W3C

- DRAFT -

SV_MEETING_TITLE

01 Aug 2012

See also: IRC log

Attendees

Present
Regrets
Chair
aleecia
Scribe
adrianba, justin_

Contents


<aleecia> Good morning, Brendan

<BrendanIAB> Good morning Aleecia

<aleecia> Hi, Nick!

<aleecia> …I'm thinking Friday

<aleecia> Please mute :-)

<Chris_IAB> just joined via Skype

<eberkower> 646 is eberkower

<justin_> Saturday is good.

<npdoty> volunteers to scribe?

<adrianba> scribenick: adrianba

<aleecia> http://www.w3.org/2011/tracking-protection/track/actions/overdue?sort=owner

<susanisrael> susanisrael joined from 201723 xxxx

Review of overdue action items

<npdoty> thx, adrianba

aleecia: the first few are from ian, who has not yet joined the call
... next are from roy
... also not yet here
... next against me
... some are done but need to close out the actions

<hwest> Apologies - I will be joining the call late or not at all as I deal with some crisis still here, but will try to follow on IRC

ACTION-210?

<trackbot> ACTION-210 -- Aleecia McDonald to come up with further text to get the consensus declared in this call around DNT and whether it can be set by default (no) in the spec -- due 2012-07-25 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/210

aleecia: will do this by the end of the week

ACTION-228?

<trackbot> ACTION-228 -- David Singer to update remove methods to have an appropriate failure mode -- due 2012-07-25 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/228

<aleecia> action-228

dsinger: in process but not done - working on the API at the moment

<Brooks> Brooks Calling in on 678 580

ACTION-227?

<trackbot> ACTION-227 -- David Singer to collect input (from Tom, Jonathan, Ed, Rob) on needs for a service-provider flag and compare to current draft -- due 2012-07-25 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/227

dsinger: same here

aleecia: i will send email reminders

<aleecia> http://www.w3.org/2012/06/06-dnt-minutes

<aleecia> http://www.w3.org/2012/06/13-dnt-minutes

<aleecia> http://www.w3.org/2012/06/20-dnt-minutes

Any comments on minutes posted a week ago

<aleecia> http://www.w3.org/2012/06/21-dnt-minutes

<aleecia> http://www.w3.org/2012/06/22-dnt-minutes

<aleecia> http://www.w3.org/2012/07/11-dnt-minutes

aleecia: did anyone have comments on the minutes?
... not seeing any comments

Quick check that callers are identified

<chapell> thanks nick

<aleecia> issue-97?

<trackbot> ISSUE-97 -- Re-direction, shortened URLs, click analytics -- what kind of tracking is this? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/97

<aleecia> http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0106.html

We will work our way through a number of pending review texts, all of which have had ample time for people to read and reflect upon.

<aleecia> 5. A user visits Example Social and sees the language: "Check out this

aleecia: following up on an action from Justin

<aleecia> Example News article on cooking: sho.rt/1234". The user clicks the link

<aleecia> which directs the user to a page operated by the company Example Sho.rt

<aleecia> which then redirects the user to a page operated by Example News.

<aleecia> Example Social and Example News and first parties, and Example Sho.rt is

<aleecia> a third party.

<aleecia> 6. A user visits Example Social and sees a hyperlink reading: "Check out

<aleecia> this Example News article on cooking." A user clicks the link which

<aleecia> points to framing.com/news1234. This page loads nothing but a frame

<aleecia> which contains the cooking article from Example News, but all links are

<aleecia> rewritten to pass through framing.com which is operated by Example

<aleecia> Framing. Example Social and Example News are first parties and Example

<aleecia> Framing is a third party.

aleecia: let's talk about this - there's one more para at the end but let's start here
... no objections on the mailing list

<damiano_> I'm the one on google talk sorry

<jmayer> David, stay on topic.

dwainberg: want to reiterate my concerns about agenda timing

<robsherman> Did we skip the F2F timing agenda item?

dwainberg: these are meaty issues - date from this posting is some time ago
... we haven't had much time to prep

aleecia: you're right - was behind on agenda
... i think as we go through them it's possible to handle in real time
... if you find things that you need more time for we can consider that but there has been time to discuss on the mailing list

<jmayer> We've been thinking about URL shorteners and framing for well over six months.

aleecia: agreed that 24 hours for agenda would be better but let's give it a shot

dwainberg: let's take time to discuss but not make decisions?

