IRC log of dnt on 2012-10-03

Timestamps are in UTC.

07:01:41 [RRSAgent]

RRSAgent has joined #dnt

07:01:41 [RRSAgent]

logging to http://www.w3.org/2012/10/03-dnt-irc

07:01:45 [npdoty]

trackbot, start meeting

07:01:47 [trackbot]

RRSAgent, make logs world

07:01:49 [trackbot]

Zakim, this will be

07:01:49 [Zakim]

I don't understand 'this will be', trackbot

07:01:50 [trackbot]

Meeting: Tracking Protection Working Group Teleconference

07:01:50 [trackbot]

Date: 03 October 2012

07:02:00 [npdoty]

Meeting: Tracking Protection Working Group Face-to-Face

07:02:03 [dsinger]

dsinger has joined #dnt

07:02:05 [npdoty]

Chair: aleecia

07:03:29 [tlr]

tlr has joined #dnt

07:05:57 [npdoty]

vinay has set up a screen-sharing so remote attendees can follow slides/etc: http://my.adobeconnect.com/vigoel

07:06:08 [npdoty]

let us know how/whether that's working

07:06:27 [npdoty]

and let me know if there are phone problems, I think the teleconference may drop in 5 hours or so and I'll have to re-configure then

07:08:12 [efelten]

efelten has joined #dnt

07:08:16 [afowler]

afowler has joined #dnt

07:08:22 [vinay]

vinay has joined #dnt

07:08:30 [tedleung]

tedleung has joined #dnt

07:08:32 [bilcorry]

bilcorry has joined #dnt

07:09:27 [tl]

tl has joined #dnt

07:09:59 [justin]

justin has joined #dnt

07:10:13 [npdoty]

scribenick: npdoty

07:10:24 [npdoty]

joris: chairman of the IAB here in Holland

07:10:36 [npdoty]

... we're already very happy, you have to succeed of course in the following three days

07:10:45 [jchester2]

jchester2 has joined #dnt

07:10:47 [npdoty]

... thanks to the Telegraaf Media Group to make sure all the facilities are in place

07:10:58 [BrendanIAB]

audio sounds like there's some interference with local electronics.

07:11:13 [npdoty]

... 60 attendees here, with many years of experience each

07:11:55 [vinay]

For those not here in person, you can follow along via the web at http://my.adobeconnect.com/vigoel

07:12:03 [npdoty]

... if the mayor were here, he would tell you about openness and core values of Amsterdam

07:12:28 [npdoty]

... those same core values appropriate to the important stuff you are debating

07:12:47 [npdoty]

... last June we had a new telecommunications law, a chapter on cookies, opt in and opt out

07:12:55 [npdoty]

... politicians are very willing to listen to Do Not Track solutions to that

07:13:15 [npdoty]

... hope you have the energy to facilitate those solutions during this meeting

07:14:06 [npdoty]

... introducing others from IAB NL

07:14:06 [hwest_]

hwest_ has joined #dnt

07:14:16 [npdoty]

schunter: introductions of matthias and aleecia

07:14:30 [ifette]

ifette has joined #dnt

07:14:34 [npdoty]

... since we have some newcomers, aleecia will give a quick tutorial on current state and agreements we've already reached

07:14:38 [npdoty]

... and look at open issues

07:15:04 [npdoty]

... in prior meetings it took quite a while to understand each other, and reached agreement in the easy pieces

07:15:07 [Marc]

Marc has joined #dnt

07:15:20 [npdoty]

... identified substantial agreements, for this meeting it may not be as easy

07:15:43 [npdoty]

... we have defined how to solve unsolvable disputes, a procedure to follow from multiple alternative proposals

07:15:55 [npdoty]

... a big purpose of the meeting will be carving out sound alternatives to the problem we are facing

07:15:56 [rvaneijk]

rvaneijk has joined #dnt

07:16:30 [npdoty]

schunter: explaining scribing

07:16:50 [johnsimpson]

johnsimpson has joined #dnt

07:16:51 [RichardfromcomSco]

RichardfromcomSco has joined #dnt

07:16:52 [npdoty]

... go through the agenda and assign scribes

07:17:06 [dsriedel]

dsriedel has joined #dnt

07:17:28 [npdoty]

working drafts and open issues, ifette to scribe

07:17:33 [ChrisPedigoOPA]

ChrisPedigoOPA has joined #dnt

07:17:43 [npdoty]

compliance and definitions, robsherman to scribe

07:17:54 [npdoty]

more resolving definitions, JC to scribe

07:17:58 [amyc]

amyc has joined #dnt

07:17:59 [npdoty]

lunch, no scribe necessary

07:18:31 [Zakim]

+ +1.310.292.aacc

07:18:40 [npdoty]

permitted uses for third parties, susan to scribe

07:18:54 [npdoty]

more permitted uses for debugging, Joanne to scribe

07:19:03 [Chris_IAB]

Chris_IAB has joined #dnt

07:19:09 [npdoty]

user agent compliance, tedleung to scribe

07:19:14 [johnsimpson]

zakim, aacc is me

07:19:14 [Zakim]

+johnsimpson; got it

07:19:21 [npdoty]

final session of the day, amyc to scribe

07:19:23 [Chris_IAB]

joining in person :)

07:19:42 [tlr]

zakim, who is on the phone?

07:19:42 [Zakim]

On the phone I see Telegraaf, fielding, BrendanIAB?, johnsimpson

07:20:00 [rachel_n_thomas]

rachel_n_thomas has joined #dnt

07:20:11 [adrianba]

adrianba has joined #dnt

07:20:34 [johnsimpson]

Apologies that I am not there in person. Will follow closely.

07:20:54 [dwainberg]

dwainberg has joined #dnt

07:21:11 [JC]

JC has joined #DNT

07:21:17 [jeffwilson]

jeffwilson has joined #dnt

07:21:17 [bhuseman]

bhuseman has joined #dnt

07:21:40 [Simon]

Simon has joined #dnt

07:22:08 [npdoty]

"bring your own life preserver" :)

07:22:22 [eberkower]

eberkower has joined #dnt

07:22:27 [rigo]

rigo has joined #dnt

07:22:51 [mikeo]

mikeo has joined #dnt

07:22:52 [johnsimpson]

are slides available on line?

07:23:12 [npdoty]

johnsimpson, you should be able to follow via Adobe Connect link from vinay

07:23:16 [npdoty]

aleecia: introductions

07:23:27 [npdoty]

... history of the Web, TBL, commerce on the Web

07:23:36 [vinay]

johnsimpson - http://my.adobeconnect.com/vigoel

07:23:53 [npdoty]

... introductions of the co-chairs, and now introductions around the room

07:24:26 [Rene]

Rene has joined #dnt

07:24:59 [schunter]

schunter has joined #dnt

07:27:19 [npdoty]

scribe is not trying to keep up with these

07:27:49 [npdoty]

but the full group participants list is here: http://www.w3.org/2000/09/dbwg/details?group=49311&public=1

07:28:23 [npdoty]

"well-known standards wonk"

07:29:47 [fielding]

I am Roy T. Fielding, representing Adobe (a W3C member and sponsor) and co-editor of TPE; I am also a board member of the Apache Software Foundation (another W3C member) but am not representing Apache here.

07:29:52 [BrendanIAB]

+q

07:30:11 [npdoty]

ack BrendanIAB

07:30:17 [Marije]

Marije has joined #dnt

07:30:19 [tlr]

q?

07:30:25 [tlr]

zakim, who is on the phone?

07:30:25 [Zakim]

On the phone I see Telegraaf, fielding, BrendanIAB?, johnsimpson

07:30:28 [johnsimpson]

I am John Simpson from Consumer Watchdog, an invited expert

07:30:28 [johnsimpson]

'

07:30:38 [vinay_]

vinay_ has joined #dnt

07:30:53 [Chris_IAB]

What's 3:30am in NY look like Brendan? :)

07:31:10 [schunter]

Guys on the phone: Please put yourself into the queue and ping me to unmute you.

07:31:12 [npdoty]

aleecia: from the charter

07:31:19 [npdoty]

... need something that works for users

07:31:27 [npdoty]

... need something voluntarily implementable by businesses

07:31:34 [schunter]

Zakim, who is on the phone

07:31:34 [Zakim]

I don't understand 'who is on the phone', schunter

07:31:38 [npdoty]

... creating a shared understanding of what DNT means

07:31:42 [schunter]

Zakim, who is on the phone?

