15:58:12 RRSAgent has joined #dnt
15:58:12 logging to http://www.w3.org/2012/06/20-dnt-irc
15:58:32 Zakim, make logs public
15:58:32 I don't understand 'make logs public', npdoty
15:58:38 rrsagent, make logs public
15:58:39 vincent has joined #dnt
15:58:47 rvaneijk has joined #dnt
15:58:59 Internet connection info is on the whitescreen, although if you're reading this....
15:59:05 tedleung has joined #dnt
15:59:13 Joanne has joined #DNT
15:59:29 ifette has joined #dnt
15:59:35 efelten has joined #dnt
15:59:36 johnsimpson has joined #dnt
16:00:23 bryan has joined #dnt
16:00:33
16:00:49 scribenick: npdoty
16:01:02 present+ Bryan_Sullivan
16:01:19 schunter: welcome back, thanks for coming back
16:01:23 hwest has joined #dnt
16:01:23 ... happy with the progress so far
16:01:30 vinay has joined #dnt
16:01:43 ... identified two major proposals and a lot of areas of agreement
16:01:47 ... and a very lively discussion on the mailing list
16:02:01 ... in working order and we are working cooperatively on finding solutions to our challenges
16:02:11 ... appreciate the time you put into this group and the constructive feedback
16:02:17
16:02:29 ... still have some work to do
16:03:15 tlr has joined #dnt
16:03:25 ifette_ has joined #dnt
16:03:38 adrianba has joined #dnt
16:03:44 Chris_IAB has joined #dnt
16:03:49 justin has joined #dnt
16:03:53 ... don't need to debate the wordsmithing, but figure out what pieces we can or can't live with
16:03:56 zakim, who is on the phone?
16:03:56 sorry, tlr, I don't know what conference this is
16:04:06 zakim, this will be TRACK
16:04:06 ok, tlr, I see T&S_Track(dnt)12:00PM already started
16:04:11 ... not to aim for perfect solution, but what are the key points that I cannot live with and focusing on getting agreement with these points
16:04:13 zakim, who is on the phone?
16:04:13 On the phone I see +1.813.366.aaaa
16:04:29 i can't hear anything, but 813.366 is hefferjr
16:04:29 is the caller on IRC?
16:04:39 zakim, aaaa is hefferjr
16:04:39 +hefferjr; got it
16:04:50 schunter: feel free to make little groups over coffee to work out issues, which can be even more efficient
16:04:52 +[Apple]
16:05:04 zakim, [apple] has dsinger
16:05:04 +dsinger; got it
16:05:11 ... agenda review and looking for scribes
16:05:24 ... 1. Welcome and Goals
16:05:29 -hefferjr
16:06:04 ... finding solutions
16:06:11 tl: introduce yourselves and note the observers
16:06:41 schunter: +1, go through introductions around the room after this session
16:06:42 +hefferjr
16:06:52 jmayer has joined #dnt
16:07:05 dwainberg has joined #dnt
16:07:08 hefferjr, I think we don't have Zakim hooked up to the room yet, will follow up
16:07:31 thx.
16:07:36 i just heard "hello"
16:07:58 dsinger, hefferjr, I'm not sure we have Zakim hooked up to the room yet, please stand by
16:09:23 I would scribe, but I am only an "observer"
16:10:00 james has joined #dnt
16:10:29 jjj
16:10:34 cspiezle has joined #dnt
16:10:51 Chris_IAB: That's the best place to scribe from!
16:11:13 meme has joined #dnt
16:11:14 scribe volunteers: dwainberg, justin, rigo, Ian, AmyC, jason
16:11:34 yeah, I'm not in accord with that...
16:11:47 if I'm only an observer, I'd like to observe :)
16:11:54 is there a cheat sheet on the web with the scribing syntax
16:11:55 ?
16:12:09 suegl has joined #dnt
16:12:16 Chris_IAB, Scribing is a great opportunity to follow the conversation very closely!
16:12:18 egrant has joined #dnt
16:12:19 jchester2 has joined #dnt
16:12:25 Participants:
16:12:26 Ionel, please q up here in IRC so that we know to unmute the phone
16:12:28 sidstamm has joined #dnt
16:12:39 Jon Mayer ...
16:12:44 ... Justin Brookman,
16:12:49 ... Vinay G
16:12:55 Brooks Dobbs....
16:13:00 (sorry, I'm missing some)
16:13:02 …Rob Sherman
16:13:03 Mike Zaneis
16:13:11 Thomas R
16:13:14 Keerat
16:13:22 scribenick: dwainberg
16:13:23 sorry, who is "tl"?
16:13:39 you have a non-transparent IRC name
16:13:49 Chris_IAB, tl is tom lowenthal
16:14:35 scribing notes: http://www.w3.org/2002/03/RRSAgent
16:14:44 and docs on Zakim: http://www.w3.org/2001/12/zakim-irc-bot
16:14:57 thanks
16:14:57
16:15:10 amyc has joined #dnt
16:16:08 I'll share the full attendee list since we won't get everyone's details in this go-round
16:16:16 thanks, have used IRC since the 1980's in college... funded largely by advertising revenue, UI's for IM were improved, and I moved on ;)
16:16:31 vincent has joined #dnt
16:16:40 but I get that this is free, so I'm getting the rust out!
16:16:40 scribenick: dwainberg
16:17:01 Chris_IAB: All the IM networks look pretty much the same to me, I use Pidgin...
16:17:01 aleecia: thanking companies that provided support
16:17:21 rigo has joined #dnt
16:17:29 huge thanks to Microsoft for hosting, and to Yahoo, Facebook and Google for financial support
16:17:32 ... [reviewing the agenda]
16:17:49 alex has joined #dnt
16:17:52 ... Mission of the TPWG is to improve user privacy .... (from the charter)
16:18:02 ... we need something that works for users and that can be adopted by biz
16:18:21 keerat has joined #dnt
16:18:36 ... [reviewing dates]
16:18:41 .... dates are aspirational
16:19:03 ... we were looking for a last call doc in June, we'll see if it happens, even if we don't, we need to publish something out of this meeting
16:19:25 ... WG issue freeze
16:19:31 ronan.heffernan@nielsen.com
16:19:47 BrianH has joined #dnt
16:20:03 Marc has joined #dnt
16:20:13 ... aleecia filled in dates assuming last call, and padded it out
16:20:40 ... Getting to closed
16:21:03 WileyS has joined #DNT
16:21:05 ... we start with an open issue, use texts to have discussions, and get to consensus text, then closed issue
16:21:09 JC has joined #DNT
16:21:17 ... issues can be reopened based on new information
16:21:27 ... w/out new info or new text the issue will remain closed
16:21:39 ... we can have formal objections
16:21:55 npd_test has joined #dnt
16:22:04 ... if we have multiple texts, consensus is on the least objectionable proposal
16:22:28 ... chairs will identify consensus for the least objectionable path
16:22:29 -hefferjr
16:22:43 ... it is about substance, not about volume, "me too's", etc.
16:22:48 s/ronan.heffernan@nielsen.com//
16:23:27 ... WileyS: there is not agreement on this process, can we set that aside as a separate issue
16:23:47 rigo: this _is_ w3c process...it's about sustained opposition
16:23:48 hwest has joined #dnt
16:23:53 If you're curious about w3c process: http://www.w3.org/2005/10/Process-20051014/
16:24:41 tlr: [reading from the process doc] "where unanimity is not possible, ... in establishing consensus, the WG must address legit concerns of members.... it is desirable that a large majority accept...
16:24:53 http://www.w3.org/2005/10/Process-20051014/policies.html#Consensus
16:24:58 fwagner has joined #dnt
16:25:05 ... ignore the above (old process doc version)
16:25:10
16:25:12 randomwalker has joined #dnt
16:25:52 -[Apple]
16:25:53 T&S_Track(dnt)12:00PM has ended
16:25:53 Attendees were +1.813.366.aaaa, hefferjr, dsinger
16:26:01 ... current version: "in some cases a group may be unable to reach consensus.... dissenters cannot stop the groups work....if chair believes group has considered dissenters views they can move on
16:26:19 ... consensus ... [reading from the process doc]
16:26:36 ... it is a general practice to look for the least objectionable
16:26:50 Zakim, aaaa is hefferjr
16:26:50 sorry, hefferjr, I do not recognize a party named 'aaaa'
16:27:13 ian: can we highlight the process for moving a document to last call?
16:27:14 BerinSzoka has joined #dnt
16:27:24 tlr: upon consensus of the WG
16:27:40 aleecia: typically we do not have a vote, but last call could be a time for a vote
16:27:42 Here's the W3C process document that was just read from: http://www.w3.org/2005/10/Process-20051014/policies
16:27:45 http://www.w3.org/2005/10/Process-20051014/policies.html#Consensus
16:27:58 note the section on Consensus in particular http://www.w3.org/2005/10/Process-20051014/policies#Consensus
16:28:02 an additional piece that I didn't read to you: Groups should favor proposals that create the weakest objections. This is preferred over proposals that are supported by a large majority but that cause strong objections from a few people. As part of making a decision where there is dissent, the Chair is expected to be aware of which participants work for the same (or related) Member organizations and weigh their input accordingly.
16:28:08 http://www.w3.org/2005/10/Process-20051014/policies.html#managing-dissent
16:28:17 aleecia: formal objections happen at decision points. FO authors must cite technical basis.
16:28:36 ... group can resolve right there, or there is a w3 process, which can go up to Berners-Lee
16:28:54 ... if one thing is reversed, there can be an entire dependency chain
16:29:03 ... not unusual to have multiple formal objections
16:29:08 ... questions?
16:29:17 ... (none)
16:29:21 ... What's new?
16:29:31 ... issues about IP
16:29:54 Rigo Wenning, W3C's Legal Counsel
16:29:58 rigo: is w3c's legal counsel. There were messages on the list about alleged IP issues.
16:30:16 ... discussion of the issue on the mailing list has stopped
16:30:30 ... w3c can create patent advisory group
16:31:11 ... w/ commitment to royalty free, the issue is resolved, but if can't resolve quickly, will create advisory group
16:31:24 if we can resolve just by getting a W3C royalty-free licensing commitment, then we don't need to go forward
16:31:34 ... formal procedure, with fixed membership, members only, no experts, no observers
16:31:47 ... w/ discretion of chair invited experts can be invited to the group
16:31:59 ... private meetings, but the result will be public, with suggestions to the WG
16:32:05 deliberation in Member-space only, with a report to the public
16:32:31 ... w3c patent policy says clearly that a standard cannot be covered by IP
16:32:40 ... there will not be a spec that is encumbered with IP
16:33:04 ... important not to give in to panic; we will resolve this.
16:33:27 for questions, grab Rigo in a coffee break
16:33:39 aleecia: on the mailing list; currently it is world readable/writable
16:33:59 ... and we're seeing problems
16:34:37 ... the chairs will bar contributors who are contributing IP w/out an agreement, or who are disrupting the group
16:34:59 ... problem of people contributing IP over which they have a patent
16:35:17 ... we need to be careful to keep those things out
16:35:29 vinay_ has joined #dnt
16:36:24 ... questions?
16:36:49 justin: how does it work; anyone can join, are they required to give up their IP before they can join?
16:36:54 jchester2 has joined #dnt
16:36:55 q?
16:37:34 rigo: w3c has a complex framework. Members follow w3 policy. Invited experts sign a form on an individual basis. Observers haven't signed anything, so we have to be careful.
16:37:45 ... this is the chair's task to be careful about this.
16:38:04 patent policy details: http://www.w3.org/Consortium/Patent-Policy-20040205/
16:38:33 q+ tlr
16:38:36 q+ WileyS
16:38:39 aleecia: this will be posted w/in the next week.
16:38:43 ack tlr
16:39:02 tlr: one clarification; we have an obligation to respond to comments from the public after last call.
16:39:25 q?
16:39:36 ... WRT current members, we're having issues. People are complaining about tone.
16:39:51 people not reading the list because it makes them ill to read it
16:40:04 ... Social competence is a key component for WG membership.
16:40:13 ... We're getting to the point of having problems.
16:40:31 ... Please self-moderate.
16:40:47 q+ hwest
16:40:48 ... Last piece; we also need a way to take public comments.
16:41:12 ... Will set up a public comment list, and we will need to respond to those public comments.
16:41:18 ack WileyS
16:41:30 WileyS: Is there a private list as well? What is it?
16:41:59 ... Does that exist? Can someone explain its composition.
16:42:05 -q
16:42:35 tl: we do have a private list. By charter it is only allowed for organization, logistics, etc. But no substantive WG content.
16:42:44 q?
16:42:58 Member list archive -> https://lists.w3.org/Archives/Member/member-tracking/
16:43:07 tlr: archive for the private list shows 7 messages from Nov 2011
16:43:29 aleecia: we have new people involved.
16:43:31 (and I don't believe that the Member mailing list archive is currently visible to our Invited Experts)
16:43:43 ... we're seeing exec level decision making descend on the group
16:44:18 ... we're suddenly working at executive speed, and it's bogging down the process
16:44:49 rrsagent, pointer?
16:44:49 See http://www.w3.org/2012/06/20-dnt-irc#T16-44-49
16:45:03 ... Also external pressures. Press.
16:45:20 q+
16:45:35 ... Increased Congressional interest in the US.
16:45:51 ... UK "implied consent" for cookies
16:45:56 ... NL prior consent
16:46:08 ... Art 29 calling out DNT as inadequate
16:47:03 ... may have to send out last call for comments twice
16:47:57 "we're doing something unusual and special"
16:48:28 ... thanks to all for doing this work. It is important. It is important to a lot of people. The stakes are high.
16:49:47 ... [talking about dinner plans]
16:50:35 ack Marc
16:51:04 "new information"
16:51:13 marc: Process question. A decision about one section could hinge on another section that we've not discussed. How do we loop back?
16:51:27 ... Troubled or concerned about how that plays out in a rational way.
16:52:03 aleecia: Mostly applies to the compliance doc. For things that have dependencies, we have put those issues together. It is much easier to do it issue by issue.
16:52:18 ... for things that are interlocked, we'll just have to do them together.
16:52:28 ... if you have specific things in mind, call them out.
16:53:06 ... Does that answer your question?
16:53:07 alex has joined #dnt
16:53:12 marc: I think so.
16:53:23 npdoty: This may also be "new information"
16:53:37 q?
16:53:43 aleecia: I've tended to be much more willing to go back to issues. This starts to change as we get closer to closed.
16:54:32 ... Next we have editors. David is not here, so Roy will do a quick summary on TPE.
16:54:43 Topic: Presentations of the Working Drafts
16:55:14 Roy F is presenting
16:56:35 editors' draft of TPE: http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
16:56:53 and compliance: http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html
16:57:23 Heather and Justin presenting on Compliance Doc
16:57:32 hwest: not many changes made since Wash
16:57:47 justin: lots of options in the doc
16:57:54 s/Wash/Washington DC
16:58:00 hwest: options, notes, issues are color coded in the doc
16:58:13 ... things not called out are close to consensus
16:58:24 justin: major issues.