<tl> I object to "not making decisions on calls".

aleecia: not willing to do that
... if there is text nobody has seen before then okay, say new text from editors
... but for something that people have had time to go through then yes we can make decisions

<npdoty> if there are cases where something is missed, can we follow up to decisions with objections on the mailing list?

aleecia: we can look at specific issues but not as a general statement
... let's move ahead on this

<jmayer> obstruction |əbˈstrəkSHən, äb-| - noun - a thing that impedes or prevents passage or progress; an obstacle or blockage: the tractor hit an obstruction.

aleecia: there were no objections on the list - question for the group is if there are things missing that they didn't bring up before
... not hearing anyone
... one last para

<aleecia> In some cases, web requests are redirected through intermediary domains,

<aleecia> such as url shorteners or framing pages, before eventually delivering

<aleecia> the content that the user was attempting to access. The operators of

<aleecia> these intermediary domains are third parties, unless they are a common

<aleecia> party to the operator of either the referring page or the eventual

<Chris_IAB> agree with David; need ample time to review; just got the agenda last night

<aleecia> landing page.

aleecia: fairly non-controversial
... that's explaining what it is we're talking about
... may need more time to be crisp but want to get a sense from people on the call
... think it's straightforward

<Chris_IAB> need additional time to review proposed language

<jmayer> +q

<npdoty> support for the re-direct or intermediary being a third party, have we heard any objections to that?

<justin_> Chris_IAB, You've had two months to review this language.

jmayer: two thoughts
... think new examples are helpful

<efelten> Who are the people who called in just after we completed the identification-check? There were several. Some identified themselves, but others didn't.

jmayer: still using user expectations as rough guidelines

<aleecia> noted, Ed, thanks

<Chris_IAB> but didn't know it was to be decided on today, until last night my time

jmayer: since users don't expect to interact with link shorteners then in general they're not first parties
... when there is interaction then they would be

<BrendanIAB> +q

jmayer: second, a link shortener could be explicit that collecting information is the purpose

<Chris_IAB> justin_, how much of the things you read in the last 2-months are you ready to recall and decide on at the last minute-- let's not be rediculous

jmayer: i wouldn't object to adding third example that iwilltrack then we could add another example

<WileyS> A user is aware of the URL they are about to click on - its difficult to argue that party is not a 1st party due to URL construction. I agree with the general sentiment of moving redirectors to a 3rd party status but see the URL being an obvious issue with user expectation.

aleecia: i'm hearing i wouldn't mind

<WileyS> +q

<jmayer> I thought we had consensus on the user expectations issue.

brendan: i don't see specific text about redirection - what about javascript and onload

<jmayer> Not about party size, but about what's a first party vs. third party.

<WileyS> URL structure appears to break the "user expectation" rule

aleecia: think this is supposed to be technology neutral

brendan: in the javascript page the page is rendered and then the redirection happens

<WileyS> If I'm about to click on a URL "http://exam.pl.e/code1234" how do I argue that I didn't know I was about to visit "exam.pl.e"?

aleecia: justin did you have this in mind?

<npdoty> WileyS, you mean the user knew they were going to Example Sho.rt because they saw the http://sho.rt in the URL?

justin: no, i copied most of the language from a previous proposal - not sure i understand

<WileyS> Nick, correct - and had the choice to not go to "sho.rt" if they didn't want to.

<npdoty> WileyS, I think a lot of links on the Web don't have the URL visible

brendan: standard redirect is HTTP 302 - the browser just navigates on

<WileyS> Its that basic premise that supports the 1st party argument.

brendan: the second case is a page that is delivered and then after the javascript changes the URL - you're interacting here as a first party

<WileyS> All links on the internet are discoverable - easily set within the UA to make this visible (CRUCIAL for the detection of phishing sites)

brendan: difference is client-side vs. server-side
... javascript isn't considered a redirect in the HTTP spec

justin: what are you proposing?

brendan: i'm not seeing any text for this

<npdoty> "Check out <a href="http://sho.rt/abcd">example.com</a>!"

<dsinger> this is a nice question. does a page that achieves the re-direct through scripting or other client-side actions get to be a first-party as a result?

justin: i tried to be tech neutral but we can add text if we need to

<WileyS> Nick, hover over "example.com" and you'll see it links to "http://sho.rt/abcd"

brendan: both have the same end result but in the client-side the client has the opportunity to render the page so technically interacting

aleecia: sounds like so far no one is complaining about this text but different ways to expand - may need a new action to add more

dwainberg: first, haven't had much time to look at this - not participants when this language was proposed

<jmayer> How is this broad?

dwainberg: concerned that it is broad and need more time to review

<jmayer> It's one particular use case.

dwainberg: need to be narrowed to url shorteners and framing pages

<jmayer> +q

dwainberg: intermediaries text seems broad

WileyS: i believe the issue is user expectation

<vincent> WileyS, not sure we could expect that users will do that, especially if the anchor refer to a site name which is not the redirection service

WileyS: anything not a first party becomes third party
... user has opportunity to understand URL they navigate to

<dsinger> hm, few users look at the details of URLs behind links...

WileyS: if i'm about to click on link to microsoft.com or micro.soft/abcd i know one is a first party and in the other case i'm hitting third party doing redirection
... perhaps the key issue is redirection rather than shorteners or framing environments - these are manifestations

<aleecia> behave.

