly meetings (aka public)? Similar to the email list?

<rigo> If compelled by applicable law to collect, retain, or transmit data despite receiving a DNT:1 signal for which there is no exemption, the party should notify affected users to the extent practical and allowed by law.

<ifette> "the extent practical" is also somewhat unclear

<WileyS> Nick, are you there? Question for you, can anyone join the weekly meetings (aka public)? Similar to the email list?

fielding: should always refer to 'laws and regulations' not just laws

<fielding> laws, regulations, or judicial orders?

thanks npdoty

<npdoty> agreement to change to 'laws and regulations' in both sections of that paragraph

<rigo> change if compelled by applicable law to if compelled by applicable law or regulations

<ifette> roy, judicial orders are usually supported by some law, no?

aleecia: any other changes for this text?

<fielding> probably in the case of dnt, but not normally

<rigo> roy, rulings are derived from laws or regulations, so no need to further detail

<tl> Yes, I like dsinger's proposal, with notification addendum.

<WileyS> npdoty, question for you, can anyone join the weekly meetings (aka public)? Similar to the email list?

<rigo> +1

<npdoty> WileyS, sorry, we're a little busy at the moment.

<johnsimpson> I'd like "must" notify, but could live with "should"

<dsinger> +1 to delete the paragraph (both sentences)

<WileyS> Nick, easy question - yes or no

aleecia: strawpoll if you believe there should be no "should notify" +1 on IRC

<WileyS> +1

<npdoty> WileyS, fine for people to join the calls in general, though if our phone bridge collapses I might not encourage all of them ;)

<rigo> proposal cut: the party should notify affected users to the extent practical and allowed by law.

<rigo> +1

<justin> -1

<enewland> -1

<ifette> if we want to change it?

<WileyS> npdoty, thank you.

aleecia: to keep that sentence -1

<tl> -1

<johnsimpson> -1

<ifette> +0 -- don't want to get rid of but change

aleecia: looking like an even split

<tl> I propose: Local laws and regulations take precedence over this standard when applicable, but contractual obligations do not. If compelled to take action contrary to this standard parties SHOULD/MUST notify affected users to the extent practical and allowed by law.

ifette: main concern "extent practical" not really defined, it's not the same as data breach notification

aleecia: agree that it is not data breach

<tl> At Mozilla, we consider subpoenas to be data breaches. That's part of our security models.

aleecia: in term of no practical, two solution

<enewland> +1 to tl's proposal

<rigo> exactly tl :)

<tl> They're the hardest breach to protect against.

<ifette> "commercially reasonable as determined by the holder of the data"

<ifette> :)

aleecia: 1) make the text non-normative
... 2) define what the "extent practical" is

<chapell> +1 - commercially reasonable as determined by holder of data

<ifette> i'm fine with dropping the notification

<ifette> it's not that meaningful in most cases probably

<tl> chapell, You realize that that was the viewpoint being caricatured?

<ifette> you're some third party ad network with just an IP, what are you supposed to do

rigo: concern about losing focus, we should talk about this in a different specification that is focused on governmental collection and notification

<chapell> TL, yes

<npdoty> that's the same as dropping the sentence, right?

aleecia: proposal, we take the sentence "should notify" and make it non-normative (strawpoll)

<fielding> no SHOULD

<rigo> aleecia: if you're opposed to changing the section to NON-normative

<johnsimpson> can't have a "should" in non-normative, can you?

<rigo> ... please indicate +1

<justin> Should is per se normative

<rigo> tl: can't have non-normative instructions ...

tl: it is normative instruction, either you should do it, or you should not do it

<rigo> RF: tracking indicates that you're tracking for a reason, one of them is that for reason of law

fielding: the tracking status response may indicate that you are tracking for a reason (might be the applicable law)

<rigo> ... standard doesn't apply to subpoenas

<tl> fielding, How about: Local laws, legal and judicial process, regulations and so forth take precedence over this standard when applicable, but contractual obligations do not. If compelled to take action contrary to this standard parties SHOULD/MUST notify affected users to the extent practical and allowed by law

aleecia: We have already some response in Pref Spec and could indicate there.

