See also: IRC log
<npdoty> Internet connection info is on the whitescreen, although if you're reading this....
<npdoty> <sings Happy Birthday>
<npdoty> scribenick: npdoty
schunter: welcome back, thanks for coming back
... happy with the progress so far
... identified two major proposals and a lot of areas of agreement
... and a very lively discussion on the mailing list
... in working order and we are working cooperatively on finding solutions to our challenges
... appreciate the time you put into this group and the constructive feedback
<applause>
schunter: still have some work to do
... don't need to debate the wordsmithing, but figure out what pieces we can or can't live with
... not to aim for perfect solution, but what are the key points that I cannot live with and focusing on getting agreement with these points
... feel free to make little groups over coffee to work out issues, which can be even more efficient
... agenda review and looking for scribes
... 1. Welcome and Goals
... finding solutions
tl: introduce yourselves and note the observers
schunter: +1, go through introductions around the room after this session
<Chris_IAB> I would scribe, but I am only an "observer"
<asoltani> jjj
<tl> Chris_IAB: That's the best place to scribe from!
scribe volunteers: dwainberg, justin, rigo, Ian, AmyC, jason
<Chris_IAB> yeah, I'm not in accord with that...
<Chris_IAB> if I'm only an observer, I'd like to observe :)
<dwainberg> is there a cheat sheet on the web with the scribing syntax
<dwainberg> ?
<tl> Chris_IAB, Scribing is a great opportunity to follow the conversation very closely!
<scribe> scribenick: dwainberg
Participants:
Jon Mayer ...
scribe: Justin Brookman,
... Vinay G
Brooks Dobbs....
(sorry, I'm missing some)
<robsherman> ...Rob Sherman
Mike Zaneis
Thomas R
Keerat
<Chris_IAB> sorry, who is "tl"?
<Chris_IAB> you have a non-transparent IRC name
<sidstamm> Chris_IAB, tl is tom lowenthal
<npdoty> <applause for our hosts>
<npdoty> I'll share the full attendee list since we won't get everyone's details in this go-round
aleecia: thanking companies that provided support
<npdoty> huge thanks to Microsoft for hosting, and to Yahoo, Facebook and Google for financial support
aleecia: [reviewing the agenda]
... Mission of the TPWG is to improve user privacy .... (from the charter)
... we need something that works for users and that can be adopted by biz
... [reviewing dates]
... dates are aspirational
... we were looking for a last call doc in June, we'll see if it happens, even if we don't, we need to publish something out of this meeting
... WG issue freeze
... aleecia filled in dates assuming last call, and padded it out
... Getting to closed
... we start with an open issue, use texts to have discussions, and get to consensus text, then closed issue
... issues can be reopened based on new information
... w/out new info or new text the issue will remain closed
... we can have formal objectsion
... if we have multiple texts, consensus is on the least objectionable proposal
... chairs will identify consensus for the least objectionable path
... it is about substance, not about volume, "me too's", etc.
... WileyS: there is not agreement on this process, can we set that aside as a separate issue
rigo: this _is_ w3c process...it's about sustained opposition
<npdoty> If you're curious about w3c process: http://www.w3.org/2005/10/Process-20051014/
tlr: [reading from the process doc] "where unanimity is not possible, ... in establishing consensus, the WG must address legit concerns of members.... it is desirable that a large majority accept...
<npdoty> http://www.w3.org/2005/10/Process-20051014/policies.html#Consensus
tlr: ignore the above (old process doc vesion)
<npdoty> <ignore earlier tlr, reading out of date version>
tlr: current version: "in some cases a group may be unable to reach consensus.... dissenters cannot stop the groups work....if chair believes group has considered dissenters views they can move on
... consensus ... [reading from the process doc]
... it is a general practice to look for the least objectionable
ian: can we highlight the process for moving a document to last call?
tlr: upon consensus of the WG
aleecia: typically we do not have a vote, but last call could be a time for a vote
<BerinSzoka> Here's the W3C process document that was just read from: http://www.w3.org/2005/10/Process-20051014/policies
<tlr> http://www.w3.org/2005/10/Process-20051014/policies.html#Consensus
<BerinSzoka> note the section on Consensus in particular http://www.w3.org/2005/10/Process-20051014/policies#Consensus
<tlr> an additional piece that I didn't read to you: Groups should favor proposals that create the weakest objections. This is preferred over proposals that are supported by a large majority but that cause strong objections from a few people. As part of making a decision where there is dissent, the Chair is expected to be aware of which participants work for the same (or related) Member organizations and weigh their input accordingly.
<tlr> http://www.w3.org/2005/10/Process-20051014/policies.html#managing-dissent
aleecia: formal objections happen at decision points. FO authors must cite technical basis.
... group can resolve right there, or there is a w3 process, which can go up to Berners-Lee
... if one thing is reversed, there can be an entire dependency chain
... not unusual to have multiple formal objections
... questions?
... (none)
... What's new?
... issues about IP
<npdoty> Rigo Wenning, W3C's Legal Counsel
rigo: is w3c's legal counsel. There were messages on the list about alleged IP issues.
... discussion of the issue on the mailing list has stopped
... w3c can create patent advisory group
... w/ committment to royalty free, the issue is resolved, but if can't resolve quickly, will create advisory group
<npdoty> if we can resolve just by getting a W3C royalty-free licensing commitment, then we don't need to go forward
rigo: formal procedure, with fixed membership, members only, no experts, no observers
... w/ discretion of chair invited experts can be invited to the group
... private meetings, but the result will be public, with suggestions to the wG
<npdoty> deliberation in Member-space only, with a report to the public
rigo: w3c patent policy says clearly that a standard cannot be covered by IP
... there will not be a spec that is encumbered with IP
... important not to give in to panic; we will resolve this.
<npdoty> for questions, grab Rigo in a coffee break
aleecia: on the mailing list; currently it is world readable/writable
... and we're seeing problems
... the chairs will bar contributors who are contributing IP w/out an agreement, or who are disrupting the group
... problem of people contributing IP over which they have a patent
... we need to be careful to keep those things out
... questions?
justin: how does it work; anyone can join, are they required to give up their IP before they can join?
rigo: w3c has a complex framework. Members follow w3 policy. Invited experts sign a form on an individual basis. Observers haven't signed anything, so we have to be careful.
... this is the chair's task to be careful about this.
<npdoty> patent policy details: http://www.w3.org/Consortium/Patent-Policy-20040205/
aleecia: this will be posted w/in the next week.
tlr: one clarification; we have an obligation to respond to comments from the public after last call.
... WRT current members, we're having issues. People are complaining about tone.
<npdoty> people not reading the list because it makes them ill to read it
tlr: Social competence is a key component for WG membership.
... We're getting to the point of having problems.
... Please self-moderate.
... Last piece; we also need a way to take public comments.
... Will set up a public comment list, and we will need to respond to those public comments.
WileyS: Is there a private list as well? What is it?
... Does that exist? Can someone explain its composition.
tl: we do have a private list. By charter it is only allowed for organization, logistics, etc. But no substantive WG content.
<adrianba> Member list archive -> https://lists.w3.org/Archives/Member/member-tracking/
tlr: archive for the private list shows 7 messages from Nov 2011
aleecia: we have new people involved.
<npdoty> (and I don't believe that the Member mailing list archive is currently visible to our Invited Experts)
aleecia: we're seeing exec level decision making descend on the group
... we're suddenly working at executive speed, and it's bogging down the process
... Also external pressures. Press.
... Increased Congressional interest in the US.
... UK "implied consent" for cookies
... NL prior consent
... Art 29 calling out DNT as inadequate
... may have to send out last call for comments twice
<npdoty> "we're doing something unusual and special"
aleecia: thanks to all for doing this work. It is important. It is important to a lot of people. The stakes are high.
... [talking about dinner plans]
<tlr> "new information"
marc: Process question. A decision about one section could hinge on another section that we've not discussed. How do we loop back?
... Troubled or concerned about how that plays out in a rational way.
aleecia: Mostly applies to the compliance doc. For things that have dependencies, we have put those issues together. It is much easier to do it issue by issue.
... for things that are interlocked, we'll just have to do them together.
... if you have specific things in mind, call them out.
... Does that answer your question?
marc: I think so.
npdoty: This may also be "new information"
aleecia: I've tended to be much more willing to go back to issues. This starts to change as we get closer to closed.
... Next we have editors. David is not here, so Roy will do a quick summary on TPE.
<npdoty> editors' draft of TPE: http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
<npdoty> and compliance: http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html
Heather and Justin presenting on Compliance Doc
hwest: not many changes made since Washington DC
justin: lots of options in the doc
hwest: options, notes, issues are color coded in the doc
... things not called out are close to consensus
justin: major issues.