07:31:42 [Zakim]

On the phone I see Telegraaf, fielding, BrendanIAB?, johnsimpson

07:31:45 [kj]

kj has joined #dnt

07:32:06 [npdoty]

... two documents, Compliance and Tracking Preference Expression

07:32:15 [npdoty]

... Note, not Rec, on Tracking Selections List

07:32:18 [mikez]

mikez has joined #dnt

07:32:27 [lmastria-DAA]

lmastria-DAA has joined #dnt

07:32:31 [npdoty]

... talking about a Global Considerations doc, also a Note

07:32:45 [npdoty]

... congratulations to the group on getting another published set of Working Drafts out

07:32:56 [npdoty]

... thanks to editors and nick for helping get that out

07:33:19 [npdoty]

... working through dates and successive drafts

07:33:24 [ifette]

npdoty, i thought i was taking over after the intro

07:33:33 [npdoty]

... Last Call to get wider review

07:33:34 [ifette]

npdoty, Presentations: Working Drafts and open issues, presented by editors.

07:33:38 [tl_mobile]

tl_mobile has joined #dnt

07:33:54 [npdoty]

... Candidate Rec, call for implementations, though we hope to see some implementation before then

07:34:06 [npdoty]

... Proposed Rec, after which it's up to W3C Membership

07:34:14 [npdoty]

... "Getting to Closed" review

07:34:42 [npdoty]

... organically reach consensus on the direction and text, close the issue

07:34:55 [npdoty]

... chairs can re-open an issue if there is new information and new text

07:34:59 [efelten]

efelten has joined #dnt

07:35:17 [npdoty]

... if we don't happily reach consensus on a single text

07:35:28 [efelten_]

efelten_ has joined #dnt

07:35:41 [npdoty]

... might have multiple texts, or might have a Formal Objection from someone in the group who can't live with a particular decision

07:35:52 [npdoty]

... consensus is the least objectionable proposal

07:36:12 [npdoty]

... survey participants in writing, identify consensus in the least objectionable path

07:36:27 [npdoty]

... substance and strength of objections, not a count and not who screams loudest

07:37:03 [npdoty]

marc: substance and the strength of the objections as determined by... aleecia: the chairs, yes

07:37:33 [npdoty]

aleecia: file a formal objection at any decision point, with technical arguments and a proposed change

07:38:31 [npdoty]

... group can try to resolve that objection, if not, a review process up W3C management, including TBL

07:38:40 [npdoty]

(catching up a few last introductions)

07:39:15 [npdoty]

aleecia: in the US, Do Not Call list mandated by law

07:39:46 [BerinSzoka]

BerinSzoka has joined #DNT

07:39:50 [fielding]

we just lost the telecom?

07:39:58 [npdoty]

... less a privacy concern than an intrusion concern, spam faxes, users want control over their devices

07:40:07 [JBWeiss]

JBWeiss has joined #DNT

07:40:07 [Zakim]

-fielding

07:40:08 [johnsimpson]

Agree no need to dscuss harms

07:40:21 [johnsimpson]

working for me

07:40:26 [BrendanIAB]

I have not heard any interruption in audio

07:40:35 [npdoty]

... not sure privacy harm discussion will be resolved by discussion among us

07:40:39 [Zakim]

+fielding

07:41:01 [npdoty]

aleecia: Do Not Call does not prevent calls, has exceptions for political organizations etc.

07:41:21 [npdoty]

... Do Not Call has had some confusion in those cases

07:41:28 [npdoty]

... what are we building with DNT?

07:41:37 [johnsimpson]

appreciate analogy to do not track on telephone

07:41:56 [susanisrael]

susanisrael has joined #dnt

07:42:02 [npdoty]

... continue to show contextual ads to users, rather than lose them to ad blockers

07:42:13 [npdoty]

... haven't blocked all tracking, no proposals would prevent shopping carts from working

07:42:35 [npdoty]

... haven't had proposals for blocking all cookies or similar

07:42:44 [npdoty]

... we should not get in the way of users who actively want all the personalization

07:42:50 [Marc]

q+

07:43:05 [npdoty]

... some users have privacy concerns that DNT will not address

07:43:13 [npdoty]

... DNT will not be adopted by all sites

07:43:36 [npdoty]

... does not directly protect against governments or data breaches

07:43:53 [bhuseman]

q+

07:44:05 [npdoty]

... who is it for? typical users who want the Web to just work, but have privacy concern

07:44:11 [npdoty]

... reminder that we are not ourselves typical users

07:44:28 [npdoty]

... Global -- World Wide Web doesn't have the same country borders

07:44:40 [npdoty]

... uniform signals, different results

07:45:09 [Zakim]

-fielding

07:45:15 [npdoty]

... tri-part DNT signal: DNT:1, DNT:0, <no signal> -- will always be users who haven't chosen

07:45:18 [rachel_n_thomas]

+q

07:45:29 [WileyS]

WileyS has joined #DNT

07:45:34 [ifette]

q+ re dnt1

07:45:37 [schunter]

q?

07:45:44 [schunter]

ack Marc

07:45:47 [ifette]

q+ re no-dnt==dnt1 ine u

07:46:15 [lmastria-DAA]

lmastria-DAA has joined #dnt

07:46:22 [tlr]

q?

07:46:24 [npdoty]

marc: vehemently disagree with Do Not Call, a key part of privacy response, a certain kind of privacy harm

07:46:35 [schunter]

q?

07:46:35 [lmastria-DAA]

q+

07:46:41 [fielding_]

fielding_ has joined #dnt

07:47:05 [npdoty]

aleecia: thank you, that it's about privacy is interesting

07:47:12 [schunter]

ack bhuseman

07:47:22 [jchester2]

+q

07:47:56 [npdoty]

bhuseman: at FTC even before Do Not Call, events, workshops, telemarketing sales rule, before enacting the Do Not Call registry

07:48:01 [mikez]

+q

07:48:13 [npdoty]

... and subsequent litigation regarding Do Not Call

07:48:23 [schunter]

q?

07:48:35 [schunter]

ack rachel_n_thomas

07:48:39 [npdoty]

... examination of the harms and all possible solutions

07:48:48 [johnsimpson]

we are not here to debate do not call; let's talk about DNT

07:49:11 [Zakim]

+fielding

07:49:17 [BerinSzoka]

well, John, then maybe Aleecia shouldn't have brought up Do Not Call!

07:49:41 [npdoty]

rachel_n_thomas: don't understand harms being less regarding Do Not Call, consumer benefits are infinitely greater for behaviorally targeted ads

07:49:47 [ifette]

q?

07:50:08 [WileyS]

+q

07:50:15 [npdoty]

... are there studies you are relying on regarding user desires?

07:50:16 [johnsimpson]

berin, we've got real issues to discuss. why waste time on this??

07:50:58 [BerinSzoka]

John, I don't think you appreciate how incendiary Aleecia's assertions were.

07:50:59 [npdoty]

schunter: have in the back of our minds what discussions are the most important; try to focus on the normative language in the specs

07:51:02 [WileyS]

John, this is a real issue - not looking at real-world harms derails the value of this conversation

07:51:09 [tlr]

q?

07:51:10 [dsinger]

q?

07:51:10 [WileyS]

-q

07:51:11 [npdoty]

ack ifette

07:51:12 [Zakim]

ifette, you wanted to discuss dnt1 and to discuss no-dnt==dnt1 ine u

07:51:44 [schunter]

q?

07:51:57 [npdoty]

ifette: you were drawing an analogy between no signal and DNT:1 in the EU, but it's not identical

07:51:59 [schunter]

ack lmastria-DAA

07:52:20 [npdoty]

aleecia: sorry, if I indicated it was identical, I didn't mean to do so

07:52:35 [BerinSzoka]

Essentially, John, Aleecia just reminded most of the room that she's hardly an objective moderator of this process

07:52:42 [npdoty]

lmastria-DAA: difference from Do Not Call, which was based on an elected body review, which is not what we are

07:53:07 [npdoty]

aleecia: yes, there are people from self-reg and other groups

07:53:33 [WileyS]

DNC - one country, one law - exhaustive process to address a perceived harm to personal privacy. Very difficult to apply this to the DNT conversation (outside of perceived harms which hopefully comes back into scope of the discussion on DNT)

07:53:35 [npdoty]

lmastria-DAA: specifically, Do Not Call was from an elected body, which we are not

07:53:43 [npdoty]

q?