<ifette> my first counter-proposal is fine to drop

aleecia: at that point we might just take that sentence out and cover that in the spec, but not yet since we did not decide what the response should be

<johnsimpson> +1 tl text

<tl> Local laws, legal and judicial process, regulations and so forth take precedence over this standard when applicable, but contractual obligations do not.

<rigo> Local laws and regulations take precedence over this standard, when applicable; however, contractual obligations do not.

<dsinger> try: "Local laws and regulations take precedence over this standard, when applicable; however, contractual obligations do not."

tl: text I'm proposing is a compromise, slight modification of dsinger text

<dsinger> I'm fine with that

<WileyS> One person at a time please

<tl> How about: Local laws, legal and judicial process, regulations and so forth take precedence over this standard when applicable, but contractual obligations do not. If compelled to take action contrary to this standard parties SHOULD/MUST notify affected users to the extent practical and allowed by law

tl: that would be in replacement of the whole thing, not just the second sentence

<WileyS> Remove the last sentence and I agree

<dsinger> replace all text with (a) Tom's sentence and (b) an open issue on notification.

<fielding> That's better, but starting with "Adherence to applicable laws or regulations take precedence over ..."

<rigo> What is "local" anyway?

aleecia: we drop the three sentences and replace it with one
... remove local from there and just take law

<dsinger> Adherence to laws, legal and judicial process, regulations and so forth take precedence over this standard when applicable, but contractual obligations do not.

<npdoty> does anyone object to this as a concept?

RESOLUTION: Change three sentences to "Adherence to laws, legal and judicial process, regulations and so forth take precedence over this standard when applicable, but contractual obligations do not." in 4.5.4

<npdoty> resolution: change 3 sentences to dsinger's final single sentence, with an open question on notification (pending TPE)

<tl> I note that HTML5 doesn't allow you to violate it when local laws prohibit it.

<npdoty> ifette: fine with dropping my suggestion and accepting this

aleecia: finished discussing issue 28, moving on

<fielding> simpler version: Applicable laws or regulations take precedence over this standard, but contractual obligations do not.

Issue-14

<trackbot> ISSUE-14 -- How does what we talk about with 1st/3rd party relate to European law about data controller vs data processor? -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/14

<rigo> For the EU, the outsourcing scenario is clearly regulated. In the current EU Directive 95/46/EC, but also in the suggested regulation reforming the data protection regime, an entity using or processing data is subject to data protection law. A First Party (EU: data controller) is an entity or multiple entities (EU: joint data controller) who determines the purposes, conditions and means of the data processing will be the data controller. A service provider (EU: data

<rigo> processor) is an entity with a legal contractual relation to the Data Controller. The Service Provider does determine the purposes, conditions and means of the data processing, but processes data on behalf of the controller. The data processor acts on behalf of the data controller and is a separate legal entity. An entity acting as a first party and contracting services of another party is responsible for the overall processing. A third party is an entity with no

<rigo> contractual relation to the Data Controller and no specific legitimacy or authorization in processing personal data. If the third party has own rights and privileges concerning the processing of the data collected by the first party, it isn't a data processor anymore and thus not covered by exemptions. This third party is then considered as a second data controller with all duties attached to that status. As the pretensions of users are based on law, they apply to

aleecia: we might be moving this to another portion of the document, are we closed on issue-14?

<rigo> first and third party alike unless the third party acts as a mere data processor.

<tl> fielding +1

<WileyS> Please remove this text in its entirety

aleecia: anyone who can not live with this text?

<justin> +1 to WileyS

fielding: not useful for us to redefine data controller and data processor, just use those terms and copy current definitions

<ifette> +1 Shane

<enewland> +1 to WileyS as well. This doesn't belong here or add very much.

