Tracking Protection Working Group teleconference

11 Jul 2012

See also: IRC log


aleecia, +1.609.981.aaaa, tl, npdoty, +1.202.587.aabb, +1.202.494.aacc, jchester, +1.703.265.aadd, jeffwilson, +1.202.684.aaee, +1.202.587.aaff, jmayer, +1.813.366.aagg, +1.425.269.aahh, +1.919.388.aaii, +49.721.913.74.aajj, +1.415.520.aakk, +1.202.326.aall, Lia, +1.415.520.aamm, +1.703.265.aann, Simon_CableLabs?, dsriedel, KevinT, Peder, dsinger, [Microsoft], +1.714.852.aaoo, +1.202.346.aapp, Joanne, +1.425.269.aaqq, +1.781.472.aarr, justin, +1.813.366.aass, fielding, hefferjr, +1.207.619.aatt, suegl, hwest, dwainberg, alex, vincent, +1.646.666.aauu, +1.425.985.aavv, +1.646.654.aaww, +1.201.723.aaxx, +1.646.654.aayy, SusanIsrael, samsilberman, chapell, +1.408.349.aazz, adrianba, WileyS, eberkower, Chris_IAB?, BrendanIAB?, +1.919.388.bbaa, AnnaLong, [Apple], +1.202.370.bbbb, robsherman, erikn, +1.202.524.bbcc, cblouch, +1.917.318.bbdd, Chris_IAB, Chris_AOL, laurengelman
EdFelten, JCCannon




<trackbot> ACTION-218 -- Nick Doty to write up proposal on issue-112 that we do exceptions based on origin -- due 2012-06-29 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/218

npdoty: overlooked, should be available this week

<fielding> all of mine are +1 week

<laurengelman> i am in the room with Justin

<npdoty> I'll try for faster than +1 week, since I only have one

aleecia: three open actions on fielding


<trackbot> ACTION-209 -- Jonathan Mayer to draft a definition of DNT:0 expression -- issue-148 -- due 2012-06-14 -- CLOSED

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/209


<trackbot> ACTION-224 -- Roy Fielding to ensure that Section 4 reflects the latest DomAPI proposal by Nick -- due 2012-07-01 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/224


<trackbot> ACTION-217 -- Roy Fielding to change text around DNT "on"/"off"/ -- due 2012-06-29 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/217

fielding: not any progress on these issue, well be done next week
... not sure 224 for is it for dsinger ?

<BrendanIAB> +??P5 is BrendanIAB

npdoty: I'll follow up on this issue as it is realted to the JS API


<trackbot> ACTION-221 -- Jonathan Mayer to draft optional version of explicit/explicit exception api -- due 2012-06-29 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/221

jmayer: this end-up being redundant something is in the TPE already

<WileyS> AKA - We've not worked on this ACTION:-)

dsinger: agree this is in the TPE already

<npdoty> jmayer, was this action for explicitly making it an optional method?

aleecia: closing 221 as redundant
... dsinger is doing an independant cnsistency check on TPE


<trackbot> ACTION-170 -- Heather West to provide an alternative approach to well-known URI for resources that are used in both first-party and third-party contexts without changing the resource URI -- due 2012-06-13 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/170

<jmayer> npdoty, think this was focused on the API design

<tl> +1 - has been bypased

hwest: we moved passed that in the discussion we can remove that action

aleecia: close action 170

now looking for unidentifeid people

<aleecia> sorry - talking is still killing me

<eberkower> 646 = eberkower

<eberkower> 646 is eberkower

<Chris_IAB> blocked number

<AnnaLong> 919 is AnnaLong. i lost my connection and i'm dialing back in

Editors review compliance draft

<justin_> Here is the draft: http://www.w3.org/2011/tracking-protection/drafts/EditorsStrawmanComp.html

aleecia: justin will walk through the strawman draft,
... looking for structural problems
... just going the part that have changed

justin_: not updated for a couple of months and now bringing the proposal together
... the doc was chage from HTML to other format so there are some fomrating issue

<aleecia> TODO: editors note note note

justin_: putting it in the right shape
... introduction and scope have not changed at all
... will have to go back and rewrite scope and goals at some point
... user and user agent have not changed
... parties: has changed due to the compromise, agreed in Bellevue that Shane draft will be the base
... but Shane draft was not in that form, so started from jmayer draft

<aleecia> TODO: tagging non-normative sections as such

<fielding> I would really appreciate it if the editors considered comments other than the two diametrically opposite and equally unacceptable proposals.

justin_: notion of affiliate, the link describing the affiliate have to be easily discoverable
... outsourcing should be considered as first parties, if a person is a third aprty under outsourcing provisin, they can act as a first party

<hwest> q+

justin_: agreement on the language of service providers and service providers is good?