16:58:44 ... 1. definition of parties and consumer expectations
16:58:45 Nick Doty, please note that Shane Wiley of Yahoo! just sent a formal request to add the IAB as "invited experts" to this TP Working Group; Could you please reply today? Thanks :)
16:59:07 ... advocates have largely conceded on this
16:59:36 hwest: next piece is permitted uses; what can that party do for operational purposes. We've been treating those together.
16:59:50 justin: parties and unique identifier are biggest issues
17:00:36 ... advocates argue there should be no unique identifier; industry argues there should be a number of permitted uses allowed using unique ID's
17:00:48 hwest: the draft at this time does not reflect recent discussions.
17:01:18 justin: not much concern anymore about 1st vs 3rd definitions
17:01:32 ... some discussion of need for definition of "tracking" and "collection"
17:01:57 ... Section 5 on user granted exceptions. There's some discussion on what is needed for consent.
17:02:01 I'm happy to help with editing if we want to do things in real time or each evening /cc: hwest, justin
17:02:37 hwest: that sums up the big issues
17:03:00 justin: take-away -- don't look at the compliance doc right now (laughter)
17:03:47 (roy presenting on TPE)
17:03:50 I haven't added that functionality (toggling non-normative text) to the live editor's draft yet, but it's ready to go
17:03:55 aleecia has joined #dnt
17:03:58 roy: Defines what goes over the wire.
17:04:02 http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
17:05:02 ... Status is; we have made changes since the draft in DC. Major areas of change are the tracking response proposal. We've merged Roy's and Tom's proposals into one version, but not sure if they're happy with it.
17:06:02 schunter: The point of this section of the specification is to specify how a server replies to a UA. I perceive agreement on parts, but we'll discuss later.
17:06:44 roy: (displaying diffs on the overhead)
17:06:51 fielding: I think we addressed those Community Group comments, though I'm not quite sure
17:06:54 Sorry Nick, not trying to make your day any harder :)
17:07:02 ... change; site-specific >> user-granted exceptions
17:08:03 schunter: (describing options for user-granted exceptions)
17:08:04 fielding, johnsimpson, jchester2 -- we should confirm whether we've addressed the CG comments, and if we need to document that, we can do so
17:09:17 haven't formally reviewed http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining
17:09:17 fielding: (continuing to describe diffs)
17:09:31 (fielding's changes on defaults and requirements for setting a preference)
17:09:40 ... added issues 111. There are some new issues since the last working draft. We'll cover later.
17:10:17 ... other major change is the response section, where it was two proposals, resource and header field, now it uses both, depending on context.
17:11:53 schunter: context. If you want to tell a party it's ok to track. There's user-granted in the spec, and out-of-band, where site continues to get DNT:1, but site can respond it's not honoring because it has out-of-band consent.
17:12:44 section to review (per fielding): http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#responding
17:13:17 fielding: Tk header field is the combination of proposals. Confirm that what you want in there is in there.
17:13:47 schunter: Roy did a great job merging proposals. But the combination is not 100% perfect. What should go into the UI? What should go into the headers?
17:14:02 Checkin notes dlist is here: public-tracking-commit@w3.org
17:14:10 I'll send that to the dlist
17:14:23 ... Roy listed attributes you might want to communicate; we have to decide which are needed. But we hope not to need all.
17:15:11 fielding: last topic; user-granted exceptions. dsinger has been working on it.
17:15:31 added the exact model of what happens
17:15:40 added the cancel calls
17:15:42 npdoty: Major changes are adding a method for web-wide exceptions, starting w/ Shane's text, and API for removing exceptions.
17:15:49 added the web-wide exception
17:15:57 ... We want feedback from other browser makers.
17:16:01 added notes and issues
17:17:18 aleecia: What happens if we're not able to come to agreement?
17:17:26 Topic: What does the landscape look like?
17:17:59 npdoty, can dwainburg go for 10 minutes longer and then I will take over?
17:18:01 ... What does 6 months, 12 months... look like if we do not have DNT?
17:18:13 @justin: yes
17:18:14 s/dwainberg/dwainburg
17:18:21 q?
17:18:25 @nick They were addressed orally in DC. I think those slides were supposed to be sent to us. I don't think they were.
17:19:29 jchester2: I'm sure we all feel a responsibility for global users of the internet. ... Without a standard, we will see an escalation of the demands of privacy groups across the world for regulation and greater protections.
17:19:39 q?
17:19:41 fielding has joined #dnt
17:20:04 kimon: (responding) EU regs are about storage on the client, but DNT is not really about storage.
17:20:16 q+
17:20:23 ... but haven't been able to get much out of politicians as far as what they actually want to get out of it.
17:20:32 kimon: EU already has a strong legal framework
17:20:49 ... would like to make it interoperational with existing OBA framework.
17:20:50 +q
17:20:58 ack rigo
17:21:01 +q
17:21:07 q+
17:21:16 q+
17:21:32 rigo: Had talks with a company in Japan. They are watching the outcome of US and EU.
17:21:33 q+ rvaneijk
17:21:37 ack WileyS
17:21:58 WileyS: If this group is unsuccessful, a DNT standard will still emerge. It does not need to be one from a w3c standard.
17:22:06 ack BerinSzoka
17:22:44 BerinSzoka: Has been involved in the space for over 4 years. Lots of trade offs. Worry about this process breaking, and leading to a regulatory solution that's less able to deal with tradeoffs.
17:22:45 WileyS, you were also making a point that it might not be universal, but it would still be satisfactory?
17:23:19 q+ to point out that users will get what they want, one way or another.
17:23:34 ... Examples: A DAA standard outside of this process would be politically difficult. Congressional hearing, it was made clear they wouldn't support a DNT standard that does not comply with headers.
17:24:05 BerinSzoka: re: James Grimmelman testimony
17:24:18 ... Also, FTC could be tasked with writing the standard.
17:24:20 dwainberg, happy to take over once Berin is done . . .
17:24:51 BerinSzoka: a standard from outside this process (from DAA) would likely be unsatisfactory to that audience
17:25:04 q+
17:25:08 ... Markey and Barton have been co-chairs of privacy caucus. Their letter made clear they reject a standard that does not allow DNT to be set by default. They also reject a number of other fundamental assumptions of this group.
17:25:17 Q+
17:25:38 ... Very likely that if this group does not produce a workable standard, we'll see something crafted by regulators, who have little understanding of the issue.
17:25:47 "Barkey"... good one :)
17:26:06 ... in fact this will be resolved by people on the hill.
17:26:15 ack ifette
17:26:15 @justin all yours. thanks!
17:26:15 +q
17:26:20 scribenick: justin
17:26:24 -q
17:26:27 +q
17:26:29 MikeZ has joined #dnt
17:26:54 ifette: Google hopes this doesn't fail. But we started with a self-regulatory regime (DAA) that has been implemented by most third-parties, so there's a willingness to do something here.
17:27:26 ... Some we came into this process because we realized that DAA process was sub-optimal (have to go to website, cookie-based so not persistent).
17:27:29 a vast majority of the third parties that I believe we're trying to target covered by DAA program -- is that right? I thought we had agreed that these issues applied well beyond behavioral advertising
17:28:02 ... But over time it's become clear that group believes that DAA not enough. And WileyS's proposal does make real concessions.
17:28:06 Brooks has joined #dnt
17:28:25 ifette: there are meaningful concessions, this is beyond the DAA program, not just putting DAA opt-out into the browser
17:28:50 ... Obviously, some are pushing for a prior consent before tracking, especially in Europe. I am worried about the *pandering* being done around this issue. I don't believe that the world will move to opt-in model if this group fails.
17:29:11 ... Europe's opt-in model hasn't worked. And to be fair, the DAA model hasn't worked either.
17:29:26 +1 to Ian
17:29:46 Ionel has joined #dnt
17:29:48 aleecia: queue is closed --- be focused!
17:30:04 hober: If this working group fails, we'll need to look to other solutions to protect users' privacy
17:30:13 aleecia: what does that mean?
17:30:22 hober: It will depend.
17:30:29 aleecia: Give me some options
17:30:45 erikn: I'll take a shot at that
17:31:05 ... We're not trying to be dodgy --- we want this to work.
17:31:12 rnb has joined #dnt
17:31:17 ... But we are in agreement internally that we need to do something to protect user privacy.
17:31:26 aleecia: from a browser perspective?
17:31:42 erikn: yes, that captures it. But we really want DNT to succeed and to be the answer.
17:31:46 q?
17:31:54 ack hober
17:31:54 ack hober
17:31:55 ack rvaneijk
17:31:56 ack rvaneijk
17:32:20 rvaneijk: Without DNT, there will be enforcement actions in Europe. A lot of people have put hopes on meaningful do not track.
17:32:48 ... We need to make process the next three days. There are two ends of the spectrum: do-not-collect vs do-not-target. We need to find the middle.
17:33:12 ... The statements of the Congressmen and the Chairman on the FTC (?) all push more for the do not collect approach.
17:33:16 ack fielding
17:33:59 fielding: My hope is that DNT does (?) work out. But don't push for DNT on by default.
17:34:04 wheeler has joined #dnt
17:34:22 ... As a protocol editor, I don't want to go through the process of grappling with a DNT by default universe (?)
17:34:24 FTC and the Chairman have said that DNT should be Do Not Collect, with narrow exceptions.
17:34:42 +1 to advocating for "don't track users without consent" but not enabling DNT:1 by default
17:34:57 Roy: If you want DNT to be on by default, ask for that to be the default with *no* signal. Don't mess up the protocol.
17:34:57 ... DNT should express user preference which can't happen by default. There will be regulation on this if this doesn't work, but it will be focused on the default issue (?)
17:35:07 fielding: for advocates, please don't go out there and ask people to turn on DNT by default, instead ask for regulation that DNT be the regulatory default because it won't need changes to the protocol, or any changes to HTTP protocol, the IETF process
17:35:29 spiezle: We need to focus on the consumer perspective. Lacking trust is hurting our business models.
17:35:36 fielding: I expect that regulation would be about tracking of HTTP requests in general, not tied to the default/DNT setting only
17:35:40 +1 to appropriate privacy protections should be the default, but DNT should always be the user's voice.
17:35:52 +1 to that
17:35:58 ... We're going to see legal approaches to protect users if this doesn't work out.
17:36:03 aleecia: Elaborate.
17:36:05 I've never seen any substantiation of this consumer trust meltdown scenario that's so often bandied about as a supposedly compelling need for regulation
17:36:32 q?
17:36:32 spiezle: You'll see increased allegations of contract suits, class action suits for privacy violations. Even if they don't work out, bad PR issues.
17:36:41 ac cspiezle
17:36:46 "even if meritless, will consume a lot of cycles"
17:36:51 ack cspiezle
17:36:54 ack jmayer
17:37:01 jmayer: Want to echo the Apple answer: best answer is getting a standard.
17:37:51 ... But if this doesn't work out, the research community will be more active. They will engage much more with regulators (who right now lack expertise). Increasingly, regulators have built better relationships with advocacy and research community.
17:38:17 ... Regulators will consult with research community on potential regs. Also, research will push more for ad block solutions if this fails.
17:38:33 ... And I don't want that outcome. It would be awful.
17:38:43 WileyS: That happens today even in parallel to DNT.
17:38:53 jmayer: It will be worse if DNT fails.
17:39:01 Bully for Shane for pointing out the obvious: Jonathan's threat to build the ultimate ad blocker, etc will happen regardless
17:39:24 WileyS, AdBlock will stop to block ads complying with dnt
17:39:33 tl: Hope DNT works, but pro-privacy users will find a solution. DNT should not be a default, but we can make other privacy choices as a browser that don't need to be off by default.
17:39:59 can we get some commitments or evidence on this point: that advocates won't need to build or advocate for countermeasures if we come up with DNT?
17:40:02 aleecia: I'm going to put some on the spot --- what happens to your org if DNT fails. Picking on Adobe first.
17:40:46 meme: From an engineering perspective, maybe fielding can say better. But I agree with WileyS, companies will compete on privacy. Don't think that's necessarily the best approach, because you lose the value of standardization.
17:40:51 npdoty, If we have a strong DNT standard, we don't need to.
17:41:10 The research and advocacy communities haven't begun work on technical countermeasures in earnest. I expect the pace of development would accelerate exponentially if DNT fails. Again, that would be a very bad outcome for all stakeholders.
17:41:21 ... DNT is good because users can reasonably expect the same thing. Adobe is looking at competing on privacy, tho, but it takes time. And we will listen to consumers to see what they are asking for.
17:41:39 aleecia: who else can comment with a strong int'l presence?
17:42:08 q?
17:42:24 ack tl
17:42:28 hwest: Globally, we think a strong DNT standard that's not fragmented is incredibly valuable. If we don't have a standard, we'll keep working on privacy (as everyone else will say), but we'd like the reliability of one std where everyone knows what to expect (users and companies)
17:43:12 q+ fielding
17:43:13 aleecia: I am expecting someone to say (which I'm not hearing) is that without a standard, companies need to go country to country.
17:43:14 wheeler has joined #dnt
17:43:15 jeffwilson has joined #dnt
17:43:15 q+ ifette
17:43:20 Sounds like all of the browsers are saying the same thing: DNT is the best outcome, but if DNT isn't a viable option, plan B is technical privacy protections, and we'd rather not have to do that.
17:43:25 ack fielding
17:44:04 fielding: you made an assumption that having a DNT standard will release that pressure. I haven't seen DNT as a fix to cookie law --- when I talk with DPAs in Europe, it's all about YOU NEED TO OBEY THE LAW REGARDLESS OF WHAT THE STD SAYS
17:44:15 q+ kimon
17:44:21 ... which is reasonable. But if DNT doesn't reach those laws, we need to deal with them anyway.
17:44:27 ack ifette
17:44:41 the other nightmare is that if we do this at the W3C, we can publish, listen, learn, discuss, revise, and be global; regulation is not like that, it tends to be publish and walk away.
17:44:56 ifette: But the question is do we need to try to accord DNT to accommodate every law around the world? I don't think that's a good idea, and would be impossible. I want something that protects privacy (reasonably) and is deployable.
17:45:23 ... We'll need to country by country anyway. I take that as a given so we don't need to bog the spec down with every possible legal requirement around the world.
17:45:52 ifette: if there are things we can address cheaply, great; if there are things that are common, great
17:46:12 +q
17:46:17 (briefly, I swear)
17:46:22 WileyS: Another outcome the press has brought up. The escalating war between publishers and browsers. We'll get to a world of apps. You access content pre-packaged in browsers. Each of those "browsers" control their own interaction with their users.
17:46:31 ... I hope we don't get to that.
17:46:47 q?
17:46:53 +q
17:47:03 +1 to WileyS, I think this is an important point on the dangers of back-and-forth escalation
17:47:43 rigo: Quick report from last week's OBA roundtable in Brussels. I positioned DNT as a tool to help you with regulatory compliance. There aren't 27 Robs around the table or 50 Ed Feltens (for the 50 states). A DNT tool can make compliance a lot easier, and the regulators want that too, and is a good outcome.
