Tracking Protection Working Group teleconference -- 29 Aug 2012

<aleecia> http://www.w3.org/2011/tracking-protection/track/issues/138)

<aleecia> Thank you for dropping all of that, zakim

<aleecia> Nick, thanks for being available -- made it possible for me to avoid cutting it very close on the last flight out

<npdoty> chair: schunter

<aleecia> Sid, could you do me a favor and say something?

<aleecia> My headphones seem not to work

<sidstamm> I'm not on the call yet, still dialing in

<sidstamm> one moment

<aleecia> Oh yes

<aleecia> That does work, thanks!

<aleecia> Why I can't hear myself -- eh, not worth debugging

<sidstamm> Apologies to the room, I have to leave in 35 minutes

<aleecia> Indeed, Brendan -- yes

<aleecia> Superpowers!

<sidstamm> what magic code did you dial to block your caller ID, BrendanIAB?

<aleecia> I'm on mute -- loud background env

<aleecia> Perhaps Matial once had the same Skype number

<aleecia> Nice

<aleecia> :-)

<aleecia> Thanks for helping us straighten it out, Brendan.

<BrendanIAB> no worries - is why I join early.

<damiano> The conference code does not work

<damiano> i dialed *0, but it keeps saying to hold for an operator

<aleecia> Please dial 87225

<damiano> that is the one i dialed

<damiano> ok

<aleecia> Anyone else having trouble?

<JC> JC is at 425

<aleecia> If not, you might just try calling again, damiano?

<WileyS> Longer delay than normal on Zakim Phone System today - wait a good 30 seconds after you dial in to enter the code for this meeting.

<aleecia> Ok, thanks Shane -- so not just damiano

<damiano> no operator yet

<damiano> keeps saying to hold for an operator

<npdoty> volunteers to scribe?

<jmayer> I am, but I'm going to be very active on this topic.

<damiano> i'm on finally

<jmayer> I'll fill in for David, how about that.

<npdoty> scribe: dwainberg

<Chapell> happy to split

<npdoty> and Chapell will take over when dwainberg lets him know

<Chris_IAB> just connected via my mobile (blocked number)

<npdoty> thx both

<Chapell> i'm on via skype

overdue item 1: Roy is not present

scribe: (Matthias working through the list of overdue actions)

<schunter> http://www.w3.org/2011/tracking-protection/track/actions/212

Action 212 assigned to Shane. Shane says he will get it done by next week.

<trackbot> Sorry, couldn't find user - 212

hwest: both of my action items are done

<aleecia> Heather, please update those to Pending review if you would, please

<fielding> I am in a meeting and unable to join the phone -- give me Qs via irc

(Heather's items: 225 and 237?)

<npdoty> action-229?

<trackbot> Getting info on ACTION-229 failed - alert sysreq of a possible bug

<aleecia> So also pending review

<tl> +q

232: done

posted to mailing list

<aleecia> So noted

234: jon says no substantive change on permitted uses proposal

<WileyS> Aleecia, does this mean Amsterdam is simply a repeat of Seattle?

<aleecia> No.

235: Nick says no written text to share yet.

<WileyS> How is it not if there are no "substantive changes"?

Moving deadline to Tuesday for 235.

<WileyS> Aleecia, how is it not if there are no "substantive changes"?

<aleecia> We'll review the proposals and go through the decision process with a call for objections, just as we've done on the tri-part state

<jmayer> This should be no surprise - when we opened the ACTION, I noted the outcome was virtually certain to be no substantive changes.

<WileyS> Aleecia, we've already done that.

<WileyS> Aleecia, can you please explain how this process will be different than what occured in Seattle?

<npdoty> thx dsinger

239: schunter reviewed minutes, and sent a note. Qualifiers have been reintroduced to the draft.

<aleecia> This is the process of getting final text. Jonathan's saying his text is final.

<tl> WileyS: Perhaps we should discuss this out loud later on this call?

dsinger: qualifiers do not currently match the compliance doc.

<aleecia> Nick is working on new text. You may or may not be too.

<WileyS> Aleecia, Jonathan's text was final in Seattle - again, not seeing the difference here and I'm understanding what you feel is different this time.