07:54:40 [npdoty]

jchester2: agree with Marc, we were there for Do Not Call, as part of self-regulatory discussion around privacy at the time

07:54:58 [BerinSzoka]

for once, I think I agree with Jeff!

07:55:14 [npdoty]

... want an opportunity to air/discuss accusations, regarding letters that have been published

07:55:15 [BerinSzoka]

Let's talk through the hard questions raised about process

07:55:39 [npdoty]

aleecia: is that going to be productive?

07:55:41 [ifette]

I can't help but thinking that http://www.imdb.com/title/tt0089530/ (Mad Max Beyond Thunderdome) ought to be required viewing before any of these meetings...

07:56:13 [npdoty]

jchester2: I would like these advertising organizations to go on the record regarding those concerns

07:56:21 [WileyS]

+q

07:56:37 [npdoty]

aleecia: want to avoid a fundamental discussion if it's not going to be productive

07:56:39 [npdoty]

q- jchester2

07:56:42 [ifette]

ack jchester

07:56:44 [ifette]

ack mikez

07:56:44 [npdoty]

q- jchester

07:57:04 [npdoty]

mikez: I think we got off on the wrong foot in the last meeting, and don't want to do that again

07:57:16 [efelten]

Can we talk about DNT please?

07:57:22 [npdoty]

... junk fax law was something that cost users money, paper, ink and time; that's why that was passed

07:57:47 [johnsimpson]

we've had a year to lay a foundation. we are here to develop a standard that allows users to express their preference. let's please get to that!!!

07:57:56 [npdoty]

... also should note exceptions regarding the junk fax law as well

07:58:24 [jchester2]

I asked that the DAA, ANA, DMA and others to go on the record about the letters they sent recently raising objections to do not track and their work to undermine the establishment of a meaningful standard. I also said several NAI members had been engaged in essence a smear campaign against W3C, etc. They dont seem to want to respond.

07:58:49 [BerinSzoka]

Jeff, I think those groups are eager to air their concerns! what makes you think they don't want to respond?

07:58:52 [rwessel]

rwessel has joined #dnt

07:58:58 [npdoty]

... regarding tri-part system, per the group decision that browsers aren't required to provide that option to all users

07:59:38 [ifette]

q+ Procedural question, did we do agenda bashing yet?

07:59:43 [jchester2]

Berin: Let them speak out know and identify their concerns for the record here today.

07:59:49 [ifette]

q+ to ask procedurally if we did agenda bashing yet

07:59:59 [WileyS]

-q

08:00:00 [dsinger]

q?

08:00:01 [johnsimpson]

There is NO reason to discuss harms. This is about developing a way for users to send a message about their preference about whether they are tracked.

08:00:33 [justin]

Discussion of harms should go in the scope and intro section eventually.

08:00:51 [npdoty]

WileyS: thought it was helpful in the breakout sessions at DC to have discussion of the harms, I think it would be useful to continue that work though I see that you didn't find it useful

08:00:55 [Stella]

Stella has joined #dnt

08:00:55 [WileyS]

John, thank you for your opinion - I respectfully disagree. We did some good work in DC (with you and others) that I believe would fit nicely here.

08:01:02 [rachel_n_thomas]

q+

08:01:05 [lmastria-DAA]

lmastria-DAA has joined #dnt

08:01:11 [npdoty]

ack ifette

08:01:11 [Zakim]

ifette, you wanted to ask procedurally if we did agenda bashing yet

08:01:12 [johnsimpson]

No need to waste valuable time speaking about harms

08:01:27 [peter]

peter has joined #dnt

08:01:52 [npdoty]

jchester2: can we take comments from IRC as well? aleecia: can add yourself to the q

08:02:18 [npdoty]

notes on IRC are also recorded, unless they are marked as off-the-record -- prepended with "/me"

08:02:28 [npdoty]

aleecia: different types of parties

08:02:39 [npdoty]

... first parties, very few restrictions

08:02:41 [ifette]

rrsagent, bookmark?

08:02:41 [RRSAgent]

See http://www.w3.org/2012/10/03-dnt-irc#T08-02-41

08:02:56 [npdoty]

... service providers, contractual relationship to 1st/3rd parties

08:03:02 [WileyS]

John, hard to build a solution if you don't know what problem you're attempting to solve. :-)

08:03:04 [dsinger]

q+ to discuss terminology

08:03:13 [peter]

peter has left #dnt

08:03:30 [npdoty]

... silo'd data

08:03:35 [npdoty]

ack dsinger

08:03:35 [Zakim]

dsinger, you wanted to discuss terminology

08:03:42 [dsinger]

q-

08:03:53 [BerinSzoka]

Lewis Carroll would have agreed with Shane on

08:03:55 [peter-4As]

peter-4As has joined #dnt

08:03:58 [npdoty]

ack rachel_n_thomas

08:04:03 [BerinSzoka]

the need to define harm: "Would you tell me, please, which way I ought to go from here?" "That depends a good deal on where you want to get to," said the Cat. "I don’t much care where--" said Alice. "Then it doesn’t matter which way you go," said the Cat. "--so long as I get SOMEWHERE," Alice added as an explanation. "Oh, you’re sure to do that," said the Cat, "if you only walk long enough."

08:04:26 [JC]

+q

08:05:01 [npdoty]

agenda: http://www.w3.org/2011/tracking-protection/agenda-2012-10-03-F2F-Amsterdam.html

08:05:13 [npdoty]

aleecia reviews the agenda slide

08:05:50 [ifette]

ISSUE: What do we mean by tracking?

08:05:50 [trackbot]

Created ISSUE-169 - What do we mean by tracking? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/169/edit .

08:06:22 [npdoty]

issue-5?

08:06:22 [trackbot]

ISSUE-5 -- What is the definition of tracking? -- raised

08:06:22 [trackbot]

http://www.w3.org/2011/tracking-protection/track/issues/5

08:06:32 [ifette]

Close ISSUE-169

08:06:32 [trackbot]

ISSUE-169 What do we mean by tracking? closed

08:06:47 [ifette]

ISSUE-169: duped on ISSUE-5

08:06:47 [trackbot]

ISSUE-169 What do we mean by tracking? notes added

08:06:50 [lmastria-DAA]

q

08:06:54 [justin]

The word "tracking" is not used in the compliance document, so defining it has no substantive benefit. We address that issue in the definition of collection.

08:06:57 [lmastria-DAA]

q+

08:07:03 [ifette]

npdoty, your memory is way better than mine :)

08:07:08 [npdoty]

rachel_n_thomas: had discussion on the mailing list about the definition of tracking... can we open that issue and discuss during this meeting?

08:07:11 [JC]

-q

08:07:24 [jchester2]

Can Ms Thomas of the DMA place on the IRC record the DMA's definition of what they consider tracking.

08:07:51 [rigo]

rigo has joined #dnt

08:08:02 [ifette]

ack imastria-DAA

08:08:06 [npdoty]

rachel_n_thomas: thought we would need to cover definition of tracking before reaching last call, if we're going to do that in this meeting

08:08:08 [ifette]

ack lmastria-DAA

08:08:18 [npdoty]

aleecia: we aren't going to be publishing a Last Call document during this meeting, no

08:08:22 [efelten]

* You can remove yourself from the queue by typing "q-" on IRC.

08:08:40 [npdoty]

lmastria-DAA: echo concern about identifying what we are doing

08:08:44 [jchester2]

I would like the ANA to also place on the record what they consider tracking--which I assume reflects their members regarding tracking and privacy.

08:09:17 [tl]

+q

08:09:18 [npdoty]

aleecia: we've also had the discussion about the name of Do Not Track, need to find out what we're building

08:09:40 [jchester2]

I also would like to have Amazon clairfy whether it supports th position of the DMA regarding the DNT issues.