<johnsimpson> Roy, do you have specific text to which you are referring?

justin_: or do we want other language propose

<npdoty> fielding, do you think that applies to the party size and outsourcing questions?

fielding: same comment as before: not acceptable

justin_: any alternative or ther option?

fielding: posting on irc

hwest: problem with the language and the specificity

<dwainberg> +q

<jmayer> +q

hwest: number of option has been proposed in bellevye that are simpler
... most people have the same context in their head but the language is not there

<hwest> I think most folks are in the same place in terms of what the language SHOULD say, but I don't think the language in the straw man now reflects that

<aleecia> sorry - jmayer next

<aleecia> agreed, David

<aleecia> this will not be the only opportunity to comment

<jmayer> -q

dwainberg: hope we're not getting in a substantive discussion, we should keep that open

<aleecia> knowing where there are issues is very helpful, though

<dwainberg> agreed, Aleecia. thx.

<npdoty> what I'm hearing: same context in our head, but not set on the language

jmayer: what's overly specific and would ask what's out of sope but that'd be too long

<aleecia> david getting text on that would help

dsinger: party definition: we need to say someting about the responsability following the data

<jmayer> Yep, this is a concern David has frequently expressed that isn't in the draft as an option.

justin_: 3.4 distinction between first and third parties
... what is the first party

<hwest> I have a problem with the first and third party definitions in there right now

justin_: Shane proposal say that the first party is the site you're going too
... we consider several example like multiple first party

<dsinger> an issue we need to grapple with is when 'promotion' happens (from 3rd to 1st party) and whether the two ends agree and notice

justin_: I think there was general agreement that link shortener are not first party

<aleecia> TODO: grep for &emdash; and fix

justin_: concerns about this language?

hwest: it does not make sense to say that first parties have to infer

<fielding> my comments on service providers: http://lists.w3.org/Archives/Public/public-tracking/2012Mar/0001.html

justin_: if there is an alternative

<aleecia> TODO: editors to review Roy's service provider text above

<tl> I think that the infer language has been consensus for a while?

hwest: we could use corporate ownership

<amyc> agree that definition should be objective

justin_: hwest taking an action item on a definition of first/third party

<aleecia> Heather I'm not seeing how ownership solves this, but look forward to seeing what you write

<npdoty> ACTION: heather to propose an alternative definition of first party (based on ownership? alternative to inference?) [recorded in http://www.w3.org/2012/07/11-dnt-minutes.html#action01]

<trackbot> Created ACTION-225 - Propose an alternative definition of first party (based on ownership? alternative to inference?) [on Heather West - due 2012-07-18].

justin_: unlinkable data, I've freezed the two option

<hwest> aleecia, it may be that I'm framing the two definitions differently in my head than others are - but they feel to me like they're not even internally consistent

justin_: one dervied from Shane text, let me know if I'm wrong there
... second option taken from jmayer draft

<aleecia> Perhaps we could add that to the FAQ, actually

justin_: we did not come on an agreement on that yet

<fielding> my detailed comments on outsourcing sections: http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0462.html

justin_: netwrok transcation, transcational data are quite stable definition, no complaint
... what it data collection/view/sahrng and what is tracking
... the use of unique identifier (point of contention) would go there

<aleecia> TODO: definitions of collection, retention, use, sharing, tracking

<npdoty> TODO: use the several definitions of tracking that Roy has extracted

justin_: section 3.10 explicit and informed consent
... when you need the consent to have DNT on in the first place and when you have consent for user granted exception

<npdoty> is there general agreement that this applies both to setting a preference and overriding a preference?

justin_: two options, one from jmayer draft, defined initilaly for UGE but can be used to dnt on as well

<WileyS> Yes - I agree - we can dig that up if needed

<aleecia> if we're doing "choice mechanism" but using it in both places, that may get confused

