W3C

- DRAFT -

25 Jul 2012

See also: IRC log

Attendees

Present
npdoty, aleecia, +1.646.654.aaaa, +1.646.654.aabb, eberkower, +1.202.370.aacc, robsherman, ifette, Joanne, AnnaLong, sidstamm, jeffwilson, jchester2, +1.678.580.aadd, +1.202.695.aaee, vinay, jmayer, dwainberg, dsinger, +1.202.403.aaff, Lia, ChrisPedigoOPA, alex, +49.721.91.aagg, dsriedel, Chris_IAB, +1.813.366.aahh, justin, tl, hwest, fielding, +1.206.658.aaii, BrendanIAB?, adrianba, +1.508.655.aajj, +1.206.369.aakk, tedleung, johnsimpson, rvaneijk, brooks, Nielsen, amyc, suegl, Henry_CBS, Peder, +1.202.326.aall, vincent, [GVoice], +1.703.438.aamm, +1.727.686.aann
Regrets
EdFelten, susanisrael, WileyS
Chair
aleecia
Scribe
Joanne, npdoty, hwest

<aleecia> Thank you for muting.

<eberkower> 646 654 aaaa = eberkower

<eberkower> ok great

<eberkower> thanks!

<ifette> tlr, is it bad that I instinctively typed 97294 as the conference code?

<aleecia> I doubt he's reading :-)

<ifette> aleecia, you should remember that one though :)

<tlr> ifette, arrrrrrrrrrrrrrrrgh

<ifette> or did you escape WSC?

<aleecia> I did

<ifette> oh man, missing out :)

<aleecia> Noted, thanks Shane

<ifette> Regrets, need to leave 1/2hr early

<npdoty> scribenick: Joanne

<Chris_IAB> just joined via Skype

<aleecia> https://www.w3.org/2011/tracking-protection/track/actions/overdue?sort=owner

Aleecia: looking at overdue action items

<justin> npdoty, Yes.

<aleecia> action-216?

<trackbot> ACTION-216 -- Brooks Dobbs to draft tentative agreement on financial reporting breakout discussion -- due 2012-06-28 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/216

Aleecia: Action 216 for Brooks

Brooks: went to mailing list

Aleecia: will edit action item
... edit break session

Brooks: tainted recap of break session good starting point for discussion

<aleecia> action-213?

<trackbot> ACTION-213 -- Jonathan Mayer to draft text perhaps with roy and ifette around notion of filtering out data that is received in large amounts that should be required to be filtered out -- due 2012-07-15 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/213

Aleecia: jmayer with action 213

<npdoty> jmayer, are you on the call?

<jmayer> sent language to the list

Aleecia: sent language to the list. can close that

action 214 against Aleecia. Nick has done his part. Aleecia to go back to F2F meetings. stays open and completed by end of week

<trackbot> Sorry, couldn't find user - 214

scribe: Rigo to send photos. Leave action 215(?) open

<npdoty> jmayer's language for 213 is here: http://lists.w3.org/Archives/Public/public-tracking/2012Jul/0114.html

scribe: final one Heather

<npdoty> (we had a small confusion over action numbers)

Hwest: in progress request another week

Aleecia: remind me what that is
... identify callers

<Brooks> Brooks is 678 580 2683

Nick - I will need to jump off the call at 10. Can you take over scribing at that time?

Aleecia: reminder to do doodle poll for F2F dates

<npdoty> f2f timing doodle: http://doodle.com/z3v958wixkpum4h8

Aleecia: there are no good times, looking for least painful choices
... need to resolve quickly and get decision to group by next week
... quick note on call for symmetry and choice proposals.
... look for text on mailing list by end of this week
... looking for proposal with least amount of strong objections
... talk about state of tracking selection list doc
... after Belgium small worked on this doc and did some work but has tapered off
... there is a little additional work to do and a few remaining issues
... andy one of the editors is willing to continue do work on it. not a lot of interest and will continue for a few months. will publish as a note not recommendation in about 2 months
... should look at doc at this time. Objections?

<jmayer> +q

Aleecia: ok, mo

<vincent> zakim Cyril_Concolato is actually vincent

jmayer: what are the implications on the recharter process

Aleecia: no implications. continue to do work

<Chris_IAB> out of order from the agenda, but a question for reps from the browser companies that have implemented DNT:1-- do you plan to implement the DNT:0 option, and if so, what is your timeline?