<aleecia> (I have a lot of background noise so I'm on mute if at all possible)

<WileyS> I'm "not" understanding...

<aleecia> His is not the only proposal

<dsinger> insert into 6.3.1 "Note: a site may remember that it has previously asked for, and been denied, an exception, if it wishes to avoid repeatedly asking the user for an exception."

240: dsinger will post proposed language today. (and see ^)

<WileyS> There were two key proposals - are you suggest we'll now revert from the work completed in Seattle to consider the proposals with smaller support again? We did this in Seattle as well - which is why we focused on the two proposals.

241: npdoty will write up text if we don't get to it on the call today.

243: schunter closing the action.

245: schunter: hasn't been done so leaving open.

<aleecia> Shane, I think you're missing state here. This will be faster by voice. My concern is that you're not the only one not following, so perhaps you and I could talk, and I could summarize to the list

<WileyS> Aleecia - sounds good.

<hwest> CFell off

tl: for headers action items, don't see any emails listed on the tracker. Anything on the list, or just added to the draft?

<aleecia> Tom -- it's in the draft

<hwest> tl, the changes are an option that we re-included in the draft, we haven't sent out the editor's draft yet

<WileyS> He's not on the call - just sent him an email and didn't get an OOO return - hope to hear from him today.

npdoty: wants to follow up on 229. If Chris isn't working on this, can we reassign.

<WileyS> Agreed

<dsinger> ACTION: dsinger to ensure that the qualifiers reflect the permissions documented in the compliance document, due 10 october [recorded in http://www.w3.org/2012/08/29-dnt-minutes.html#action01]

<trackbot> Sorry, couldn't find user - dsinger

schunter: should we set a deadline for the next call and reassign if he doesn't respond?

<tl> hwest: Glad to hear that I'm not starting to loose state =]

<dsinger> ACTION: david singer to ensure that the qualifiers reflect the permissions documented in the compliance document, due 10 october [recorded in http://www.w3.org/2012/08/29-dnt-minutes.html#action02]

<trackbot> Sorry, ambiguous username (more than one match) - david

<trackbot> Try using a different identifier, such as family name or username (eg. dsinger2, dwainberg)

npdoty: we said that last time; maybe give him a couple of days.

<dsinger> ACTION: singer to ensure that the qualifiers reflect the permissions documented in the compliance document, due 10 october [recorded in http://www.w3.org/2012/08/29-dnt-minutes.html#action03]

<trackbot> Created ACTION-249 - Ensure that the qualifiers reflect the permissions documented in the compliance document, due 10 october [on David Singer - due 2012-09-05].

<aleecia> I'll ping him

<WileyS> Not sure I want to take this one - any other volunteers?

<aleecia> I'll ping

<aleecia> And cc you

<npdoty> thanks

<WileyS> Thank you Aleecia

schunter: this concludes action item discussion.
... comments on minutes posted since last week?

npdoty: minutes posted, but not cleaned up.

(no comments on minutes)

<Brooks> Brooks on 678 492

<Craig> question. off subject but looking for speakers for Oct 3 in San Jose (Same time as meeting in NL)

<damiano> damiano 813

<Chapell> chapell is skype

<Chris_IAB> not me

<Craig> Craig Spiezle - Online Trust Alliance on skype

<Chris_IAB> I'm on my cell

<Chris_IAB> blocked number

<aleecia> Oops

<WileyS> Nick - you're a "hard typer" be sure to hand exercise daily to stave off carpal tunnel synd :-)

Service Providers

<jmayer> +w

<jmayer> +q

schunter: issue-137. Whether there should be an indication of a service provider to a 1st party.

<schunter> 1 - A user with DNT;1 visits a site

<schunter> 2 - The site sends back its own content (e.g., usually marked with Tk:1 header that says that the policies for 1st parties have been implemented)

<schunter> 3 - Embedded content from third parties is marked with "3" (following 3rd party policies; no concern there)

<schunter> 4 - Some embedded content that is marked with "1" but is coming from a different domain

<WileyS> Jonathan - that was interesting that '+w" shows when I arrived on the call - that's a new Zakim feature I wasn't aware of.