<justin_> WileyS, I tried to address this issue with the last sentence: The operators of these intermediary domains are third parties, unless they are a common party to the operator of either the referring page or the eventual landing page.

jmayer: i disagree - i think this is a clear violation of user expectations - users don't hover over links to see where they go
... seems so straightforward that if a user clicks a link and there is chain of redirects most users won't understand and shouldn't have to

<WileyS> JMayer - why don't user understand? What proof or research do you have?

jmayer: i don't think this is just a redirect thing
... think this misses discoverability

<npdoty> WileyS, I think we all agree that they're examples of the more generic question of re-directions, the question was just whether the re-directing parties were third parties to the interaction?

justin: trying to understand Shane's point - if micro.soft goes to microsoft think the language is okay
... but if micro.soft goes to NY times then that might be different

<WileyS> Agreed - the last sentence (with some work) can fit this situation.

justin: the language says the redirector is third party unless they are common with the destination

WileyS: agreed - common party issue is addressed

<aleecia> "The operators of

<aleecia> these intermediary domains are third parties, unless they are a common

<aleecia> party to the operator of either the referring page or the eventual

<aleecia> landing page."

WileyS: trying to also cover for where party injecting shortener bears some cost and putting them into third party may cause negative monetary pressure
... struggling with wholesale throwing them into third party

<jmayer> +q

WileyS: disagree with jmayer that people do look

<jmayer> Shane, I agree it's "discoverable

WileyS: not everyone blindly clicks
... would like time to research internally - we do have a shortener that we use
... trying to understand if this would destroy some of our uses

<dwainberg> Do we need to distinguish between the sender of the shortened URL vs the recipient?

<jmayer> Shane, I agree it's "discoverable" - but that's not the test. It's user expectations. Moving to "discoverable" would blow away the first party vs. third party divide.

WileyS: first party might still want the data

<jchester2> But the consumer wouldn't want their data collected if they have sent DNT

WileyS: if yahoo had shortener in mobile space sounds like jmayer's view is this would be third party

<jmayer> I'm also, on reflection, not entirely comfortable with treating the referring site as a first party.

WileyS: definitely agree the same party case is covered - can improve the language

<Zakim> dsinger, you wanted to say maybe a first party has to 'present itself' to the user in order to become a first party? so any kind of 'silent intermediary' does not become so?

aleecia: pretty close on this

dsinger: clear that definition of first party is something user realises interacts with

<WileyS> Jmayer, 1st party definition is already hinged on "discoverable"

dsinger: silent site that the user is unaware of probably doesn't count as first party
... this is question of site normally third party becoming first party
... not banishing site to third party - determining if it is becoming first party

<BrendanIAB> case: I own a URL shortener. I have a Twitter account. I use my URL shortener in my Twitter post to link to a NYT article. Is the URL shortener a 3rd party?

dsinger: think we can talk about evident first parties

aleecia: i thought that - we could add text to be clearer

justin: if someone on yahoo uses yahoo shortener to go to NYtimes then that's okay as first party
... but if it is bit.ly then see Shane is saying there is a problem with monetisation
... have a problem saying that is first party
... but do get the idea that people aren't happy with that

<jmayer> Shane, the size of a party is determined by discoverable + affiliation. That's different from whether a party's a first party or a third party - where we agreed to user expectations.

<WileyS> Jmayer, agreed - so the referring site would fit that rule.

<npdoty> WileyS, in addition to the internal re-direction service, you also raised a question about monetization of third party URL shorteners -- do you think we would need to remove this third-party status altogether to cover that case?

jmayer: refering site collecting destination - my concern is in many cases this could violate user expectations

<WileyS> Nick, need more time to figure out how redirectors make money to support the services they provide seemingly for free today.

jmayer: reading a news article and clicking on a source - one web site is learning something about what a user is doing on another site

<tl> WileyS: Not sure even they know that one...

jmayer: so the refering is a different case rather than where there is a landing page

<WileyS> Nick, We could inadvertantly kill the redirection market without looking at this more closely.

<jchester2> Shane: Can you also add to this research what data is collected by redirectors and what is sold, monetized, etc.

jmayer: user expectations is often who does the user expect to be talking to but it's also what are they sending to whom

<WileyS> Jeff - yes, want to know these items myself.

jmayer: not clear users expect to be sending info about where they are going to

<WileyS> Tl - agreed, but hopefully someone knows. :-)

<justin_> And tl at one point . . .

aleecia: think this was worked on by david and justin - they are agreeing with Shane that not expecting to affect single first party but text not as clear as it could be (and tom)

<BrendanIAB> Outbound link tracking - if I click on a link that goes through a link shortener vs if I click on a link that redirects through a same origin as the site I'm interacting with?