17:47:44 Wheeler33 has joined #dnt
17:47:53 Shane is exactly right: turning on DNT by default could fundamentally change digital media landscape. everyone here should read and think carefully about "Opt-In Dystopias" by Betsy Masiello & Nick Lundblad http://www.law.ed.ac.uk/ahrc/script-ed/vol7-1/lundblad.asp
17:47:59 ... We should adapt the protocol to address some regulatory concerns.
17:48:16 q?
17:48:27 ack kimon
17:48:35 kimon: Regulators in Brussels stated very clearly that DNT can't fix law, but you should come up with a good technical standard, and we'll take it from there.
17:48:42 but to add to Shane's point, that world may not only be bad in economic terms for the diversity of richness of media, but also for (a) competition and (b) privacy
17:49:13 ... Not very helpful to focus on the legal side. This should really be about users --- what will they expect and use. If we offer a simple solution, users will take it and it will work. We need to address user concerns.
17:49:32 ... signal from Brussels really is DON'T TRY TO CREATE A LEGAL INSTRUMENT.
17:50:24 ack BerinSzoka
17:50:28 BerinSzoka: Briefly, we're talking about a fundamental change in the ecosystem. You should read Opt-in Dystopias to consider the bad results from this world. This will be bad from competition and also for privacy.
17:50:35 susanisrael has joined #dnt
17:50:58 If folks haven't seen the Opt-In Dystopias paper Berin is referencing, it's here: http://www.law.ed.ac.uk/ahrc/script-ed/vol7-1/lundblad.asp
17:51:02 ... In this world, users will have to be opting in to a LOT MORE collection of information. Is that really what privacy advocates want? (Also, less information will be available to users).
17:51:50 q+ jchester2 17:51:51 Marc: Without DNT, much of what we have that works will still be there. There was an AdAge article this weekend that says: "When 3P data goes away, power shifts to those with 1P data." I love my big members with 1P data, but real concerns on pure 3Ps who are at the table and do great things for the ecosystem. 17:51:54 ack Marc 17:52:02 ack jchester2 17:52:06 PG has joined #dnt 17:52:06 I'd like to hear from OPA and publishers, if they're in the room. 17:52:36 q? 17:52:40 jchester2: The ecosystem has already been changed by real time bidding. We have a huge data collection ecosystem that needs to be addressed. And DNT will help address that. And advocates have made huge concessions. We need to get privacy off the table for users. 17:53:16 +1 to Marc on the concern for shifting power by company size or by 1st/3rd, we should be cognizant of this 17:53:29 aleecia: So let's stop repeating points. We've talked about walled gardens and paywalls. We've talked about lawsuits and trust issues. We've talked about arms races with cookie blocking. And we've talked about the problems for a lack of standardization. 17:54:12 ... We've also talked about increased tracking in an opt-in world. And potential for increased regulation (possibly written by folks without good understanding of technology), And increased regulatory attention in Europe. 17:54:17 Ironically, Aleecia is repeating points ;) 17:54:58 q? 17:55:05 ... DNT can be a useful tool for compliance in Europe. And we've heard there will be more enforcement in Europe. Some browsers have said they'll do more if no DNT. And other outlets for DNT, possibly through DAA, FTC, or IETF. 17:55:21 q+ 17:55:42 ifette: Point of clarification. On your (just made) PPT, you say that DAA will be cookie-based only --- I think that DAA wants to go for a different mechanism if this fails. 17:55:44 ack fwagner 17:56:01 FrankWagner: If we have no DNT now, we'll have increased complexity for users.
17:56:13 s/fwagner/FrankWagner 17:56:24 aleecia: What would opt-in look like for your sites? 17:56:28 I do think that the W3C publish-implement-learn-discuss-revise model is hugely better than slow-moving regulatory model (and, I hope better informed in the first place) 17:56:50 +q 17:57:05 ifette: I asked on the mailing list for good examples of opt-in. I was told about the ICO and the FT. The ICO has no third parties, and the FT has "if you don't like cookies, close this window" and 50 are installed regardless. 17:57:16 q+ Wheeler33 17:57:21 aleecia: How do you deal with Euro std if cookies are set before choice? No one has really done this well yet. 17:57:40 ... Maybe DNT can offer some ease there, if regulators might be OK with that. 17:57:49 ack Wheeler33 17:57:55 q+ rvaneijk 17:58:13 Simon has joined #dnt 17:58:37 Wheeler33: Two points. Publishers make a lot of revenue from third parties. The impact will be felt by 3Ps and the publishers. 17:59:02 ... (2) Impact on users. Not clear that users really understand difference between 1P and 3P cookies. Or understand how DNT differentiates. 17:59:10 q? 17:59:30 . . . There's a belief by users that DNT will make behavioral advertising go away, and that's wrong. It will still be done, just through 1Ps. 17:59:47 s/.../. . . 17:59:50 q- 18:00:01 aleecia: You're making a different point. How will it be different if no DNT. 18:00:13 Wheeler33: Without DNT, the money will flow better. 18:00:27 aleecia: That's not clear for all the reasons we've just heard. 18:00:29 q+ tl 18:00:33 Wheeler33: That's my answer 18:00:39 -q 18:00:51 ... AND, not clear that if this really does work, users will be confused because they don't get 1P v 3P.
18:01:03 To Aleecia: I think there are actually three scenarios we need to be talking about here: (i) DNT premised on the default-off consensus of this group, (ii) DNT that is coerced to be default-on (what Wheeler is speaking to), and (iii) DNT fails--which likely leads to #2 by legislative or regulatory means 18:01:03 Why is the speaker not allowed to make his position without interruption by the Chair? 18:01:06 +q 18:01:10 aleecia: To be clear, we're talking about : "In a world . . . without Do Not Track" 18:01:14 ack jmayer 18:01:54 jmayer: BT.com has an interesting approach to cookie law. They drop cookies, but then delete immediately if you don't grant consent. Some regulators might be OK with that. 18:02:35 q? 18:03:12 ... Want to address the economic issues. You're right that 1P and 3P is blurred. The economic impact --- not clear who will suffer. But we can be clear that 1Ps will *really* suffer with AdBlock because with technical solutions, all ads are blocked regardless of party status. 18:03:12 Chris_IAB, he was making a point relevant to what happens if DNT *does* exist, which is not the scenario we're discussing. The speaker was allowed to make his point relevant to the scenario after the interruption 18:03:16 ack BerinSzoka 18:04:16 q? 18:04:34 BerinSzoka: I like Wheeler33's comments. Options are (1) DNT on when default is off, (2) this group breaks down, or (3) DNT on by default. I'm concerned about this last scenario when DNT-on is coerced by Hill or FTC which is different than contemplated by this group. This group needs to stay on track to keep DNT off by default. 18:04:36 sidstamm, it doesn't matter what his point was, it's that he gets to state it without interruption... 18:04:52 aleecia: To be clear, the group isn't saying DNT off by default, it's DNT is *not set* by default. 18:04:58 aleecia: (tiredly) anyone else on this?
18:05:10 I take Aleecia's point, but I don't see how it changes what I said 18:05:16 A few asked for a pointer to my paper on third-party tracking (including some economic analysis). See https://www.stanford.edu/~jmayer/papers/trackingsurvey12.pdf. 18:05:21 let's not get into a semantics war here 18:05:33 rigo: We are all working on the assumption that no one ever changes their browser. But IAB Europe put out a very interesting poll saying that 56% of Euro users delete all their cookies once a month. 18:05:37 dsinger has joined #dnt 18:05:45 BerinSzoka, I think Aleecia was just clarifying; it might help us in the press to clarify that the default question is not a default to tracking, but a default to no preference 18:05:46 But that could just be anti-virus, yes? 18:05:53 aleecia: not really on point. 18:06:11 I think the gentleman was quite clear actually 18:06:24 +q 18:06:29 +1 18:06:31 +q 18:06:47 The w3c solution MUST reflect user preference - without DNT user preference remains with the users 18:06:49 +1 to "more pressure for better cookie management tools if no DNT" from WileyS 18:06:57 WileyS: Another option could be better cookie management tools from the browsers. Especially in Europe to deal with cookie directive. 18:07:14 JC: Disagree with WileyS. Cookies don't work. Need to look at non-cookie options. 18:07:51 q+ 18:07:56 WileyS: We're talking past each other. Rigo's point is more that you may not need DNT since people delete cookies. 18:08:01 ack Brooks 18:08:06 agree - OBA cookie targeting effectiveness drops off a cliff after 30 days 18:08:25 Aleecia - Ian is in the Queue 18:08:39 its ok 18:08:41 q- 18:08:46 Brooks: To rigo's point, the presumption isn't that tools aren't being used, because without DNT people are finding way to express choice today. 
18:08:53 Nick - Ian had raised his hand and was holding the mic when Matthias took it away - could you please add him to the queue 18:09:30 aleecia said ashkan had the last word 18:09:33 it's fine 18:09:34 asoltani: One more observation: one of the benefits of DNT is innovations of tracking will be more accepted. 18:09:50 if there were standards for cookie deletion after a certain time period - would we need DNT? 18:09:55 WileyS: that's actually not what I meant. I meant that people make a choice if we give them a tool to do that 18:10:03 ... Because there will be cross-technology express of preference, new technologies in innovation might be more accepted where DNT off on exception is granted. 18:10:32 I completely agree with Ashkan's point. In other words, in a world without Do Not Track, new tracking technologies continue to result in public debacles. 18:10:34 * aleecia notes that asoltani is a disembodied voice from the ceiling 18:11:37 aleecia: Different people have different concerns. Some OBA companies may not want DNT at all, which is understandable from their perspective. Europe has a particular perspective that we should take into account, though recognize ifette's point that we can't accommodate all legal frameworks. 18:12:31 ... so what happens if we leave here without an agreement? This discussion continues in other forums. We'd do a better job dealing with the issues here rather than fighting on Capitol Hill for the next year and half. Not fun 18:12:38 ... So what are our options now? 18:13:07 q? 18:13:09 ... We had 5 proposals in DC. We whittled them in DC to 2. We've whittled both closer together, but several people are unsatisfied with both. 18:13:10 q- asoltani 18:13:28 Topic: How can we move on? 18:13:41 ... We could write up both in standards fashion, and get comments on both and then adopt the least objectionable. That's not a great result, but that's the default of where we go to.
18:13:49 aleecia: that is the default, but not an attractive option 18:14:10 ... Or we could pick one. Or we could come up with new ones. Or we could go back to other options that sound better now. 18:14:19 ... Or we could fail. 18:14:49 ... So what should we be doing? 18:15:15 q? 18:15:17 ... Looking for guidance from people who aren't proposal authors? 18:16:01 +q 18:16:07 Chris_IAB: I propose that if we want a solution that includes 90+% adoption, we go with WileyS's proposal. It's realistic and based on lots of years of learning and industry experience. 18:16:09 -q 18:16:14 q+ 18:16:24 adoption immediately, i.e. in the next couple months 18:16:30 ... It's realistically implementable by industry. 18:16:30 +q 18:16:39 q? 18:16:57 -q 18:17:28 Maybe we should make like the French Revolution and re-seat after lunch according to which side of the aisle we're on: Shane or Jonathan! 18:17:33 jchester2: There is movement here, There is an understanding that things have to move. Consumers have moved a lot. On 1Ps, we've moved. On defaults, we've made concession. Or logging protocol data, we've moved. And I acknowledge that industry has moved too. 18:17:33 q+ to ask about adoption timing 18:17:34 I think it's important to simply accept that everyone has made significant progress and concessions 18:17:45 hwest, +1 18:18:01 +1 18:18:01 aleecia: I'm reading that as support for the idea of continuing to move toward each other. 18:18:02 ack dwainberg 18:18:03 So let's figure out how to close the remaining gap. 18:19:06 dwainberg: As a distant observer, the group has gotten a bit into the weeds. Rather than horsetrade, we should back up and understand the bigger picture and go from there. And we need to consider the possible unintended consequences. 18:19:17 q? 18:19:24 ack npdoty 18:19:24 npdoty, you wanted to ask about adoption timing 18:19:33 q? 
18:19:42 to clarify the comment that was made after my statement, IAB was not listed as an author on Shane's proposal, but I personally support it 18:19:45 +q 18:19:47 npdoty: Want to follow up on Chris_IAB's point. And the question of how fast adoption will happen. We need to consider adoption rate, and how fast we want to move. Do we want to phase some parts in? 18:20:23 aleecia: Maybe you were suggesting that a phased proposal is the way to go. Phase 1 then Phase 2, etc if they would facilitate compromise. 18:20:30 q? 18:20:33 ack tl 18:20:39 +q 18:20:49 tl: Don't want phased proposal. If folks lag on implementation we have option options as browser (duh-duh-DUH) 18:20:50 +q 18:20:52 ack jmayer 18:21:29 I like the "let's get out of the weeds and see the forest statement"-- Shane's proposal will likely have 90+% industry adoption in no time. Are we here to get a "DNT win" or are we here to keep hashing something out until we ultimately kill it? 18:21:40 jmayer: I want to second the phasing point. To the extent that companies are going to have to implement new tech, totally reasonable to giving cos some grace period to implement if that narrows the gap. 18:21:47 ack erikn 18:21:58 q+ 18:21:59 aleecia: This was discussed on a call and industry didn't really want that approach. 18:22:02 +q 18:22:10 see the forest guys... 18:22:29 erikn: What should we do next? We should focus on text. Talking in abstract not terribly helpful. 18:22:38 +1 to erikn 18:22:47 I've had more conversations with ad companies than I can remember; some really wanted phase-in, others didn't. Mixed response. 18:22:56 erikn: Going through the points will help move us toward the center. 18:23:28 +q 18:23:34 ack rvaneijk 18:23:42 rvaneijk: The proposal I have is to focus on added value of DNT. The WileyS proposal just reflects a lot of what the DAA has already done. Starting at Do Not Target doesn't really focus on the added value of Do Not Track. 18:24:05 ...