WileyS: suggest to divorce legal tenant completely from the standard document, discuss them broadly but not the specifics

<tl> dsinger: fielding suggested "Applicable laws or regulations take precedence over this standard, but contractual obligations do not." which is even tighter.

<chapell> +1 to WileyS

WileyS: we should put that in a companion document

<Joanne> +1 to Shane

<Zakim> rigo, you wanted to say that this is a useful explanation for EU customers

<eberkower> +1

<chapell> Lets push this to the standards doc

<npdoty> chapell, this is a standards document. do you want to move it to a separate document?

<WileyS> Put that in the companion document

<chapell> @nick - yes, I meant companion doc

<WileyS> That's nice - but the A29WP isn't the purpose of this standard

rigo: -1, this is a added value, it is not specifying but it is a how to
... how to handle dnt in EU

ifette: it could be informative but we're not writing an implementation of article 29

<WileyS> Separate document altogether please

<ifette> +1 separate doc

<tl> +1: separate document.

<chapell> +1 separate doc

<eberkower> +1 with WileyS

aleecia: what I'm hearing is that we should move the text somewhere else, we could debate later where

<tl> We are agreed!

<Joanne> +1 to sep doc

<WileyS> Aleecia - it appears everyone (perhaps save Rigo) is asking for this to be moved to a separate document

<WileyS> Please look at all the +1s above

rigo: this ended-up here due to the discussion on 1st vs 3rd party and look to the EU scenario
... I'd be satisfied if you go back to rvaneijk

<WileyS> Rigo - we don't disagree on the guidance - but rather we'd like to move to a separate document that discusses the entirety of the standard's tenants from individual local law perspectives

<WileyS> Aleecia - Rob just joined

<johnsimpson> would we be better to use the data controller, data processor model rather than 1st and 3rd party throughout entire document?

<rigo> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#EUterms

rvaneijk: fine with moving the text in another document

<ifette> Can we plan on "another document" rather than leaving "elsewhere' undefined?

<ifette> everyone +1'd another doc

<ifette> above

RESOLUTION: we will move this text elsewhere

<fielding> johnsimpson, unfortunately we can't avoid the third-party distinction entirely because the third-parties that we do care about are the ones that are controllers, not just processors.

<rigo> resolution: rvaneijk ok with moving text of issue-14 elsewhere as the rest of first/third party still in flux

aleecia: ifette not sure what we gonna do yet

WileyS: many "+1" to move the text in another document
... did not see anyone against it

<rigo> I'm not against separate document

<tl> To paraphrase Mr. Cameron: "I agree with Shane."

<rigo> for the record. This could be a WG Note

Issue-32

<dsinger> issue-32?

<trackbot> ISSUE-32 -- Sharing of data between entities via cookie syncing / identity brokering -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/32

aleecia: discussing with matthias on that issue

<rvaneijk> Rigo, can we move that to an issue?

<npdoty> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#cookieSync

aleecia: issue-32, a couple of notes on that issue

<npdoty> ... propose postponing this issue until we figure out the question of service providers

<npdoty> ... and close action 106

<tl> +1

aleecia: suggestion on the table we close action 106 and move issue 32 to postpone

<ifette> No, other than a meta comment to say it's hard to figure out "what is the text under review"

<ifette> with giant email chains

<ifette> (would be great to get a link to the relevant email / text directly)

<tl> ifette, So true.

<tl> Or if we had some way to propose text. Like a pull request. Just saying.

<vincent> my fault, I sent an update this morning

<ifette> ISSUE-55?

<trackbot> ISSUE-55 -- What is relationship between behavioral advertising and tracking, subset, different items? -- closed

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/55

ISSUE-65 ?

<trackbot> ISSUE-65 -- How does logged in and logged out state work -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/65

<npdoty> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#loggedIn

<rigo> If a user is logged into a first-party website and it receives a DNT:1 signal, the website must respect DNT:1 signal as a first party and should handle the user login as it normally would. If a user is logged into a third-party website, and the third party receives a DNT:1 signal, then it must respect the DNT:1 signal unless it falls under an exemption described in this document.