<justin_> And we'll try to address BrendanIAB's point too.

aleecia: does anyone object to david and justin working to add one more sentence in a couple of days - throw this open until monday

<jmayer> Could you explain this one point?

<npdoty> it sounds like WileyS might have an objection if it affects a certain revenue model?

aleecia: maybe work with Shane to ensure this is handled

<jmayer> (Concisely.)

<WileyS> ok

aleecia: editing action for due date to monday and note that we are looking for one more sentence from justin and david to cover first party case

Discussion of face-to-face meeting

<jmayer> If the point is that a URL shortener is first party if it's provided by the first party and linking to the first party, I think we definitely have agreement there.

<WileyS> How many people do we lose with Yom Kippur?

aleecia: jewish holiday during the time we picked

<jmayer> If the point is that a URL shortener is first party if it's provided by the first party, we don't have agreement.

aleecia: had a couple of personal messages on this that such things shouldn't come to a vote
... the problem is that this is when room is available - haven't been successful in finding another room
... please hold off booking travel for now
... looking for more options and will get back to you on monday

<Chris_IAB> whoa, already booked and paid for travel

aleecia: comments?

<jchester2> Let's meet in Brussels and have the EU supply the room

<Chapell> me too

aleecia: know a couple of people have booked travel
... this isn't straightforward - we're going to see if we have options - if you have not yet booked please don't
... apologies for confusion

<WileyS> Jmayer, I agree its not that simple. But if the owner of the shorter uses that in their 1st party context, I believe the shortner (redirector) should be considered 1st party in that context.

<WileyS> +q

<tl> And, Zakim, how long have you known me?

<tl> I'm hurt, truly hurt.

<johnsimpson> I'll need to leave call in a few minutes

<WileyS> Aleecia, ETA on decision?

<damiano_> damiano fusco, the nielsen company. Not sure what my phone is i'm using google talk

<WileyS> Aleecia, thank you.

aleecia: by monday of next week will have a decision - if someone has space in europe they can volunteer please get in touch with nick

Discussion of how we move forward on permitted uses

aleecia: great progress in Seattle on permitted uses

<damiano_> np

aleecia: now spending some time talking about SOX compliance
... trying to get some auditors to review
... is there any other information people think we need that we don't have in the group

<WileyS> Aleecia, we'll need representatives from every legal juristiction in the world if you're using that as guiding point for the Financial Permitted Use

aleecia: please let me know
... we've discuss a lot of these issues for a year - we are getting to the point where we will have final text

<dwainberg> I don't see why we need info on SOX -- there's always going to be a "legally required" exception, yes?

aleecia: and if we can't agree the text will come to the chairs to figure out the least objectionable text

<Brooks> I am muted at the telphone level

Third parties should be prohibited from acting or representing themselves as first parties

ACTION-116?

<trackbot> ACTION-116 -- Thomas Lowenthal to draft text prohibitng third parties from acting or representing themselves as first parties -- due 2012-03-06 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/116

<aleecia> http://lists.w3.org/Archives/Public/public-tracking/2012Feb/0618.html

aleecia: should be fairly straightforward

<WileyS> "knowingly represent" seems more fair

aleecia: that seems fine

<jmayer> "or with reason to know"

aleecia: any other comments?

<dsinger> "for example, by …"

<jmayer> Ignorance shouldn't be an excuse.

<aleecia> David speaking

<tl> +q

<npdoty> do we need clarity about service providers?

dsinger: trying to think, people will have questions about how to do that

tl: think the example is right in there

<WileyS> Agreed, Service Providers will need to do this.

tl: specific case was a 3rd party might send 1st party response header and that was previously not prohibited and this makes it prohibited

aleecia: any objections to "knowingly represent"

dwainberg: not a ton of time to think about this
... if concern is narrowly about headers and responses then we should link it to that
... right now it is broad

<jmayer> Once again, there's nothing broad here.

dwainberg: i don't know what the standard is for falsely representing

<jmayer> If you're a third party, don't tell users you're a first party.

dwainberg: not sure what all the contexts are
... should narrow to this

aleecia: when is it okay for 3rd party to say it is 1st party?

dwainberg: think there is a case where someone might need to be represented as first party and this might cause a problem for that
... thinking outside header and response

aleecia: for example a privacy policy, which could be many formats

<WileyS> Aleecia, Service Providers can say they are a 1st party. An affiliated site, while technically a 3rd party from a domain perspective, can also say they are a 1st party.