Aleecia: any other questions

<vincent> thx npdoty, I got it wrong

<ifette> ISSUE-154?

<trackbot> ISSUE-154 -- Are First parties allowed to use data (either offline or online) from third parties -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/154

Issue 154

<aleecia> issue-154?

Aleecia: next agenda item issue 154 placeholder to continue Bellevue discussion. implications on issue 17 as well
... 1st party had very few restrictions but not combining data from other sources. as a first impression, data append may be an issue. should we allow this for first parties. is there info on data append that warrants discussion

<jchester2> +q

<ifette> ISSUE-17?

<trackbot> ISSUE-17 -- Data use by 1st Party -- closed

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/17

<ChrisPedigoOPA> +1

Aleecia: very open questions. like to understand what makes append data in that we consider this

<ChrisPedigoOPA> +q

<WileyS> User consent for use of this data (opt-in consent) or its public nature trumps DNT

<rvaneijk> data append also privacy privacy increases the risk on re-identification in a data set

JChester: acquainted growth with data append. yesterday in US Congress the issue around data brokers and changing dynamics around data append. happy to provide material and feels this is something we need to discu
... this is more than about sweepstakes

Aleecia: what I am hearing is we take this up as sep issue

<WileyS> Rob - depends on the nature of the data appended. If the appended data element is "suburban socialites" I don't believe this increases reverse identification

<fielding> I don't know what "data append" means other than the obvious storage mechanism, so someone will have to define it.

Aleecia: we should look at all sides of the issue, not just one part. what we have discussed is not written down very well
... having data within a first party is fine. data from other sources is not. form this data append is not allowed

<jchester2> the kind of data append done today is far more than suburban socialites. Happy to provide examples from many of the companies

<WileyS> Jeff - if the data is restricted to 1st party use, can you explain why DNT should be applied to that limited use? I agree on its application to 3rd party reuse, but not 1st party restricted use.

ChrisP: the coming in part is the problem and from the pubs POV we append data all the time so we can market to consumers. Offline dbs and other dbs that may be acquired. it is above board

<jmayer> I would completely disagree with ChrisPedigoOPA's claim that users know about and expect offline data appending.

ChrisP: in most cases 1st party marking is expected and does not require consent. offline data is out of scope

<rvaneijk> I do not agree with the argument that because people know about appending practices it is ok to do it.

<jmayer> +q

Aleecia: offline data not being combined with online data has not been considered

<justin> We haven't agreed on language on first party responsibilites.

<justin> At all.

Aleecia: how and why append is something different

<jchester2> append is both online and offline data

<WileyS> Justin - disagree - thought we had strong consensus on 1st party responsibilities

<rvaneijk> DNT should be about sharing data as well. So sharing between 3rd party to 1st party is part of the scope

ChrisP: offline data is different. its been used in a first party context since we said 1st party use is fine

<justin> WileyS, I'm just saying the language isn't nailed down. We tried to crowdsource the language in Seattle and we failed.

<ifette> can we define "append"

<ifette> not everyone knows what we're talking about (myself included)

Aleecia: data collected offline from 3rd parties is different than data collected by 3rd parties online

<WileyS> Justin - that's fair - but I believe we have agreement at the conceptual level

<jchester2> Perhaps one of the examples we can discuss is Yahoo's new Genome product: http://pressroom.yahoo.net/pr/ycorp/233956.aspx

Fielding: how are we defining append? any reason to use this data is to modify user exp on 1st party site. this is not tracking. need siloing arrangement with co providing service

<jchester2> I ask that the FTC weigh in on this discussion, please

Aleecia: need to define what we mean by data append and discussion notion of user exp
... chris can you give us a def of data append

<justin> WileyS, Agreed, but agreed conceptually that first parties can't ship data off to 3Ps in ways they couldn't do otherwise. I think one of the main concerns with append is data brokers getting info about queried users by the append requests.

<tl> Do they want that?

ChrisP: it is the notion that the user has interacted with the site and we want to follow up but may not have the contact info to do so

<justin> WileyS, That is, a concern I have heard is not about NYT getting offline data, it's about Experian learn that user@mail.com is a NYT subscriber. That may be prohibited by the conceptual agreement we had on first parties.

<npdoty> so a user you don't know comes to a site, you match something about that user with address information gathered offline, and then you can send them an offer in the mail?