<ifette> If a user is logged into a first-party website and it receives a DNT:1 signal, the website must respect DNT:1 signal as a first party and should handle the user login as it normally would. If a user is logged into a third-party website, and the third party receives a DNT:1 signal, then it must respect the DNT:1 signal unless it falls under an exemption described in this document.

<ifette> Example use cases:

<ifette> A user with DNT:1 logs into a search service called "Searchy". Searchy also operates advertisements on other websites. When the user is on a news website, Searchy receives DNT:1, and it must respect it, as Searchy is operating in a third-party context.

<ifette> A user with DNT:1 enabled visits a shopping website and logs in. The shopping website continues to provide recommendations, order history, etc. The shopping site includes third-party advertisements. Those third-parties continue to respect DNT:1. When the user purchases the items in their basket, a third-party financial transaction service is used. The user interacts with the third-party service, at which point it becomes first-party and may use previously collect

<ifette> data.

<ifette> A user with DNT:1 visits a website (Website A) that uses a third-party authentication service called "LogMeIn". The user logs into the site with his LogMeIn credentials. The user has interacted with LogMeIn, and now it can act as a first-party. Now the user visits Website B, which also uses the LogMeIn service, but is branded differently than Website A. LogMeIn must respect the DNT:1 signal until the user chooses to interact with LogMeIn in order to log into Websi

aleecia: two different text proposals for this issue, one with some use cases and the other with no comment at all

<rigo> With DNT enabled the site should not track the user when the user navigates to another site. However, the user should still be able to benefit from some level of personalization.

<tl> Straw poll time?

<ifette> Is there an option that logging in == dnt0?

dsinger: it's confusing to say a cookie to a third party and say "don't track me!"

<JC> That happens with DNT anyway

aleecia: not sure that it is scope to this problem

<npdoty> I thought the point of DNT is that you could send a preference even though the browser might send identifying cookies

rigo: there are some caveats that I try to discuss with use cases
... : user not knowing that he's logged-in and look for sensitive information and get tracked

<ifette> Isn't that what we have private browsing modes for?

rigo: he's not aware of its logging cookie, DNT might be an opportunity to solve this issue

tl: agree with rigo, the rule we have already covers the use cases

<Zakim> ifette, you wanted to say we seem to be trying to solve use cases solved by incognito/private modes which i think is a bit different than what I anticipated DNT used for

<dsinger> strongly disagree with a 'logged in exception' also

ifette: it seems to be something we tried to address with private browsing

JC: not looking for an exception for logging state,

<ifette> if you're in private mode and you log in, you have given a very strong signal. why would you log in to facebook in a 'private browsing' session?

JC: if you're in private mode and you login the website knows who you are
... DNT does not mean do not personalize but it means do not keep track

<ifette> "I want the bread but I don't want to bake it"

JC: I want to know what my friends like in an article (active feedback)

<tl> <battle music starts>

<johnsimpson> JC, Does option one allow what you want?

<rigo> JC, this also applies filtering in streams, IMHO a more important use case

WileyS: I disagree, I believe logged-in implies consent

<JC> Yes

<ifette> Shane is saying basically what I want to say

<ifette> so i will drop off

<JC> +1

WileyS: users are consenting to an experience, I don't believe DNT has a place there
... if you don't want that experience then logout

<JC> DNT doesn't block cookies

<WileyS> Logged-in = Out of Band Consent

<fielding> ditto shane … it should be an account preference that gives consent

<tedleung> I agree with shane

dsinger: if you send DNT:1 with a cookie, you can know who I am and tell me what my friends like

<WileyS> Logged-in = Out of Band Consent (if constructed appropriately) = trumps DNT (web-wide exception)

<justin> Logged in = Out of Band consent IF this standard's consent requirement is met

<rvaneijk> TL +1

<johnsimpson> +1 to TL

<dsinger> dnt:0 and a logged-in-cookie trumps DNT, not DNT:1

<WileyS> Don't participate in SocialNet (or Log out of SocialNet)