<susanisrael> I don't understand the comments from nick and shane about service providers. Can you explain the concern?

dwainberg: could be some interstitial, or an interface to request consent

<tl> +q

<WileyS> +q

<efelten> Doesn't "knowingly" help with David's issue?

aleecia: trying to understand why it would ever be okay for 3rd party to say it is a 1st party

dwainberg: not saying that - think the text is unclear
... falsely represent is not a clear standard

<npdoty> efelten also proposes that "knowingly" might help dwainberg; dwainberg, does that help?

tl: i find this objection pretty shocking - the language is clear - don't falsely represent yourself as a first party if you're a third party
... it's not supposed to say how

dwainberg: part of the problem is that first or third parties are not going to say which they are

<npdoty> "knowingly" might help dwainberg's concern if it's about uncertainty

dwainberg: sometimes more vague signals such as logos or language

<jmayer> +q

dwainberg: to avoid the problem, remember this is text for lawyers, we need to be clear what we're getting at

<eberkower> Perhaps it would help to add the word "knowingly"?

dwainberg: this raises a flag as kind of vague because it doesn't give enough guidance to avoid running afoul of this
... agree misrepresenting should not be allowed

WileyS: i think with knowingly we get out of the accidental
... agree with jmayer that ignorance shouldn't be a valid out

<dwainberg> "knowingly" and "intentionally"?

<dwainberg> not sure…I'll need to think about it further

WileyS: but truly not knowing technically such as iframe'd content where you honestly think you're always a first party
... service providers is one case and so is affiliated domains

<tl> As we discussed in Seattle, service providers should not claim to be first parties.

WileyS: truly trying to go after bad actors here
... wanted to give some examples where third party will respond as first party

aleecia: don't think those cases are covered here
... service providers not considered 3rd parties
... not 1st either - they are service providers
... could add language to exclude service providers
... domain names shouldn't be an issue

<susanisrael> ok, i understand the point about service providers now.

<npdoty> when editors integrate this text, they'll need to make it fit in with the text on service providers in any case

<jmayer> -q

aleecia: suggestion to add couple of different modifiers - knowingly or intentionly
... intention seems difficult to get at

<jmayer> I haven't heard anyone agree with David, so no need to consume the group's time.

aleecia: knowingly also difficult but maybe easier

<tl> I see no need for a change to this text.

dsinger: in protocols there is usually a blanket rule you don't state falsehoods - seem to picking on a particular area here
... do we need to say this as a more general statement - you must state the truth about who you are

aleecia: is there standard language for this?

dsinger: don't think this is something people usually talk about

<WileyS> T1, I disagree. Any first party that has their content hijacked will be breaking this rule.

aleecia: in this case we appear to

<tl> Matthias objected to putting that content in the DNT doc, and suggest it be added to the TCS instead. That is the reason for this text.

<amyc> why do we need to address?

<amyc> +1

<amyc> +q

<npdoty> can we suggest that the editors add this to the draft and they can see how best to integrate it (regarding fitting in with service providers, and whether it's part of a more general section)?

<Chris_IAB> Agree with David Singer; this is enforceable by local authorities, without the need for further clarification

aleecia: we don't currently have any text that says if you are X you must represent yourself as X

amyc: i think it's interesting that this isn't used in other protocols - wondering if we need to focus on this specific part
... think we're defining the parties in each transaction and we can evaluate them objectively
... okay with shane's proposal but don't know why we're spending time on this

<dsinger> we also say that that the UA can't lie and say the user wanted DNT when they have not asked the user; we also say that you can't say I'm not tracking, and go ahead and track; and so on...

aleecia: is this harmful?

amyc: if it takes time away from this

<tl> Let's have more language prohibiting other lies too!

dsinger: implication that if we ban lying here it's okay to lie in other places

<WileyS> t1, LOL - NO!

aleecia: two viewpoints: we should be silent vs. we should adopt this or something like it

<WileyS> -1

<Chris_IAB> -1

<tl> +1

<dwainberg> -1

<jmayer> +q

<JC> -1

<jmayer> -q

<Brooks> -1

<jmayer> +1

<jchester2> +1

aleecia: please +1 if this is a loophole we need to close or -1 if we should not address at all

-1

<amyc> -1

<ninjamarnau> +1

<robsherman> -1. I wonder if the gap that Aleecia and others identified is reflected by the fact that the TPE provides a header response but doesn't specifically say that if you give a response it has to be consistent with the first/third party definitions. If that's right, can we just fix that gap?

<rvaneijk> +1

<WileyS> 8 to 5 (-1s have it)

<susanisrael> -1

<justin_> 0

<Simon> -1

<WileyS> 9 to 5

aleecia: interesting - few people participating

<samsilberman> -1

<eberkower> 0

<Chapell> 0

<WileyS> 11 to 5 (3 obstain)

aleecia: what's 0?

<eberkower> same

justin: both are justifiable - doesn't matter - happy either way

<Chapell> same

<Chris_IAB> effectively a 0 = status quo then

<WileyS> Final: 11 to 5 (4 obstain)

<jmayer> mistype

aleecia: most say don't need text explicitly on this

<dsriedel> -1

aleecia: of those saying we need text, is there anyone who can't live with "of course you can't lie" - i.e. having no text

<tl> +q

<WileyS> Updated Final: 12 to 5 (4 obstain)

<susanisrael> i'm kind of a zero too as long as the language is more precise. I am hearing david's concern as more of a lawyer's perspective on precise drafting than an advocacy for lying.