<dsinger> +d

<WileyS> David - LOL, only works for me?

<jmayer> Neither was I, typo FTW.

<jmayer> +jmayer

schunter: current spec solves this problem by saying if a site is operating on a different domain as first party, include domain in the sits attribute.

<WileyS> +dsinger

<npdoty> this is the Yahoo/yimg.com case? a different domain but entirely part of the same party

<WileyS> Sorry David - Zakim just isn't into you. :-)

<tl> +q

<jmayer> (I don't think we have consensus that a TPE status means "is intended for [X] party use" vs. "complies with [X] part of the Compliance spec.")

schunter: two questions: 1. is this a problem we agree needs to be solved; 2. is this a solution.

<jmayer> Heh, Apple - secretive as always.

schunter: start w/ clarifications of the scenario.

<dsinger> So, the TPE now has qualifiers that match the permissions, and we expect a permission for service provision; this makes it clear that only agents that are end-points of HTTP are involved in this (not e.g. hosting or firewall providers); the only question I have is whether it's mandatory to set it

<schunter> Clarification: We only talk about service providers that are visible http endpoints

dsinger: we've had a defined exception for service providers, so we've mostly dealt with this question, so question remaining is are you obliged to indicate you are a service provider?

<npdoty> we were adding back the qualifiers for "permitted uses" which I don't think includes service providers, that's defined in a different section of the Compliance doc

jmayer: 2 framing point: whether something is a service provider or not is not the only ambiguity
... (sent an email to the list a while back)

<npdoty> http://lists.w3.org/Archives/Public/public-tracking/2012Aug/0197.html

jmayer: so this solves a lot but there may be other issues.
... 2. I don't we're agreed that if you're not clearly visible over http you don't have to do anything, but that's another issue.

schunter: if I understood correctly you're talking about service providers that exist but are not part of the http transaction.

<jmayer> yep

schunter: is this right?

tl: confused about the current state here. Roy said he removed the qualifier and added requirement to .... want to confirm I have the right state here.

<schunter> Unclear: a) Is the first party required to point to service providers using the same-party attribute

tl: if a service provider is acting on behalf of 1st party, it can send the 1st party response
... is there a different field the first party should identify them as
... is the first party obliged to identify service providers?

<npdoty> but you're identifying an uncertainty/ambiguity, right, tl?

tl: was asking about the state of the document.

schunter: it's probably not clear.

<aleecia> Roy might be able to respond if you type into IRC

<fielding> it's finished ;-)

<npdoty> fielding, tl's question, as I understand it, is the following:

<npdoty> does a user determine service provider status by following the policy link from the service-provider's domain?

<schunter> An optional member named same-party may be provided with an array value containing a list of domain names that the origin server claims are the same party, to the extent they are referenced by the designated resource, since all data collected via those references share the same data controller.

<npdoty> or is the service provider listed in the `same-party` or some other field in the first party's tracking status resource?

tl: right now there's no sp qualifier in the doc. so right now we don't have any 3rd party signal.

<fielding> same-party is optional -- think of it as a recommended whitelist

dsinger: assuming the compliance doc ends up with a permission for service provider there will be a qualifier to match.

<npdoty> dsinger, I'm not convinced that's what fielding has intended

<fielding> the policy URI points to the first-party

<npdoty> fielding, are we expecting to add a service provider to the list of tracking status qualifier values?

<schunter> ?roy?: Will services providers be listed as same-party?

tl: so now if a website uses a cdn, how does the client know whether the cdn is operated on behalf of or otherwise.

<fielding> … or, if no policy, then the domain is owned by first-party

dsinger: we don't currently have a way of indicating I'm acting as a service provider for whom.

tl: Roy thought he'd solved it, but it sounds to me like this issue is not closed.

schunter: take a step back and quickly summarize what we want this feature to do.

<npdoty> fielding, `policy` is an optional field -- does not having a policy field imply something specific about your service-provider status?

schunter: I tried by email to validate what we want it to do and then we need to see if it does it.