We need something extra from this process, not just existing self-reg. 18:24:38 hwest: On phase in, phase out, we can't decide that until we know what spec means. 18:24:41 ack hwest 18:24:50 ack WileyS 18:25:27 q+ on MUST/SHOULD, or iterations 18:25:54 WileyS: I see the counterproposal from EFF as aspirational. I don't disagree with their aims, but will require significant cost and time to get there. We should agree on what we can do now NOW and then work on technical, standardized approach to dealing with the other aspirations in EFF/Stanford/Moz proposal. 18:26:17 ... We should immediately begin working on those issues, and one day they could become the DNT standard. But technology isn't there yet. 18:26:26 I don't think that's reflective of industry 18:26:37 aleecia: So you see your proposal as Phase 1 and EFF proposal at Phase 2 but with no time limit? 18:26:38 In terms of phase one/two and the two proposals 18:26:50 WileyS: we could, suggesting a second round of this Working Group 18:27:04 on "job security" 18:27:08 I'd say this is more like Job than a job 18:27:12 WileyS: Yes, there's no planned Phase 2 for this group, but we should have one. Job security 18:27:15 q+ 18:27:30 aleecia: We could have two standards that come out of this group. 18:27:45 WileyS: I strongly disagree with THAT. Would be too confusing. 18:27:49 q+ 18:27:53 aleecia: How is that not what you just said? 18:28:12 WileyS: It's not responsible to put out the EFF proposal as a standard right now. 18:28:39 ... Too many blanks to be filled in at a future date. Can't reach those aspirational goals today. Two standards might be worse than none. 18:28:52 q+ ifette 18:28:54 ... And eventually that proposal could supplant the interim (?) WileyS proposal. 18:29:14 aleecia: So what you're saying is you like the direction of Jonathan's proposal, but it's not baked yet? 18:29:19 supplant the original DNT, rather than "interim" 18:29:20 WileyS: I don't think it's achievable yet?
18:29:29 s/./?/ 18:29:45 npdoty: Could we bridge the proposal with MUST/SHOULD language? 18:29:51 q? 18:29:54 ack npdoty 18:29:54 npdoty, you wanted to comment on MUST/SHOULD, or iterations 18:29:58 I don't think advocates would be comfortable with that. 18:30:00 schunter_ has joined #dnt 18:30:24 avk ifette 18:30:30 ifette: SHOULDs are problematic in the spec. SHOULDs may create unreasonable expectations from users and regulators. I'd like a spec with all MUSTs. 18:30:30 q+ Lee 18:30:31 -q 18:30:54 I do recognize the concern about SHOULDs, I was only proposing it because maybe it could be an attempt at a middle ground 18:31:04 ... and give people a direction/confidence in a future iteration 18:31:05 rigo: I don't think a version 1 debate will spare us from testing out the pain points of how far industry is willing to go today. Also, big issue of trust --- will industry come back to the room for a rematch? 18:31:16 ack ifette 18:31:16 ... But that said, it's a valid option. 18:31:18 ack rigo o 18:31:19 ack rigo 18:31:24 I agree with Ian. Specs should be musts. Where I suspect we disagree is what the musts should be.. 18:31:32 KevinT has joined #dnt 18:32:03 Fair - amend proposal to "MUST" from Industry proposals and "MAY" for advocate proposal 18:32:05 how about we get a balanced v.1 spec out, see if it works, and go from there? 18:32:14 iterative work 18:32:14 +q 18:32:23 seems rather agile, actually 18:32:26 +q 18:32:26 ifette: As far as a version 2, would be better to circle back. My reading of jmayer et al proposal is "We don't want 3Ps to have a record of your browsing activity." But industry approach is: "We charge based on impressions, and that valid business model can be done without violating privacy." 18:33:27 ... We need to find a way to charge people while protecting privacy. 
jmayer may point to papers, but I think more research and testing needs to be done to make sure CPM (etc) model can be done with privacy respected but without rampant click fraud, etc. 18:34:00 aleecia: We could have two last call docs, first the WileyS approach, and second the jmayer proposal that folks will have to get to eventually (?) 18:34:05 ifette: wait for a certain successful deployment of a technique, and only then standardize that as an additional version [am I capturing that right?] 18:34:06 +q Arvind 18:34:10 schunter2 has joined #dnt 18:34:28 ... that's in line with what you propose, to spend more time on the jmayer proposal but to implement what can be done today TODAY 18:34:44 ifette: I want to make sure that jmayer approach is implementable before we put it in Last Call. 18:34:56 q+ Alan 18:34:59 ... I can't vote yes on a LC until I know it's implementable. That's my bottom line. 18:35:00 Last call should not be fragmented, IMHO 18:35:14 q+ 18:35:19 q? 18:35:28 q+ 18:35:48 yes, this is susanisrael 18:35:59 SusanIsrael: I agree with that. We should implement what we can now while committing to work on the harder options. But it's somewhat unclear, which is why we can't put in a LC document today. But would like to have a commitment to work on another LC later. 18:36:00 Speaking from experience (CableLabs has put out a lot of successful specs) any spec will need revision as technology changes. Need to get something out that can be used now. 18:36:09 q- lee 18:36:15 ack tl 18:36:17 +q 18:36:18 q+ jchester2 18:36:27 q- 18:36:52 +q 18:36:56 +q 18:37:08 tl: Let's presume the only thing we're concerned about in 3Ps having total view into browsing activities. If they can do what they want to do without that, great. But if they can't, those are illegitimate business models. (Don't want to bless short-term?) 18:37:10 susanisrael, I'm curious how we could phrase those commitments 18:37:13 ack jmayer 18:37:57 jmayer: This may be soundly rejected.
But it may be worth it to have a very difficult conversation on PETs. It will be very technical and uncomfortable, but there are some wonderful technical people in this room who can chart a way to move the ball forward. 18:38:09 aleecia: Yeah, we often do that, and we usually disagree. So that gives me pause. 18:38:14 ack Arvind 18:38:57 Arvind: The researchers have done all the necessary research to find privacy-protective ways to achieve your business models. But just saying "Hey, we need new research." 18:39:03 are there ways to encourage iterations to move forward without waiting for a new standardization effort? could we say "best available and feasible efforts"? 18:39:04 ... isn't fair. 18:39:40 q- 18:39:50 Alan: Not saying that we need new research. Question about whether Google, Yahoo!, etc can implement. But concerned about two standards. If we have two, regulators are going to want to require Version 2 right away. 18:39:59 ack Alan 18:40:13 ... Unless we bend over backward to say that Version 2 is not implementable today (which some would object to!) concern with two different standards. 18:40:13 ack Alan 18:40:18 ack Chris_IAB 18:40:46 q+ 18:40:59 Chris_IAB: Clarifying earlier statement. Want to be clear that we can't boil the ocean. Over the last two years, I've created technical spec with IAB. Any company that subscribes to agile development would say let's put out now what works, test, iterate, and then evolve the spec. 18:41:26 ... That's how it works on the industry side, and by and large, everyone has over time adopted v1, v2, v3, etc. 18:42:01 ... By boiling the ocean, you stop something from getting to consumers. Getting something workable today is a win for DNT and advocates. We'll find out from v1 if we need to do more. 18:42:15 ... If there are complaints, then we start a new working group.
18:42:29 amyc has joined #dnt 18:42:29 +q 18:42:41 is there a clear way for us to determine exactly how many complaints are necessary to support a new iteration? 18:42:44 ack jchester2 18:42:46 q+ 18:43:23 jchester2: I appreciate what WileyS and ifette are saying, it just won't work to have a phased-in approach. Regulators and advocates want a reasonable standard TODAY. Industry approach as is is unacceptable. Let's get the proposals closer together and continue to evolve. 18:43:53 ... Won't be acceptable to say "let's do an OK approach and then wait ten years and fix later." 18:43:58 q? 18:44:05 18:44:10 Chris_IAB, it's hard to focus on the conversation when you keep interrupting. Could you please add yourself to the queue? 18:44:45 aleecia: Why aren't we just putting the two docs out for vetting? Because both are objectionable to a large swath of folks. 18:44:53 BrianH has joined #dnt 18:45:08 ... Has anyone moved from "Can't live with" to "Can live with" on either of these proposals? 18:45:19 jmayer, sorry, I was following your previous examples :) 18:45:33 ... No one seems to have moved. 18:45:36 "easier to live with" 18:45:40 but in any case, I believe the scribe got it right here, so go ahead and read up 18:45:51 +q 18:46:08 +q 18:46:13 ... We are still in the world of pain. If we flip a coin, either way we lose. And we've received feedback from regulators around that world that industry proposal is not sufficient. 18:46:30 I'm also in the category of not being familiar with all the details of latest proposal from Shane 18:46:32 ... And we've had feedback from jmayer standard that current proposal is not implementable. 18:47:05 ... So we fifteen minutes. No one has any bright ideas. 18:47:18 Why not Zoidberg? (CDT proposal) 18:47:56 justin, maybe we could do a comparison or merge of the CDT proposal with the latest from Shane et al. and Jonathan et al.? 18:48:13 rigo: There are some pain points. The pain points are not as bad as some might have us believe. 
Seeing the differences in details will help advance us significantly 18:48:46 ack BerinSzoka 18:48:52 BerinSzoka: No cost opt-outs don't scale. 18:49:18 sean has joined #dnt 18:49:19 mischat has joined #dnt 18:49:25 ... It seems to be that we are all here because we've assumed that we're assuming a certain low opt-in-to-DNT threshold. 18:49:40 aleecia: scolding BerinSzoka for not staying on topic. 18:49:44 ack hwest 18:49:51 Q+ 18:49:59 q+ 18:50:04 q+ 18:50:19 hwest: A lot of us have a problem with multiple LC docs. We very much don't want a fragmented approach, and that's what two LCs does. 18:50:44 aleecia: Does anyone really want multiple LC docs? (No one raises hand) 18:50:45 ack efelten 18:50:47 ashkan: i will unmute you 18:50:48 q? 18:51:09 efelten: We only get ONE bite at this apple. When we get a consensus proposals, then all the forces we talked about earlier come into play. 18:51:18 ... Echoes erikn's point that we need to focus on text. 18:51:22 q+ Alan 18:51:41 ... Let's talk through nuts and bolts and stop claiming "everyone want this" and "no one wants that" 18:51:53 +1 18:51:54 efelten: a focus on text 18:52:03 asoltani: Echo idea that merging the proposals is the best way to go given the political pressure. 18:52:09 ack asoltani 18:53:01 ... Maybe we should have DNT-beta --- you can respect one of two proposals. Let consumers opt for which one they want. We'll then have metrics as to what people want. It's a little bit complicated, and not necessarily the right idea, but could work as a back-up plan 18:53:03 +1 to ashkan, W3C can organize joint development around DNT v.2 Beta if this has sufficient support 18:53:04 Wasteful suggestion - doubles implementation overhead 18:53:06 Let's focus on moving forward instead of the "what if it doesn't work" ideas 18:53:40 aleecia: And of course, you might see different treatment of users, because users might see firewalls, paywall, etc. So not a survey but test of different implementations. 
18:53:49 +1 to WileyS on this point! 18:53:50 q? 18:53:56 I rather see one DNT then forked versions. 18:54:29 aleecia: This testing assumes that good data would actually change anyone's mind! 18:54:36 +1 hwest ... phased deployment and versioning adds confusion and implementation overhead 18:54:48 -q 18:54:54 rigo: W3C can organize this testing. 18:54:57 q 18:54:59 s/then/than/ 18:55:01 ack ifette 18:55:08 susanisrael: you have to add a + to q 18:55:17 +q 18:55:49 I think Ashkan was talking about not getting behaviorally targeted ads, like "Do Not Target" 18:56:00 ifette: I understand asoltani's basic point. But I don't think that anyone in this group would be willing to offer and support a "Do Not Advertise To" signal and continued to offer free content. Users need to see consequences. 18:56:05 clarification: DNT:0 = unset, DNT:1 = shane's proposal , DNT:2 = eff/mozilla 18:56:44 if many people send DNT:2 but sites only support DNT:1, then we need to revisit 18:56:52 ... Key point: Don't see how we can implement jmayer's approach without significant hit to revenue. Until we get to the point that we're comfortable with understanding the economic impact, you won't see implementation. 18:56:55 'until we actually get to the point where people are confident on the effect (in terms of revenue) they aren't going to implement' 18:56:59 asoltani, how do users express consent for tracking (as per each proposal)? negative numbers? 18:57:30 ... The industry proposal, we understand what we think the impact is going to be. Not knowing the impact is holding back the jmayer proposal? 18:57:40 q? 18:57:45 aleecia: So what do you propose to get industry to get data? 18:57:48 ifette: need to be able to show the impact of a proposal, details on data 18:58:06 ifette: Get a big third party to implement it and publish the results. 18:58:15 Well said, Ian. 
When I said that "No Cost Opt-Outs Don't Scale," this is precisely what I was talking about: not just the default question but also the question of users making choices that don't reflect real-world tradeoffs inherent in exercising DNT 18:58:59 sid: settings needs to have 4 states. unset, allow tracking, opt-out of targeting, opt-out of collection 18:59:17 ... jmayer keeps saying that client-side scales. Google has bought companies who had this business model AND IT DIDN'T SCALE. We've really tried. So this is why I'm skeptical. I understand aleecia's desire to move forward, but we have no data points to say how jmayer model will work. 18:59:29 q? 18:59:46 aleecia: But none of this has seen proven data point that this will work. 18:59:56 I think W3C can offer a framework and platform to test out stuff, organize research, help with acquiring funding for advanced development and test things out 19:00:00 asoltani, thanks 19:00:03 ... we're low on time. If you have a new point, then you can talk. 19:00:24 +1 19:00:27 +1 - this will be an iterative process if it's going to succeed 19:00:40 Alan: Not sure we only have one bite at the apple. We may be able to finesse this to allow iterative approach that satisfies everyone. 19:01:07 kind of stable + unstable approach and moving 19:01:46 tlr: Timing is slipping --- need to figure out what to do about charter. 19:01:47 my +1 was to the idea that this will be an iterative process. That was my point rather than the fact that only one proposal is acceptable. Let's work through text, do what we can agree on, and agree to keep iterating 19:02:24 ... Current working assumption is that at some point we'll announce an extension of the charter without a change to the scope of the charter. 19:02:36 Thanks for taking great notes justin! 19:02:37 ... If there are changes to the scope that people think are important or desirable, come talk to me. 19:02:41 ... Enjoy your lunch. 19:03:38 drinks tonight: Tracktinis for all! 