<justin> WileyS, I'm not arguing either way. Just trying to flesh out the argument.

<WileyS> Justin - would need to understand what you mean by "queried users" - data append is typically a one-way process.

<jchester2> We should look at IAB (US) data primer, which also discusses append

Aleecia: let me sum up/ Someone has an LLBean catalog visits NYtimes, NYTImes being 1st party gets data from LLBean to contact user in 1st party context. <hope I captured this>

<npdoty> is what Chris described the same "data append" that WileyS/justin are discussing in IRC?

jmayer: 2 diff ways

<jchester2> From IAB primer, for ex: "Data Append – User data from one source is linked to a user’s profile from another source."

<justin> WileyS, How can it only work one way? It's a communication. Experian has to get the request about user@mail.com from a first party publisher, unless it's hashed somehow.

<justin> What jmayer is saying right now.

scribe: 1st way is 2-3 diff points of consensus. taking 3 points together - a 1st party cannot do an append since the 1st party is sharing PII to get add'l data

<WileyS> Justin, one-way: from data broker to 1st party. Data broker argues they have either user consent for sharing or its public data. 1st party does NOT share user data back to data broker in the exchange.

scribe: agreement 1st party should not share with 3rd party. LLBean ex. user signed up with LLBean and LLBEan shares with NYTimes who at this point is a third party

<ChrisPedigoOPA> +q

scribe: there is a 1st party sharing with a 3rd party in this chain

<justin> WileyS, How does the data broker know to send the 1st party data?

<jchester2> It's clear from the congressional letter and the FTC report that few consumers in US, at least, know or have consented to the wide range data collection by the data brokers--offline or online

ifette: agree with what jmayer said at the end that 1st party sharing with third party is prohibited

<fielding> what I meant to say is that IF data append is being used to alter the customer experience for a first party, then we had talked about that and do not want DNT to prevent it. However, it is reasonable to limit the mechanism to same-party data and siloed outsourcing where the data-providing entity is not allowed to add to their database.

ifette: don't want to place restrictions on what data cos bring in

<jmayer> My point: two ways of getting to no appends from points of prior consensus.

ifette: getting confused when we don't discuss what we are appending to

<WileyS> Justin: a "match" is performed - typically in a contained environment so no data is leaked back to the data broker.

Aleecia: situation where we have things offline where DNT does not apply. when signing up for catalog, user may not understand data may have another use

<jmayer> 1) Combination of a) No sharing with third parties what they can't collect themselves. b) Third party can't solicit and collect PII. c) Technology agnostic. These logically entail no appending, since the first party has to send PII to a third party to do the append.

Aleecia: catalog co does not have an online presence

<jmayer> 2) We have agreement that a first party should not, in general, share with third parties. With an append, there's a first party often sharing with a third party. Just have to shift perspective.

Aleecia: 1st party could be a DNT o pledging to comply with DNT. if co doing data append, there is an agreement in place and know they are doing this. it is poss only 1st party has DNT implications

ifette: agrees with restatement of issue

<npdoty> jmayer, but isn't it a first party (the catalog) that didn't receive a DNT header?

<WileyS> jmayer, 1st party does NOT share data back to the data broker for reuse with other customers.

ifette: restriction should be on parties providing data to agg service

<justin> WileyS, Thanks, then that would solve the problem, at least for the view of the problem as I've portrayed it.. (Of course, there are other complaints about appending, as jchester2 notes.)

Aleecia: why diff if data coming from offline vs online

<jchester2> The third party should not be able to transmit data to first party if DNT is enabled. There's no longer real distinction between online and offline anymore. It's all integrated and done in real time increasingly.

<jmayer> npdoty, depends on the hypo. In some cases, it might have DNT: 1.

ifette: don't have context of where data came from or what the setup was. what we have knowledge about we can put restrictions on

<npdoty> jmayer, so can we prohibit it only in cases where the data is collected under DNT:1?

<fielding> and because DNT does not mean that first parties do not track

<WileyS> Jeff, in your use case, if the "3rd party" has opt-in consent or the data is public, do you agree that DNT would not apply?