... 1. definition of parties and consumer expectations
<Chris_IAB> Nick Doty, please note that Shane Wiley of Yahoo! just sent a formal request to add the IAB as "invited experts" to this TP Working Group; Could you please reply today? Thanks :)
justin: advocates have largely conceded on this
hwest: next piece is permitted uses; what can that party do for operational purposes. We've been treating those together.
justin: parties and unique identifier are biggest issues
... advocates argue there should be no unique identifier; industry argues there should be a number of permitted uses allowed using unique ID's
hwest: the draft at this time does not reflect recent discussions.
justin: not much concern anymore about 1st vs 3rd definitions
... some discussion of need for definition of "tracking" and "collection"
... Section 5 on user granted exceptions. There's some discussion on what is needed for consent.
<npdoty> I'm happy to help with editing if we want to do things in real time or each evening /cc: hwest, justin
hwest: that sums up the big issues
justin: take-away -- don't look at the compliance doc right now (laughter)
(roy presenting on TPE)
<npdoty> I haven't added that functionality (toggling non-normative text) to the live editor's draft yet, but it's ready to go
roy: Defines what goes over the wire.
<npdoty> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
roy: Status is; we have made changes since the draft in DC. Major areas of change are the tracking response proposal. We've merged Roy's and Tom's proposals into one version, but not sure if they're happy with it.
schunter: The point of this section of the specification is to specify how a server replies to a UA. I perceive agreement on parts, but we'll discuss later.
roy: (displaying diffs on the overhead)
<npdoty> fielding: I think we addressed those Community Group comments, though I'm not quite sure
roy: change; site-specific >> user-granted exceptions
schunter: (describing options for user-granted exceptions)
<npdoty> fielding, johnsimpson, jchester2 -- we should confirm whether we've addressed the CG comments, and if we need to document that, we can do so
<johnsimpson> @nick They were addressed orally in DC. I think those slides were supposed to be sent to us. I don't think they were.
<npdoty> haven't formally reviewed http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining
fielding: (continuing to describe diffs)
<npdoty> (fielding's changes on defaults and requirements for setting a preference)
fielding: added issues 111. There are some new issues since the last working draft. We'll cover later.
... other major change is the response section, where it was two proposals, resource and header field, now it uses both, depending on context.
schunter: context. If you want to tell a party it's ok to track. There's user-granted in the spec, and out-of-band, where site continues to get DNT:1, but site can respond it's not honoring because it has out-of-band consent.
<npdoty> section to review (per fielding): http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#responding
fielding: Tk header field is the combination of proposals. Confirm that what you want in there is in there.
schunter: Roy did a great job merging proposals. But the combination is not 100% perfect. What should go into the UI? What should go into the headers?
<aleecia> Checkin notes dlist is here: public-tracking-commit@w3.org
<aleecia> I'll send that to the dlist
schunter: Roy listed attributes you might want to communicate; we have to decide which are needed. But we hope not to need all.
fielding: last topic; user-granted exceptions. dsinger has been working on it.
<dsinger> added the exact model of what happens
<dsinger> added the cancel calls
npdoty: Major changes are adding a method for web-wide exceptions, starting w/ Shane's text, and API for removing exceptions.
<dsinger> added the web-wide exception
npdoty: We want feedback from other browser makers.
<dsinger> added notes and issues
aleecia: What happens if we're not able to come to agreement?
aleecia: What does 6 months, 12 months... look like if we do not have DNT?
jchester2: I'm sure we all feel a responsibility for global users of the internet. ... Without a standard, we will see an escalation of the demands of privacy groups across the world for regulation and greater protections.
kimon: (responding) EU regs are about storage on the client, but DNT is not really about storage.
... but haven't been able to get much out of politicians as far as what they actually want to get out of it.
<npdoty> kimon: EU already has a strong legal framework
kimon: would like to make it interoperational with existing OBA framework.
rigo: Had talks with a company in Japan. They are watching the outcome of US and EU.
WileyS: If this group is unsuccessful, a DNT standard will still emerge. It does not need to be one from a w3c standard.
BerinSzoka: Has been involved in the space for over 4 years. Lots of trade offs. Worry about this process breaking, and leading to a regulatory solution that's less able to deal with tradeoffs.
<npdoty> WileyS, you were also making a point that it might not be universal, but it would still be satisfactory?
BerinSzoka: Examples: A DAA standard outside of this process would be politically difficult. Congressional hearing, it was made clear they wouldn't support a DNT standard that does not comply with headers.
<npdoty> BerinSzoka: re: James Grimmelman testimony
BerinSzoka: Also, FTC could be tasked with writing the standard.
<npdoty> BerinSzoka: a standard from outside this process (from DAA) would likely be unsatisfactory to that audience
BerinSzoka: Markey and Barton have been co-chairs of privacy caucus. Their letter made clear they reject a standard that does not allow DNT to be set by default. They also reject a number of other fundamental assumptions of this group.
... Very likely that if this group does not produce a workable standard, we'll see something crafted by regulators, who have little understanding of the issu.
... in fact this will be resolved by people on the hill.
<npdoty> scribenick: justin
ifette: Google hopes this doesn't fail. But we started with a self-regulatory regime (DAA) that has been implemented by most third-parties, so there's a willingness to do something here.
... Some we came into this process because we realized that DAA process was sub-optimal (have to go to website, cookie-based so not persistent).
<npdoty> a vast majority of the third parties that I believe we're trying to target covered by DAA program -- is that right? I thought we had agreed that these issues applied well beyond behavioral advertising
ifette: But over time it's become clear that group believes that DAA not enough. And WileyS's proposal does make real concessions.
<npdoty> ifette: there are meaningful concessions, this is beyond the DAA program, not just putting DAA opt-out into the browser
ifette: Obviously, some are pushing for a prior consent before tracking, especially in Europe. I am worried about the *pandering* being done around this issue. I don't believe that the world will move to opt-in model if this group fails.
... Europe's opt-in model hasn't worked. And to be fair, the DAA model hasn't worked either.
<rigo> +1 to Ian
aleecia: queue is closed --- be focused!
hober: If this working group fails, we'll need to look to other solutions to protect users' privacy
aleecia: what does that mean?
hober: It will depend. <cryptic!>
aleecia: Give me some options
erikn: I'll take a shot at that
... We're not trying to be dodgy --- we want this to work.
... But we are in agreement internally that we need to do something to protect user privacy.
aleecia: from a browser perspective?
erikn: yes, that captures it. But we really want DNT to succeed and to be the answer.
rvaneijk: Without DNT, there will be enforcement actions in Europe. A lot of people have put hopes on meaningful do not track.
... We need to make process the next three days. There are two ends of the spectrum: do-not-collect vs do-not-target. We need to find the middle.
... The statements of the Congressmen and the Chairman on the FTC (?) all push more for the do not collect approach.
fielding: My hope is that DNT does (?) work out. But don't push for DNT on by default.
... As a protocol editor, I don't want to go through the process of grappling with a DNT by default universe (?)
<efelten> FTC and the Chairman have said that DNT should be Do Not Collect, with narrow exceptions.
<sidstamm> +1 to advocating for "don't track users without consent" but not enabling DNT:1 by default
<tlr> Roy: If you want DNT to be on by default, ask for that to be the default with *no* signal. Don't mess up the protocol.
fielding: DNT should express user preference which can't happen by default. There will be regulation on this if this doesn't work, but it will be focused on the default issue (?)
<npdoty> fielding: for advocates, please don't go out there and ask people to turn on DNT by default, instead ask for regulation that DNT be the regulatory default because it won't need changes to the protocol, or any changes to HTTP protocol, the IETF process
spiezle: We need to focus on the consumer perspective. Lacking trust is hurting our business models.
<npdoty> fielding: I expect that regulation would be about tracking of HTTP requests in general, not tied to the default/DNT setting only
<tl> +1 to appropriate privacy protections should be the default, but DNT should always be the user's voice.
<rigo> +1 to that
spiezle: We're going to see legal approaches to protect users if this doesn't work out.
aleecia: Elaborate.
<BerinSzoka> I've never seen any substantiation of this this consumer trust meltdown scenario that's so often bandied about as a supposedly compelling need for regulation
spiezle: You'll see increased allegations of contract suits, class action suits for privacy violations. Even if they don't work out, bad PR issues.
<npdoty> "even if meritless, will consume a lot of cycles"
jmayer: Want to echo the Apple answer: best answer is getting a standard.
... But if this doesn't work out, the research community will be move active. They will engage much more with regulators (who right now lack expertise). Increasingly, regulaotrs have built better relationships with advocacy and research community.
... Regulators will consult with research community on potential regs. Also, research will push more for ad block solutions if this fails.
... And I don't want that outcome. It would be awful.
WileyS: That happens today even in parallel to DNT.
jmayer: It will be worse if DNT fails.