<fielding> we don't need a way to indicate that "I am a service provider" -- the domains already exist for that purpose

<tl> fielding: When I visit example.com and see resources from examplecdn.net, how do I know whether examplecdn.net is actually operated by Example Inc, or by CDNInc on Example's behalf?

schunter: service providers following the first party rule; we need a mutual pointer for both 1st and 3rd party to indicate relationship.

<npdoty> fielding, but sometimes a different domain isn't a service provider but is part of the same party (like yimg.com)

<fielding> your service provider status is irrelevant -- what matters is who is a data controller

<tl> fielding: Again, that doesn't satisfy the use case Ed provided.

dsinger: I'd like to have a list of questions this and the tracking status resource are trying to answer.

<tl> +q

<fielding> tl, yes it does. If you disagree, write the case on the mailing list.

adrianba: question of whether you know whether the CDN operates as service provider or on its own. If there is a service provider status qualifier then the provider would say

<npdoty> adrianba, but fielding thinks you shouldn't ever need to indicate that you're a service provider

adrianba: I'm a service provider and I'm acting as first party, so I don't think we need a way to indicate which party, but we may need a way for a service provider to a 3rd party.

<jmayer> Worst case, it's a bit redundant. There can be ambiguities. Example: Multiple first parties.

<dsinger> yes, Adrian, the question is whether that presumption -- that the current first party agrees that foo.com is their service provider -- is OK, or whether the link needs to be confirmed one way or another

tl: having trouble understanding the process we're using. we have requirements. In Seattle we agreed on a structure that satisfied my requirements, and Roy could live with, but that's not what we're doing.

<adrianba> dsinger, isn't that a problem of any site claiming to be a particular party?

tl: I don't want to have to keep explaining myself when we already reached consensus on a protocol stack that's just not being copied into the document.

npdoty: to clarify: do you think we had an agreement in Seattle that satisfied the concerns?

tl: I recall clearly standing at a whiteboard with Roy standing next to me, making mods to a series of letters related to a pile of things that should be included.
... I recall that we had reached a configuration that Roy said had met his requirements.

<fielding> no

tl: we definitely reached consensus on a very particular point.

schunter: I read the minutes and I didn't find this piece. Either we didn't document it or we didn't reach this agreement.
... there's a clear statement we agreed on the basic headers.

<fielding> I said I would write a draft. I did that. We did not have consensus. I have repeated that over and over again.

schunter: if we had agreements that are somewhere documented but are not in the document it's not intentional.
... we've had discussion and we're now trying to put it in.
... it's our job to work this text until we reach consensus on the text.

tl: seems like we've lost the work. perhaps we need to do it again.

<fielding> I am still waiting for ANY use case to be documented that calls for what TL is requesting. As I said I would, in Seattle.

<fielding> and in DC

schunter: fine with me. small group can make a proposal to the larger group.

<tl> fielding: This is still Ed's example.

<fielding> Ed has not written his example, so I don't know.

<dsinger> to adrian: the concern is that some site gets pulled in, and it in turn has a service provider; the service provider says it has status first-party/service-provider but it's not servicing the actual first party, and we can't tell from the outside, since the 'who' is not identified at either end

tl: I suspect that might work, but the communication difficulties we have are making that difficult.

<dsinger> to Tom: do you have the ability to suggest specific edits? that might be the best way ahead?

dsinger: cal tl propose specific text edits that are needed. Or I can help find stuff that got lost from the draft.

<aleecia> You'll need to type in IRC for Roy

<jmayer> +q

<tl> 1030PST

schunter: so, to move forward, we'll schedule time for fielding, tl, dsinger to get together to discuss. item remains open until then.

<tl> Roy, can you spend half and hour re-doing this work at 1030PST next Wednesday?

jmayer: different actions a site might be up to that we need proposals on.

<fielding> Adobe objects to the service provider description unless it is backed by a use case that demonstrates the need from a privacy perspective. It will not go in the editor's draft until that justification is made because Adobe objects. The WG can make a formal decision to override the editor's decision.

jmayer: I was hoping we'd be able to close the of the service provider flag.

Alan, can you take over scribing?