<jmayer> WileyS, "for reuse with other customers," sure. If the focus is properly on data collection, that use restriction doesn't buy much.

ifette: don't think group has in its scope to define where cos can get data

<jmayer> npdoty, under my second approach, I think that's right. Not under my first approach.

ifette: don't want to define coll practices for all poss. scenarios

<WileyS> Jmayer, a collection model doesn't apply well to appends (nor to this entire debate) so use based restrictions are the appropriate route

Aleecia: that is what I am trying to avoid. don't think we want offline to be part of DNT

<fielding> "yourself" includes outsourced service providers that silo

ChrisP: if 1st party can't share data, tightens up loophole. Ifette's point right on.

<jchester2> Shane, generally opt-in consent okay. But few users know that such data is shared with others in a real-time targeting environment; mixed with other data sources; and may be used in sensitive cases related to finance or health. Best way is if user says DNT, third party data should not be used for targeting inside a first party site.

ChrisP: what DNT is about is the browser sending a signal.

<hwest> +q

ChrisP: to extend that to the offline world is problematic

<WileyS> Jeff, Disagree - opt-in consent trumps all (not DNT)

<jchester2> This isn't about offline and online. It's all together now.

tedleung: we should use agreements we already for 1st parties. does that include service providers?

<jchester2> Shane. That's why FTC called for new legislation on data brokers. Because the opt-in mechanism isn't working fairly.

tedleung: use offline contractor to let you build scrapbook. is that a service provider? would this be allowed?

<WileyS> Jeff, then let that conversation play out there rather than driving this working group to attempt cover this on top of everything else we're trying to cover (which I've argued in the past is already way too much) - we're never going to complete this spec if we keep attempting to cover every single privacy issue out there in a single pass.

Aleecia: as long as service provider is siloing the data and process it for Disney. there is no problem. data is not being combined with other data

<jmayer> Agree with what Aleecia just said. A data aggregator would not come within the service provider exception.

Aleecia: service provider is acting as agent on your behalf

<jchester2> Shane. I am just weighing in to help provide context for this discussion. I only want to focus on the issue at hand. No data append if DNT is enabled

Fielding: comment for Ted, service provider would solve Ted's question. what is unclear is restrictions on what the 1st party can do. not sure if answer to Ted is correct.

<WileyS> Jeff - agreed, and I'm arguing we shouldn't try to apply DNT to data append in the 1st party context.

Aleecia: what are we telling 1st party that they can't do?

Fielding: not sure what we mean by data append

<jchester2> Shane. I know that and we disagree. Perhaps we need to do use case here.

<jmayer> I wrote two examples on the mailing list.

<vinay> What Ted is saying is a good point (that I don't know if it was summed up properly). A publisher's use of data providers may actually help the consumer experience. The publish sometimes tries to get data from the provider that could collect itself (like age range, gender, income level based on general location, etc.).

<johnsimpson> Agree with Roy. Still Don't understand what data append means.

<WileyS> Jmayer, I replied to your use cases.

Aleecia: good next step is to have people provide def on what data append means and a couple of use cases

<vinay> Seems like publishers should be able to get that info from providers to better the consumer experience and not have every website ask for the user's age, gender, etc.

Aleecia: will ask someone to take action item

<jchester2> The data append can harm the user experience: such as identifying them as less worthy for various financial products, etc.

<WileyS> Jeff, we've agreed user consent trumps DNT. We've agreed that 1st parties are out of scope. When you combine the two I don't see the logic that DNT is now somehow magically applied.

<Zakim> dsinger, you wanted to discuss actions which, while not prohibited, are probably imprudent; we might usefully have a note.

Hwest: you read my mind. it's good to have examples and clear up confusion

Dsinger: agreed and include advisory notes

<jmayer> WileyS, talismanic invocation of "it's out of scope" doesn't do much.

<npdoty> +1 to dsinger, might address some of the concerns we've heard here

<jchester2> We should include, Aleecia, how data append does violate DNT

Aleecia: can one or more people write a crisp def of data append and explain how it can be implemented w/o violating DNT for 1st party

ChrisP: happy to help

<WileyS> Jmayer, I'll avoid using that phrase going forward - perhaps another way to state it is to say the rules we've already agreed upon would state that application of DNT on a 1st party appending user opt-in consent data is not appropriate.

<hwest> aleecia, can we back up and have people just write up WHAT data append is, in practice?

<hwest> I think a lot of us don't have a clue.

<hwest> (Me included)

<npdoty> actio: pedigo to draft crisp definition of data append / proposed response -- does that sound reasonable?