19:18:15 fwagner has joined #dnt 19:29:25 randomwalker has joined #dnt 19:40:09 johnsimpson has joined #dnt 19:46:27 dwainberg has joined #dnt 19:53:54 KevinT has joined #dnt 19:54:34 Joanne has joined #DNT 19:55:36 npdoty has joined #dnt 19:57:25 WileyS_ has joined #dnt 19:59:10 Joanne has joined #DNT 20:01:34 hwest has joined #dnt 20:01:47 jeffwilson has joined #dnt 20:03:42 aleecia has joined #dnt 20:03:56 Time to get started again... 20:04:05 tl has joined #dnt 20:04:54 adrianba has joined #dnt 20:05:45 vincent has joined #dnt 20:06:00 rvaneijk has joined #dnt 20:06:18 scribenick: jmayer 20:06:28 aleecia: talking about user agents 20:06:37 ... talked before, day before microsoft announcement 20:06:40 egrant has joined #dnt 20:06:45 ... mostly about anti-virus software now 20:06:49 amyc has joined #dnt 20:06:53 ... some language in TPE, not Compliance 20:06:59 ... looking at a couple issues 20:07:08 bryan has joined #dnt 20:07:11 alex has joined #dnt 20:07:29 npdoty: new users, here's how to join irc 20:07:35 s/users/members/ 20:07:35 justin has joined #dnt 20:07:44 npd has joined #dnt 20:07:50 aleecia: thanks 20:07:53 meme has joined #dnt 20:07:57 ... help available if you need it 20:08:01 samsilberman has joined #dnt 20:08:01 ... back to issues 20:08:13 BerinSzoka has joined #DNT 20:08:13 ... not talking about ISSUE-150 20:08:15 efelten has joined #dnt 20:08:25 s/not// 20:08:28 ChrisPedigoOPA has joined #dnt 20:08:30 ... start there 20:08:50 A given device may have multiple sources of user preferences, for example a browser could have a DNT user setting, plus an add-on or plug-in could have a DNT user setting. One DNT choice must be sent. We do not specify how conflicts are resolved. 20:09:07 ... decision that while there might be conflicting user choices on a device (e.g. browser + plugin/addon), leave it to those sources of preference to resolve 20:09:12 ... language pasted in irc 20:09:28 ... 
looking to get consensus, hear dissent 20:09:35 tl: middle part should be normative 20:09:40 q+ 20:09:40 s/be/not be/ 20:09:45 +q 20:09:51 q- 20:09:52 -q 20:09:53 q= 20:09:55 q+ bryan 20:09:55 aleecia: move to example section? 20:09:57 q+ hwest 20:09:59 tl: ok 20:10:00 -q 20:10:13 cSpiezle has joined #dnt 20:10:24 aleecia: npdoty is editing in realtime 20:10:47 jchester2 has joined #dnt 20:11:09 ... proposal: new paragraph with former middle part, example section 20:11:17 q? 20:11:22 vinay has joined #dnt 20:11:35 dwainberg: doesn't this interact with the defaults discussion? 20:11:50 Marc has joined #dnt 20:12:00 q+ 20:12:05 aleecia: yes, for example, if mozilla doesn't have DNT on by default and a plugin does, they have to reconcile 20:12:15 ... could imagine the same by IE 20:12:35 ... up to user agents to resolve conflicts 20:13:00 ... in other words, it're related to defaults, but a separate discussion 20:13:01 fielding has joined #dnt 20:13:04 q? 20:13:14 *s/it're/it's/ 20:13:20 q- Chris_IAB 20:13:22 q- sean 20:13:28 q- Alan 20:13:32 ack bryan 20:13:32 20:13:39 Re "One DNT choice must be sent", does that mean any and all Web user agents (any Web-enabled application) must send the same value for a particular default or domain? Multiple UAs/apps in a single device would need system-level support for that. Any device that did not provide such support would be inherently non-compliant. Is that what is intended? 20:13:44 q? 20:14:05 q? 20:14:08 bryan: asking question pasted in irc 20:14:28 aleecia: how about rephrasing, you must not send more than one DNT value per request 20:14:46 bryan: to be clear, we're not saying every user agent / app has to have the same setting 20:14:49 aleecia: right 20:15:00 Would a program setting DNT outside the UA, e.g. injecting into the http request, be an "intermediary"? 20:15:14 hwest: concerned about a different issue 20:15:20 sean has joined #dnt 20:15:23 ... but related to defaults 20:15:32 ... 
if this is just about sending only one value per request, ok 20:15:32 q? 20:15:40 aleecia: ok, yep, seemed an easy point of consensus 20:15:43 ack hwsest 20:15:47 ack ifette 20:15:49 ISSUE-150? 20:15:49 ISSUE-150 -- DNT conflicts from multiple user agents -- raised 20:15:49 http://www.w3.org/2011/tracking-protection/track/issues/150 20:15:49 ifette: what about identifying who set the preferences? 20:15:58 aleecia: that's ISSUE-143, a separate discussion 20:16:01 ack hwest 20:16:19 keerat has joined #dnt 20:16:24 ifette: less fine with this if information about attribution isn't there 20:16:29 BrianH has joined #dnt 20:16:39 tl: don't like notion of attribution, adding lots of information to user-agent 20:16:47 aleecia: again, ISSUE-143, another conversation 20:16:55 q? 20:17:03 aleecia: group ok with text? 20:17:08 efelten has joined #dnt 20:17:15 20:17:22 ... moving on to ISSUE-149 20:17:31 I think the group will need to confirm that we're ok with that text once we address 143 20:17:34 ... roy added language about on vs. off vs. unset 20:17:48 ISSUE-149? 20:17:48 ISSUE-149 -- Compliance section for user agents -- raised 20:17:48 http://www.w3.org/2011/tracking-protection/track/issues/149 20:17:53 ... section 3 in tpe, determining user preference 20:18:07 ... comments? 20:18:11 scribenick: rigo 20:18:12 q? 20:18:17 scribe: rigo 20:18:34 q+ 20:18:57 +q 20:19:27 HeatherWest (HW): two choices may not be sufficient. Alternative to unset or only two 20:19:41 q? 20:19:50 s/HeatherWest (HW)/hwest/ 20:20:02 +q 20:20:12 AM: minimum of two is currently in the spec 20:20:36 HW: we have an open issue on that. Not fixed yet 20:21:23 AM: show of hands of 20:21:36 Roy: this is what the choice that is offered to the user 20:22:22 MTS: questions: Does not allow for a german user "an" "aus"? and a tool that only send DNT:1 20:22:22 fwagner has joined #dnt 20:22:53 ... so even a tool that only sends DNT:1 must be able to be switched off 20:23:12 q? 
20:23:28 npdoty: even with the current text that would require at least on and off 20:23:49 jmayer: does that mean that uninstall is sufficient? 20:24:32 Or if the browser offers a "Disable" option, is that enough? 20:24:34 HW: DNT should fully implement the Specification 20:24:47 AM: is it sufficient to remove tool 20:24:50 HW: no 20:24:56 what if the notice is in the privacy policy? 20:25:00 That's not in the spec yet. 20:25:10 in for example, http://www.google.com/policies/privacy/ 20:25:16 I think this conversation is conflating different issues: notice, defaults, choices, ... 20:25:29 +q 20:25:38 q+ 20:26:02 ack adrianba 20:26:33 adrianba: 1/ lot of discussion about tools and add-ins. user agent has the collective thing that user uses, including all plugins 20:27:06 ack jmayer 20:27:11 2/ spec talks about the ua have to offer choices, but UI is out of scope. 20:28:04 q+ 20:28:10 jmayer: language proposal: instead of offer (user agent has to do something) "a user must be reasonably able to ". Any tool must be able to put the user in one of those states 20:28:12 +q 20:28:12 s/UI is out of scope/offer is not defined (how choices are offered is out of scope)/ 20:28:15 MTS liked this 20:28:18 ack tl 20:28:27 hwest, can you elaborate why we should prescribe that a privacy-protective add-on must be able to send DNT:0? What's the point? 20:28:50 +q 20:28:59 tl: dislike this. If I have my add-on to only should send DNT:1. 20:29:00 q? 20:29:10 That's totally fine. 20:29:23 I have no problem with a DNT:0 add-on that doesn't send DNT:1 20:29:25 q? 20:29:30 +q 20:29:33 ack ifette 20:29:45 If it's installed deceptively, I am comfortable informing the FTC about this add-on. 20:29:55 justin +1 20:29:59 aleecia: would you be comfortable having an add-on that only makes DNT:0 headers? 
20:30:00 ack ifette 20:30:02 tl: yes 20:30:33 -q 20:30:41 +q 20:30:42 If the user can turn off an add-on in their user agent then the user agent (as a whole) offers a way of turning the signal off 20:30:45 Ian made my point (individual vs. collective) 20:30:54 justin, it's the DNT0 plugin example - would you be ok with that? What if it's loaded without user interaction? 20:31:11 hwest, yes I'm fine with a DNT:0 plugin. 20:31:13 ack erikn 20:31:18 -q 20:31:24 +q 20:31:24 ifette: agree with Jonathan (laughter). User must be able to express on off or unset. If we look at individual tool then must be able to express all. If the entire environment (adrianb's point) then should be sufficient 20:31:28 If it's loaded without user interaction, I look forward to the cy pres award funding my work for the next several years. 20:31:42 q? 20:31:58 erikn: does DNT:0 have to be supported? 20:32:12 q+ 20:33:12 ack jmayer 20:33:13 AM: what requirements on what you want send, what is the minimum bar we have 20:33:33 can we just delete the whole paragraph? user choice requirement is present above 20:33:49 ack BerinSzosa 20:33:59 ack BerinSkoka 20:34:16 ack BerinSzoka 20:34:20 q+ 20:34:31 q+ 20:34:35 hober: does a UA have to do 3 options, that is distinct from the UI question of how to present that. People are concerned about limitations on UI to must be able to express 3 states 20:34:42 I think you skipped BerinSzoka 20:35:05 yes 20:35:19 noted 20:35:19 I just wanted to know how this conversation intersects with negotiations between sites and users 20:35:25 q+ 20:35:36 ack tl 20:35:40 tl: some UA like tor browser -> defaults on high privacy. tor - browser will not offer dnt:0. Should they be non-compliant 20:35:45 might sites offer plugins to turn off DNT:1, for example? 20:36:29 This seems like a different point. 20:36:31 BerinSzoka: ?? 20:36:36 ack tl 20:37:01 q?
20:37:20 ack rigo 20:37:36 +q 20:37:45 jmayer: practical impacts 1/ if we set must on DNT:0 every single implementation is non compliant 20:38:00 2/ there is a UI implication, you have to have a choice 20:38:18 (a choice that can't be a checkbox) 20:38:22 my question simply put: It's important to me that we don't do anything to thwart negotiations between sites and users because, as I said before, no-cost opt-outs don't scale. So my specific question is: Might sites offer plugins to users as an easy way of either turning off DNT:1 OR creating an exception for their site/network as a quid pro quo to gain access to content? 20:38:24 I don't think anyone is saying that DNT:0 needs to be presented clearly and prominently --- just that it needs to be available. 20:38:27 3/ same semantics could be done out of band 20:38:40 q? 20:39:14 BerinSzoka, plugins aren't how sites will do negotiation. We have separate mechanisms for allowing the negotiation you're discussing (in-band and out-of-band consent). 20:39:42 BerinSzoka, I mean, they can require a plug-in if they want to, but there are easier ways. 20:40:02 MikeZ has joined #dnt 20:40:31 ack ifette 20:41:30 rigo: need for on off unset needed for consent. Also the ecosystem is a bundle with the 3 options 20:41:36 q- 20:42:06 +q 20:42:11 I would strongly object to saying that DNT:0 must be as prominently offered as DNT:1 20:42:27 ack Brooks 20:42:28 ifette: good to have concerns, but requirement is limiting to the point that a user shouldn't be forced to uninstall, symmetry of turning on and off being equally painful or easy 20:43:18 brooks: AVG and so on: none of those are UAs, so should we accommodate. "Able to do HTTP request". 20:43:29 AM: how does that affect 20:43:38 Ian, is this what you're talking about?

20:43:39 A user agent MUST make it equally easy to configure their agent to each of a minimum of {two|three} choices for a Do Not Track preference. 20:43:40

20:43:43 ack Chris_IAB 20:43:49 q+ 20:43:56 brooks: AVG is just changing an entry in the registry, not issuing HTTP request 20:44:36 aleecia: different issue that we take differently? 20:44:43 brooks: it is bundled 20:45:08 -q later 20:45:18 aleecia: re-defining user agent is not next 15 min 20:46:05 rigo: tie it to ISSUE-151 because it also requires exception mechanism to be present 20:46:25 ISSUE: what are the implications on software that changes requests but does not necessarily initiate them? 20:46:25 Created ISSUE-153 - What are the implications on software that changes requests but does not necessarily initiate them? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/153/edit . 20:46:31 AM: tools that change settings, but do not issue HTTP requests 20:46:33 ack adrianba 20:46:53 q+ 20:46:54 -q 20:46:56 adrianba: disagree that symmetry of UI is essential. We should be free to compete 20:47:32 who took me off the q? 20:47:34 q? 20:47:35 q- 20:47:39 s/disagree that symmetry of UI is essential. We should be free to compete/I disagree that symmetry of UI is necessary. I think how options are offered to a user is up to the user agent. Products should be free to compete on this basis./ 20:47:43 q+ 20:47:45 dwainberg: are we in issue freeze? 20:47:48 schunter acknowledged you a bit earlier, Chris 20:48:05 what? 20:48:09 aleecia: only at last call 20:48:10 I never got to speak??? 20:48:23 he acked you on IRC earlier. Seems he didn't follow that with a microphone. 20:48:41 I have been waiting patiently, with a microphone 20:48:47 in hand 20:48:49 aleecia: 1/ on off unset 20:49:08 2/ implicit on off by uninstall 20:49:16 q? 20:49:23 3/ on off unset per entire system 20:49:27 thanks, so someone removed me from the speaker q before I could talk 20:49:51 aleecia: started with 2 options, nobody supported that 20:49:54 jchester2 has joined #dnt 20:50:13 q? 20:50:22 q+ 20:50:43 q- in 20:51:34 q? 
20:51:34 so opposition between one option and three options 20:51:37 q? 20:52:18 adrianba, was your point that we could leave this paragraph out and leave it up to the UA? 20:52:31 4/ need on and off and unset and same level of effort to set on, off or unset 20:53:35 q+ 20:53:41 q? 20:54:06 ifette, So on the symmetry point, you think we should prescribe that upon install (or in settings), everyone would need to offer equally weighted options for "do you want to tell websites not to track me" and "alternatively, do you want to tell websites they can track you all the time"? We want to put that in the spec? 20:54:12 q? 20:54:45 Chris_IAB: question to tl: What exactly is the problem with disabling the feature. What is the rationale not being able to set off 20:55:12 tl: we should not increase complexity of simple tools 20:55:33 ... browser add on will just turn on DNT:1 20:55:48 q? 20:55:51 q+ 20:55:51 ack Chris_IAB 20:55:57 q- 20:55:58 what is being referred to as "the whole ecosystem"? if by this it's meant (as Rigo suggested) that a system-level setting MUST be provided for all user agents on the device, that is *possible* but is unlikely to be *enforceable* given the diversity of devices, UA types, and Internet software stacks. 20:55:59 +q 20:56:02 ack bryan 20:56:10 queue closed 20:56:10 -q 20:56:21 does "Keep My Opt Outs" satisfy the principle of user choice? 20:56:22 but here's my question: What happens when a user running the DNT:1 plugin tries to negotiate with a site to get access to content? Will the user have to remove that plugin on his own before getting access? 20:56:32 if so, won't that frustrate negotiation? 20:56:43 Nick, no, Keep My Opt Outs is a blunt tool - my understanding of this working group was to have a more effective, nuanced tool rather than a blunt object a la existing tools 20:56:50 q? 20:57:04 BerizSzoka, no 20:57:14 I ask in ignorance 20:57:16 how would this work? 