<BerinSzoka> Bully for Shane for pointing out the obvious: Jonathan's threat to build the ultimate ad blocker, etc will happen regardless
<vincent> WileyS, AdBlock will stop to block ads complying with dnt
tl: Hope DNT works, but pro-privacy users will find a solution. DNT should not be a default, but we can make other privacy choices as a browser that don't need to be off by default.
<npdoty> can we get some commitments or evidence on this point: that advocates won't need to build or advocate for countermeasures if we come up with DNT?
aleecia: I'm going to put some on the spot --- what happens to your org if DNT fails. Picking on Adobe first.
meme: From an engineering perspective, maybe fielding can say better. But I agre with WileyS, companies will compete on privacy. Don't think that's necessarily the best approach, because you lose the value of standardization.
<tl> npdoty, If we have a strong DNT standard, we don't need to.
<jmayer> The research and advocacy communities haven't begun work on technical countermeasures in earnest. I expect the pace of development would accelerate exponentially if DNT fails. Again, that would be a very bad outcome for all stakeholders.
meme: DNT is good because users can reasonably expect the same thing. Adobe is looking at competing on privacy, tho, but it takes time. And we will listen to consumers to see what they are asking for.
aleecia: who else can comment with a strong int'l presence?
hwest: Globally, we think a strong DNT standard that's not fragmented is incredibly value. If we don't have a standard, we'll keep working on privacy (as everyone else will say), but we'd like the reliability of one std where everyone knows what to expect (users and companies)
aleecia: I am expecting someone to say (which I'm not hearing) is that without a standard, companies need to go country to country.
<tl> Sounds like all of the browsers are saying the same thing: DNT is the best outcome, but if DNT isn't a viable option, plan B is technical privacy protections, and we'd rather not have to do that.
fielding: you made an assumption that having a DNT standard will release that pressure. I haven't seen DNT as a fix to cookie law --- when I talk with DPAs in Europe, it's all about YOU NEED TO OBEY THE LAW REGARDLESS OF WHAT THE STD SAYS
... which is reasonable. But if DNT doesn't reach those laws, we need to deal with them anyway.
<dsinger> the other nightmare is that if we do this at the W3C, we can publish, listen, learn, discuss, revise, and be global; regulation is not like that, it tends to be publish and walk away.
ifette: But the question is do we need to try to accord DNT to accomodate every law around the world? I don't think that's a good idea, and would be impossible. I want something that protects privacy (reasonably) and is deployable.
... We'll need to country by country anyway. I take that as a given so we don't need to bog the spec down with every possible legal requirement around the world.
<npdoty> ifette: if there are things we can address cheaply, great; if there are things that are common, great
WileyS: Another outcome the press has brought up. The escalating war between publishers and browsers. We'll get to a world of apps. You access content pre-packaged in browsers. Each of those "browsers" control their own interaction with their users.
... I hope we don't get to that.
<npdoty> +1 to WileyS, I think this is an important point on the dangers of back-and-forth escalation
rigo: Quick report from last week's OBA roundtable in Brussels. I positioned DNT as a tool to help you with regulatory compliance. There aren't 27 Robs around the table or 50 Ed Feltens (for the 50 states). A DNT tool can make compliance a lot easier, and the regulators want that too, and is a good outcome.
<BerinSzoka> Shane is exactly right: turning on DNT by default could fundamentally change digital media landscape. everyone hear should read and think carefully about "Opt-In Dystopias" by Betsy masiello & Nick Lundblad http://www.law.ed.ac.uk/ahrc/script-ed/vol7-1/lundblad.asp
rigo: We should adapt the protocol to address some regulatory concenrs.
kimon: Regulators in Brussels stated very clearly that DNT can't fix law, but you should come up with a good technical standard, and we'll take it from there.
<BerinSzoka> but to add to Shane's point, that world may not only be bad in economic terms for the diversity of richness of media, but also for (a) competition and (b) privacy
kimon: Not very helpful to focus on the legal side. This should really be about users --- what will they expect and use. If we offer a simple solution, users will take it and it will work. We need to address user concerns.
... signal from Brussels really is DON'T TRY TO CREATE A LEGAL INSTRUMENT.
BerinSzoka: Briefly, we're talking about a fundamental change in the ecosystem. You should reach Opt-in Dystopias to consider the bad results from this world. This will be bad from competition and also for privacy.
<hwest> If folks haven't seen the Opt-In Dystopias paper Berin is referencing, it's here: http://www.law.ed.ac.uk/ahrc/script-ed/vol7-1/lundblad.asp
BerinSzoka: In this world, users will have to be opting in to a LOT MORE collection of information. Is that really what privacy advocates want? (Also, less information will be available to users).
Marc: Without DNT, much of what we have that works will still be there. There was an AdAge article this weekend that says: "When 3P data goes away, power shifts to those with 1P data." I love my big members with 1P data, but real concerns on pure 3Ps who are at the table and do great things for the ecosystem.
<jmayer> I'd like to hear from OPA and publishers, if they're in the room.
jchester2: The ecosystem has already been changed by real time bidding. We have a huge data collection ecosystem that needs to be addressed. And DNT will help address that. And advocates have made huge concesssions. We need to get privacy off the table for users.
<npdoty> +1 to Marc on the concern for shifting power by company size or by 1st/3rd, we should be cognizant of this
aleecia: So let's stop repeating points. We've talked about walled gardens and paywalls. We've talked about lawsuits and trust issues. We've talked about arms races with cookie blocking. And we've talked about the problems for a lack of standardizatiton.
... We've also talked about increased tracking in an opt-in world. And potential for increased regulation (possibly written by folks without good understanding of technology), And increased regulatory attention in Europe.
... DNT can be a useful tool for compliance in Europe. And we've heard there will be more enforcement in Europe. Some browsers have said they'll do more if no DNT. And other outlets for DNT, possibly through DAA, FTC, or IETF.
ifette: Point of clarification. On your (just made) PPT, you say that DAA will be cookie-based only --- I think that DAA wants to go for a different mechanism if this fails.
FrankWagner: If we have no DNT now, we'll have increased complexity for users.
aleecia: What would opt-in look like for your sites?
<dsinger> I do think that the W3C publish-implement-learn-discuss-revise model is hugely better than slow-moving regulatory model (and, I hope better informed in the first place)
ifette: I asked on the mailing list for good examples of opt-in. I was told about the ICO and the FT. The ICO has no third parties, and the FT has "if you don't like cookies, close this window" and 50 are installed regardless.
aleecia: How do you deal with Euro std if cookies are set before choice? No one has really done this wekk yet.
... Maybe DNT can offer some ease there, if regulators might be OK with that.
Wheeler33: Two points. Publishers make a lot of revenue from third parties. The impact will be felt by 3Ps and the publishers.
... (2) Impact on users. Not clear that users really understand difference between 1P and 3P cookies. Or understand how DNT differentiates.
... There's a belief by users that DNT will make behavioral advertising will go away, and that's wrong. It will still be done, just through 1Ps.
aleecia: You're making a different point. How will it be different if no DNT.
Wheeler33: Without DNT, the money will flow better.
aleecia: That's not clear for all the reasons we've just heard.
Wheeler33: That's my answer
... AND, not clear that if this really does work, users will be confused because they don't get 1P v 3P.
<BerinSzoka> To Aleecia: I think there are actually three scenarios we need to be talking about here: (i) DNT premised on the default-off consensus of this group, (ii) DNT that is coerced to be default-on (what Wheeler is speaking to, and (iii) DNT fails--which likely leads to #2 by legislative or regulatory means
<Chris_IAB> Why is the speaker not allowed to make his position without interruption by the Chair?
aleecia: To be clear, we're talking about : "In a world . . . without Do Not Track"
jmayer: BT.com has an interesting approach to cookie law. They drop cookies, but then delete immediately if you don't grant consent. Some regulators might be OK with that.
... Want to address the economic issues. You're right that 1P and 3P is blurred. The economic impact --- not clear who will suffer. But we can be clear that 1Ps will *really* suffer with AdBlock because with technical solutions, all ads are blocked regardless of party status.
<sidstamm> Chris_IAB, he was making a point relevant to what happens if DNT *does* exist, which is not the scenario we're discussing. The speaker was allowed to make his point relevant to the scenario after the intteruption
BerinSzoka: I like Wheeler33's comments. Options are (1) DNT on when default is off, (2) this group breaks down, or (3) DNT on by default. I'm concerned about this last scenario when DNT-on is coerced by Hill or FTC which is different than contemplated by this group. This group needs to stay on track to keep DNT off by default.
<Chris_IAB> sidstamm, it doesn't matter what his point was, it's that he get's to state it without interruption...
aleecia: To be clear, the group isn't saying DNT off by default, it's DNT is *not set* by default.
... (tiredly) anyone else on this?