08:09:43 [npdoty]

lmastria-DAA: because "Do Not Track" is such a good sound bite, hard to pull back from that

08:09:48 [rigo]

q+ to push back on tracking definition because this is boiling the ocean

08:09:50 [Frank]

Frank has joined #dnt

08:10:04 [Zakim]

-fielding

08:10:24 [johnsimpson]

+1 to Tom

08:10:38 [npdoty]

tl: encourage people to review mailing list and issue tracker, where discussions may have already been covered

08:10:53 [ifette]

ScribeNick: ifette

08:10:57 [npdoty]

rigo: -1 to defining tracking, discussing it right now

08:11:03 [ifette]

Aleecia: Please don't beat up the editors

08:11:06 [ifette]

… TPE is up first

08:11:11 [ifette]

… designer will present

08:11:16 [ifette]

s/designer/dsinger

08:11:19 [ifette]

darned auto-correct

08:11:37 [npdoty]

Topic: Drafts and Issues, reviewed by the editors

08:11:40 [ifette]

dsinger: TPE is one of two docs dealing with the immediate signals going back and forth, headers from UA to server and the response

08:11:46 [justin]

http://www.w3.org/TR/tracking-dnt/

08:11:50 [ifette]

… as well as "well-known resource" and JS API

08:11:54 [ifette]

… what the parameters are and their effects

08:12:08 [justin]

There's the doc to follow along with David.

08:12:12 [ifette]

… about the immediate conversation, basic protocol, doesn't deal with "what is the long term effect of any of these signals" - thats the compliance doc

08:12:13 [Zakim]

+fielding

08:12:21 [ifette]

… TPE is syntax of header (request/response)

08:12:29 [ifette]

… and immediate meaning of those

08:12:40 [johnsimpson]

are there slides with this"?

08:12:42 [ifette]

… plus well-known resource expressing characteristics of the site (party definitions)

08:12:50 [ifette]

… could have contextual responses with the header

08:12:51 [vinay_]

no slides

08:12:53 [ifette]

… consent, etc

08:13:04 [ifette]

… APIs for "exceptions"

08:13:05 [johnsimpson]

thanks, vin ay

08:13:08 [ifette]

… terminology lesson

08:13:18 [jchester2]

yes there are slides for Aleecia's presentation. Can they be sent to the members not in room?

08:13:21 [aleecia]

aleecia has joined #dnt

08:13:26 [ifette]

… compliance doc says "You shouldn't track except that you can claim the following permissions for the following reasons"

08:13:31 [ifette]

… permissions come from compliance doc

08:13:32 [WileyS]

john, click on the link above to open the doc in a browser window and follow along

08:13:41 [ifette]

… site can ask a user for an exception for broader permissions

08:14:03 [ifette]

… request for a user-granted exception, that's when you see a signal saying "I believe you've given me an exception and therefore I can do xyz"

08:14:18 [ifette]

… outbound is 0/1/absent

08:14:35 [johnsimpson]

saw Aleecia's, Jeff

08:14:36 [ifette]

… return has qualifiers relating to permissions from the compliance doc. Debate as to requirements to use these

08:14:42 [ifette]

… as well as additional qualifiers

08:15:07 [Zakim]

-fielding

08:15:33 [ifette]

… exceptions have two kinds, a "first-party" saying "to continue to work with you, I need an exception for a given list of third parties" e.g. a site monetizing itself with ad revenue

08:15:40 [ifette]

… can ask for an exception for third parties on your site

08:16:24 [ifette]

… list of third party sites from the first party, user is asked (in an undefined manner) "are you ok with this" which then causes a 0 to be sent to these parties giving them permission to track the user in this context. a site-specific exception

08:16:40 [ifette]

… also site-wide exception, request from first party to say no matter what third party appears on my site, give them a DNT0

08:16:56 [ifette]

(didn't we get rid of site specific exception? or basically merge it into site-wide?) - ian

08:17:01 [ifette]

dsinger: also have web-wide exception

08:17:44 [ifette]

… user thinks it's advantageous/agreeable to be tracked by a site no matter where it turns up, e.g. "TrackMyReading.com" where you want a site to remember what sites you've visited, be able to "like" certain sites and get recommendations. Clearly want to give this site permission to track you across all sorts of different sites

08:18:00 [npdoty]

q?

08:18:01 [ifette]

… rough overview of TPE, throw to Matthias for open issues etc

08:18:06 [fielding]

fielding has joined #dnt

08:18:07 [rigo]

ack ri

08:18:07 [Zakim]

rigo, you wanted to push back on tracking definition because this is boiling the ocean

08:18:09 [rigo]

ack tl

08:18:20 [schunter]

q?

08:18:24 [johnsimpson]

cannot hear

08:18:32 [justin]

http://www.w3.org/TR/tracking-compliance/

08:18:38 [johnsimpson]

ok now

08:18:55 [ifette]

justin: compliance doc, link pasted in IRC. Walk through document, identify major areas of contention, structure. hwest will pop in

08:19:05 [ifette]

… if you object to something I say, raise hand / holler

08:19:16 [ifette]

… document structure - 1 & 2 on intro scope / goals

08:19:24 [ifette]

… parked as people disagree, will fine tune once substance is in place

08:19:36 [ifette]

… as dsinger said, this is about what the obligations are

08:19:43 [ifette]

… section 3/4 how first parties comply

08:19:52 [ifette]

… 5 how UAs comply, controversial

08:19:57 [ifette]

… 6 is how third parties comply, bulk of the document

08:20:05 [ifette]

… a few controversial definitions

08:20:21 [ifette]

… "user agent" has recent discussion around perhaps different classes of UAs - add-on vs browser

08:20:25 [ifette]

… may have different obligations

08:20:28 [ifette]

… not really fleshed out

08:20:32 [ifette]

… 3.3 is definition of party

08:20:44 [ifette]

… lots of controversy at one point

08:20:51 [ifette]

… discussions around common branding vs ownership

08:21:10 [ifette]

… settled on corporate structure being sufficient as long as it's easily discoverable

08:21:16 [ifette]

… two options in text, relatively close

08:21:16 [dsinger]

…notes that many other pieces of software other than web browsers access HTTP-loaded resources (e.g. RSS newsreaders, email agents)...

08:21:20 [BrendanIAB]

User Agent is strongly defined in the HTTP 1.1 spec - I'll need to catch up on the discussion. It's more that "intermediary" needs to be defined into subcategories.

08:21:20 [ifette]

… 3.4 on service providers / outsourcers

08:21:34 [ifette]

… a data processor / service provider need not obtain separate permission to work on your behalf

08:21:38 [ifette]

… 3 options in current draft

08:21:50 [ifette]

… one long one from jonathan/eff, two later that are less detailed

08:21:57 [aleecia]

We also have non-User Agents setting DNT. That's on the agenda for today.

08:21:59 [ifette]

… roy put in text in ML last night which might help us here

08:22:09 [ifette]

… general agreement service provider should be able to work for you

08:22:21 [ifette]

… 3.5 distinguishes between 1st/3rd parties. Long definition at first, shorter alternative

08:22:30 [ifette]

… longer one may be less controversial

08:22:37 [ifette]

… lots of discussion on this

08:23:00 [ifette]

… second option is more vague

08:23:05 [ifette]

… "first party is the site you go to"

08:23:32 [ifette]

… 3.6 is for "unlinkable" data

08:23:46 [ifette]

… lots of chatter on ML about how to decide if something is unlinkable

08:23:50 [ifette]

… 3.9 definition of tracking

08:23:53 [ifette]

… may need more work

08:24:00 [ifette]

… "tracking" not used as a term in the document

08:24:00 [robsherman]

Just for completeness, there's alternative text for multiple first parties that's been discussed on the mailing list that is based on what's in this draft.

08:24:04 [ifette]

… phrased in term of collection

08:24:04 [BrendanIAB]

aleecia - Right, wrt intermediaries setting DNT header. It sounded like the definition of user agent (the software that initiates the HTTP request) may be up for discussion. Which would be complex.

08:24:14 [ifette]

… but maybe we need to make sure definitions of collection/retention are sufficient

08:24:22 [ifette]

… 3.10 on explicit and informed consent

08:24:25 [Zakim]

+fielding

08:24:34 [aleecia]

I don't think we should re-define UAs. But we may want "UAs and others"

08:24:34 [ifette]

… used to turn DNT on int eh first place (explicit/informed consent) as well as for a user-granted exception

08:24:38 [aleecia]

Or we may not.