<Chris_IAB> not necessary

tl: if we all think obviously we can't lie then shouldn't be a problem with saying it

<efelten> Looks like at least 25 people abstained

<Chris_IAB> all such standards depend on voluntary adherence

<jmayer> +q

aleecia: trouble was trying to phrase it without suggesting can lie in other areas or for companies that don't realise they got it wrong for no fault of their own

<WileyS> Ed, true, I should capture the 4 "0"s as something other than an abstain

<justin_> Companies can already get in trouble for accidental lies under at least US law.

jmayer: can't we address this explicitly too
... say other lying isn't also okay

aleecia: anyone who can't live with counter suggestion - actually text already says this
... jmayer, can you suggest other text

<Chris_IAB> make the rule in the affirmative and the negative is not required

jmayer: will think of something and type in

<robsherman> +q

<JC> +1

Chris_IAB: anyone adhering to the standard has to adhere to the standard - it's not necessary to say you're doing it and you're not going to lie about it

<tl> "It it PROHIBITED send a signal described in the TPE doc which is deceptive."

Chris_IAB: if you choose to lie it doesn't matter what it says in the standard

robsherman: we already have laws that say can't lie to consumers - don't need to include in spec

<npdoty> if we all agree about the requirement and the question is just whether we need this text in the spec, we could just leave it up to the editors?

robsherman: main concern heard is that TPE doesn't say you have to correctly state 1st or 3rd party

<tl> +q

tl: pasted text counter proposal

<WileyS> Object

aleecia: anyone who would object to that

<WileyS> No need to state this...

<Chris_IAB> object to the need for this language

WileyS: core argument - why do we need to state this?

<jmayer> "This section is not intended to allow or prohibit any practices other than those explicitly addressed."

<jmayer> +q

WileyS: if you state your compliant then you are following it
... if someone sends an untrue signal then already not following spec
... this text doesn't change that

<efelten> Would this text change the meaning of the spec, or not?

<justin_> Are deceptive business practices prohibited in the EU?

WileyS: my concern more on unintended consequences
... wasteful language and we're all trying to have straightforward text

<jmayer> efelten, it would. Third parties are substantively prohibited from acting as first parties. But the rest of the spec doesn't address what a party claims to be.

<rvaneijk> @justin, yes, but this is outside data protection legislation

<WileyS> Aleecia, agreed

aleecia: seems like already covered by party definitions
... says what a company reasonable expects what is going on - what is different here?

<WileyS> The spec already covers this topic - this is unneeded additional text.

aleecia: question from ed - would text change meaning of spec?
... hearing both

<WileyS> You already had a vote on this and the group overwhelmingly (13 to 5) agreed this text should NOT be added

<WileyS> Straw vote - apologies.

<efelten> If it doesn't change the meaning, then it seems like a clarification. It it does change the meaning, then we should discuss whether to make that change.

aleecia: straw poll not a vote - trying to understand intensity of disagreement

<tl> WileyS: We operate by consensus.

<Chris_IAB> intense on this side-- can't live with it

aleecia: if people have a preference but can live with the other approach

<WileyS> tl, remember that point :-)

<justin_> rvaneijk, Right, so DPAs couldn't bring a case based on deception? Though would they be able to bring an enforcement action just based on violating a technical spec? Or does it depend on jurisdiction at this point?

<Chris_IAB> they just changed the semantics...

aleecia: asked if can't live with no text - counter proposal suggested

<WileyS> Inadvertant consequence

aleecia: now asking can people live with this statement

<rvaneijk> @justin, depends on local jurisdiction. In NL we have civil law.

<robsherman> +q

dwainberg: agree with sentiment don't want deception - language is either redundant or creates new standard at w3c for deceptive

aleecia: how does this create new standard for w3c?

<efelten> Question to people who can't live with this: How does it change the meaning of the spec?

<WileyS> Was is the legal defintion of "deceptive" in Korea? In Japan? In Italy?

dwainberg: to put in a spec a party must not do something that is deceptive - what is the standard for deceptive

<WileyS> Its a legally loaded term - that's the concern here.

dwainberg: decades of case law on meaning of deceptive
... are we including that by reference

<npdoty> are tl, jmayer comfortable with existing regulations against deception covering the common sentiment?

<aleecia> "falsely represent themselves as a first party"

<rvaneijk> @justin: the obligation to inform is an important data protection principle however..

dwainberg: don't know how that will work - adds risk to parties trying to be compliant with standard

<tl> If we can't use any language which has actual meaning and consequence because lawyers don't understand what it means, then we have a real problem.

jmayer: now we have agreement that changes what text says

<efelten> The word "deceptive" does not appear in the proposed language (in any form).