<BerinSzoka> I take Aleecia's point, but I don't see how it changes what I said
<jmayer> A few asked for a pointer to my paper on third-party tracking (including some economic analysis). See https://www.stanford.edu/~jmayer/papers/trackingsurvey12.pdf.
<Chris_IAB> let's not get into a semantics war here
rigo: We are all working on the assumption that no one ever changes their browser. But IAB Europe put out a very interesting poll saying that 56% of Euro users delete all their cookies once a month.
<npdoty> BerinSzoka, I think Aleecia was just clarifying; it might help us in the press to clarify that the default question is not a default to tracking, but a default to no preference
<justin_> But that could just be anti-virus, yes?
aleecia: not really on point.
<Chris_IAB> I think the gentleman was quite clear actually
<asoltani> +1
<Wheeler33> The w3c solution MUST reflect user preference - without DNT user preference remains with the users
<sidstamm> +1 to "more pressure for better cookie management tools if no DNT" from WileyS
WileyS: Another option could be better cookie management tools from the browsers. Especially in Europe to deal with cookie directive.
JC: Disagree with WileyS. Cookies don't work. Need to look at non-cookie options.
WileyS: We're talking past each other. Rigo's point is more that you may not need DNT since people delete cookies.
<Wheeler33> agree - OBA cookie targeting effectiveness drops off a cliff after 30 days
Brooks: To rigo's point, the presumption isn't that tools aren't being used, because without DNT people are finding way to express choice today.
asoltanti: One more observation: one of the benefits of DNT is innovations of tracking will be more accepted.
<Wheeler33> if there were standards for cookie deletion after a certain time period - would we need DNT?
<rigo> WileyS, that's actually not what I meant. I meant that people make a choice if we give them a tool to do that
asoltanti: Because there will be cross-technology express of preference, new technologies in innovation might be more accepted where DNT off on exception is granted.
<jmayer> I completely agree with Ashkan's point. In other words, in a world without Do Not Track, new tracking technologies continue to result in public debacles.
* aleecia notes that asoltani is a disembodied voice from the ceiling
aleecia: Different people have different concerns. Some OBA companies may not want DNT at all, which is understandable from their perspective. Europe has a particular perspective that we should take into account, though recognie ifette's point that we can't accomodate all legal frameworks.
... so what happens if we leave here without an agreement? This discussion continues in other forums. We'd do a better job dealing with the issues here rather than fighting on Capitol Hill for the next year and half. Not fun <laughter>
... So what are our options now?
... We had 5 proposals in DC. We whittled them in DC to 2. We've whittled both closer together, but several people are unsatisfied with both.
aleecia: We could write up both in standards fashion, and get comments on both and then adopt the least objectionable. That's not a great result, but that's the default of where we go to.
<npdoty> aleecia: that is the default, but not an attractive option
aleecia: Or we could pick one. Or we could come up with new ones. Or we could go back to other options that sound better now.
... Or we could fail.
... So what should we be doing?
... Looking for guidance from people who aren't proposal authors?
Chris_IAB: I propose that if we want a solution that includes 90+% adoption, we go with WileyS's proposal. It's realistic and based on lots of years of learning and industry experience.
<npdoty> adoption immediately, i.e. in the next couple months
Chris_IAB: It's realistically implementable by industry.
<BerinSzoka> Maybe we should make like the French Revolution and re-seat after lunch according to which side of the aisle we're on: Shane or Jonathan!
jchester2: There is movement here, There is an understanding that things have to move. Consumers have moved a lot. On 1Ps, we've moved. On defaults, we've made concession. Or logging protocol data, we've moved. And I acknowledge that industry has moved too.
<hwest> I think it's important to simply accept that everyone has made significant progress and concessions
<sidstamm> hwest, +1
<robsherman> +1
aleecia: I'm reading that as support for the idea of continuing to move toward each other.
<efelten> So let's figure out how to close the remaining gap.
dwainberg: As a distant observer, the group has gotten a bit into the weeds. Rather than horsetrade, we should back up and understand the bigger picture and go from there. And we need to consider the possible unintended consequences.
<Zakim> npdoty, you wanted to ask about adoption timing
<Chris_IAB> to clarify the comment that was made after my statement, IAB was not listed as an author on Shane's proposal, but I personally support it
npdoty: Want to follow up on Chris_IAB's point. And the question of how fast adoption will happen. We need to consider adoption rate, and how fast we want to move. Do we want to phase some parts in?
aleecia: Maybe you were suggesting that a phased proposal is the way to go. Phase 1 then Phase 2, etc if they would faciliate compromise.
tl: Don't want phased proposal. If folks lag on implementation we have option options as browser (duh-duh-DUH)
<Chris_IAB> I like the "let's get out of the weeds and see the forrest statement"-- Shane's proposal will likely have 90+% industry adoption in no time. Are we here to get a "DNT win" or are we here to keep hashing something out until we ultimately kill it?
jmayer: I want to second the phasing point. To the extent that comlanies are going to have to implement new tech, totally reasonable to giving cos some grace period to implement if that narrows the gap.
aleecia: This was discussed on a call and industry didn't really want that approach.
<Chris_IAB> see the forest guys...
erikn: What should we do next? We should focus on text. Talking in abstract not terribly helpful.
<justin_> +1 to erikn
<jmayer> I've had more conversations with ad companies than I can remember; some really wanted phase-in, others didn't. Mixed response.
erikn: Going through the points will help move us toward the center.
rvaneijk: The proposal I have is to focus on added value of DNT. The WileyS proposal just reflects a lot of what the DAA has already done. Starting at Do Not Target doesn't really focus on the added value of Do Not Track.
... We need something extra from this process, not just existing self-reg.
hwest: On phase in, phase out, we can't decide that until we know what spec means.
WileyS: I see the counterproposal from EFF as aspirational. I don't disagree with their aims, but will require significant cost and time to get there. We should agree on what we can do now NOW and then work on technical, standardized approach to dealing with the other aspirations in EFF/Stanford/Moz proposal.
... We should immediately begin working on those issues, and one day they could become the DNT standard. But technology isn't there yet.
<hwest> I don't think that's reflective of industry
aleecia: So you see your proposal as Phase 1 and EFF proposal at Phase 2 but with no time limit?
<hwest> In terms of phase one/two and the two proposals
<npdoty> WileyS: we could, suggesting a second round of this Working Group
<npdoty> <laughter> on "job security"
<BerinSzoka> I'd say this is more like Job than a job
WileyS: Yes, there's no planned Phase 2 for this group, but we should have one. Job security <laughter except from aleecia>
aleecia: We could have two standards that come out of this group.
WileyS: I strongly disagree with THAT. Would be too confusing.
aleecia: How is that not what you just said?
WileyS: It's not responsible to put out the EFF proposal as a standard right now.
... Too many blanks to be filled in at a future data. Can't reach those aspirational goals today. Two standards might be worse than none.
... And eventually that proposal could supplant the interim (?) WileyS proposal?
aleecia: So what you're saying is you like the direction of Jonathan's proposal, but it's not baked yet?
<npdoty> supplant the original DNT, rather than "interim"
WileyS: I don't think it's achievable yet?
npdoty: Could we bridge the proposal with MUST/SHOULD language?
<Zakim> npdoty, you wanted to comment on MUST/SHOULD, or iterations
<justin_> I don't think advocates would be comfortable with that.
<rigo> avk ifette
ifette: SHOULDs are problematic in the spec. SHOULDs may create unreasonable expectations from users and regulators. I'd like a spec with all MUSTs.
<npdoty> I do recognize the concern about SHOULDs, I was only proposing it because maybe it could be an attempt at a middle ground
<npdoty> ... and give people a direction/confidence in a future iteration
rigo: I don't think a version 1 debate will spare us from testing out the pain points of how far industry is willing to go today. Also, big issue of trust --- will industry come back to the room for a rematch?
... But that said, it's a valid option.
<johnsimpson> I agree with Ian. Specs should be musts. Where I suspect we disagree is what the musts should be..
<WileyS> Fair - amend proposal to "MUST" from Industry proposals and "MAY" for advocate proposal
<Chris_IAB> how about we get a balanced v.1 spec out, see if it works, and go from there?
<Chris_IAB> iterative work
<Chris_IAB> seems rather agile, actually
ifette: As far as a version 2, would be better to circle back. My reading of jmayer et al proposal is "We don't want 3Ps to have a record of your browsing activity." But industry approach is: "We charge based on impressions, and that valid business model can be done without violating privacy."
... We need to find a way to charge people while protecting privacy. jmayer may point to papers, but I think more research and testing needs to be done to make sure CPM (etc) model can be done with privacy respected but without rampant click fraud, etc.
aleecia: We could have two last call docs, first the WileyS approach, and second the jmayer proposal that folks will have to get to eventually (?)