08:24:39 [fielding]

fielding has joined #dnt

08:24:49 [ifette]

… two options in the draft for this text as well

08:24:51 [aleecia]

Worth talking through

08:25:05 [ifette]

… Sec 4 is on first party compliance

08:25:15 [Frank_]

Frank_ has joined #dnt

08:25:19 [ifette]

… general agreement there should be few restrictions, except e.g. send all the data to a third party

08:25:31 [ifette]

… some discussions around "Data Append"

08:26:22 [ifette]

… Sec 5, next is a relatively new section taken largely from TPE document, UA must have explicit consent to turn on DNT in the first lace

08:26:33 [ifette]

… shane suggested some modifications

08:26:49 [ifette]

… section 6 on third party compliance

08:26:57 [npdoty]

I don't think "express and informed consent" in User Agent Compliance came from the TPE, I think that was just a new phrase just invented there

08:27:02 [ifette]

… will be debated over the day,

08:27:10 [ifette]

… short term collection/use

08:27:17 [ifette]

… discussion around 6-week grace period

08:27:21 [ifette]

… contextual ads

08:27:33 [ifette]

… 6.1.3 on first-party data use

08:28:00 [ifette]

… frequency capping

08:28:14 [ifette]

… financial logging / auditing

08:28:19 [ifette]

… fair amount of extent of that info

08:28:22 [ifette]

… security/fraud

08:28:31 [ifette]

… debugging

08:28:48 [rigo]

zakim, code?

08:28:48 [Zakim]

the conference code is 87225 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), rigo

08:28:50 [ifette]

… aggregate reporting, may be taken out and structured in terms of unlink ability, up in the air

08:28:53 [ifette]

… compliance with local laws

08:29:04 [ifette]

… "nothing else"

08:29:13 [ifette]

… data minimization and transparency

08:29:19 [ifette]

… requirement to disclose

08:29:22 [ifette]

… no personalization

08:29:32 [ifette]

… and how much can you collect for these purposes

08:29:36 [Joanne]

Joanne has joined #DNT

08:29:36 [aleecia]

(requirement to disclose retention period)

08:29:50 [ifette]

… no persistent identifiers is one proposal, strong disagreement on that position

08:29:58 [ifette]

… a section here for a long time on geolocation compliance

08:30:08 [ifette]

… how precisely you can target with geolocaiton. Not consensus but hasn't been discussed in a long time

08:30:13 [ifette]

… provisions for user-granted exceptions

08:30:22 [npdoty]

I thought it was basically consensus, we did a few iterations on the geolocation piece

08:30:28 [ifette]

… 6.4 is new about disregarding non-compliant user agents

08:30:53 [npdoty]

scribenick: npdoty

08:30:53 [ifette]

ifette has joined #dnt

08:31:05 [npdoty]

scribenick: ifette

08:31:11 [ifette]

justin: a very dry walk-through

08:31:14 [aleecia]

geo-loc had been at consensus. Ian rejoined the group with new-to-us information, but I don't believe there is new text. This is the sort of thing we might reopen based on Ian's information.

08:31:16 [npdoty]

q?

08:31:19 [ifette]

… seeing no questions, turn back to allecia

08:31:36 [ifette]

Aleecia: coffee outside the door. Don't have scheduled time for a break. Take a minute, caffeniate, and get back here

08:35:43 [johnsimpson]

Did we lose microphone? Now hearing nothing...

08:35:59 [johnsimpson]

heard lots of chatter during break

08:36:38 [BrendanIAB]

I think that folks turned off their mics

08:37:24 [johnsimpson]

Thanks, Brendan. Hearing chatter now.

08:38:32 [BrendanIAB]

JC is just trying to clear the room!

08:38:47 [robsherman]

robsherman has joined #dnt

08:39:13 [npdoty]

scribenick: robsherman

08:39:30 [ifette]

rob, you good

08:39:31 [ifette]

?

08:39:36 [robsherman]

Yep.

08:39:56 [npdoty]

Topic: Definitions

08:39:59 [BrendanIAB]

screen not being shared yet.

08:40:16 [justin]

For those at home, we're discussion 3.8 of the compliance draft http://www.w3.org/TR/tracking-compliance/

08:40:18 [robsherman]

aleecia: Looking at definitions in Compliance doc. Want to identify issues and assign actions to write alternative text.

08:40:33 [johnsimpson]

waiting to see screen

08:40:35 [npdoty]

vinay_, do you have a read on whether screen sharing should be working now?

08:40:41 [justin]

s/discussion/discussing

08:40:43 [vinay_]

For those who want to follow-along to what Aleecia is pointing at -- http://my.adobeconnect.com/vigoel

08:40:45 [npdoty]

otherwise, you can follow the text just by looking at that section

08:40:56 [robsherman]

… Sec 3.8 — collection/retention

08:41:00 [amyc]

amyc has joined #dnt

08:41:37 [vinay_]

npdoty - asked her to; she needs to enable it on her computer

08:41:51 [afowler]

afowler has joined #dnt

08:42:02 [robsherman]

… [reading text]

08:42:11 [johnsimpson]

still not being shared. what is section in draft, please?

08:42:16 [robsherman]

3.8

08:42:21 [amyc]

3.8

08:42:37 [npdoty]

q?

08:42:39 [amyc]

q+

08:42:42 [robsherman]

aleecia: Comments on issues in this text?

08:43:15 [robsherman]

amyc: Need to work on definition of "share" because of prospect of downstream liability.

08:43:25 [rigo]

q+

08:43:30 [npdoty]

ack amyc

08:43:55 [ChrisPedigoOPA]

q+

08:44:03 [robsherman]

… Example of a small website that uses Google Ads. Under this definition, could be "sharing" info with Google. We're really concerned about circumvention.

08:44:15 [WileyS]

+q

08:44:16 [dwainberg]

q+

08:44:21 [npdoty]

ack rigo

08:44:22 [peter-4As]

q+

08:44:38 [johnsimpson]

Amy, but isn't that a first party and allowed?

08:45:00 [robsherman]

rigo: Wants to work with Amy because "uses" prohibits forwarding. Different taxonomy from EU law.

08:45:08 [amyc]

john, not sure I understand your question?

08:45:13 [justin]

There's an argument that amyc's issue should be addressed in first-party compliance instead of the definition of "share," yes?

08:45:34 [justin]

q+

08:45:39 [npdoty]

action: Colando to draft updated 'share' definition to avoid concerns (with rigo and chris-p)

08:45:39 [trackbot]

Created ACTION-264 - Draft updated 'share' definition to avoid concerns (with rigo and chris-p) [on Amy Colando - due 2012-10-10].

08:45:45 [npdoty]

ack rigo

08:45:46 [Joanne]

+1 to help Amy

08:45:49 [npdoty]

ack ChrisPedigoOPA

08:45:56 [npdoty]

ack WileyS

08:46:28 [robsherman]

shane: We shouldn't be saying that information must be deleted if it's inadvertently collected; we should be saying that it must be used appropriately according to its appropriate context. Will update.

08:46:56 [robsherman]

dwainberg: Overlap between "collects" and "retains."

08:47:06 [robsherman]

… Also, "data coming within a party's control" seems broad/vague.

08:47:12 [npdoty]

action: Wiley to update text in 3.8.1 regarding bringing into compliance, not just deletion

08:47:12 [trackbot]

Created ACTION-265 - Update text in 3.8.1 regarding bringing into compliance, not just deletion [on Shane Wiley - due 2012-10-10].

08:47:29 [robsherman]

…. 3.8.1: unclear what "reasonable efforts to understand its information practices" means. Also seems broad/vague.

08:47:31 [fielding]

My objection has not changed. http://lists.w3.org/Archives/Public/public-tracking/2012May/0282.html

08:47:35 [Simon]

Simon has joined #dnt

08:47:51 [robsherman]

aleecia: We deliberately define "collects" and "retains" differently. Why do you think they overlap?

08:48:04 [kj_]

kj_ has joined #dnt

08:48:06 [rigo]

Amy, do you think we could merge "share" and "use"?

08:48:25 [justin]

rigo, no!

08:48:26 [npdoty]

depending on how we come down on third-party compliance, it could be that our definitions will really need retention rather than collection

08:48:27 [robsherman]

dwainberg: There may be cases when data comes within the party's control but the party holds the data only transiently. It seems like there is an element of retention in "collection."

08:48:34 [npdoty]

q?

08:48:39 [npdoty]

ack dwainberg

08:49:03 [dsinger]

+1 to Ian; collection implies you took active steps

08:49:35 [robsherman]

ifette: Agrees that distinguishing is confusing because when we use "collect" in English we ordinarily think about keeping. There's also no real way to prove that once a party has touched data that it has never been swapped to disk, for example, even instantaneously. This may be addressed by the short-term retention period we've been discussing.