Aleecia: what I think jmayer raised, for data append to work, 1st party wants to get additional data they will need to send to the third party data so the third party to do the append. if 1st party can't share with 3rd party, how can they append data

<jchester2> I am happy to work with colleagues to show how this violates DNT. I am on deadline until end of month so can't fully focus on it alone.

jmayer: somewhere there is a 1st party sharing with 3rd party depending on perspective. how do we work around that.

<jchester2> +q

<justin> I don't understand the second argument, jmayer.

Aleecia: lets not tackle that in this action. lets keep scope simple so ChrisP has a chance to complete action item. Chris has 2 weeks

<jmayer> justin, some have argued that we have consensus on no first parties sharing with third parties, but not no third parties sharing with first parties. My point is that it's just a matter of perspective. From the LL Bean perspective, it's a first party sharing with a third party.

<npdoty> ChrisPedigoOPA, aleecia -- does that action text sound reasonable?

<WileyS> ChrisP, happy to work with you on this if you like

<npdoty> actio: pedigo to draft crisp definition of data append / proposed response -- does that sound reasonable?

<ifette> so why don't we let chris draft some text and then respond to it?

JChester: another response to show why it violates DNT. Happy to help draft this and would like others to work with me. We have to show why this could violate DNT

Aleecia: ChrisP will define append and how that works and give him a chance to present what he has in mind

<vincent> npdoty, missing a n in action?

<npdoty> ACTION: pedigo to draft crisp definition of data append / proposed response (potentially with Shane and Jeff) [recorded in http://www.w3.org/2012/07/25-dnt-minutes.html#action01]

<trackbot> Could not create new action (failed to parse response from server) - please contact sysreq with the details of what happened.

<trackbot> Could not create new action (unparseable data in server response: local variable 'd' referenced before assignment) - please contact sysreq with the details of what happened.

Aleecia: moving to issue 150

<justin> jmayer, I still don't think I understand, or at least see how it's different from the previously stated concerns about a publisher sending id'ing info to a data broker.

<npdoty> trackbot, init

<dsinger> issue-150?

<trackbot> ISSUE-150 -- DNT conflicts from multiple user agents -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/150

<npdoty> ACTION: pedigo to draft crisp definition of data append / proposed response (potentially with Shane and Jeff) [recorded in http://www.w3.org/2012/07/25-dnt-minutes.html#action02]

<trackbot> Created ACTION-230 - Draft crisp definition of data append / proposed response (potentially with Shane and Jeff) [on Chris Pedigo - due 2012-08-01].

<jmayer> justin, one is about the flow from the first party to the append provider; the other is about the flow back from the append provider to the first party.

Issue 150 -- conflicts in user agents

<npdoty> +1 to Aleecia's proposal, up to the UA to handle conflicts

Aleecia: only one DNT should be sent, not three. Compliance editors add language but want to make sure we aren't missing anything. Comments? Suggestions?

<npdoty> aleecia: will just ask the editors to add those two lines

<dsinger> totally agree, this is out of scope, the UA's problem with their plug-in architecture etc.

Aleecia: no one thinking that is bad idea. editors will add text to compliance draft

<aleecia> Issue-151?

<trackbot> ISSUE-151 -- User Agent Requirement: Be able to handle an exception request -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/151

<npdoty> Topic Issue 151 -- requirement for handling exceptions

Aleecia: Issue 151. rigo not on call. Outcome will impact how we handle other issues
... without Rigo to present we can take up but lets move forward with discussion

<Zakim> npdoty, you wanted to comment on JavaScript-disabled UAs

Nick: will follow up with Rigo. shouldn't need this requirement.

<npdoty> npdoty: users who have JavaScript disabled can still use DNT, doesn't change the meaning of a preference, simpler to just not have additional text on this

Brooks: this creates confusion and conflict due to def of user agent. UA only thing that can capture user pref. if a non-UA sets user pref but can't respond. how will that work.

ifette: agree with Brooks, there is a definition problem

<dsinger> is there a practical difference between a UA that is hard-wired to say "no", and a UA that doesn't have the API?

ifette: not aware of UA with js disabled by default. can't use internet w/o js so shouldn't be an issue

Aleecia: disagree with Ian's statement.

ifette: does break most sites users go to

<npdoty> have we only been talking about compliance for default configurations of shipping browsers?

<jmayer> +q

Aleecia: think in terms of plugins and add-ons. I think that is what we are talking about more than browsers as UAs

<ifette> apologies, i have a conflict at 10 and need to drop off the call

dwainberg: in all cases, a UA needs to take that consent and override consent given by other software

Nick: need to jump. can you scribe?