<npdoty> ifette: wait for a certain successful deployment of a technique, and only then standardize that as an additional version [am I capturing that right?]
aleecia: that's in line with what you propose, to spend more time on the jmayer proposal but to implement what can be done today TODAY
ifette: I want to make sure that jmayer approach is implementable before we put it in Last Call.
... I can't vote yes on a LC until I know it's implementable. That's my bottom line.
<hwest> Last call should not be fragmented, IMHO
SusanIsrael: I agree with that. We should implement what we can now while commiting to work on the harder options. But it's somewhat unclear, which is why we can't put in a LC document today. But would like to have a commitment to work on another LC later.
<Simon> Speaking from experience (CableLabs has put out alot of succesful specs) any spec will need revision as technology changes. Need to get something out that can be used now.
tl: Let's presume the only thing we're concerned about in 3Ps having total view into browsing activities. If they can do what they want to do without that, great. But if they can't, those are illegitimate business models. (Don't want to bless short-term?)
<npdoty> susanisrael, I'm curious how we could phrase those commitments
jmayer: This may be soundly rejected. But it may be worth it to have a very difficult conversation on PETs. It will be very technical and uncomfortable, but there are some wonderful technical people in this room who can chart a way to move the ball forward.
aleecia: Yeah, we often do that, are we usually disagree. So that gives me pause.
Arvind: The researchers have done all the necessary research to find privacy-protective ways to achieve your business models. But just saying "Hey, we need new research."
... isn't fair.
<npdoty> are there ways to encourage iterations to move forward without waiting for a new standardization effort? could we say "best available and feasible efforts"?
Alan: Not saying that we need new research. Question about whether Google, Yahoo!, etc can implement. But concerned about two standards. If we have two, regulators are going to want to require Version 2 right away.
... Unless we bend over backward to say that Version 2 is not implementable today (which some would object to!) concern with two different standards.
Chris_IAB: Clarifying earlier statement. Want to be clear that we can't boil the ocean. Over the last two years, I've created technical spec with IAB. Any company that subscribes to agile development would say let's put out now what works, test, iterate, and then evolve the spec.
... That's how it works on the industry side, and by and large, everyone has over time adopted v1, v2, v3, etc.
... By boiling the ocean, you stop something from getting to consumers. Getting something workable today is a win for DNT and advocates. We'll find out from v1 if we need to do more.
... If there are complaints, then we start a new working group.
<npdoty> is there a clear way for us to determine exactly how many complaints are necessary to support a new iteration?
jchester2: I appreciate what WileyS and ifette are saying, it just won't work to have a phased-in approach. Regulators and advocates want a reasonable standard TODAY. Industry approach as is is unacceptable. Let's get the proposals closer together and continue to evolve.
... Won't be acceptable to say "let's do an OK approach and then wait ten years and fix later."
<Snarky cross-talk>
<jmayer> Chris_IAB, it's hard to focus on the conversation when you keep interrupting. Could you please add yourself to the queue?
aleecia: Why aren't we just putting the two docs out for vetting? Because both are objectionable to a large swath of folks.
... Has anyone moved from "Can't live with" to "Can live with" on either of these proposals?
<Chris_IAB> jmayer, sorry, I was following your previous examples :)
aleecia: No one seems to have moved.
<npdoty> "easier to live with"
<Chris_IAB> but in any case, I believe the scribe got it right here, so go ahead and read up
aleecia: We are still in the world of pain. If we flip a coin, either way we lose. And we've received feedback from regulators around that world that industry proposal is not sufficient.
<npdoty> I'm also in the category of not being familiar with all the details of latest proposal from Shane
aleecia: And we've had feedback from jmayer standard that current proposal is not implementable.
... So we fifteen minutes. No one has any bright ideas.
<justin_> Why not Zoidberg? (CDT proposal)
<npdoty> justin, maybe we could do a comparison or merge of the CDT proposal with the latest from Shane et al. and Jonathan et al.?
rigo: There are some pain points. The pain points are not as bad as some might have us believe. Seeing the differences in details will help advance us significantly
BerinSzoka: No cost opt-outs don't scale.
... It seems to be that we are all here because we've assumed that we're assuming a certain low opt-in-to-DNT threshold.
aleecia: scolding BerinSzoka for not staying on topic.
hwest: A lot of us have a problem with multiple LC docs. We very much don't want a fragmented approach, and that's what two LCs does.
aleecia: Does anyone really want multiple LC docs? (No one raises hand)
efelten: We only get ONE bite at this apple. When we get a consensus proposals, then all the forces we talked about earlier come into play.
... Echoes erikn's point that we need to focus on text.
... Let's talk through nuts and bolts and stop claiming "everyone want this" and "no one wants that"
<james> +1
<npdoty> efelten: a focus on text
asoltani: Echo idea that merging the proposals is the best way to go given the political pressure.
... Maybe we should have DNT-beta --- you can respect one of two proposals. Let consumers opt for which one they want. We'll then have metrics as to what people want. It's a little bit complicated, and not necessarily the right idea, but could work as a back-up plan
<rigo> +1 to ashkan, W3C can organize joint development around DNT v.2 Beta if this has sufficient support
<WileyS> Wasteful suggestion - doubles implementation overhead
<hwest> Let's focus on moving forward instead of the "what if it doesn't work" ideas
aleecia: And of course, you might see different treatment of users, because users might see firewalls, paywall, etc. So not a survey but test of different implementations.
<justin_> +1 to WileyS on this point!
<rvaneijk> I rather see one DNT than forked versions.
aleecia: This testing assumes that good data would actually change anyone's mind!
<sidstamm> +1 hwest ... phased deployment and versioning adds confusion and implementation overhead
rigo: W3C can organize this testing.
<npdoty> I think Ashkan was talking about not getting behaviorally targeted ads, like "Do Not Target"
ifette: I understand asoltani's basic point. But I don't think that anyone in this group would be willing to offer and support a "Do Not Advertise To" signal and continued to offer free content. Users need to see consequences.
<asoltani> clarification: DNT:0 = unset, DNT:1 = shane's proposal , DNT:2 = eff/mozilla
<asoltani> if many people send DNT:2 but sites only support DNT:1, then we need to revisit
ifette: Key point: Don't see how we can implement jmayer's approach without significant hit to revenue. Until we get to the point that we're comfortable with understanding the economic impact, you won't see implementation.
<npdoty> 'until we actually get to the point where people are confident on the effect (in terms of revenue) they aren't going to implement'
<sidstamm> asoltani, how do users express consent for tracking (as per each proposal)? negative numbers?
ifette: The industry proposal, we understand what we think the impact is going to be. Not knowing the impact is holding back the jmayer proposal?
aleecia: So what do you propose to get industry to get data?
<npdoty> ifette: need to be able to show the impact of a proposal, details on data
ifette: Get a big third party to implement it and publish the results.
<BerinSzoka> Well said, Ian. When I said that "No Cost Opt-Outs Don't Scale," this is precisely what I was talking about: not just the default question but also the question of users making choices that don't reflect real-world tradeoffs inherent in exercising DNT
<asoltani> sid, settings needs to have 4 states. unset, allow tracking, opt-out of targeting, opt-out of collection
ifette: jmayer keeps saying that client-side scales. Google has bought companies who had this business model AND IT DIDN'T SCALE. We've really tried. So this is why I'm skeptical. I understand aleecia's desire to move forward, but we have no data points to say how jmayer model will work.
aleecia: But none of this has seen proven data point that this will work.
<rigo> I think W3C can offer a framework and platform to test out stuff, organize research, help with acquiring funding for advanced development and test things out
<sidstamm> asoltani, thanks
aleecia: we're low on time. If you have a new point, then you can talk.
<susanisrael> +1
<hwest> +1 - this will be an iterative process if it's going to succeed
Alan: Not sure we only have one bite at the apple. We may be able to finesse this to allow iterative approach that satisfies everyone.
<rigo> kind of stable + unstable approach and moving
tlr: Timing is slipping --- need to figure out what to do about charter.
<susanisrael> my +1 was to the idea that this will be an iterative process. That was my point rather than the fact that only one proposal is acceptable. Let's work through text, do what we can agree on, and agree to keep iterating
tlr: Current working assumption is that at some point we'll announce an extension of the charter without a change to the scope of the charter.
<jmayer> Thanks for taking great notes justin!
tlr: If there are changes to the scope that people think are important or desirable, come talk to me.
... Enjoy your lunch.
<BerinSzoka> drinks tonight: Tracktinis for all!
<aleecia> Time to get started again...