<tl> +q

<npdoty> scribenick: Chapell

<dwainberg> jmayer: it's clear where Roy's coming from on this.

yes

<dwainberg> ... I'm wondering if anyone shares Roy's perspective.

tl: we have an impasse

<jmayer> Let me be more concrete: straw poll?

tl: need to have a call for objections (unless roy is only person who olds that opinion)

<WileyS> I see issues in either direction

<aleecia> And Jonathan's suggestion for a straw poll sounds like a good one

jmayer: wants to gauge groups pulse on the issue

<adrianba> dsinger, that's always a problem for a service provider or a resource from a domain that's a first party - it needs to indicate whether it thinks it is behaving as a first party (and as the spec says it can only declare what it thinks is the case)

<WileyS> From a privacy policy perspective, companies don't need to reveal their Service Providers (vendors) - so why should DNT be different?

<dsinger> Roy: I think the case is of a site that has a *distinct site name* that is not apparently part of the first party, that IS is an end-point of the HTTP transactions (not a hosting, firewall, or other intermediary), and that claims first-party tracking status: the UA needs to know (a) that it's claiming that because it is a service provider and (b) that it's providing service for someone with actual 1st party status.

mattias: the discussion re: SP is "should it be mandatory or not"

<dsinger> Otherwise, the UA may well identify it as 'acting out of status' and flag it to the user, etc.

tl: having it be optional is not acceptable
... sp must identify itself as a sp on behalf of a given first party

<fielding> dsinger, already solved that use case

<WileyS> This will allow anyone to decode any and all service providers a company has hired to work on their behalf - will be a market changing event if this goes through.

tl: use case: user must be able to distinguish

<aleecia> Privacy policies do not seem like a bar we should lower ourselves to... Regardless of which way this goes, I'm not seeing privpols as useful framing

<dsinger> Roy, can you point at what in the current draft covers that?

<dsinger> (we can't find it)

<WileyS> Aleecia, disagree strongly - privacy policies get a bad rap but are this the leading vehicle for consumer communication on these topics.

<jmayer> Let's start with service providers that are semi-visible over HTTP, e.g. CNAMEd in.

dsinger: says roy's text covers TL's use case

<jmayer> Backend service providers are a different issue.

<fielding> requirements must be acceptable to those who are expected to implement them

<WileyS> are "still" the leading vehicle...

tl: if not going to straw poll, we add this to list of things we call for objections

<fielding> dsinger, service providers must always point to the first party, either via policy URI or the domain ownership.

dwainberg: lots of ambiguity here

<WileyS> From a regulatory perspective, if a Service Provider falsely states its acting as a 1st party - when its not, you have all the evidence you need to take them to the cleaners. I'm not sure what advocates are trying to gain here in forcing SP visibility?

dwainberg: hard to object or not without a concrete proposal

<jmayer> +q

dwainberg: need more info

<dsinger> to Roy: what is the nature of the pointer?

tl: there doesn't appear to be consensus, if more work is needed to clarify, that's ok

<fielding> a URI or a domain

<jmayer> I think we can get agreement on a minimum use case.

<jmayer> Example: Does Google Analytics need to set a service provider flag?

<jmayer> Yes or no?

mattias: we should understand which use cases have a solution and which do not

<fielding> Google analytics does not qualify as a service provider -- they are a third party

mattias: so we should go forward with a discussion to gain clarification
... or we risk throwing out much of what we've agreed upon

tl: suggests a 30 min call next week, pending roy's avail

<fielding> We have a mailing list for detailed technical discussions. Please start using it for something other than hot air.

<tl> Roy: are you available for a 30min call at 1030PST next week discussing this issue synchronously?

matthias: proposes meeting with roy, tl and dsinger

<fielding> no, put it on the mailing list -- I am tired of these private conversations that just waste our time.

<npdoty> if the group can't find a common resolution, then it can come back with multiple conflicting texts that we have to choose between

TL: given the back and forth last time and the noisy nature of the mailing list, this may not be productive using email

Matthias: first step: talking...
... next step: counter proposals

<npdoty> schunter: I believe talking in a small group first is the best way forward

<aleecia> From memory, Roy is not available by phone this week

schunter: move to issue 112

<aleecia> Which is why next week is suggested rather than, say, tomorrow

<dsinger> issue-112?