<Chris_IAB> if you want parties to voluntarily comply with this standard, you should probably stay away from legally loaded terms like this

jmayer: current text prohibits 3rd party acting as 1st party

<WileyS> Ed, its in the offered up revision (look higher up in the IRC chat)

<justin_> rvaneijk, Right, so it should be a transparency/notice violation under existing data protection law under either iteration.

jmayer: what spec doesn't say is what a 3rd party sends when acting in a certain way

<Chris_IAB> just define 1st party and 3rd party FOR THIS SPEC, and we are done with this

<JC> That language should be fixed then

<Chris_IAB> make the definitions clear

jmayer: would not be a violation for third party to be a third party but say it is a first party

<Chris_IAB> that's working in the affirmative

<amyc> not sure I understand

jmayer: no doubt we're changing the substance of the spec
... as to the legal implications, that will vary, in the US the FTC might already give you most of this if not all
... even without the language

<Chris_IAB> How many attorneys do we have on the call today? Jurisdiction of practice?

<dsriedel> If the standard is specified technically in a decent manner, a first party and its contracted third parties, working in "silo"mode, have an easy time to make their status transparent while a deceptive third party would have a hard time. Especially when audits or clever browsers investigate "DNT complaint" parties.

jmayer: might not be deceptive just because of this spec- think this does change legal enforcement in some countries

<WileyS> +1 DSinger - sounds like a better path "'knowingly' reflect the party's status and behavior"

<tl> dsinger, as in "The communications described in the TPE MUST accurately represent the party's status and behavior." ?

robsherman: question is this is new language that there is not precedent for
... so can discuss if this changes a practice
... we don't know how this will be interpreted later

<dsriedel> So maybe this is also something a first party should be able to within this standard to have at least some control about its status and the status of its partners.

<justin_> 0

robsherman: if we don't need it then we should have it
... if we have specific cases we should just address those

<jmayer> Rob, there is specific behavior we're concerned about: a third party claiming it's a first party.

<dsinger> tl: maybe. you can 'under-act' (it's true you are a first party, but you do less tracking than many thirds)

<efelten> From the HTTP 1.1 standard: Since the protocol version indicates the protocol capability of the sender, a proxy/gateway MUST NOT send a message with a version indicator which is greater than its actual version

robsherman: favour minimalism here because it gets hard to structure language

<efelten> (took ten seconds to find that one)

robsherman: and difficult to know how regulators will interpret that language

<Zakim> dsinger, you wanted to agree with Rob that we need the TPE to say that the response header and well-known resource 'reflect the party's status and behavior'

<Chris_IAB> let's keep it to a technical specification: define what is a 1st and 3rd party, specifically, for this spec

<rvaneijk> @Robsherman: lying is not allowed, not telling the whole truth is a different thing

dsinger: can we just edit the TPE doc to say what you claim in your header or well known resource must reflect your status

<justin_> Which would mirror the language that efelten just sent around.

<WileyS> "your actual status" - so if a 1st party's content is hijacked they are non-compliant?

aleecia: would you take an action to write that?

dsinger: sure, if the group wants that to happen

aleecia: think text will be useful and won't take long
... let's look at that approach vs. what we currently have and go from there

<justin_> dsinger, Take note of the HTTP 1.1 language that efelten pasted above.

aleecia: we'll take another look with text from david

<npdoty> ACTION: singer to draft very short text in TPE about representing party status [recorded in http://www.w3.org/2012/08/01-dnt-minutes.html#action01]

<trackbot> Created ACTION-233 - Draft very short text in TPE about representing party status [on David Singer - due 2012-08-08].

<aleecia> Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? (ISSUE-49)

<aleecia> http://www.w3.org/2011/tracking-protection/track/actions/161

ACTION-161?

<trackbot> ACTION-161 -- Shane Wiley to work on issue-49 -- due 2012-05-07 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/161

<justin_> adrianba, Sure

<justin_> Shortest scribing FTW.

<scribe> scribenick: justin_

<aleecia> A Third-Party MAY operate as a First Party if the following conditions are met:

<aleecia> • Data collected is separated for each First Party by technical means and organizational process, AND

<aleecia> • The Third Party has no independent rights to the collected information outside of Permitted Uses (see Section X.Y), AND

<aleecia> • A contractual relationship exists between the Third Party and the First Party that outlines and mandates these requirements.

<aleecia> A Third-Party acting on the behalf of a First Party is subject to all of the same restrictions of a First Party.

aleecia: Reading above for those not on IRC

<jmayer> +q

<npdoty> WileyS, you intend this as an elaboration/definition of "Service Provider", yeah?

+q

<WileyS> Yes

<rvaneijk> WIleyS, the limitation of futher use is lacking in the normative text.

aleecia: This is text from WileyS

jmayer: Two points: This conflates service providers and first parties.
... There's value in treating them separately.
... O
... Otherwise, it's easy to think that service providers have the same complete lack of restrictions that first parties have (or don't have).