<npdoty> scribenick: jmayer
aleecia: talking about user agents
... talked before, day before microsoft announcement
... mostly about anti-virus software now
... some language in TPE, not Compliance
... looking at a couple issues
npdoty: new members, here's how to join irc
aleecia: thanks
... help available if you need it
... back to issues
... talking about ISSUE-150
... start there
<aleecia> A given device may have multiple sources of user preferences, for example a browser could have a DNT user setting, plus an add-on or plug-in could have a DNT user setting. One DNT choice must be sent. We do not specify how conflicts are resolved.
aleecia: decision that while there might be conflicting user choices on a device (e.g. browser + plugin/addon), leave it to those sources of preference to resolve
... language pasted in irc
... looking to get consensus, hear dissent
tl: middle part should not be normative
aleecia: move to example section?
tl: ok
aleecia: npdoty is editing in realtime
... proposal: new paragraph with former middle part, example section
dwainberg: doesn't this interact with the defaults discussion?
aleecia: yes, for example, if mozilla doesn't have DNT on by default and a plugin does, they have to reconcile
... could imagine the same by IE
... up to user agents to resolve conflicts
... in other words, it's related to defaults, but a separate discussion
<cross-talk managing queue>
<bryan> Re "One DNT choice must be sent", does that mean any and all Web user agents (any Web-enabled application) must send the same value for a particular default or domain? Multiple UAs/apps in a single device would need system-level support for that. Any device that did not provide such support would be inherently non-compliant. Is that what is intended?
bryan: asking question pasted in irc
aleecia: how about rephrasing, you must not send more than one DNT value per request
bryan: to be clear, we're not saying every user agent / app has to have the same setting
aleecia: right
<dwainberg> Would a program setting DNT outside the UA, e.g. injecting into the http request, be an "intermediary"?
hwest: concerned about a different issue
... but related to defaults
... if this is just about sending only one value per request, ok
aleecia: ok, yep, seemed an easy point of consensus
<erikn> ISSUE-150?
<trackbot> ISSUE-150 -- DNT conflicts from multiple user agents -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/150
ifette: what about identifying who set the preferences?
aleecia: that's ISSUE-143, a separate discussion
ifette: less fine with this if information about attribution isn't there
tl: don't like notion of attribution, adding lots of information to user-agent
aleecia: again, ISSUE-143, another conversation
... group ok with text?
<crickets>
aleecia: moving on to ISSUE-149
<hwest> I think the group will need to confirm that we're ok with that text once we address 143
aleecia: roy added language about on vs. off vs. unset
<hober> ISSUE-149?
<trackbot> ISSUE-149 -- Compliance section for user agents -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/149
aleecia: section 3 in tpe, determining user preference
... comments?
<rigo> scribenick: rigo
<scribe> scribe: rigo
hwest: two choices may not be sufficient. Alternative to unset or only two
AM: minimum of two is currently in the spec
HW: we have an open issue on that. Not fixed yet
AM: show of hands of
Roy: this is what the choice that is offered to the user
MTS: questions: Does not allow for a german user "an" "aus"? and a tool that only send DNT:1
... so even a tool that only sends DNT:1 must be able to be switched off
npdoty: even with the current text that would require at least on and off
jmayer: does that mean that uninstall is sufficient?
<jmayer> Or if the browser offers a "Disable" option, is that enough?
HW: DNT should fully implement the Specification
AM: is it sufficient to remove tool
HW: no
<asoltani> what if the notice is in the privacy policy?
<justin> That's not in the spec yet.
<asoltani> in for example, http://www.google.com/policies/privacy/
<jmayer> I think this conversation is conflating different issues: notice, defaults, choices, ...
adrianba: 1/ lot of discussion about tools and add-ins. user agent has the collective thing that user uses, including all plugins
2/ spec talks about the ua have to offer choices, but offer is not defined (how choices are offered is out of scope).
jmayer: language proposal: instead of offer (user agent has to do something) "a user must be reasonably able to ". Any tool must be able to put the user in one of those states
MTS likes this
<justin> hwest, can you elaborate why we should prescribe that a privacy-protective add-on must be able to send DNT:0? What's the point?
tl: dislike this. If I have my add-on to only should send DNT:1.
<justin> That's totally fine.
<justin> I have no problem with a DNT:0 add-on that doesn't send DNT:1
<justin> If it's installed deceptively, I am comfortable informing the FTC about this add-on.
<tl> justin +1
aleecia: would you be comfortable having an add-on that only makes DNT:0 headers?
tl: yes
<adrianba> If the user can turn off an add-on in their user agent then the user agent (as a whole) offers a way of turning the signal off
<WileyS> Ian made my point (individual vs. collective)
<hwest> justin, it's the DNT0 plugin example - would you be ok with that? What if it's loaded without user interaction?
<justin> hwest, yes I'm fine with a DNT:0 plugin.
ifette: agree with Jonathan (laughter). User must be able to express on off or unset. If we look at individual tool than must be able to express all. If the entire environment (adrianb's point) than should be sufficient
<justin> If it's loaded without user interaction, I look forward to the cy pres award funding my work for the next several years.
erikn: does DNT:0 have to be supported?
AM: what requirements on what you want send, what is the minimum bar we have
<npdoty> can we just delete the whole paragraph? user choice requirement is present above
hober: does a UA have to do 3 options, that is distinct from the UI question of how to present that. People are concerned about limitations on UI to must be able to express 3 states
<BerinSzoka> I just wanted to know how this conversation intersects with negotiations between sites and users
tl: some UA like tor browser -> defaults on high privacy. tor - browser will not offer dnt:0. Should they be non-compliant
<BerinSzoka> might sites offer plugins to turn off DNT:1, for example?
<justin> This seems like a different point.
jmayer: practical impacts 1/ if we set must on DNT:0 every single implementation is non compliant
... 2/ there is a UI implication, you have to have a choice
<erikn> (a choice that can't be a checkbox)
<BerinSzoka> my question simply put: It's important to me that we don't do anything to thwart negotiations between sites and users because, as I said before, no-cost opt-outs don't scale. So my specific question is: Might sites offer plugins to users as an easy way of either turning off DNT:1 OR creating an exception for their site/network as a quid pro quo to gain access to content?
<justin> I don't think anyone is saying that DNT:0 needs to be presented clearly and prominently --- just that it needs to available.
jmayer: 3/ same sementics could be done out of band
<justin> BerinSzoka, plugins aren't how sites will do negotiation. We have separate mechansisms for allowing the negotiation you're discussing (in-band and out-of-band consent).
<justin> BerinSzoka, I mean, they can require a plug-in if they want to, but there are easier ways.
rigo: need for on off unset needed for consent. Also the ecosystem is a bundle with the 3 options
<justin> I would strongly object to saying that DNT:0 must be as prominently offered as DNT:1
ifette: good to have concerns, but requirement is limiting to the point that a user shouldn't be forced to uninstall, symmetry of turning on and off being equally painful or easy
brooks: AVG and so on: none of those are UAs, so should we accommodate. "Able to do HTTP request".
AM: how does that affect
<npdoty> Ian, is this what you're talking about?
<npdoty> A user agent MUST make it equally easy to configure their agent to each of a minimum of {two|three} choices for a Do Not Track preference.
brooks: AVG is just changing an entry in the registry, not issuing HTTP request
aleecia: different issue that we take differently?
brooks: it is bundled
aleecia: re-defining user agent is not next 15 min
rigo: tie it to ISSUE-151 because it also requires exception mechanism to be present
<npdoty> ISSUE: what are the implications on software that changes requests but does not necessarily initiate them?
<trackbot> Created ISSUE-153 - What are the implications on software that changes requests but does not necessarily initiate them? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/153/edit .
AM: tools that change settings, but do not issue HTTP requests
adrianba: I disagree that symmetry of UI is necessary. I think how options are offered to a user is up to the user agent. Products should be free to compete on this basis.
dwainberg: are we in issue freeze?
aleecia: only at last call
... 1/ on off unset
2/ implicit on off by uninstall
3/ on off unset per entire system
aleecia: started with 2 options, nobody supported that
so opposition between one option and three options
<npdoty> adrianba, was your point that we could leave this paragraph out and leave it up to the UA?
4/ need on and off and unset and same level of effort to set on, off or unset
<justin> ifette, So on the symmetry point, you think we should prescribe that upon install (or in settings), everyone would need to offer equally weighted options for "do you want to tell websites not to track me" and "alternatively, do you want to tell websites they can track you all the time"? We want to put that in the spec?
Chris_IAB: question to tl: What exactly is the problem with disabling the feature. What is the rationale not being able to set off
tl: we should not increase complexity of simple tools
... browser add on will just turn on DNT:1
<bryan> what is being referred to as "the whole ecosystem"? if by this it's meant (as Rigo suggested) that a system-level setting MUST be provided for all user agents on the device, that is *possible* but is unlikely to be *enforceable* given the diversity of devices, UA types, and Internet software stacks.
<aleecia> queue closed
<npdoty> does "Keep My Opt Outs" satisfy the principle of user choice?