<aleecia> second option was silence, leave to local law

<aleecia> TODO: David Singer & Shane to work with Justin on alternative text on consent

<WileyS> +q

justin_: compliance broke in three parties

<WileyS> -Q

justin_: first aprty compliance, I don't think this language work but none propose
... anyone else taking an action item on it

<aleecia> TODO: reworking section 4 first party language

justin_: sec 5 user agent compliance
... second paragraph taken from tpe draft
... WileyS had a couple of extra requirement on user agent, reported there
... section 6: third party compliance
... 6.1 not sure there is a consensus

<aleecia> we'd walked through geo-targeting and closed things, then Ian had new suggestions on the mailing list

<WileyS> +q

justin_: consensus on the geolocation ?

<hwest> I know Ian will want to take another look

dwainberg: I'd like to go back and discuss that letter

<tl> Isn't this reopening a closed issue?

WileyS: flag the behavior example and not mix element about other user agent details

justin_: not problem revising that

<aleecia> TODO: revisit invasive behavior example (though yes, this was closed, Shane's point is also reasonable)

justin_: section general agreement depend on the defintion of hat collection is

<aleecia> Tom might work with Justin to find an example we're all clearer about

<WileyS> +q

justin_: "content delivrery that could be conextual" we might want to revisit that

WileyS: content delivrery based on context, we thought it was out of the scope, not confortable to have it in the permitted uses section

<aleecia> TODO: revisit if contextual belongs some place other than permitted use

<jmayer> (This is plainly within scope.)

<aleecia> this suggests collect is data about a user, perhaps

<npdoty> WileyS: could put this in the Collection section, for example [trying to capture the suggestion]

justin_: frequency capping, financial logging and auditing based on WileyS proposal
... issue rasied in bellevue, could a contract llow you to log data forever

<WileyS> I thought we agreed that contracts would NOT trump the standard

<tl> +1 shane

aleecia: much of this could be solved by the third party acting as a first party
... to come back to WileyS point, we agreed that there are exisitng contract that DNT should not trump but DNT should impact future contracts

justin_: sounds liek there is an agreement on that

<aleecia> TODO: for financial logging/ auditing, look to 3rd parties as 3rd parties

justin_: security and fraud prevention, we could had jmayer gratuated response
... debugging, language come from bellevue or WileyS draft

<aleecia> TODO: write down end point in Seattle of existing contracts remain in force, but new contracts to be written with DNT in mind

<susanisrael> susan israel rejoined the call, this time from 202 379 XXXX

<WileyS> Correct

<susanisrael> susan israel is also on the call

<aleecia> confused?

justin_: different opinion: you can use the data avaialble, fear that it would encourage long data retention for other purposes

<aleecia> ok so this is a new use case we haven't explored

fielding: security and fraud prevention is inherently based on a sharing data process (have I capture that correctly?)

<aleecia> TODO: add examples on security without outsourced parties

<fielding> vincent, yes

justin_: 6..2.2 addition requirement from WileyS proposal
... how long do you keep the data and eventually explaining reason, no personalisation of user experience except fro frequency capping
... 6.3 user granted exception, is also in the TPE doc
... 6.3.1 explain interaction with other controls, quite stable

<WileyS> Depends on the consent conveyed by the user in entering the logged in state

<aleecia> We had pretty much deadlock around logged in / logged out, with people to write both sides, and one of those dropped.

justin_: 6.3.2 consent from a login state, have we a consensus on that

<tl> +1 Shane

<npdoty> +1 to dropping this section and relying on the definitions around consent

justin_: 6.4 is a new section

<aleecia> (If we have extra time on this call, which it looks we will, let's come back to 6.3)

<susanisrael> is it possible to repost the link to the document justin is walking through. I apologize, I was not on IRC before.

<npdoty> http://www.w3.org/2011/tracking-protection/drafts/EditorsStrawmanComp.html

<WileyS> Of course, I strongly disagree with option 1 - would you mind moving this to the last option?

justin_: non compliant user agent, first option : if the header is correctly form you have to respect it

<susanisrael> thanks

<aleecia> That sounds like a good solution to me, speaking as me and not as co-chair

justin_: second option, if we can beleive that the user did not set the preference, the party may not respect the request

<justin_> ?