<npdoty> it sounds like Brooks and dwainberg are talking about conflicting plugins/UAs, like the last issue

<npdoty> scribenick: npdoty

<Joanne> thanks Nick!

adrianba: if the JS API is in the spec, then compliance requires implementing it

<dwainberg> s/override consent given/override DNT set/

adrianba: but a separate question of how to handle UAs that don't support the exception

<ifette> adrian, the software you're contemplating should have some way to fit in with the spec and support exceptions

<ifette> unfortunately, i've a conflict and need to drop off

adrianba: of course it's not compliant with the whole spec, but the key issue is how we'll handle them

<ifette> but i agree it's a "what makes a valid spec-compliant UA" and then that gets tangled in with "what do you do if you get a signal from a UA that doesn't comply with the spec"

<scribe> scribenick: hwest

jmayer: I agree with Adrian and Ian that if this becomes a matter of non compliant UAs, then it does get entangled with honoring noncompliant user agents. I think the answer is yes.
... I want to argue that we shouldn't call a UA noncompliant just because it doesn't support the API. I've implemented this API, and it's not extraordinarily hard. Asynchronous work, needs UI. Lots harder to add on developers than implementing response header. Shouldn't put that on every developer.
... but websites will need a fallback or OOBC mechanism.

<npdoty> in particular for extension developers

jmayer: sites will need an alternative, we can make that easier with JS libraries etc.
... should not be considered out of compliance w/o JS API

dsinger: We're working on the API design, and open question whether API is better than OOBC
... some prefer out of band. If header in a plugin, don't think plugins get to handle JS calls, no idea how to do a compliant plugin with JS API.

<npdoty> depends on the exact structure of your plugin architecture, but it's certainly a lot harder to handle JS calls in an extension/plugin

dsinger: not sure that I see the difference between not having API and having the always-no browser.

<WileyS> Jmayer, very few in industry will implement W3C's version of DNT if there is a requirement to honor non-compliant UA DNT signals. If the goal is to have implementation, this needs to be seriously considered.

<jmayer> +q

aleecia: at a technical level, do add ons get to handle js?

jmayer: varies by browser, FF you can add a JS API. Some browsers you have to add a script tag to the DOM that brings in the API script and does callbacks. Can get complicated, haven't verified that it works in other browsers.

<npdoty> I've gotten it to work in Chrome, though it is tricky

adrianba: IE doesn't have a reliable mechanism
... suggestion that jmayer made is possible, but have ordering problems if page wants to access the API first

aleecia: To sum up, hearing some support, and hearing concerns that this is a high implementation cost on developers. Have at least one case of an OS sending DNT as a signal, so lots of different examples/implementations that don't fit this mold.

<jmayer> adrianba, getting ordering right can be annoying in Chrome/Safari too. Certainly a hacky approach.

aleecia: should write up this and figure out how to mitigate those concerns.

<Zakim> npdoty, you wanted to ask does anyone think sites should feel free to ignore DNT signals if a JS api isn't present?

npdoty: does anyone think sites should feel free to ignore DNT signals if a JS api isn't present?
... because if not, we can set that aside and just figure out how easy it is for extension developers

<jchester2> I have to go. sorry

<WileyS> Nick, if there is no way to determine if a sites 3rd parties are receiving site-wide exception signals (DNT:0) then I find it hard to hard that that UA without the API should be supported. Unbalanced situation.

<WileyS> Nick, "hard to argue"

<tl> +q

dwainberg: I think we'd feel that UAs without the API are noncompliant and should be ignored. It's part of the package, if we're about user choices. If it doesn't go both ways, it all breaks down.

<WileyS> +1 to David

tl: If users make a choice, and the choice is to always say DNT1, don't ask me when a site wants an exception, shouldn't make it noncompliant.

dwainberg: sure, that could be an option,but not an excuse to not have the API

<WileyS> t1, I thought we agreed a UA must support all 3 states to be compliant - that includes user granted exceptions

aleecia: Please do the scheduling doodle!
... We want to get that done very soon and work on the F2F

<WileyS> If the site/3rd party is blocked from a dialogue with the user I don't see this as a compliant outcome.

<npdoty> WileyS, tl, I think that's an open and very disputed question for which we'll have a call for objections coming shortly

<dsinger> issue-153?