<WileyS> JMayer, could you give an example that worries you?

jmayer: Second, glad that service providers can't use for their own purposes, but what if service providers can get access to extra data?

<npdoty> re-use for market research, is that an example?

<WileyS> Okay with placing "Service Provider" at the top of the text (as that's what we're trying to cover here)

<WileyS> Justin, yes.

<npdoty> justin: is this language just meant to replace outsourcing/service provider language?

<Zakim> dsinger, you wanted to say "operate as a First Party" should be "operate under the rules for a first party", but otherwise agree

<jmayer> Q: How is this supposed to substantively change the current text?

<WileyS> Disagree with the removal for the permitted use protection

justin_: Is this language just meant to be a replacement to the current language in the Strawman draft on outsourcing?

WileyS: yes.

<WileyS> David, I'm fine with that change

<WileyS> Got it

dsinger: I'd prefer that the language say that the service provider isn't a first party, but that they may act as a first party.

<jmayer> I'd much prefer to be more explicit.

aleecia: Remember, that the third parties can have outsourcing service providers too, so we may need to adapt this definition to reflect that.
... Asks WileyS to accomodate the language.

<WileyS> Aleecia, yes - makes sense

aleecia: Some editing needs to get done here. Seeing no one on queue, wants to know what can be done to address jmayer's concerns.
... Notes that there are limitations, contractual relationships, etc. --- other than permitted uses, what do you need jmayer?

<jchester2> sorry

<jchester2> I heard the static. thks

<WileyS> We disagreed with your language and approach -- and feel this is a better position (less prescriptive but meets the same goals)

jmayer: I'd prefer our language that was rejected by folks in the ad industry. This language looks much less stringent. Weaker siloing. More ability to use information . Weaker legal protections.

<WileyS> Feel free to compare

<WileyS> +q

jmayer: Would like to see a comparison between our language and this language. What's in here that solves their problems?

<jchester2> I also would like to hear.

WileyS: This is cleaner, less prescriptive, more flexibile through a variety of mechanisms.

jmayer: How?

<jchester2> How is it prescriptive, Shane?

<npdoty> WileyS, when we're talking about "prescriptive", is that on the example technical means?

WileyS: Feel free to point out why what you suggested is needed, but no one will implement.

<WileyS> Nick, yes

aleecia: Take this to the mailing list and look at side-by-side.

<jmayer> You mean the explicitly "Non-Normative" language?

<WileyS> Got it

<jmayer> That was prescriptive?

aleecia: Reopening action item for WileyS to make the two edits that we seemed to agree upon on the call.

<WileyS> jmayer, the structure of the normative language as well.

aleecia: Not seeing movement toward the middle, so we may be moving down the path of taking formal objections.
... That's probably where we're headed :(
... Take care and see you later.

Summary of Action Items

[NEW] ACTION: singer to draft very short text in TPE about representing party status [recorded in http://www.w3.org/2012/08/01-dnt-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.136 (CVS log)
$Date: 2012/08/01 17:30:21 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.136  of Date: 2011/05/12 12:01:43  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/i don'/i don't see specific text about redirection - what about javascript and onload/
Found ScribeNick: adrianba
Found ScribeNick: justin_
Inferring Scribes: adrianba, justin_
Scribes: adrianba, justin_
ScribeNicks: adrianba, justin_

WARNING: No "Present: ... " found!
Possibly Present: AnnaLong Apple BrendanIAB Brooks Chapell ChrisPedigoOPA Chris_IAB Final GVoice HenryGoldstein Ian JC KevinT Lia Microsoft Mozilla P13 P31 P32 P5 P50 Shane Simon WileyS aa aaaa aabb aacc aadd aaee aaff aagg aahh aaii aajj aakk aall aamm aann aaoo aapp aaqq aarr aass aatt aauu aavv aaww aaxx aayy aazz adrianba aleecia alex amyc bbaa bbbb bilcorry brendan bryan case cblouch damiano_ dnt dsinger dsriedel dwainberg eberkower efelten henryg hwest jchester2 jeffwilson jmayer johnsimpson joined justin justin_ left ninjamarnau npdoty robsherman rvaneijk samsilberman schunter scribenick sidstamm suegl susanisrael tedleung tedleung1 tl tlr trackbot vincent
You can indicate people for the Present list like this:
        <dbooth> Present: dbooth jonathan mary
        <dbooth> Present+ amy


WARNING: No meeting title found!
You should specify the meeting title like this:
<dbooth> Meeting: Weekly Baking Club Meeting

Got date from IRC log name: 01 Aug 2012
Guessing minutes URL: http://www.w3.org/2012/08/01-dnt-minutes.html
People with action items: singer

[End of scribe.perl diagnostic output]