<WileyS> +1 to what David said

justin_: third option, you can do nothing wathsoever

<npdoty> I think we might be able to use the TPE response character for "we have consent"

<WileyS> +q

<aleecia> This is an open issue against TPE

<hwest> Apologies, I'll need to drop in a minute

dsinger: we could be silent on that, and on the TPE describe the response "we're not respecting you're header and here is why"
... that would solve the problem

<aleecia> noted; Heather, let's touch base soon?

<johnsimpson> What was David's suggestion?

<aleecia> David's suggestion was we not have text here in compliance

WileyS: in agreement with david positin, as long as we can inform users that we're not respecting the signal

<jmayer> There's not agreement on this. Move on.

WileyS: it is important to convey that to the user

<Chapell> zakim bbdd is chapell

<aleecia> perhaps some day we'll even have a DNT logo

<WileyS> I thought Issue 65 was closed with a "Yes" response?

justin_: 6.6.1 third party auditing, there was not much there intially

<WileyS> Oops - I meant Issue 93

<johnsimpson> Seems to me if you get a technically valid DNT:1, you've got to honor it.

<fielding> agreed

<WileyS> Disagree John

<npdoty> action-219?

<trackbot> ACTION-219 -- Roy Fielding to add optional audit field array -- due 2012-06-29 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/219

aleecia: about section 6.6.1 we can move that to the TPE
... or we can add a cross reference to the TPE

justin_: ok

<jmayer> +q

<johnsimpson> I know Shane. That's why it's open issue.

justin_: few change should be available on friday, concern can be sent to the lsit

jmayer: different approach on the proposal I worked on about the permitted uses

<aleecia> TODO: change section 6.6.1 3rd party auditing to point to TPE on an array of URIs, likely move it as well

<WileyS> John - If our goal is to have companies implement DNT, forcing them to honor "ANY" DNT:1 signal regardless of compliance with the specification will not be helpful and will likely drive most companies to not implement this version of DNT

jmayer: unlinkable data has broader exception, we could add something to limit the use of these data (is that correct jmayer? )

<jmayer> s/about permitted uses/about permitted uses, please add an option/

<Chris_IAB> any news about the next face-to-face?

aleecia: come back to the login/logout state
... about the f2f couple of options, doodle poll at the end of this week or next week

<npdoty> also feel free to follow up with me via email re: charter

aleecia: rechartering discussion are happening, contact thomas for furhter info
... npdoty could you explain your suggestion

npdoty: we could remove the section about login/logout and just refer to the consent

<justin_> How about just an example where someone gets consent through a login process?

<dsinger> I think this is covered by the needing explicit/separate/informed consent. I think logged-in/out implying consent to track is roughly in the same state as the argument over UA defaults. Unless the service's primary purpose and explicit function is to track logged-in users (my example of TrackMyReading.com), it's not OK.

dsinger: I think this is covered by the consent section

<Chris_IAB> how do you define what an explicit service for privacy David?

aleecia: my concern is that people who read the doc may not know that login/logout case is covered by the consent section

<dsinger> to Chris_IAB - an explicit servce for *tracking*" is the example

aleecia: agreement on that, it should be in the next draft

<Chris_IAB> dsinger, I'm not sure I understand, sorry.

<npdoty> TODO: aleecia suggests that we just make logged-in a section in consent with an example, and point to it elsewhere

<aleecia> And sorry again for being quiet / sick

<tl> aleecia Sorry that we're making you sick.

<Chris_IAB> dsinger, my concern is that the definition of "an explicit service" can be left to gray area, and thus open for 'interesting' interpretation...

<dsinger> Chris_IAB: yes, quite. But I don't know how to do better - I am open to conversation. It's one of those tricky edge-cases.

<aleecia> Chris, we also need to work that out for UAs

<aleecia> We have people reading the text and coming to different views on anti-virus software

<aleecia> Whatever you think the answer *should* be there, I think we can all agree we ought at least be clear enough that people walk away thinking the same thing

<aleecia> Same idea for explicit service

<Chris_IAB> dsinger, fair enough. Let's work on it together... I think it's unavoidable to make clear and hard-line definitions when it comes to compliancy.

Summary of Action Items

[NEW] ACTION: heather to propose an alternative definition of first party (based on ownership? alternative to inference?) [recorded in http://www.w3.org/2012/07/11-dnt-minutes.html#action01]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2012/07/25 08:13:50 $