20:57:41 would the exception negotiated by the site simply supersede the general preference set by the plugin? 20:57:50 BerinSzoka, The industry proposal requires that UAs need to be able to handle exceptions. 20:58:19 ok, so to respond to Tom: the plugin wouldn't "just" set DNT:1; it would also have to allow exceptions 20:58:20 aleecia: bryan wants to have a setting per user agent, not per device 20:58:21 right? 20:58:53 ifette: should not be limited to DNT:1 tools. 20:58:58 aleecia: 20:58:59 BerinSzoka: Yes. Add-ons can break things. If I installed an add-on that disables cookies, that would likewise break things. I don't think sites should be able to ignore preferences that come from simple tools. 20:59:08 1/ user agent must be able to do one choice 20:59:19 BerinSzoka, I think tl's assumption is that the browser will be able to handle the exceptions. I do not believe that the advocate proposal requires dealing with exceptions. 20:59:20 2/ three choices on, off, unset 20:59:20 Also, I am not in favor of the industry proposal. 20:59:43 3/ 3 choices with equal effort of setting of all 20:59:43 efelten has joined #dnt 21:00:00 so, Tom, just to make sure I understand clearly: you envision plugins that would make negotiation impossible because they couldn't process exceptions? the user's only recourse would be to uninstall the plugin that "breaks things?" 21:00:14 tl: only signal on the wire 21:00:39 ... should not specify user must configure. Signal means the user has made a choice if you see the signal 21:00:54 ... nothing represents my opinion, not the first 21:01:11 +1 to Tom's suggestion: we should talk about expressions over the wire and not how they have to be manageable in UAs 21:01:19 .... would delete the sentence. Must reflect the users choice ... and no sentence on offer choice 21:02:03 dwainberg: where do we make that choice? 
OS, UA, ecosystems 21:02:14 aleecia: we talked about plugins, user agents 21:03:03 aleecia: something that can change the value of an HTTP request is one issue 21:03:11 dwainberg: want to get that first 21:03:17 aleecia: will re-open later 21:03:28 sorry if this is resolved, but to the point david is making, is it possible that different user agents could be treated differently? and have different requirements? 21:03:50 q? 21:04:39 jmayer: question: there may be a substantive difference: around when a browser claims compliance with the spec, we want at minimum to express DNT:1 21:05:23 ... difference is that it would be installed and does just that 21:05:54 q? 21:05:59 I think this discussion is whether or not we want to have blunt tools or fleshed out tools 21:06:02 aleecia: what is threshold for sufficiency... 21:06:05 ian: want to speak? 21:07:24 I think the inability to nail down what a user agent is (e.g. in terms of the diversity of ways in which Web-enabled clients can be built and deployed), indicates that the best approach is to remain silent on this UA configuration point. 21:07:31 aleecia: straw poll 21:07:42 silence: 14 hands 21:07:57 ack silence 21:08:02 ack 14 21:08:47 23 for three choices 21:08:47 for rough magnitude, we're fine 21:08:54 14 for one choice 21:09:24 aleecia: if you can't live with one choice 21:10:00 7 people can not live with silence 21:11:04 can not live with 3 choice 16 21:11:16 aleecia: fairly even split 21:11:25 And that's not even accounting for required symmetry! 21:12:19 +q 21:12:40 q? 21:15:00 "Do you prefer 2 over 3?" This is like having an argument with your ophthalmologist! "Better 2, or better 3? 21:15:07 aleecia: action or just copy and paste? 21:15:16 q? 21:15:20 ? 21:15:22 q? 21:15:58 q? 21:16:22 action: aleecia to issue a call for objections on symmetry/minimum number of choices 21:16:22 Created ACTION-214 - Issue a call for objections on symmetry/minimum number of choices [on Aleecia McDonald - due 2012-06-27].
21:16:33 Resolution: MTS and Aleecia will issue a call for objections 21:16:34 q? 21:16:44 q- ifette 21:16:44 ack ifette 21:16:47 q= 21:16:48 q- Chris_IAB 21:16:52 q- 21:16:58 ============= 21:17:32 aleecia: We had 8 page table and had an incredible amount of agreement 21:17:39 ScribeNick: ifette 21:17:51 Aleecia: Back in DC we had lots of tables where people had a lot of agreement, and a few disagreements 21:18:01 … we were going to write this up, Aleecia ended up doing this 21:18:10 … would like to work through this as much as possible, do some live editing 21:18:12 http://w3.org/2011/tracking-protection/drafts/combo-draft.html 21:18:17 … and get pieces we appeared to be near consensus to actual consensus 21:18:21 … this "should" be easy 21:18:25 Cspiezle_ has joined #dnt 21:18:50 … going to skip to Section 2, information practices for all parties 21:19:16 q? 21:19:18 … going to go through this, please scream/q+ if you want to speak against something 21:19:22 q? 21:19:25 … additional voluntary measures (reads) 21:19:43 … reads 2.2 user permission and consent 21:19:52 q+ 21:19:56 q+ hwest 21:20:02 i would like to return to some of these definitions at some point as i believe they are not as precise as intended. 
21:20:26 ack 21:20:33 hwest: how granular do you want to get 21:20:37 aleecia: want this to be the language in spec 21:20:39 hwest: well then 21:21:02 … first sentence, consensus was closer to "a party is not bound by these requirements" as opposed to "a party may now do these things" 21:21:04 aleecia: ok 21:21:25 hwest: an out of band consent for option b (just say "an out of band consent") 21:21:33 … we need to be clear/consistent around "consent" vs "choice mechanism" 21:21:42 aleecia: "choice mechanism" will probably cause us less problems 21:21:56 +q 21:21:57 hwest: a party is not bound by these guidelines if a user grants an exception to that party/parties 21:22:01 ack hwest 21:22:19 tl: disagree, out of band consent may not be "please ignore my dnt signal" 21:22:23 q? 21:22:28 hwest: fine with language "as granted by the user" 21:22:34 aleecia: please, IRC 21:22:43 … ya'll (hwest+tl) work on that 21:22:50 q? 21:22:54 rigo: assumes permission and consent, out of band, we have two 21:22:57 "A party is not bound by these requirements and guidelines to the extent that a user grants an exception to that party or parties" 21:22:59 … for dnt:0 we have in-band consent 21:23:05 tl, does that work for you? 21:23:09 aleecia: you're saying we have a and b but there should also be c 21:23:12 What's the URI of the doc that npd is editing? 21:23:13 … i understand 21:23:24 q?
21:23:25 … (third option for you receive dnt:0 not by an exception but because the UA is sending dnt 0) 21:23:39 tl, http://www.w3.org/2011/tracking-protection/drafts/combo-draft.html 21:23:40 aleecia: thx 21:23:45 … think jmayer next 21:23:54 ack jmayer 21:24:00 jmayer: since we're discussing language, don't intend to substantively change meaning but instead clarify 21:24:08 … sites may override dnt preference if they receive explicit informed consent 21:24:11 … seems contradictory 21:24:27 Reception found a pair of sunglasses 21:24:33 … propose party may engage in info practices otherwise prohibited by this specification if a) b) c) 21:24:46 npdoty: can I combine with heather's sentence? 21:24:53 aleecia: same idea 21:25:05 Here's what I just read: "A party MAY engage in information practices otherwise prohibited by this recommendation..." 21:25:20 XA: don't understand MUST vs SHOULD here 21:25:26 q? 21:25:30 … when seeking an exemption, sites MUST communicate these requests clearly 21:25:37 s/XA/johnsimpson/ 21:25:55 fielding: MUST is a hard requirement, won't occur successfully without this 21:26:06 … SHOULD is MUST unless you have a good reason not to 21:26:08 q? 21:26:12 … read RFC2119 21:26:27 http://www.ietf.org/rfc/rfc2119.txt 21:26:49 … in SHOULD case there may be good exceptions but you don't know them a priori, for MUST you have to list the exceptions apriori 21:26:52 Everyone should read RFC2119 21:26:55 mischat has joined #dnt 21:27:01 +1 re RFC 2119 21:27:09 q? 21:27:10 http://www.ietf.org/rfc/rfc2119.txt 21:27:14 npdoty: reads 21:27:57 hwest, how about: When a user provides a party or parties with an exception to one or all of these requirements and guidelines, that exception overrides their DNT signal.
21:28:30 schunter: should be more general, through other means 21:28:35 q+ 21:28:36 aleecia: oob consent handled in other doc 21:28:36 +q 21:28:39 As I have noted before, approval of the language around consent for UGEs needs to be dependent upon approval of the language around consent for UAs to set DNT:1 in the first place. The point is worth noting, but I don't want to interrupt the convo . . . 21:28:44 q? 21:28:57 rigo: Matthias says this section doesn't apply, but we then don't get to meaning of dnt0 21:29:01 … may be tweaking necessary 21:29:09 … in another section we may want to define what dnt0 means 21:29:15 q+ 21:29:17 … have to make sure this section doesn't contradict the other one 21:29:20 aleecia: open issue 21:29:26 q? 21:29:32 q- 21:29:46 ack jmayer 21:29:52 ack tmayer 21:29:57 ack jmayer 21:30:01 jmayer: party is not bound by requirements in this section - presumably there are things not just in this section that applies 21:30:07 … anyhow "this section" seems ambiguous 21:30:15 … believe intent is anything prohibited in the doc is now allowed 21:30:21 … haven't discussed level of specificity 21:30:26 aleecia: section -> document 21:30:29 … ? 21:30:36 jmayer: specificity 21:30:48 q+ 21:30:49 … "a party is not bound by" 21:30:55 … they are bound, just not required to do so 21:31:04 … document still has force, they just are not required to do certain things 21:31:06 aleecia: text? 21:31:11 q- 21:31:28 resend: "A party MAY engage in information practices otherwise prohibited by this recommendation ..." 21:31:47 ChrisPedigoOPA: section "MUST comply with and align with consumer protection laws…" is problematic 21:31:48 jmayer, that's the direction I was going for too, that looks fine 21:31:53 … its assumed you will comply with the law 21:31:59 q? 21:32:07 "applicable law"?
21:32:09 ack ChrisPedigoOPA 21:32:10 … when you say operate, rigo can correct but operate is a dicey term in the EU 21:32:19 +1 robsherman 21:32:23 aleecia: debated to death around comply with law 21:32:28 … not attempting to get in jurisdiction 21:32:48 q? 21:33:06 q? 21:33:14 aleecia: only looking at normative sections 21:33:17 … close on this 21:33:32 The language now only provides exception from "...for All Parties" 21:33:36 Should be broader, right? 21:33:52 … reads "a party may receive conflicting signals, specific overrides general, ..." 21:34:26 q? 21:34:52 tl: stuff about what should go in the status resource should go in the TPE 21:34:58 aleecia: which sentence 21:34:58 +q 21:35:08 tl: if a party chooses to track based upon… must indicate … supply a link 21:35:17 q? 21:35:23 aleecia: if a party chooses to track based on prior consent, their response must be as defined in the TPE etc. 21:35:29 +1, don't put normative language about protocol into this spec. 21:35:29 … just point to the TPE, take out the middle sentence 21:35:38 q? 21:35:40 jmayer: might be two separate issues 21:35:41 ack jm 21:35:54 … prior consent in mode of you give consent at some point, come back 21:35:56 q+ 21:36:10 … some might interpret as "prior consent from before you even turn on DNT" 21:36:17 … and even after you turn on DNT subsequently 21:36:20 q? 21:36:23 … not sure if we have agreement there 21:36:32 q+ 21:36:32 … suggest reframe from prior consent to "consent when DNT is on" 21:36:43 aleecia: would add a note here, not to the point of talking about decisions prior to DNT being on 21:36:45 … more complex 21:36:53 … we not spend a whole lot of time here now, note that it's open issue 21:36:55 ack jmayer 21:36:57 q- 21:37:04 … this is issue xyz still to be addressed 21:37:25 q? 21:37:25 aleecia: final statement in section, oob choice mechanism must satisfy following...
21:37:27 q+ 21:37:32 ack dwainberg 21:37:34 +q 21:37:37 q+ 21:38:05 dwainberg: party can get permission to do whatever they want, up to that party and regulators etc to determine if they got appropriate permission 21:38:27 aleecia: general principle that the more granular choice is the one that controls, not the more global one 21:38:49 schunter: if i have a well known uri which says my whole site doesnt do any tracking, and then i have headers that conflict, headers are more specific and take precedence 21:39:03 dwainberg: confusion between technical specificity/generality vs 21:39:06 q+ 21:39:12 rigo: the technology actually conveys the semantics 21:39:26 … specific statement by the user 21:39:35 npdoty, are you still workshopping the "A party is not bound..." sentence? 21:39:37 … equally applies that a specific always overrides general 21:39:38 request for clarification re: prior consent. We tabled this issue, rather than dismissing the possibility of prior consent, correct? 21:39:50 I think both hwest and I were looking for clarifications there. 21:39:55 jmayer, do you have alternatives? 21:39:55 randomwalker has joined #dnt 21:40:03 dwainberg: if a party puts up a big consent thing "we want you to consent to do everything" 21:40:11 … that overrides any little granular settings 21:40:13 rigo: other way round 21:40:17 resend x2: "A party MAY engage in information practices otherwise prohibited by this recommendation ..."" 21:40:30 aleecia: you're talking about which types of things you might consent to rather than which parties 21:40:33 "DNT: 1" does not tell you the scope of my permission, does it?
21:40:46 aleecia: written in a way that this might not be clear, that's important 21:40:50 maybe "engage in" -> "conduct" 21:40:51 jmayer, hwest, please duke that out and get back to me 21:40:51 … need it to be understandable 21:40:59 … specifics about specific parties 21:41:04 I actually have a comment on the next piece :) 21:41:11 … if you are sending a DNT signal to the entire world, that is global, you can have something specific about a given party 21:41:16 hwest, are you good with that language? 21:41:18 But can duke out this piece too 21:41:19 … that thing specific to the given party trumps the generalized signal 21:41:30 npdoty: fact you received dnt1 doesn't imply it's general to whole world 21:41:37 tl: only applies to this network interaction 21:41:38 q? 21:41:52 q- 21:42:03 aleecia: dont have to worry about specific vs general, just say OOB trumps DNT signal 21:42:12 schunter: principle is ok but need to spell out instances 21:42:23 … OOB trumps signal, response header trumps well known URI, etc 21:42:24 hwest, [14:31] jmayer, that's the direction I was going for too, that looks fine 21:42:26 … spell it out 21:42:35 Yes, that still works, jmayer 21:42:40 aleecia: try for that now 21:42:42 Ok. Nick, please swap it in. 21:42:51 But I like the out of band consent trumps general anything language 21:43:13 That seems to be the consensus view. 21:43:20 q? 21:43:26 tl: if i have a bunch of settings on a site, that i dont use regularly but they have widgets all over, nd i get a new browser and i turn on dnt1 21:43:33 … but i haven't gone back to that site to modify the preferences 21:43:40 … think its ok because im setting dnt1 21:43:41 q+ 21:43:52 q+ to say if you didnt go back to that site you didn't go log into that site 21:44:11 q? 21:44:16 hwest: comment on next piece 21:44:17 -q 21:44:32 q? 