<JC> +1

tl: if I'm logging in SocialNet and then go and browse the web, I don't want SocialNet to know which site I view

<WileyS> This is how you vote on SocialNet's features

<WileyS> Can't eat your cake and have it too

<WileyS> Strongly disagree

<dsinger> strongly agree with tl

tl: we should prohibit that behavior, just because I'm logged in does not mean that SocialNet should be tracking me

<JC> Not the same

<npdoty> jc, are you in agreement with shane or not? we seem to go back and forth

<dsinger> if you WANT socialnet's behavior, then send dnt:0 to them

aleecia: 3 possibilities:

<justin> How about middle ground --- SocialNet can serve you content based on the url and your profile, but they cannot store info for profile

<JC> It's gray

aleecia: 1) being logged in is irrelevant because DNT is still operative

<justin> Unless they clearly opted in as part of enrollment process.

<JC> I don't agree with tracking with DNT:1

<johnsimpson> Justin has it right, I think

aleecia: 2) it's relevant because I opted in

<JC> I agree with personalization with logged in state

aleecia: 3) is the option proposed by JC

<tl> +1

<JC> +1

<dsinger> dnt:1, no logged-in cookies sent: plain DNT applies; dnt:1, logged-in cookies sent: recognize me, but don't add to your database about me;

<rigo> +

<rigo> +1

<justin> This discussion conflates a lot of issues, but on this specific issue I would prefer to say nothing on loggedinness

<npdoty> ifette: as I understand JC's proposal, when I log in to Facebook they could ask me at that time for a *,facebook.com exception so that they can track me around the Web, and that they otherwise can't

<dsinger> otherwise send dnt:0 to SocialNet and give them an exception

JC: I login to FB, they know I'm logging, if I have DNT one, every time I'm reading an article, people know that I'm reading that article

<WileyS> Agree with Justin (and like the new word "loggedinness" :-) )

<rigo> think about personalization in filtering information streams like stock selections you're looking at

JC: if I send DNT:1 people won't know I'm reading that article but I can still see which of my friends liked that article

<chapell> @JC - not sure I disagree, but it seems complicated and difficult to implement

<justin> My middle ground I think would take care of JC's issue.

<johnsimpson> and if you actively interact, on the 3rd party site that could be logged

aleecia: two action items:

<ifette> that would be up to the site to offer

aleecia: 1) write this middle ground

<WileyS> They can if the service provider extends it

aleecia: 2) write WileyS's proposal

<WileyS> @JC - :-)

<WileyS> Yes

<WileyS> :-)

<justin> Sure, but I think my vision is reflected in the current spec.

<WileyS> Yes

<npdoty> ACTION: cannon to write up personalization-without-tracking on loggedinness (with David and Shane) [recorded in http://www.w3.org/2012/03/21-dnt-minutes.html#action01]

<trackbot> Created ACTION-151 - Write up personalization-without-tracking on loggedinness (with David and Shane) [on JC Cannon - due 2012-03-28].

<ifette> Question - aleecia, i had two actions due today, can you mark them pending review?

<ifette> 146+147

<npdoty> ACTION: shane to write up logged-in-means-out-of-band-consent [recorded in http://www.w3.org/2012/03/21-dnt-minutes.html#action02]

<trackbot> Created ACTION-152 - Write up logged-in-means-out-of-band-consent [on Shane Wiley - due 2012-03-28].

aleecia: move forward on 65 when we have some text

<rigo> 1/ Do not track is not affected by login

<ifette> 1: dnt unaffected by DNT

<ifette> 2: middle ground

<ifette> 3: logged in seen as consenting to tracking, DNT is off after login

<tl> 1

<rvaneijk> 1

<justin> 1.5

<ifette> ifette votes 3

<johnsimpson> Option 1

<dsinger> 1 or 2

<npdoty> 1 or 2

<rigo> rigo votes 2

<vincent> thanks ifette , rigo

<tedleung> 2

<justin> I think login and DNT are orthogonal, but personalization may be ok regardless of loggedinness

big issues

<rvaneijk> I think the question 'how big is a first party' needs to be solved first

aleecia: moving forward on operational uses of data

<WileyS> Propose we do this at DC F2F

<npdoty> aleecia: hearing that what we can live with on parties will depend on operational uses of data and vice versa

aleecia: we will be talking about it in DC but we should make progress before we get there