<BerinSzoka> but here's my question: What happens when a user running the DNT:1 plugin tries to negotiate with a site to get access to content? Will the user have to remove that plugin on his own before getting access?
<BerinSzoka> if so, won't that frustrate negotiation?
<hwest> Nick, no, Keep My Opt Outs is a blunt tool - my understanding of this working group was to have a more effective, nuanced tool rather than a blunt object a la existing tools
<justin> BerizSzoka, no
<BerinSzoka> I ask in ignorance
<BerinSzoka> how would this work?
<BerinSzoka> would the exception negotiated by the site simply supersede the general preference set by the plugin?
<justin> BerinSzoka, The industry proposal requires that UAs need to be able to handle exceptions.
<BerinSzoka> ok, so to respond to Tom: the plugin wouldn't "just" set DNT:1; it would also have to allow exceptions
aleecia: bryan wants to have a setting per user agent, not per device
<BerinSzoka> right?
ifette: should not be limited to DNT:1 tools.
<tl> BerinSzoka: Yes. Add-ons can break things. If I installed an add-on that disables cookies, that would likewise break things. I don't think sites should be able to ignore preferences that come from simple tools.
aleecia: 1/ user agent must be able to do one choice
<justin> BerinSzoka, I think tl's assumption is that the browser will be able to handle the exceptions. I do not believe that the advocate proposal requires dealing with exceptions.
aleecia: 2/ three choices on, off, unset
<tl> Also, I am not in favor of the industry proposal.
aleecia: 3/ 3 choices with equal effort of setting of all
<BerinSzoka> so, Tom, just to make sure I understand clearly: you envision plugins that would make negotiation impossible because they couldn't process exceptions? the user's only recourse would be to uninstall the plugin that "breaks things?"
tl: only signal on the wire
... should not specify user must configure. Signal means the user has made a choice if you see the signal
... nothing represents my opinion, not the first
<bryan> +1 to Tom's suggestion: we should talk about expressions over the wire and not how they have to be manageable in UAs
tl: would delete the sentence. Must reflect the users choice ... and no sentence on offer choice
dwainberg: where do we make that choice? OS, UA, ecosystems
aleecia: we talked about plugins, user agents
... something that can change the value of an HTTP request is one issue
dwainberg: want to get that first
aleecia: will re-open later
<susanisrael> sorry if this is resolved, but to the point david is making, is it possible that different user agents could be treated differently? and have different requirements?
jmayer: question: there me be a substantive difference: around when a browser claims compliance with the spec, we want at minimum to express DNT:1
... difference is that it would be installed and does just that
<hwest> I think this discussion is whether or not we want to have blunt tools or fleshed out tools
aleecia: what is threshold for sufficiency...
<schunter> ian: want to speak?
<bryan> I think the inability to nail down what a user agent is (e.g. in terms of the diversity of ways in which Web-enabled clients can be built and deployed), indicates that the best approach is to remain silent on this UA configuration point.
aleecia: straw poll
for silence: 14 hands
for three choices: 23
<tlr> for rough magnitude, we're fine
for one choice: 14
aleecia: if you can't live with one choice
7 people can not live with silence
16 can not live with 3 choice
aleecia: fairly even split
<justin> And that's not even accounting for required symmetry!
<BerinSzoka> "Do you prefer 2 over 3?" This is like having an argument with your ophthalmologist! "Better 2, or better 3?
<npdoty> ?
<npdoty> ACTION: aleecia to issue a call for objections on symmetry/minimum number of choices [recorded in http://www.w3.org/2012/06/21-dnt-minutes.html#action01]
<trackbot> Created ACTION-214 - Issue a call for objections on symmetry/minimum number of choices [on Aleecia McDonald - due 2012-06-27].
Resolution: MTS and Aleecia will issue a call for objections
=============
aleecia: We had 8 page table and had an incredible amount of agreement
<ifette> ScribeNick: ifette
Aleecia: Back in DC we had lots of tables where people had a lot of agreement, and a few disagreements
... we were going to write this up, Aleecia ended up doing this
... would like to work through this as much as possible, do some live editing
<npdoty> http://w3.org/2011/tracking-protection/drafts/combo-draft.html
Aleecia: and get pieces we appeared to be near consensus to actual consensus
... this "should" be easy
... going to skip to Section 2, information practices for all parties
... going to go through this, please scream/q+ if you want to speak against something
... additional voluntary measures (reads)
... reads 2.2 user permission and consent
<susanisrael> i would like to return to some of these definitions at some point as i believe they are not as precise as intended.
hwest: how granular do you want to get
aleecia: want this to be the language in spec
hwest: well then
... first sentence, consensus was closer to "a party is not bound by these requirements" as opposed to "a party may now do these things"
aleecia: ok
hwest: an out of band consent for option b (just say "an out of band consent")
... we need to be clear/consistent around "consent" vs "choice mechanism"
aleecia: "choice mechanism" will probably cause us less problems
hwest: a party is not bound by these guidelines if a user grants an exception to that party/parties
tl: disagree, out of band consent may not be "please ignore my dnt signal"
hwest: fine with language "as granted by the user"
aleecia: please, IRC
... ya'll (hwest+tl) work on that
rigo: assumes permission and consent, out of band, we have two
<hwest> "A party is not bound by these requirements and guidelines to the extent that a user grants an exception to that party or parties"
rigo: for dnt:0 we have in-band consent
<hwest> tl, does that work for you?
aleecia: you're saying we have a and b but there should also be c
<tl> What's the URI of the doc that npd is editing?
aleecia: i understand
... (third option for you receive dnt:0 not by an exception but because the UA is sending dnt 0)
<justin> tl, http://www.w3.org/2011/tracking-protection/drafts/combo-draft.html
aleecia: thx
... think jmayer next
jmayer: since we're discussing language, don't intend to substantively change meaning but instead clarify
... sites may override dnt preference if they receive explicit informed consnet
... seems contradictory
... propose party may engage in info practices otherwise prohibited by this specification if a) b) c)
npdoty: can I combine with heather's sentence?
aleecia: same idea
<jmayer> Here's what I just read: "A party MAY engage in information practices otherwise prohibited by this recommendation..."
johnsimpson: don't understand MUST vs SHOULD here
... when seeking an exemption, sites MUST communicate these requests clearly
fielding: MUST is a hard requirement, won't occur successfully without this
... SHOULD is MUST unless you have a good reason not to
... read RFC2119
http://www.ietf.org/rfc/rfc2119.txt
scribe: in SHOULD case there may be good exceptions but you don't know them a priori, for MUST you have to list the exceptions apriori
<tl> Everyone should read RFC2119
<tlr> +1 re RFC 2119
<tlr> http://www.ietf.org/rfc/rfc2119.txt
npdoty: reads
<tl> hwest, how about: When a user provides a party or parties with an exception to one or all of these requirements and guidelines, that exception overrides their DNT signal.
schunter: should be more general, through other means
aleecia: oob consent handled in other doc
<justin> As I have noted before, approval of the language around consent for UGEs needs to be dependent upon approval of the language around consent for UAs to set DNT:1 in the first place. The point is worth noting, but I don't want to interrupt the convo . . .
rigo: Matthias says this section doesn't apply, but we then don't get to meaning of dnt0
... may be tweaking necessary
... in another section we may want to define what dnt0 menas
... have to make sure this section doesn't contradict the other one
aleecia: open issue
jmayer: party is not bound by requirements in this section - presumably there are things not just in this section that applies
... anyhow "this section" seems ambiguous
... believe intent is anything prohibited in the doc is now allowed
... haven't discussed level of specificity
aleecia: section -> document
... ?
jmayer: specificity
... "a party is not bound by"
... they are bound, just not required to do so
... document still has force, they just are not required to do certain things
aleecia: text?
<jmayer> resend: "A party MAY engage in information practices otherwise prohibited by this recommendation ..."
ChrisPedigoOPA: section "MUST comply with and align with consumer protection laws..." is problematic
<hwest> jmayer, that's the direction I was going for too, that looks fine
ChrisPedigoOPA: its assumed you will comply with the law
<robsherman> "applicable law"?
ChrisPedigoOPA: when you say operate, rigo can correct but operate is a dicey term in the EU
<efelten> +1 robsherman
aleecia: debated to death around comply with law
... not attempting to get in jurisdiction
... only looking at normative sections
... close on this
<jmayer> The language now only provides exception from "...for All Parties"
<jmayer> Should be broader, right?
aleecia: reads "a party may receive conflciting signals, specific overrides general, ..."
tl: stuff about what should go in the status resource should go in the TPE
aleecia: which sentence
tl: if a party chooses to track based upon... must indicate ... supply a link
aleecia: if a party chooses to track based on prior consent, their response must be as defiend in the TPE etc.