21:44:33 susanisrael: quick clarification, earlier we dismissed idea of prior consent 21:44:36 … not asking to talk about now 21:44:36 ack susanisrael 21:44:38 ack susan 21:44:42 … but think we tabled issue of prior consent 21:44:48 … that might remain valid despite a later setting 21:44:52 … as opposed to dismissing it 21:44:55 … clarify here 21:45:05 q? 21:45:08 jmayer, no private messages here 21:45:16 message was that heather agreed 21:45:41 q? 21:46:06 was trying to not clutter the room 21:46:20 tl: question is if i've gone and opted into xyz or only opted into a couple of things, THEN i turn on dnt1 21:46:25 … and they have added more features since then 21:46:29 … their state about me is incomplete 21:46:41 … would they then assume that the DNT applies only to the things that i've already picked, vs newly added things 21:46:49 Too complex 21:46:49 … or am I opted into things that werent previously options 21:47:03 q? 21:47:09 ack ifette 21:47:09 ifette, you wanted to say if you didnt go back to that site you didn't go log into that site 21:47:37 q? 21:47:41 ifette: you are talking about prior consent, i will hold my comments until then 21:48:23 npdoty: OOB may override an expressed DNT signal, suggesting as replacement for specific overrides general 21:48:27 q? 21:48:40 hwest: can we enumerate "an oob may override a DNT:1 and the other option we put in" 21:48:43 tl: think perfect 21:48:49 fielding: confused 21:48:54 … OOB overrides DNT signal period 21:48:56 … it overrides 21:49:08 +q 21:49:18 +1 to Roy 21:49:23 q? 21:49:24 fielding: feel MAY is problematic 21:49:27 aleecia: also feel MAY problematic 21:49:31 … anyone want to fight for MAY? 21:49:35 jmayer: segue 21:49:48 … as we did before, get rid of "override" and say "you MAY do things inconsistent with elsewhere" 21:49:57 q? 
21:49:59 hwest: "or you are no longer bound by this signal" 21:50:05 ack jmayer 21:50:14 ack hwest 21:50:18 hwest: instead of re-granting permission, say "the requirements in this spec no longer apply" written nicely 21:50:20 jmayer: same fix from above 21:50:25 hwest: similar, yes 21:50:30 fielding: opposite of what i just said 21:50:40 q? 21:50:41 … reason to say OOB overrides DNT is so that a user who has set DNT:1 globally 21:50:55 … has a means of still consenting to the one website they have an interest in having tracking enabled 21:51:00 … if you make that optional, user can't use OOB to do that 21:51:08 jmayer: consent is not "and you must track me down" 21:51:13 q? 21:51:20 tlr: guess wondering where we are 21:51:31 … editors may be in a position to produce a strawman 21:51:34 aleecia: trying to do that 21:51:42 tlr: at a point where discussion is editorial 21:51:55 tlr: let editors do another pass for later review 21:52:07 q+ 21:52:09 q? 21:52:24 ack ifette 21:52:32 q? 21:52:36 aleecia: basically happy with this, modulo roy's point 21:52:43 … if we move forward, hwest in queue for next section 21:52:56 hwest: generally when we talk about policy, we dont talk about an ordinary user, we talk about a reasonable user 21:52:59 … is that change OK? 21:53:04 aleecia: fine 21:53:09 hwest: anything else on OOB?
21:53:22 aleecia: great, reasonable user must understand 21:53:28 aleecia: skipping next non-normative section 21:53:30 … moving on 21:53:46 q+ hwest 21:53:51 I do not believe that we had consensus on 2.3 Unidentifiable Data 21:54:08 aleecia: skipped over unidentifiable as we haven't yet gotten consensus here 21:54:11 … will talk about later 21:54:24 … moving to additional requirements based on party status 21:54:34 … pulled out to have information practices for first party 21:54:39 … at bottom 21:54:53 … think we can agree on "1st party must not share with 3rd party that 3rd party is prohibited from collecting itself" 21:55:00 … reads 21:55:32 ChrisPedigoOPA: can also cover offline data 21:55:32 q? 21:55:36 q- 21:55:37 q+ 21:55:40 While I would prefer some bright-line rules around out-of-band consent, like the EFF/Mozilla/Stanford proposal, I'm willing to compromise on the "reasonable user" approach. 21:55:42 tl: disagree with "if it covers offline that's a problem" 21:55:44 +q 21:55:46 q? 21:55:50 ChrisPedigoOPA: host of case law about offline data 21:56:05 q+ 21:56:05 q+ 21:56:30 ChrisPedigoOPA: going back 200 years, publishers have collected information off line about their customers, much case law here, this is out of scope 21:56:33 aleecia: great, next? 21:56:37 +q 21:56:46 out of scope 21:56:48 q? 21:56:54 ack rigo 21:56:59 rigo: have trouble with "receive" 21:57:13 … creates a lot of issues we shouldnt have, what we mean here is collect not receive 21:57:21 aleecia: receive -> collect 21:57:26 +q 21:57:30 ack robshermann 21:57:36 ack robsherman 21:57:51 robsherman: may be overreading, in which case need clarity, but DNT signal is supposed to be scoped to an interaction, here 1st party must not receive/collect data about a user 21:58:01 … broader than "an http request" 21:58:07 q? 21:58:08 … other users e.g. can post info about you on facebook 21:58:14 … "I'm with Aleecia at MSFT" 21:58:23 … that's not intended to be in scope of this document, e.g.
"Nick can't post about her" 21:58:30 … this sentence might imply that 21:58:54 … in my example npdoty is another party. FB cannot receive info from npdoty if aleecia has dnt on 21:59:03 WileyS: our definition of third party excludes users 21:59:23 robsherman: don't think this is intended company is never intended to receive info, e.g. billing relationship 21:59:27 aleecia: billing is outsourcing 21:59:29 q+ 21:59:33 … if you can give me problematic example please do 21:59:37 q? 21:59:49 amyc: general observation, don't think we've defined "share" etc 22:00:01 Can someone point me to the definition of "outsource relationship"? 22:00:05 … if we haven't defined key words, we may place obligations on publishers to montior all third parties 22:00:06 +1 to need to clarify definitions 22:00:11 … look at each verb we use 22:00:15 +q 22:00:16 ack amyc 22:00:20 ack dwainberg 22:00:31 dwainberg: how do first parties know what third parties are prohibited from receiving 22:00:35 aleecia: from the spec 22:00:40 dwainberg: any third party may have consent 22:00:41 +q 22:00:42 … api or OOB 22:00:46 … first party needs to know 22:00:49 tl: ask third party 22:00:50 A party shares data if the party enables another party to collect the data. 22:00:55 dwainberg: shouldkn't it be up to third party 22:01:05 … if third party gets info they dont have consent to receive, their job to comply witht he spec 22:01:08 aleecia: coming up on 15h 22:01:10 … 30m break 22:01:23 … piece that came out that we have not taken on as a group is, so far we've been saying "no sharing in and out" 22:01:25 q? 22:01:28 … hearing from chris that's problematic 22:01:30 q-- 22:01:34 … barely skimmed the surface 22:01:37 -q 22:01:37 … should capture as a new issue 22:01:40 … more time on this 22:01:44 q* 22:01:48 q- 22:02:30 I thought we had agreement on this principle a long time ago. 
22:02:42 ChrisPedigoOPA: have agreed first parties won't share data with third parties 22:02:47 We're technology agnostic—first parties can't give third parties data they can't collect themselves. 22:02:47 q? 22:02:51 … question about bringing in other data to a first party still up for debate 22:02:58 … problem with offline data being covered under this standard 22:03:07 … requiring that a first party can't get data from a third party isn't an issue here 22:03:18 … third parties can't collect the data anyways except for specific conditions 22:03:22 aleecia: not sure if that is the case 22:04:08 q? 22:04:10 -q 22:04:13 -q 22:04:19 ISSUE: Are First parties allowed to use data (either offline or online) from third parties 22:04:19 Created ISSUE-154 - Are First parties allowed to use data (either offline or online) from third parties ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/154/edit . 22:04:21 ack jchester2 22:04:26 ack jchester 22:04:37 efelten_ has joined #dnt 22:04:53 Brooks: 22:04:59 Brooks: to go back to definition of issue 22:05:06 q? 22:05:06 … sharing is a defined term and we're almost contradicting it here 22:05:09 … "cause to receive" 22:05:11 … that is the problem 22:05:17 … if I'm CNN and I put a Mazda ad on my site 22:05:36 … Brooks drives a Mazda, has a Mazda cookie, have caused Mazda to receive info it shouldn't have 22:05:44 … I don't know what the third party has/knows/doesn't have/know 22:05:45 q? 22:05:50 ack Brooks 22:06:04 ack susanisrael 22:06:29 susanisrael: want to understand the purpose, stepping back from language, to say "we don't want to create a loophole where someone turns on DNT to prevent third parties from collecting data and first parties facilitate this by overriding DNT and using their privilege to feed that data to third parties" 22:06:50 … if I understand that, then whenever we return, that's the core purpose of this? 
may help us get to the right language 22:07:05 aleecia: may not have agreement on even what that core purpose is 22:07:11 … break, 3:30 return 22:07:21 by "this" I meant this sentence not the whole spec 22:08:42 was seeking clarification as a basis for addressing the language 22:18:42 johnsimpson has joined #dnt 22:31:37 vinay has joined #dnt 22:34:42 Joanne has joined #DNT 22:35:15 KevinT has joined #dnt 22:35:27 dwainberg has joined #dnt 22:35:32 hwest has joined #dnt 22:35:38 fwagner has joined #dnt 22:38:54 randomwalker has joined #dnt 22:39:23 justin has joined #dnt 22:39:32 vincent has joined #dnt 22:40:50 alex has joined #dnt 22:41:00 amyc has joined #dnt 22:41:21 Aleecia: starting session on proposal 22:41:37 ... asking for scribe for final session, will be Nick 22:41:42 (npdoty to scribe final session) 22:41:45 ... Shane will present his proposal 22:42:01 Shane: not just my proposal, cosigned by multiple parties 22:42:12 Topic: Presentation of industry proposal 22:42:16 susanisrael has joined #dnt 22:42:29 efelten has joined #dnt 22:42:42 npdoty has left #dnt 22:42:48 ... objective in intro, goal is DNT that will advance user choice beyond existing options and be implemented by significant portion of ecosystem 22:42:50 npdoty has joined #dnt 22:42:55 ... part 1 is parties 22:43:11 ... similar to advocate proposal, affiliates with easy discoverability 22:43:26 ... commonly owned and controlled, similar to DAA 22:43:42 ... affiliate list link to be provided within one click 22:43:52 ... of page 22:44:00 q? 22:44:11 q+ to say that we should have the list in a machine readable format as defined by TPE 22:44:15 ... meaningful interaction, common ground here too 22:44:32 rigo, how about machine readable as one option? or a SHOULD? 22:44:34 ... owner or operator of site, or widget interaction 22:44:58 ... service providers is new text, although discussed before 22:45:24 ... 
also considered first party if performing services on behalf of first party 22:45:26 what does it mean to include permitted uses if you're a first party, which has all uses? 22:45:33 samsilberman has joined #dnt 22:45:45 ... third party is everyone other than first, service provider or user 22:46:03 ... cobranding may make 2 or more first parties 22:46:33 ... Rules that first party can go about business as normal, can't pass data to 3rd parties 22:47:09 ... data must be segregated, third party must not aggregate together data from first party sites 22:47:26 ... no profiling, open to defining profile definition to be proposed 22:47:46 ... third party cannot leverage profile to change user experience, when DNT is on 22:48:13 ... party (first or third) cannot share data with another party when DNT:1, unless service provider 22:48:34 does that get us in to the same question about combining offline data? 22:48:51 ... outside DNT context, but wanted to note that data collected or received may be combined with first party data, DNT does not cover offline data 22:49:25 TL: if I am a first party, I can look at generally available data to combine with my own data? 22:49:50 Shane: Yes, because public info or gathered with prior consent so OK to combine 22:50:03 but 3rd parties can't combine your data with offline data 22:50:24 ... party may choose to purge, but not required to do so, just can't use 22:50:44 Chapell has joined #DNT 22:50:44 q? 22:50:53 ... permitted uses apply, user granted exceptions override 22:51:09 ... Permitted uses more limited, express and detailed 22:51:35 doesn't freq capping alter the user's online experience? 22:51:40 ... For all uses, the following will apply, includes no profiling, no altering of experience 22:51:51 Efelten: what is profiling? 
22:52:18 Shane: assembly of data across multiple sites gathered to predict user interest 22:52:22 wileys: profiling 'assembling data about a user across multiple sites and then using it to alter a user's experience' 22:52:32 efelten: processing or gathering? 22:52:42 Shane: making assessments based on data 22:52:53 ... will work on succinct definition 22:53:21 ... if you do not have collection purpose for specific permitted use, then collection is not permitted 22:53:30 wileys: if you don't have a specific permitted use, then collection is prohibited 22:53:38 jeffchester: is this first party or third party 22:53:49 wileys: this is third party 22:54:06 q? 22:54:06 ... rules mostly apply to third parties 22:54:13 ack ri 22:54:13 rigo, you wanted to say that we should have the list in a machine readable format as defined by TPE 22:54:28 ... to claim permitted use, you must provide retention period(s) 22:54:41 ... reasonable technical and org safeguards 22:54:52 ... can suggest that more is better 22:55:17 ... public purpose, such as emergency protection and IP, is covered 22:55:32 sean: wanted to clarify response to Jeff? 22:56:05 wileys: allow first party use within first party context ok, third party use of data outside of first party experience is not OK 22:56:29 ... but could use third party data to alter first party experience 22:56:40 jeffchester: concerned about tracking 22:57:08 Rigo: but first party can write this back into third party profile? 22:57:20 JC: asks Rigo to clarify? 22:57:38 wileys: may need visuals 22:57:59 ... security permitted use, includes fraud, detection and defense 22:58:31 ...don't want to have DNT used for antisecurity purposes 22:59:13 ... next area is financial purpose, billing and audit compliance, requires uniqueness for user interactions 22:59:18 "This is necessary for ..." should be non-normative, right? 22:59:30 ... need to retain proof or receipt for what was billed for 22:59:51 ... 