08:49:37 [BerinSzoka]

+1 to Ian: COPPA is a great example of a legal regime where "collection" has a meaning beyond its normal use (including allowing kids to share personal information--i.e., communicating with other users) and it causes huge problems

08:49:53 [schunter]

schunter has joined #dnt

08:49:53 [rigo]

q?

08:50:10 [schunter]

\me test

08:50:11 [fielding]

I already did that.

08:50:20 [BrendanIAB]

Consider "receives" as opposed to "collects"?

08:50:28 [npdoty]

action: fette to suggest retention related to a timed grace period (with dwainberg)

08:50:28 [trackbot]

Created ACTION-266 - Suggest retention related to a timed grace period (with dwainberg) [on Ian Fette - due 2012-10-10].

08:50:29 [bryan_]

bryan_ has joined #dnt

08:50:30 [WileyS]

Matthias, "/"me

08:50:41 [rigo]

q+ to ask whether we can merge "collect and retain"

08:50:42 [schunter]

thx

08:50:44 [npdoty]

fielding, you're referring to your version of the "tracking" definition which incorporates the time period?

08:50:52 [dwainberg]

q+

08:50:57 [BrendanIAB]

If you're looking at something that doesn't imply retention in any way.

08:50:59 [rigo]

q-

08:51:28 [fielding]

no, I am referring to my definition of data collection

08:51:28 [robsherman]

peter-4As: Seems to be a general notion in the documents that this is focused on "data," but we actually should consider what we mean when we use the term "data." Consider pseudonymous data - treated differently?

08:51:42 [lmastria-DAA]

q+

08:52:03 [npdoty]

ack peter-4As

08:52:13 [npdoty]

s/peter-4As/ruud/

08:52:16 [rigo]

+1

08:52:17 [robsherman]

… Concern about covering anonymous/pseudonymous data in the same way as other data.

08:52:28 [robsherman]

aleecia: We've already made some decisions on these issues.

08:52:36 [robsherman]

… We decided we're not going to address children one way or the other.

08:52:43 [npdoty]

I think the unlinkable definition (and such data out of scope) might be relevant to this point

08:52:46 [robsherman]

… We decided not to categorize data (PII vs. non-PII, for example).

08:52:51 [tlr]

+1 to npdoty

08:53:00 [tlr]

q+ npdoty

08:53:16 [tlr]

queue=npdoty,justin,dwainberg,lmastria-DAA

08:53:36 [robsherman]

ruud: If we don't recognize that EU Parlaiment is taking a different approach, doesn't that hurt us?

08:53:57 [rigo]

+1 to npdoty

08:54:00 [robsherman]

aleecia: We recognize that our spec isn't going to map to any particular country's laws. We're working on a separate Global Considerations doc to give advice to people on how to manage this.

08:54:12 [rigo]

q?

08:54:56 [robsherman]

npdoty: It may be that the definition of "unlinkable" data — which would be out-of-scope largely — would address ruud's concern.

08:55:10 [justin]

Unlinkable addresses some but not all of peter-4As's concerns.

08:56:15 [npdoty]

q-

08:56:40 [robsherman]

ruud: We need to be sure that our standard is descriptive enough to be valuable. If "unlinkable" does that, we should dedicate the time to make it clear.

08:56:45 [robsherman]

ack justin

08:57:22 [robsherman]

justin: Regarding amyc's small publisher example, this should be dealt with in the first party compliance section. We should leave the definition of "sharing" the same and just deal with what first parties can do.

08:57:42 [robsherman]

…. On the "collection" point, if we leave "collection" but have a 6-week grace period as a permitted use, does that address the concern?

08:58:05 [rigo]

I suggest to merge use and sharing. I also suggest to have collect only for the things stored and "retain" for things that are stored beyond 6 weeks

08:58:06 [npdoty]

I think that might be a good approach, justin; many of the sharing use cases might be addressed by clarifying first-party compliance

08:58:08 [dsinger]

q+

08:58:09 [robsherman]

ifette: I didn't have a problem with the goal of the text, but was just pointing out that the text was confusing.

08:58:22 [robsherman]

ack dwainberg

08:58:22 [Chris_IAB]

so are we going to put the burden of implementing DNT on the millions of little mom & pop websites around the world? These are almost all exclusively monitized by 3rd party ad networks.

08:58:26 [npdoty]

zakim, close queue

08:58:26 [Zakim]

ok, npdoty, the speaker queue is closed

08:58:27 [fielding]

currntly the 6-week conflicts with the requirements on third-party as stated

08:58:57 [robsherman]

dwainberg: [wants more actions!]

08:59:15 [fielding]

BTW, ruud's comments are similar to mine in http://lists.w3.org/Archives/Public/public-tracking/2012May/0314.html

08:59:18 [robsherman]

ack lmastria-DAA

08:59:34 [justin]

fielding, expand, don't fully understand. Is it that during the 6-week you might be transferring or personalizing without knowing you're a third party governed by DNT?

08:59:36 [npdoty]

action-265: dwainberg interested, might have differing views on the first part of the unknowing piece

08:59:36 [trackbot]

ACTION-265 Update text in 3.8.1 regarding bringing into compliance, not just deletion notes added

08:59:45 [rigo]

WileyS, I think the definition of "collect" is far to harsh and creates problems IMHO

08:59:48 [jchester2]

+q

08:59:58 [robsherman]

lmastria-DAA: DAA goes through all of this in discrete detail, which can be a resource for implementation.

09:00:32 [jchester2]

I disagree. The DAAs spec is considered totally inadequate by privacy advocates and many academics,\.

09:00:37 [JC]

JC has scribe

09:00:45 [robsherman]

scribenick: JC

09:01:06 [JC]

dsinger: Roy has expressed confusion in collection term

09:01:11 [fielding]

justin, I mean that the way that the collection is constrained right now does not take into account the 6-week window concept, so it is hard to know if having a broad definition and a 6-week allowance "helps"

09:01:20 [rigo]

+1 to dsinger

09:01:21 [Chris_IAB]

jchester2, which part(s) of the DAA Principals do you consider "totally inadequate"? Could you please be more specific?

09:01:24 [JC]

... setting rules on something you already have

09:01:33 [ifette]

ACTION-266: Note that dsinger used the term "exposure" which may be a better way to phrase things than collection

09:01:33 [trackbot]

ACTION-266 Suggest retention related to a timed grace period (with dwainberg) notes added

09:01:35 [npdoty]

lmastria-DAA, if you can provide that text to the group as a submission, that would be helpful (would also give us permission to include that text)

09:01:37 [JC]

Aleecia Does 3.8 address that

09:01:44 [JC]

Dsinger: not necessarily

09:01:46 [fielding]

no, exceptions that are the rule are not a sensible solution

09:01:52 [JC]

Aleecia: I don't understand why

09:01:59 [lmastria-DAA]

links to DAA http://www.aboutads.info/obaprinciples .... http://www.aboutads.info/msdprinciples

09:02:01 [JC]

Dsinger: much longer discussion

09:02:01 [npdoty]

jchester2, I think Lou is suggesting taking advantage of definitions from the DAA document, rather than compliance on the whole

09:02:17 [JC]

Aleecia: Maybe we don't need to define collection?

09:02:39 [JC]

Dsinger: Collection sounds like an active act. Can be misleading for someone not reading definition.

09:02:39 [dwainberg]

dwainberg

09:02:55 [justin]

fielding, I understand you don't like broad definitions with exceptions that carve things out, but logically they achieve the same purpose. But I am OK with restating if it achieves that same thing.

09:02:59 [JC]

Aleecia: does exposed versus collection a meaningful description

09:03:12 [JC]

Dsinger will work with Ifette on issue

09:03:18 [npdoty]

action-266: dsinger to help, regarding a distinction regarding "exposed"

09:03:18 [trackbot]

ACTION-266 Suggest retention related to a timed grace period (with dwainberg) notes added

09:03:24 [JC]

Dwainberg: valid point

09:03:35 [jchester2]

What is says it does to address user concerns; how it describes the problem; lack of coverage for sensitive data except what is required by law, such as COPPA, oe doesn't reflect what its members actually do in practice regarding financial and health data; the icon system was not tested and is not a valid way to serve privacy. The explanation of what is collected and why versus the actual practices of the companies regarding data collecting is purposefully mi

09:03:35 [npdoty]

action-266: rigo also interested

09:03:35 [trackbot]

ACTION-266 Suggest retention related to a timed grace period (with dwainberg) notes added

09:03:47 [JC]

Aleecia: sounds like if we have five people working on it then do it during a break

09:04:02 [Zakim]

+ +1.425.214.aadd

09:04:05 [JC]

... we are out of time for this issue.