<trackbot> ISSUE-112 -- How are sub-domains handled for site-specific exceptions? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/112

<npdoty> I think schunter is taking responsibility for finding the process way forward

<tl> dsinger: If Roy isn't interested, perhaps you and I could chat, so that we can pin down the use case and the requirements that fall out it?

<WileyS> I sent a fairly long email on this topic - suggesting we'll need wild cards.

how are sub domains handled for site specific exceptions, http://www.w3.org/2011/tracking-protection/track/issues/112

dsinger: the tech issue is that if we allow paramaters to include wildcards, then we have issues in allowing exception
... much more complex.

<WileyS> We shouldn't over engineer for bad guys

<WileyS> We do need this

dsinger: working with use cases - call out to advertising industry folks to specify use cases

<WileyS> DSinger, we've gone through this deeply in the email list

dsinger: exceptions for sub-domains are easier to handle

<schunter> ?Tom:? could you re-post pointers to the use cases that you want satisfied? Also please point out if there is documented consensus in the minutes that is not (or wrongly) reflected in the TPE draft.

dsinger: for site exceptions do we need sub-domain trees

adrian: position from bellevue - we don't have to distinguish between multiple subdomains

<npdoty> adrianba: try without, and we can add it later, but if we put it in now we can never take it out

<dsinger> 2 questions: (a) for site exceptions, do we need to be able to ask for *.x.com? (b) for web-wide, does x.com need to be able to ask for *.x.com as well? The second is easy, teh first pulls in the whole public suffix question.

dwainberg: important functionality that is used by many companies
... creating a burden on companies and users

<adrianba> for example *.co.com is allowed and *.co.uk is not allowed

dwainberg: in browsers, the code is already built and can be repurposed

<npdoty> not sure which part we're talking about requires industry re-engineering?

dwainberg: other than the complexity of dealing with public suffix issue, are there other objections?

<dsinger> So, the big question is for those in the industry; how complex (and particularly, maybe not fully enumerable) are the sub-domain usages in the industry?

npdoy: need to be specific about what we're talking about

<Brooks> to clarify when we say "public suffix" we are talking about new TLDs right?

npdoy: most recent response on mailing list is nick's

<WileyS> Yahoo! has HUNDREDS of sub-domains (news.y.c, sports.y.c, my.y.c, maps.y.c, etc.)

npdoy: one issue is that it changes the breadth of the request in a way that the user may not want
... so we're left with creating a complications for users

<Craig> agree. complexitiy of mtuiple domains of the same 1P. Subdomains can be used for content and image serving as well as other wholly owned subsidaries (WSJ & Dow Jones)

schunter: so how do we make progress here?

<WileyS> Craig - what are you agreeing to? Support or do not support wild cards (*.y.c) for exceptions?

dsinger: is it possible for the first party to enumerate all of the sub domains for each third party?

<WileyS> Yes - many ad networks use sub-domains to split load (www1.ad.net, www2.ad.net, etc.)

<dwainberg> yes

npdoty: 1st issue: expanding 1st party exeptions or 3rd party exceptions?

<dsinger> but the parts of the 1st party can and will say "I operate under first party rules, I don't need no exception"

<npdoty> 1) (as dsinger just described) a first party wants to ask for a *.ad.net as it's asking for a site-wide exception, but can't just use "*"

schunter: lets focus on 3rd party case

<dwainberg> right, dsinger

<npdoty> 2) a first party wants to ask for a broader set of first parties on which the site-wide exception (to its third parties) should apply

<npdoty> and then 3) (Vinay's case) a Web-wide exception to apply to other subdomains of mine that will be 3rd parties on other parts of the Web

dwainberg: the list is either too long, or unknown to the first party

dpdoty: but you can use the wildcard?