<trackbot> ISSUE-153 -- What are the implications on software that changes requests but does not necessarily initiate them? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/153

aleecia: Next issue is ISSUE-153
... what happens when a non-UA changes the DNT setting

<dsinger> I don't understand. Something is at the end of the HTTP protocol, that's responsible

adrianba: Clarify, question was based on how the spec applies to software that you may run on your PC that changes settings on a browser but is not itself a browser
... Something is changing the user preference that impacts how the browser sends the signal

<WileyS> Nick, can you explain what you mean by "call for objections"? Doesn't that preclude that we've reached a consensus point?

adrianba: All browsers store their prefs somewhere, what happens when the browser doesn't have visibility

dsinger: this is out of scope, that's part of your system design

dwainberg: Issue there about question of what set the DNT and how the relevant pieces of software and parties down the chain know. Second issue, something at the end of the HTTP protocol controls what goes out.
... Do we need that thing to be able to take in and apply exceptions?
... If no JS API or user interface, how do you take in exception requests?

<npdoty> WileyS, yes, Aleecia mentioned it on the call earlier (I recognize you're not with us on the phone), at the last f2f when we reached an impasse on that question it sounded like further discussion wasn't going to help, the chairs said they would send out a call for objections to different proposals to the Working Group

<rvaneijk> @dwainberg: I see a new feature for ccleaner

brendanIAB: Have done some relevant research. AVG implementation is a plugin that modified HTTP after browser hands it off to the plugin.

<WileyS> Nick, could someone send a more detailed explanation of this issue to the mailing list? Seems like a significant issue if we're at the "Formal Objection" stage.

brendanIAB: that means the browser is not aware of the modification.

<dwainberg> @rvaneijk: or maybe a header signal to request exceptions?

brendanIAB: that means interaction with the plugin is more user friendly.

aleecia: Does this run into no third party interception and changing of the signal?

<npdoty> WileyS, yes, definitely have more details on the list; this isn't the formal objection stage, fwiw

<aleecia> (JC speaking)

JC: so this could change the header?

BrendanIAB: Yes, so the UA isn't the only entity that is responsible. Giving browser full control might require restructuring of some browser function.
... plugins can modify outbound headers in three of five browsers.

<Chris_IAB> it's relatively easy for any user agent to "hijack" and propagate the DNT header signal (that's a problem)

<WileyS> Nick, Thank you.

aleecia: Two approaches possible. Dsinger suggests that we can't handle this as an issue, we shouldn't address it.

<Chris_IAB> ...this hijacking can be done without explicit knowledge of the user.

aleecia: Or we could handle this through requiring a user presentation, either through exception handling requirement or choice requirement or some other mechanism.
... Useful to hear from folks what they think and how they'd address this.

<Chris_IAB> in the case of AVG, they look to send DNT:1 WITHOUT modifying the setting in the user's browser (thus the user has no way to change this)

aleecia: So right now because of UA definition we would not have an issue of AVG as a UA, since it wouldn't be a UA.
... So to push it back to the modifier, then we need a "UA and friends" category.

<npdoty> do we just need to add a sentence, "Other software MUST NOT modify DNT preferences without following the requirements of this section."?

dwainberg: I'll take the action. Also question, at some point someone had the idea to add a signal in the header to indicate who set the signal. What happened there?

aleecia: That is an open issue in the TPE doc.

<npdoty> dwainberg, I don't think that actually helps us here, though, right? if we're talking about rogue software changing your preferences without your knowledge...

aleecia: so a hypothetical, that you must state who set the DNT header, then you can imagine UAs needing to coordinate with their plugins to get that info. What we're hearing is that that may be difficult with current architecture.

<Chris_IAB> Is this right: the UA cannot access the user's setting in the browser to change them? (ref AVG implementation)

<rvaneijk> plugins and other software can still override the header info. The underlying problem remains, how can a site reliably trust a DNT signal.

dwainberg: Lots of signals here will lead to a lot of confusion for the consumer.
... is there a way to make this consistent and easy for the user?

<WileyS> Issue 143

<WileyS> David, Issue 143

vincent: Maybe give priority to UA

<rvaneijk> s/underlaying/underlying/

<dsinger> I am deeply concerned about the idea that sites can second-guess how 'valid' the dnt:1 signal is. That's a recipe for spiralling lack of trust and compliance.