09:04:36 [fwagner]

fwagner has joined #dnt

09:04:36 [justin]

npdoty, Do we want to address the issues of unid'd callins at some point?

09:04:40 [rachel_n_thomas]

q+

09:04:52 [tlr]

zakim, reopen the queue

09:04:52 [Zakim]

ok, tlr, the speaker queue is open

09:04:56 [bryan_]

zakim, aadd is bryan_

09:04:56 [Zakim]

+bryan_; got it

09:04:58 [JC]

... definitions for first and third party

09:05:04 [npdoty]

Zakim, who is on the phone?

09:05:04 [Zakim]

On the phone I see Telegraaf, BrendanIAB?, johnsimpson, fielding, bryan_

09:05:05 [JBWeiss]

JBWeiss has left #DNT

09:05:10 [rachel_n_thomas]

move to reopen the queue

09:05:16 [JC]

... section 3.5. Do we think that these options are at final text?

09:05:17 [tlr]

q?

09:05:27 [justin]

zakim, who is on the phone?

09:05:27 [Zakim]

On the phone I see Telegraaf, BrendanIAB?, johnsimpson, fielding, bryan_

09:05:30 [npdoty]

q- dsinger

09:05:32 [Brooks]

Brooks has joined #dnt

09:05:35 [npdoty]

q+ rachel_n_thomas

09:05:36 [JC]

... Should some of these be reworked or should additional options be added?

09:05:38 [lmastria-DAA]

how do we respond to queue questions?

09:05:51 [ChrisPedigoOPA]

q+

09:06:24 [JC]

... first party the user knowingly and intentionally interacted with it. Otherwise 3rd party.

09:06:40 [fielding]

My comments and alternative are at http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0055.html

09:06:49 [JC]

... possible to have multiple first parties on one page, but branding must be clear and have separate privacy poicies

09:07:02 [JC]

... the first party is not based on domain name

09:07:21 [JC]

... domain could reference different party from URL

09:07:25 [dsinger]

The second sentence in the third party paragraph is talking about first parties, and belongs in the first party paragraph.

09:07:32 [rigo]

q?

09:07:35 [JC]

... diferrent URL could belong to same party

09:07:39 [npdoty]

q?

09:07:47 [JC]

... if that is not clear raise question

09:08:05 [rigo]

q+ ask the browser folks whether we can draw from the TPE

09:08:16 [rigo]

q+ to ask the browser folks whether we can draw from the TPE

09:08:24 [tlr]

ack ChrisPedigoOPA

09:08:26 [JC]

lmastria I have a questoin about process

09:08:39 [JC]

Rachel why are not DMA proposals not listed here?

09:08:42 [lmastria-DAA]

response to jchester2...the program was tested and is tested and validated every day by users (11 mm to date). the practices do match and when they don't we have enforcement to drive compliance, the latest of which happened monday

09:08:51 [npdoty]

s/Rachel why/rachel: why/

09:08:51 [JC]

... I would like to see them added or explained why not

09:09:04 [JC]

... why have we moved on from discussion of unlinkable data

09:09:05 [fielding]

s/DMA/DAA/

09:09:20 [JC]

Aleeca: we have run out of time and will come back to unlinkable data at end of day

09:09:21 [justin]

ChrisPedigoOPA, here is the definition of party discussing affiliateness http://www.w3.org/TR/tracking-compliance/#def-party

09:09:36 [ChrisPedigoOPA]

thanks Justin

09:09:48 [lmastria-DAA]

+q

09:10:00 [lmastria-DAA]

q-

09:10:03 [JC]

... this is not the DAA or self-reg group

09:10:22 [JC]

Rachel: I feel there are many DAA members here

09:10:32 [justin]

rachel_n_thomas, Can you link the defs for us?

09:10:41 [fielding]

Imastria-DAA, please send those proposals to the mailing list

09:10:42 [JC]

... I have concrete proposals and can add them to IRC

09:10:46 [npdoty]

does someone have a summary of how the DAA definitions would vary from the current options?

09:11:01 [JC]

Aleecia: We can assign an action item to you and you can respond with your text to mailing list

09:11:02 [rigo]

rachel_n_thomas: please share link to DAA definitions

09:11:09 [JC]

... let me know if you have question on process

09:11:15 [npdoty]

q?

09:11:15 [rigo]

q?

09:11:18 [npdoty]

ack rachel_n_thomas

09:11:19 [rigo]

ack rachel_n_thomas

09:11:19 [JC]

Rachel: I am comfortable taking action item

09:11:51 [npdoty]

action: rachel to propose first/third party definitions from existing DAA documents

09:11:51 [trackbot]

Created ACTION-267 - Propose first/third party definitions from existing DAA documents [on Rachel Thomas - due 2012-10-10].

09:11:53 [JC]

Rigo:We have a very sophisticated system in TPE on first and third party distinction. Should we use that.

09:12:05 [rachel_n_thomas]

DAA definitons of first party and third party are available for review here http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf

09:12:14 [JC]

... Can technology address this?

09:12:40 [JC]

Aleecia: the two docs are not in sync and maybe we can address this.

09:12:41 [robsherman]

q+

09:12:46 [npdoty]

ack rigo

09:12:46 [Zakim]

rigo, you wanted to ask the browser folks whether we can draw from the TPE

09:12:47 [rigo]

ack rigo

09:12:47 [JC]

Dsinger: yes they should be in sync

09:13:09 [JC]

... I will take action to bring the docs into sync

09:13:13 [JC]

Rigo: I will help

09:13:23 [npdoty]

I think even with fielding's proposal and the existing TPE text, we still have concepts of user expectations/understanding in interaction

09:13:36 [dsinger]

action: dsinger to edit the TPE document to make sure that the final definition of parties is in sync across the two specifications

09:13:36 [trackbot]

Sorry, couldn't find dsinger. You can review and register nicknames at <http://www.w3.org/2011/tracking-protection/track/users>.

09:13:41 [JC]

Aleecia: Does either author wish to revise them based on feedback

09:13:52 [JC]

... one from Johanthan tom and peter

09:13:55 [justin]

q+

09:13:59 [JC]

... another from Shane et. al.

09:14:03 [dwainberg]

dwainberg

09:14:13 [JC]

Shane: what is disucssion

09:14:21 [JC]

Aleecia: first and third party

09:14:44 [dsinger]

action: dsinger to edit the TPE document to make sure that the final definition of parties is in sync across the two specifications

09:14:44 [trackbot]

Sorry, couldn't find dsinger. You can review and register nicknames at <http://www.w3.org/2011/tracking-protection/track/users>.

09:14:57 [dwainberg]

q+

09:14:59 [dwainberg]

:)

09:15:15 [JC]

Justin: I wanted to modify definition to address multiple-first party issue. How would TPE address that

09:15:23 [npdoty]

action: singer to edit the TPE document to make sure that the final definition of parties is in sync across the two specifications

09:15:23 [trackbot]

Created ACTION-268 - Edit the TPE document to make sure that the final definition of parties is in sync across the two specifications [on David Singer - due 2012-10-10].

09:15:25 [JC]

Dsinger: it doesn't

09:15:27 [fielding]

Why would it matter?

09:15:28 [WileyS]

+q

09:15:43 [justin]

-Q

09:16:01 [JC]

... substantial chunks of the TPE looks at top level domain

09:16:04 [tlr]

ack WileyS

09:16:21 [mischat]

mischat has joined #dnt

09:16:27 [JC]

WileyS: It should be no different from multi-domain structure. Each party responds as first parties.

09:16:42 [JC]

... handle it in that the beacon responds as first party

09:17:03 [JC]

Aleecia: That's great if they are co-first parties, but how does that work for FB button

09:17:05 [justin]

Thanks, rachel_n_thomas. I find the definition of third party too narrow given where we are (only OBA companies are first parties), but the first party definition tracks pretty closely to what we have as Option 2 right now.