<tlr> +1, don't put normative language about protocol into this spec.
aleecia: just point to the TPE, take out the middle sentence
jmayer: might be two separate issues
... prior consent in mode of you give consent at some point, come back
... some might interpret as "prior consent from before you even turn on DNT"
... and even after you turn on DNT subsequently
... not sure if we have agreement there
... suggest reframe from prior consent to "consent when DNT is on"
aleecia: would add a note here, not to the point of talking about decisions prior to DNT being on
... more complex
... we not spend a whole lot of time here now, note that it's open issue
... this is issue xyz still to be addressed
... final statement in section, oob choice mechanism must satisfy following...
dwainberg: party can get permission to do whatever they want, up to that party and regulators etc to determine if they got appropriate permission
aleecia: general principle that the more granular choice is the one that controls, not the more global one
schunter: if i have a well known uri which says my whole site doesnt do any tracking, and then i have headers that conflict, headers are more specific and take precedence
dwainberg: confusion between technical specificity/generality vs
rigo: the technology actually conveys the semantics
... specific statement by the user
<jmayer> npdoty, are you still workshopping the "A party is not bound..." sentence?
rigo: equally applies that a specific always overrides general
<susanisrael> request for clarification re: prior consent. We tabled this issue, rather than dismissing the possibility of prior consent, correct?
<jmayer> I think both hwest and I were looking for clarifications there.
<npdoty> jmayer, do you have alternatives?
dwainberg: if a party puts up a big consent thing "we want you to consent to do everything"
... that overrides any little granular settings
rigo: other way round
<jmayer> resend x2: "A party MAY engage in information practices otherwise prohibited by this recommendation ...""
aleecia: you're talking about which types of things you might consnet to rather than which parties
<npdoty> "DNT: 1" does not tell you the scope of my permission, does it?
aleecia: written in a way that this might not be clear, that's important
<jmayer> maybe "engage in" -> "conduct"
<npdoty> jmayer, hwest, please duke that out and get back to me
aleecia: need it to be understandable
... specifics about specific parties
<hwest> I actually have a comment on the next piece :)
aleecia: if you are sending a DNT signal to the entire world, that is global, you can have something specific about a given party
<jmayer> hwest, are you good with that language?
<hwest> But can duke out this piece too
aleecia: that thing specific to the given party trumps the generalized signal
npdoty: fact you received dnt1 doesn't imply it's general to whole world
tl: only applies to this network interaction
aleecia: dont have to worry about specific vs general, just say OOB trumps DNT signal
schunter: principle is ok but need to spell out instances
... OOB trumps signal, response header trumps well known URI, etc
<jmayer> hwest, [14:31] <hwest> jmayer, that's the direction I was going for too, that looks fine
schunter: spell it out
<hwest> Yes, that still works, jmayer
aleecia: try for that now
<jmayer> Ok. Nick, please swap it in.
<hwest> But I like the out of band consent trumps general anything language
<jmayer> That seems to be the consensus view.
tl: if i have a bunch of settings on a site, that i dont use regularly but they have widgets all over, nd i get a new browser and i turn on dnt1
... but i haven't gone back to that site to modify the preferences
... think its ok because im setting dnt1
hwest: comment on next piece
susanisrael: quick clarification, earlier we dismissed idea of prior consent
... not asking to talk about now
... but think we tabled issue of prior consent
... that might remain valid despite a later setting
... as opposed to dismissing it
... clarify here
<jmayer> message was that heather agreed
tl: question is if i've gone and opted into xyz or only opted into a couple of things, THEN i turn on dnt1
... and they have added more features since then
... their state about me is incomplete
... would they then assume that the DNT applies only to the things that i've already picked, vs newly added things
<JC> Too complex
tl: or am I opted into things that werent previously options
<Zakim> ifette, you wanted to say if you didnt go back to that site you didn't go log into that site
ifette: you are talking about prior consent, i will hold my comments until then
npdoty: OOB may override an expressed DNT signal, suggesting as replacement for specific overrides general
hwest: can we enumerate "an oob may override a DNT:1 and the other option we put in"
tl: think perfect
fielding: confused
... OOB overrides DNT signal period
... it overrides
<rigo> +1 to Roy
fielding: feel MAY is problematic
aleecia: also feel MAY problematic
... anyone want to fight for MAY?
jmayer: segue
... as we did before, get rid of "override" and say "you MAY do things inconsistent with elsewhere"
hwest: "or you are no longer bound by this signal"
... instead of re-granting permission, say "the requirements in this spec no longer apply" written nicely
jmayer: same fix from above
hwest: similar, yes
fielding: opposite of what i just said
... reason to say OOB overrides DNT is so that a user who has set DNT:1 globally
... has a means of still consenting to the one website they have an interest in having tracking enabled
... if you make taht optional, user can't use OOB to do thayt
jmayer: consent is not "and you must track me down"
tlr: guess wondering where we are
... editors may be in a position to rpoduce a strawman
aleecia: trying to do that
tlr: at a point where discussion is editorial
... let editors do another pass for later review
aleecia: basically happy with this, modulo roy's point
... if we move forward, hwest in queue for next section
hwest: generally when we talk about policy, we dont talk about an ordinary user, we talk about a reasonable user
... is that change OK?
aleecia: fine
hwest: anything else on OOB?
aleecia: great, reasonable user must understand
... skipping next non-normative section
... moving on
<hwest> I do not believe that we had consensus on 2.3 Unidentifiable Data
aleecia: skipped over unidentifiable as we haven't yet gotten consensus here
... will talk about later
... moving to additional requirements based on party status
... pulled out to have informatin practices for first party
... at bottom
... think we can agree on "1st party must not share with 3rd party that 3rd party is prohibited from collecting itself"
... reads
ChrisPedigoOPA: can also cover offline data
<jmayer> While I would prefer some bright-line rules around out-of-band consent, like the EFF/Mozilla/Stanford proposal, I'm willing to compromise on the "reasonable user" approach.
tl: disagree with "if it covers offline that's a problem"
ChrisPedigoOPA: host of case law about offline data
... going back 200 years, publishers have collected information off line about their customers, much case law here, this is out of scope
aleecia: great, next?
<james> out of scope
rigo: have trouble with "receive"
... creates a lot of issues we shouldnt have, what we mean here is collect not receive
aleecia: receive -> collect
robsherman: may be overreading, in which case need clarity, but DNT signal is supposed to be scoped to an interaction, here 1st party must not receive/collect data about a user
... broader than "an http request"
... other users e.g. can post info about you on facebook
... "I'm with Aleecia at MSFT"
... that's not intended to be in scope of this document, e.g. "Nick can't post about her"
... this sentence might imply that
... in my example npdoty is another party. FB cannot receive info from npdoty if aleecia has dnt on
WileyS: our definition of third party excludes users
robsherman: don't think this is intended company is never intended to receive info, e.g. billing relationship
aleecia: billing is outsourcing
... if you can give me problematic example please do
amyc: general observation, don't think we've defined "share" etc
<robsherman> Can someone point me to the definition of "outsource relationship"?
amyc: if we haven't defined key words, we may place obligations on publishers to montior all third parties
<susanisrael> +1 to need to clarify definitions
amyc: look at each verb we use
dwainberg: how do first parties know what third parties are prohibited from receiving
aleecia: from the spec
dwainberg: any third party may have consent
... api or OOB
... first party needs to know
tl: ask third party
<npdoty> A <a>party</a> <dfn title="share">shares</dfn> data if the party enables another party to collect the data.
dwainberg: shouldkn't it be up to third party
... if third party gets info they dont have consent to receive, their job to comply witht he spec
aleecia: coming up on 15h
... 30m break
... piece that came out that we have not taken on as a group is, so far we've been saying "no sharing in and out"
... hearing from chris that's problematic
... barely skimmed the surface
... should capture as a new issue
... more time on this
<jmayer> I thought we had agreement on this principle a long time ago.
ChrisPedigoOPA: have agreed first parties won't share data with third parties
<jmayer> We're technology agnostic -- first parties can't give third parties data they can't collect themselves.
ChrisPedigoOPA: question about bringing in other data to a first party still up for debate
... problem with offline data being covered under this standard
... requiring that a first party can't get data from a third party isn't an issue here
... third parties can't collect the data anyways except for specific conditions
aleecia: not sure if that is the case
ISSUE: Are First parties allowed to use data (either offline or online) from third parties
<trackbot> Created ISSUE-154 - Are First parties allowed to use data (either offline or online) from third parties ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/154/edit .
Brooks: ... to go back to definition of issue
... sharing is a defined term and we're almost contradicting it here
... "cause to receive"
... that is the problem
... if i'm cnn and i put a mazda ad on my site
... brooks drives a mazda, has a mazda cookie, have caused mazda to receive info it shouldnt have
... i dont know what the third party has/knows/doesn't have/know