<Chris_IAB> <rvaneijk>, when you say "override", you mean just send a DNT signal without notifying the user?

npdoty: Conflicts could be bad, especially for rogue software
... but may not impact most users

<WileyS> have to drop - have a great day everyone

<Chris_IAB> and moreover, the user has no way to toggle back via their browser...

<aleecia> take care, Shane

<vincent> Maybe give priority to UA that support user exception if such UA is installed

<tl> Every other setting?

dwainberg: Are there similar cases where settings have to fight it out?

<vincent> that's what I meant

<rvaneijk> @Chris_IAB: with override I mean like a proxy, browser sends DNT:0, and software changes that to DNT:1

npdoty: cookie management, some people have extra tools

dwainberg: Anything in common use?

<Chris_IAB> <rvaneijk>, thanks... but the UA could just send an ADDITIONAL (perhaps conflicting) signal too

<rvaneijk> @Chris_IAB: it is just text in a header. ANY additional info can be altered/deleted/overwritten

aleecia: Action item for... who? Write up any sort of sane alternative for how we deal with this case.

<npdoty> I can take an action for a very short proposal per my above suggestion

<Chris_IAB> Example: I set DNT:0 via my browser, then I install AVG and it just starts sending DNT:1 in addition to my DNT:0 signal (both signals are set)-- how does a pub/ad-network deal with that?

<dsinger> "The software that is responsible for causing a DNT header to be sent is also responsible for assuring it reflects the user's intention"

<Chris_IAB> <rvaneijk> , I get how headers work, thanks :)

<npdoty> ACTION: doty to write a very short proposal (with dsinger) on issue-153 [recorded in http://www.w3.org/2012/07/25-dnt-minutes.html#action03]

<trackbot> Created ACTION-231 - Write a very short proposal (with dsinger) on issue-153 [on Nick Doty - due 2012-08-01].

<dwainberg> @npdoty: is that different from the Action I just agreed to take?

<npdoty> action-231: dsinger: "The software that is responsible for causing a DNT header to be sent is also responsible for assuring it reflects the user's intention"

<trackbot> ACTION-231 Write a very short proposal (with dsinger) on issue-153 notes added

<Chris_IAB> meant to write "both signals are sent" (not set, but that's also true ;)

aleecia: All for today! Adjourned.

<sidstamm> thanks aleecia!

<dsinger> cheers, everyone

<johnsimpson> cheers

<npdoty> dwainberg, I think we're proposing an alternative

<npdoty> dwainberg, though if we come to the same conclusion: great!

<npdoty> action-231: "Other software MUST NOT modify DNT preferences without following the requirements of this section."

<trackbot> ACTION-231 Write a very short proposal (with dsinger) on issue-153 notes added

<dwainberg> ok. thanks, nick.

<dwainberg> did that get assigned to me in the issue tracker?

<npdoty> I think I missed it, let's create it now

<npdoty> ACTION: wainberg to write a proposal for issue-153 [recorded in http://www.w3.org/2012/07/25-dnt-minutes.html#action04]

<trackbot> Sorry, couldn't find user - wainberg

<dwainberg> it's dwainberg

<dwainberg> ACTION:dwainberg to write a proposal for issue-153 [recorded in http://www.w3.org/2012/07/25-dnt-minutes.html#action05]

<npdoty> dwainberg, let's get you signed up formally (will send email offline) and then Tracker can handle an action for you

<dwainberg> ok

Summary of Action Items

[NEW] ACTION: doty to write a very short proposal (with dsinger) on issue-153 [recorded in http://www.w3.org/2012/07/25-dnt-minutes.html#action03]
[NEW] ACTION: dwainberg to write a proposal for issue-153 [recorded in http://www.w3.org/2012/07/25-dnt-minutes.html#action05]
[NEW] ACTION: pedigo to draft crisp definition of data append / proposed response (potentially with Shane and Jeff) [recorded in http://www.w3.org/2012/07/25-dnt-minutes.html#action01]
[NEW] ACTION: pedigo to draft crisp definition of data append / proposed response (potentially with Shane and Jeff) [recorded in http://www.w3.org/2012/07/25-dnt-minutes.html#action02]
[NEW] ACTION: wainberg to write a proposal for issue-153 [recorded in http://www.w3.org/2012/07/25-dnt-minutes.html#action04]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.136 (CVS log)
$Date: 2012/07/25 17:32:42 $