list of billing scenarios 23:00:47 jeffchester: what is time limitation? IAB writes standard contracts for timing. what are best practices for timing for billing and frequency caps? 23:00:53 q? 23:01:10 wileys: also have legal obligations for billing, state and securities and contractual 23:01:27 ... don't know exact timeframe 23:01:39 jeffchester: what is typical timeframe? 23:01:47 q+ 23:01:57 wileys: think three years or more, will check with IAB 23:02:26 does Financial Purposes include whether a person of a particular historical profile has seen this ad? 23:02:29 ... frequency capping, simply a counter, may be used across multiple dimensions of ad experience 23:02:47 ifette: can frequency cap be shared with other third parties? 23:03:01 wileys: uncontemplated in this proposal 23:03:29 Rigo: how identifiable? 23:03:36 johnsimpson has left #dnt 23:03:41 wileys: unique cookie, anonymous 23:03:48 pseudonymous? 23:03:50 johnsimpson has joined #dnt 23:04:07 Rigo: pseudonymous, and attached to page on which ad was seen, isn't this profile? 23:04:19 frequency capping does alter the user's experience based on their browsing history? 23:04:32 wileys: expressly call this out as permitted use, wanted to be clear 23:04:50 jeffchester: how does creative versioning or sequencing affect? 23:05:08 wileys: this is form of OBA, would cease based on DNT 23:05:08 of note: frequency capping data can be used to uniquely identify users, as per recent research 23:05:10 wileys: "creative versioning" and "sequencing" isn't part of this permitted use 23:05:17 I thought we had reached agreement in Brussels that sequencing was going to be considered tracking. 23:05:27 And it sounds like we're still in agreement. 23:05:32 +q 23:05:56 wileys: debugging, scoped for repairing site errors 23:06:13 ... replicate user experience to fix site 23:06:34 Roy: with user consent? 23:06:51 wileys: not intended to require user consent 23:07:20 ... 
but in 1 to 1 interaction, may be consent based on user complaint 23:07:41 ... last is aggregate reporting using unlinkable data 23:07:54 ... outside scope of DNT 23:08:09 ... is a time period to collect data before aggregating 23:08:12 fielding has joined #dnt 23:08:18 ... related to grace period discussion 23:08:39 ... some examples of aggregate reporting 23:08:51 ... went from 8 to 5, and 5th is out of scope 23:09:01 TL: any prohibited collection? 23:09:06 does someone have a diff on the 8 vs. the 5? would that help anyone? 23:09:13 wileys: if no permitted use, then collection prohibited 23:09:13 Combining multiple permitted uses into a newly named permitted use is not a reduction in permitted uses. 23:09:41 TL: wants to see differential between currently collected data and what would be permitted here 23:10:02 jeffchester: does retargeting or modeling apply to market research? 23:10:16 +q 23:10:21 wileys: not profiling or targeting to individual 23:10:40 ... can explain more offline, modeling is different than market research 23:11:06 JohnSimpson: third party could track on one first party site, as long as segregated 23:11:18 WileyS: [responding to tl] This is mostly about use, not collection. 23:11:22 ... but if site has 60 affiliates, a third party could track across all of that 23:11:41 wileys: a service provider, because the 3rd party could only provide back to first party 23:12:14 to follow up on that, users will continue to see behaviorally targeted ads, provided by a 3rd party, just based on your history on that site and affiliate site? 23:12:17 brooks: question about fraud 23:12:19 q+ to say that frequency capping does alter online experiences derived from multi-site activity 23:12:42 efelten: limits on retention? 23:12:53 wileys: must disclose 23:13:02 efelten: could keep for 100 years? 23:13:23 wileys: yes, but will face scrutiny of regulators 23:13:40 johnsimpson: could an ad network be a service provider? 
23:14:09 wileys: depends on business model, could provide this service as service provider if segregate data, limit view only to that first party 23:14:21 Rigo: do you have independent rights? 23:14:30 wileys: not as service provider 23:14:42 ... new area of explicit user choice 23:14:51 ... will skip non normative text 23:15:07 ... heard input from industry and browser vendors 23:15:25 ... reading nonnormative text 23:16:01 TL: when a party does not comply with DNT signal from UA because they think not compliant, are they complying with DNT signal? 23:16:11 wileys: let's go through rule set 23:16:17 q? 23:16:22 ... explicit and informed consent 23:16:31 ... must also have link and explanatory text 23:16:44 ... any UA claiming compliance must have exceptions 23:17:01 ... server may respond that UA is noncompliant if they believe noncompliant 23:17:18 ... server must relay this info to user 23:17:27 q? 23:17:35 ... servers must defend why they reach decision 23:17:58 +q 23:18:03 ... but can't reject all DNT signals as noncompliant and still claim compliant as a server 23:18:13 q+ 23:18:15 q? 23:18:18 ack rvaneijk 23:18:37 q+ rvanijk 23:18:41 q+ 23:18:44 ack jmayer 23:18:45 ack jmayer 23:18:53 q+ 23:18:54 jmayer: want to understand scope of product improvement permitted uses 23:19:04 ... and market research 23:19:16 q- rvanijk 23:19:18 ack rvanijk 23:19:19 Marc has joined #dnt 23:19:22 q- later 23:19:26 wileys: now saying that can use aggregate data, not individual data 23:19:41 jmayer: goal is what? 23:19:45 -q 23:19:56 wileys: you can use aggregate data for multiple uses 23:20:14 jmayer: can collect individual data to aggregate data 23:20:39 ... is there a time limit as to when aggregation must occur? 23:20:43 q? 23:20:50 ack tl 23:21:21 tl: in 4(c), if I only get requests from IE, but no other browser, am I compliant? 23:21:33 wileys: not realistic question 23:21:58 tl: what if you only think one obscure browser is compliant, and everyone else is not, what happens? 
23:22:05 q- 23:22:20 wileys: if server expresses what they are doing, OK 23:22:51 q? 23:22:57 ... appropriately responding to what you believe to be invalid UA 23:23:23 Thomas: for error response, have you considered granularity request 23:23:35 ... per request, rather than per software 23:24:22 wileys: think you are making distinction between protocol discussion and compliance discussion [not sure I got this] 23:24:46 q? 23:24:52 npdoty: does choice have to be separate as well as explicit and informed? 23:25:01 wileys: open on this point personally 23:25:15 aleecia: let's go quickly through rest of section 23:25:19 "Separate" for UGEs was rejected in DC, FWIW. 23:25:41 wileys: unlinkable outside of scope, included definition 23:25:45 this sounds like the FTC report suggestion on unlinkability (in terms of downstream contracts) 23:26:26 Roy: many data sets are unlinkable by nature and do not need to be de identified; add "or" 23:26:44 aleecia: what suggestions do you have for Shane? 23:26:44 q+ to talk about list of affiliates 23:27:05 q? 23:27:11 ack schunter 23:27:51 schunter: what is purpose of UA section? site can decide how to service user 23:28:51 wileys: this would be the same as interpreting as DNT1, and I disagree with that. User should be offered opportunity to have another browser 23:28:58 ack rvaneijk 23:29:16 q- 23:29:19 q? 23:29:46 rvaneijk: AdChoices has more transparency, added value in closing section 23:30:01 q? 23:30:11 ... did you think about road to compliance? this is DAA plus proposal. 23:30:29 ... EU legal compliance 23:30:54 +q 23:30:54 wileys: don't want to have eprivacy debate here. will be adding proportionality text 23:31:24 ... notes that implementing regs and interpretation still developing. Could use technical infrastructure. 
23:31:47 ack rigo 23:31:47 rigo, you wanted to talk about list of affiliates 23:31:49 rvaneijk: extra homework very important 23:32:03 +q 23:32:12 rigo: on affiliates, must be one click away on each page to affiliate page 23:32:27 we can do one more question after Jeff 23:32:32 Then close the queue 23:32:32 ... can't this be machine readable? 23:32:36 q+ 23:32:51 Last question to Adrian, then 23:33:10 wileys: already in TPE spec, has optional location for domain list, now this is human readable approach 23:33:10 q+ 23:33:29 ... must have human readable, machine readable is optional 23:33:41 MeMe, I'll ask you to take your question to Shane on break 23:33:49 Rigo: hard retention periods necessary, especially if number of years 23:33:50 +1 on must have human readable discoverability on affiliates, may have machine readable option 23:33:53 (sending results to IRC would be great) 23:34:10 ack meme 23:34:13 q- 23:34:19 sorry 23:34:29 ... bargaining position different 23:34:40 q? 23:34:41 ack justin 23:34:52 no worries aleecia 23:35:04 justin: if browser puts link and prechecked link on first page, is that express informed consent and who decides? 23:35:09 queue is closed; Jonathan please be ready to walk through your proposal at the end 23:35:13 q? 23:35:18 wileys: each server must decide, and defend that decision 23:35:21 q? 23:35:35 justin: should have a site that lists of software they don't like? 23:35:37 q+ fielding 23:35:50 ... fractures DNT experience 23:36:21 ... if someone sending fraudulent signal, then legal action appropriate, not fracturing DNT 23:36:39 justin: why not go after, take a cause of action, against a vendor who turns on DNT:1 without the user's permission 23:36:49 For the minutes: Shane stated that the current proposal will be updated on proportionality/subsidiarity for the operational uses: http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0566.html 23:36:52 MeMe, perhaps add your question on IRC now if you'd like? 23:37:03 q? 
23:37:09 wileys: want mass implementation of standard, need balance, already have large number of third parties that they would not implement DNT with that standard 23:37:24 justin: why not sue Microsoft 23:37:35 ack jchester 23:37:40 aleecia: stop it, both! 23:37:49 Roy, we've closed the queue after Adrian 23:38:10 We have much more to discuss, I know, but need to move to the final session of the day. 23:38:10 jeffchester: interested in following up, rob has identified critical question about structuring permitted uses 23:38:10 ... without the reservation 'where appropriate'. 23:38:11 q? 23:38:24 You might put your question in IRC, and please find Shane on break 23:38:27 randomwalker has joined #dnt 23:38:27 q- 23:38:28 ack fielding 23:38:32 thanks / sorry 23:38:43 q? 23:38:52 rvaneijk: put up link in IRC 23:39:18 ... how to accomplish goal in different ways that could be less intrusive, balance against user privacy 23:39:25 WileyS has joined #DNT 23:39:37 ack adrianba 23:39:48 Section F in definitions should except out Service Providers I believe 23:40:09 adrianba: proposal says that UA must relay server responses to users to ensure transparency, what if there are dozen 3rd parties on single page 23:40:10 I can't wait to see a bunch of long tail bloggers sue MS. 23:40:15 It will make a great movie. 23:40:27 ... understand that UI out of scope, how would that work? 23:40:28 can we please stop discussion about who might sue whom? 23:40:44 that's not a useful way to get this discussion to *any* reasonable place. 23:40:45 For the minutes: Shane stated that the current proposal will be updated on proportionality/subsidiarity for the operational uses without the reservation 'where appropriate'.: http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0566.html 23:40:45 Thanks. 
23:40:57 wileys: so many innovative user interfaces, perhaps iconic representation of DNT compliance 23:41:22 tlr, I am looking for an alternative to every single third party making unilateral determinations of what is compliant. 23:41:53 aleecia: thanks, we will spend more time reviewing 23:41:55 adrianba, is your suggestion that the user agent MAY relay the server's response, not MUST? 23:42:01 tlr, I don't see why liability risk doesn't solve the problem. 23:42:06 justin, that's fine. Say "there's a legal environment for that". Don't say "you could sue $COMPANY" while filling in a real name. 23:42:58 tlr, My apologies. 23:42:59 npdoty, I'm okay if a UA wants to display something - I don't think the spec needs to say that - I disagree with a MUST 23:43:09 scribenick: npdoty 23:43:36 Topic: Proposal from Jonathan and advocates 23:43:45 jmayer: with pde at EFF and tl at Mozilla 23:43:59 ... huge thank you to everyone who talked to us, reflects loads of conversations with anyone we could get our hands on 23:44:00 Justin - any suit of the magnitude you are suggesting would (among other things) stall the implementation of DNT for years 23:44:07 ... including people who really didn't agree 23:44:30 ... on github under my account, if you want to look at details 23:44:34 my apologies for making that point more emotionally than I'd like - as it's not productive 23:44:44 ... but for now want to look at high level direction 23:45:02 ... motivate, what we tried to: what seemed to us like a really fair compromise 23:45:08 Proposal Github: https://github.com/jonathanmayer/dnt-compromise 23:45:24 ... looked at advocates, publishers, advertisers, social networks, adequately balanced all interests 23:45:38 http://jonathanmayer.github.com/dnt-compromise/compromise-proposal.html 23:45:39 Chapell, I am not recommending such a suit. 
I had just posited several times in the mailing list whether making the standard more clear on requiring consent would discourage browsers from sending without consent. 23:45:49 ... so no one will say this is what I wanted, but hoping that it might be in the direction of what we might live with 23:45:57 efelten has joined #dnt 23:46:20 ... 1) parties 23:46:27 http://jonathanmayer.github.com/dnt-compromise/compromise-proposal.html#parties 23:47:10 jmayer: in DC we proposed a definition based on user expectations, here's an example based on Microsoft web sites 23:47:31 My comments are at http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0462.html 23:47:54 ... for user expectations you'd have to look at a number of factors including domain names, branding, consumer awareness 23:48:08 JC: does the word "Microsoft" appear in the footer of every one of those pages? 23:48:51 jmayer: there may be, and I think given the logos and user understanding, these would all be the same party 23:49:01 ... now the test is corporate affiliation 23:49:29 ... if they're all under a single corporate umbrella, then you're done 23:49:54 ... although we don't prefer this outcome as individuals, we think as a compromise it's a good direction given a lot of pushback in this direction 23:50:25 ... distinction between Passive and Active 23:51:01 ... Passive is the stuff that is sent just by virtue of having a communication (ip address, user agent, referer, etc.) 23:51:20 seanharvey: what do you mean by "supercookie"? 23:51:29 jmayer: any stateful technology in a browser 23:51:36 q+ 23:52:11 seanharvey: some alternate local storage mechanism (html5 localStorage, LSOs) 23:52:14 q? 23:52:27 q+ 23:52:44 WileyS: what do you mean by "fingerprinting"? it seems like the Passive elements on your list accumulated over time would be fingerprinting 23:53:28 tl: active fingerprinting would be querying lists, an active step (like fonts installed available to Flash)... 
the best fingerprints (without sticking an identifier on the user) include active steps 23:54:08 WileyS: maybe you should define or make a distinction between different types of fingerprinting 23:54:51 jmayer: happy to have that discussion, but think there are certainly some bright lines for what is "Active" 23:54:59 Note to AdTruth - you've now been put in the same bucket as anyone who uses cookies. :-) 23:55:31 ... passive information can be collected without any limit, kept in the near term with no limit but must be unlinkable in the long term 23:55:55 ... but for active collection, you must use something unlinkable, something low-entropy 23:55:59 long term is 2 weeks+? 23:56:27 q? 23:56:33 ifette: does this apply both to 1st and 3rd? 23:56:37 jmayer: just 3rd parties. 23:57:11 sharvey: can you quickly define "near-term" and "long-term"? and how firm are those timelines? 23:57:42 jmayer: beyond "near-term" for us is 14 days 23:57:56 ... not something like months 23:58:08 23:58:18 jmayer: there are some exceptions 23:58:32 ... particularly security/fraud -- all bets are off and we won't second guess 23:59:26 ... what if personal information is embedded without your knowledge, etc., but if you actually know about a certain data, they should remove it for DNT users 23:59:37 q+ 23:59:49 dwainberg: I thought there were some limitations on security/fraud prevention