<npdoty> s/dpdoty/npdoty/

<tl> +q

brendanIAB: the pub has a very common use case... i may trust my initial first parties, but don't want to open the door to another set of third parties that the pub doesn't know

<dsinger> I think for site-exceptions, the case is that you do NOT want to ask for "*" (all third parties), but you also CANNOT enumerate all the specific third party sites you DO need (e.g. the list is too long, or you simply do not know all the X's for [X].ad.com). In that case you want to ask for *.ad.com, and today you can't

<npdoty> the concern we heard a few months ago was the exact opposite :)

<npdoty> to clarify, BrendanIAB wants to have the ability to ask for an exception just for the first set of third parties and not for any re-directions (which isn't necessarily trusted)

<npdoty> , right?

dsinger: if a pub id delegating to subdelagators, then they need a site wide exception

dwainberg: what do we mean by delegate? does that then mean that a first party has a relatonship with ad.net who then offers the impression on an exchange...

<BrendanIAB> Not necessarily *want*, but calling it out as a scenario.

dwainberg: does that exception follow through the ad call to the exchange?

dsinger: not unless the publisher has asked for a site wide exception

<npdoty> BrendanIAB, okay, but if you don't want it and nobody else wants it, then it'll be easy for us to drop it, rather than engineering for it

<dsinger> notes that the question of whether DNT headers are inherited by re-directs is a DIFFERENT issue (and we previously tentatively decided 'no')

schunter: under this scenario, all exceptions are explicitly listed, and ONLY those third parties will get the exception (unless the site asks for site wide exception)

<npdoty> right, correct description of current state

schunter: whomever is on the list gets dnt 0

<BrendanIAB> More specifically, it's a technical situation that I recognize, but will need to do some research and education to understand whether it's better than other options.

schunter: all else get dnt 1
... if you want to specify a range of 3rd party domains that should be excepted, are wild cards ok?
... or must each 3rd party be specifically listed?

<npdoty> most ad exchanges would use the * site-wide exception, because they don't know the list of third parties for which they want to request an exception

schunter: lets focus on the case where the 1st party has a list of domains --- shoudl the 1st party be able to shorten the list of domains by using a wild card?

dsinger: we'd prefer NOT to allow wildcards
... as it complicates things

<WileyS> DSinger - what were you assigning to me? :-)

<aleecia> Reminder: call for objections on mandatory equal difficulty for tri-part in UAs closes today

npdoty: to add an action item for BrendanIAB

<ninjamarnau> we already discussed this issue extensively in DC.

<WileyS> Aleecia, where did the pool end out? Or is that what you're referring to with the "call for objections"?

<npdoty> ACTION: BrendanIAB to research breadth of use cases for *.thirdparty.net in asking for site-wide exceptions without a wildcard [recorded in http://www.w3.org/2012/08/29-dnt-minutes.html#action04]

<WileyS> Aleecia - can't type today - "poll"

<aleecia> I'm not sure what you're asking, but today is the final day for responses

<WileyS> The betting pool is another matter :-)

@WileyS -- it is summer, after all

<aleecia> Heh

<WileyS> Aleecia - thank you

<aleecia> You can view them all

Schunter: current spec, simple solution that does not include a wild card

<WileyS> Aleecia, do you have the link handy?

Schunter: he will call for use cases to justity the wild card solution

<npdoty> https://www.w3.org/2002/09/wbs/49311/tripart/

<aleecia> Matthias & I will start to discuss on Friday (thanks, Nick!)

Dwainberg: there are already use cases

dsinger: brendan is taking the lead

<aleecia> We don't have a time estimate yet, but should have more clarity after we compare notes and start to talk it through

<WileyS> Brenden - Yahoo! use case - Yahoo! applies DNT to 1st party activities as well as 3rd party. So we'll need to request exceptions for our sub-domains which number in the 100s. A wild-card will be needed for our situation. For everyone else - let's not build a standard that attempts to twart bad buys by throwing the good guys under the bus.

<Zakim> npdoty, you wanted to note reminder

<BrendanIAB> Thanks WileyS

<aleecia> Thanks, Nick

<npdoty> WileyS, it sounds like you're describing increasing the breadth of first party, not third party, is that right?

- DRAFT -

Tracking Protection Working Group teleconference

29 Aug 2012

Attendees

Contents

Service Providers

how are sub domains handled for site specific exceptions, http://www.w3.org/2011/tracking-protection/track/issues/112

Summary of Action Items

Scribe.perl diagnostic output