<npdoty> ... take these issues together

aleecia: thinking of common use cases would be useful

<rigo> my use case is filtering the information stream by a special disease

<rigo> on a medical site

<WileyS> operational purposes

aleecia: use "operational uses" for "exemption/exceptions"

<johnsimpson> what's wrong with exemption?

<justin> exemptions not exceptions

aleecia: anyone object to "operational purposes"

<WileyS> In text, I've been saying "User Granted Exceptions" and "Operational Purpose Exceptions"

<fielding> I fixed that ;-)

aleecia: exemptions and exceptions are confusing

<rigo> I would call them exclusions

<rvaneijk> as long as operational purposes will not be defined

<rigo> rvaneijk: the goal is to define operational purposes

<rigo> rvaneijk, so speak up or be lost

npdoty: will we be judging the exemptions whether or not they're used for operational

<WileyS> Nomenclature solution - but seems like they would be judged in that light "necessary operational purposes"

johnsimpson: there are some exemptions that would be granted and that are not for operational purposes

<rvaneijk> +1 john

<ifette> Perhaps we could call it an "operational exemption"?

johnsimpson: exemption comes in the spec, exceptions are granted by the user

<npdoty> we would still be using "exception" for user-granted site-specific exceptions, right?

johnsimpson: ok to move on, just note that some exemptions are not operational purposes

rvaneijk: operational uses has been used in the EU directive as well

<WileyS> "strictly necessary purpose" in EU language - not the same

<rigo> RV: operational purpose would lead to confusion in EU

<rvaneijk> not the same but will lead to confusion

<npdoty> tl: "permitted uses"

<rigo> permitted uses

<rvaneijk> permitted is better.

<rigo> +1

tl: permitted uses (suggestions)

<justin> Wait, is this permitted by spec or permitted by user?

aleecia: anybody object to permitted uses?

<npdoty> aleecia: does anyone object to "permitted uses" as a placeholder for the moment? if anyone has a better idea, please share with the mailing list

<ifette> A Bjork

<vincent> :)

<WileyS> So, "User Granted Exceptions" and "Permitted Uses" ?

DC hosting

<WileyS> The Yahoo! office is too small - sorry (could handle about 20 people - no more)

<npdoty> aleecia: not yet have a location in DC, three different organizations that would like to but can't

<fielding> uses? retention, collection, sharing?

<ifette> we have a dc office but it's not that large...

<npdoty> ... looking at up to 60 people, volunteer hosts are welcome

<ifette> aleecia, operational question?

<johnsimpson> Thank you

<dsinger> thx

<WileyS> Thank you

<npdoty> 'same time next week'

<ifette> ACTION-146?

<trackbot> ACTION-146 -- Ian Fette to review the proposed text for ISSUE-111 in the context of a redirect chain where some parties get 0, some parties get 1, and there is potentially some data sharing between the parties in the redirect chain -- due 2012-03-21 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/146

<npdoty> ifette wants to move 146 and 147 to pending review

<npdoty> ... and will do so now

<vincent> thanks npdoty , rigo and ifette for helping me scribing :)

<npdoty> thanks to vincent for keeping up on a very fast-moving call!

<vincent> that did seem very fast to me :)

Summary of Action Items

[NEW] ACTION: cannon to write up personalization-without-tracking on loggedinness (with David and Shane) [recorded in http://www.w3.org/2012/03/21-dnt-minutes.html#action01]
[NEW] ACTION: shane to write up logged-in-means-out-of-band-consent [recorded in http://www.w3.org/2012/03/21-dnt-minutes.html#action02]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2012/04/30 06:16:30 $