09:17:15 [justin]

Ugh, s/first/third

09:17:23 [JC]

... same for clicking on an ad and why the discussion matters

09:17:29 [JBWeiss]

JBWeiss has joined #DNT

09:17:36 [JC]

Dsinger: the TPE discusses promotion

09:17:56 [npdoty]

ack robsherman

09:18:10 [JC]

Robsherman: Need to discuss how to manage multiple first parties

09:18:20 [fielding]

It is not relevant to TPE. It could be "solved" in a tracking policy document, or even an array of policy links, but it is still not relevant to the protocol.

09:18:42 [JC]

... both address but not clearly. I sent proposed text to email list

09:18:57 [JC]

Aleecia: Nick will assign action number to work

09:18:59 [johnsimpson]

Explain more please, Roy

09:19:00 [tlr]

q?

09:19:00 [npdoty]

have we reviewed robsherman's text? maybe that would supplant existing options?

09:19:11 [justin]

Agree with fielding, I think that has to be addressed specifically in compliance doc.

09:19:13 [fielding]

That does not stop it from being relevant to compliance.

09:19:28 [JC]

Dwainberg: There was more discussion about determining with high probability, but now description on how that is done

09:19:34 [JC]

... can someone describe

09:19:34 [amyc]

as a process question, why isn't proposed text included as option?

09:19:41 [JC]

Aleecia: that is in first option

09:20:15 [JC]

Dwainberg: in 3.5.2 websites is discussed and the work applies beyond websites and we should address

09:20:26 [tlr]

robsherman's text is here:

09:20:34 [JC]

Aleecia: could Shane or Heather address

09:20:43 [tlr]

http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0247.html

09:20:50 [JC]

... Justin will address

09:20:50 [rigo_]

rigo_ has joined #dnt

09:20:55 [JC]

Justin: Address what?

09:21:27 [JC]

WileyS: need to elaborate on websites to something more appropriate

09:21:54 [npdoty]

action: brookman to update 3.5.2 to expand beyond "Web site"

09:21:54 [trackbot]

Created ACTION-269 - Update 3.5.2 to expand beyond "Web site" [on Justin Brookman - due 2012-10-10].

09:21:55 [JC]

Dwainberg: Can clarification be made on option 1. It's not clear to me

09:21:58 [WileyS]

Justin, more expansive term than "web site" in 3.5.2. Perhaps "user interaction" instead?

09:22:13 [JC]

Aleecia: I believe that Rob suggested some text and we should look at that

09:22:36 [npdoty]

q?

09:22:36 [WileyS]

Justin, or perhaps a list: "site, server, or application central to user interaction"?

09:22:37 [JC]

Robsherman: I will paste link into IRC

09:22:39 [npdoty]

ack dwainberg

09:22:40 [schunter]

q?

09:22:40 [vinay_]

q+ kevinsmith

09:22:57 [robsherman]

http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0247.html (HT tlr)

09:23:00 [npdoty]

ack kevinsmith

09:23:32 [npdoty]

q+

09:23:34 [JC]

Kevinsmith: I'm concerned about having a link to separate privacy policies. There can be situations where it will be difficult due to realestate issues.

09:23:56 [JC]

... I don't have an obvious example, but I believe it is an issue

09:24:14 [JC]

WileyS: We didn't look at idea of promotion for multiple first parties

09:24:40 [JC]

... after clicking on a widget the privacy policy can be accessed

09:25:00 [rigo_]

note that "branding" is a commercial concept and DNT goes beyond commerce only

09:25:13 [justin]

Multi first party should be fairly rare.

09:25:21 [fielding]

This is another topic I already provided written comments for … http://lists.w3.org/Archives/Public/public-tracking/2012Apr/0114.html

09:25:37 [robsherman]

+q

09:25:49 [lmastria-DAA]

q+

09:26:22 [robsherman]

-q

09:26:47 [npdoty]

aleecia: suggestion, in 3.5.2 and Option 2, make the privacy policy a should, relying on screen real estate

09:26:48 [npdoty]

q?

09:26:49 [dsinger]

dsinger has joined #dnt

09:27:11 [amyc]

as housekeeping matter, we need to move interaction/promotion section to option 2 as well, right?

09:27:21 [justin]

+1 to npdoty --- these two definitions are functionally the same.

09:27:39 [amyc]

in other words, both option 1 and option 2 need to accommodate multiple first parties and promotion to first party

09:27:46 [WileyS]

Let's work on combining them then - I'm open to that

09:27:55 [bryan]

bryan has joined #dnt

09:28:02 [robsherman]

+1

09:28:14 [justin]

+q

09:28:21 [lmastria-DAA]

q-

09:28:22 [npdoty]

ack npdoty

09:28:31 [dsriedel]

dsriedel has joined #dnt

09:28:38 [justin]

-q

09:29:35 [npdoty]

npdoty: I think these two definitions may not be all that different, both rely on user expectations for the sake of promotion / interaction

09:29:53 [justin]

WileyS, if you have an action item here, may want to consider fielding's test too: http://lists.w3.org/Archives/Public/public-tracking/2012Apr/0114.html

09:30:21 [justin]

s/test/text

09:30:22 [rachel_n_thomas]

q+

09:30:28 [npdoty]

... think there's a good chance we could combine these, particularly since we need to update "visiting" a "site" already, which might correspond to the concept of intending to in interact with

09:30:43 [Chapell]

Chapell has joined #DNT

09:31:23 [johnsimpson]

q?

09:31:30 [WileyS]

Justin, got it - shared the text with David as we work on the rewrite

09:32:00 [dsinger]

option 3 only talks about first parties, which is a problem

09:32:05 [WileyS]

Justin - rewrite of 3.8.1 to be specific

09:32:23 [tlr]

tlr has joined #dnt

09:32:32 [hwest_]

+q

09:32:51 [npdoty]

WileyS, justin - I thought we were talking about the first/third party definition updates -- for which we don't have an action

09:32:58 [amyc]

q+

09:33:01 [dwainberg]

dwainberg

09:33:05 [npdoty]

q+ dwainberg

09:33:11 [npdoty]

ack hwest_

09:33:12 [dwainberg]

q+

09:33:19 [dwainberg]

I don't know why I keep doing that :)

09:33:38 [rigo_]

q+

09:33:38 [johnsimpson]

sorry, lost track what section?

09:33:51 [tlr]

tlr has joined #dnt

09:34:00 [npdoty]

ack rachel_n_thomas

09:34:13 [npdoty]

scribenick: npdoty

09:34:33 [justin]

npdoty, Yes, I think you should make an option on WileyS on this, but I'm willing to take it on --- I am fine with killing "high probability" in favor of the other text (though I still think you have subjective questions either way).

09:34:37 [npdoty]

rachel_n_thomas: happy to add definitions from DAA as an option, especially since most people in the room were involved with that

09:34:41 [WileyS]

q?

09:34:42 [tlr]

q?

09:34:46 [rigo]

ack amyc

09:34:47 [tlr]

ack amyc

09:35:02 [johnsimpson]

Rachel: Don't think everyone in room developed that. I sure didn't have a hand in it.

09:35:05 [JC]

JC has joined #DNT

09:35:06 [npdoty]

amyc: I do like option 3, though it would need to be broadened to third party as well

09:35:06 [rwessel]

rwessel has joined #dnt

09:35:13 [rigo]

ack tlr

09:35:20 [npdoty]

... service providers to detect fraud and monitor security

09:35:28 [WileyS]

+q

09:35:40 [npdoty]

... those service providers need to aggregate that information across multiple clients

09:35:48 [npdoty]

... talks to the permitted uses, not just silo'ing

09:35:51 [JC]

Amy: I like option 3 since it doesn't specifically require siloing

09:36:04 [tlr]

ack dwainberg

09:36:07 [hwest_]

Not sure whether this got in there - but intention to option 3 is to have a pure definition that's simple and in line with consensus of gthe group in Seattle.

09:36:09 [npdoty]

aleecia: is the siloing just around security/fraud, or all of them?

09:36:14 [justin]

q?

09:36:16 [efelten]

efelten has joined #dnt

09:36:17 [npdoty]

some people in the room: all of them

09:36:43 [fielding]

I consider such data-gathering for security to be a permitted third party, not a service provider relationship.

09:36:45 [npdoty]

dwainberg: language about "no independent rights" could be too limiting, service providers will have certain needs (debugging, maintaining)

09:36:58 [amyc]

options need to include ability to use across clients, rather than strict siloing. Example is fraud detection services that need to aggregate data across multiple clients in order to effectively detect fraud

09:37:15 [adrianba]

adrianba has joined #dnt

09:37:16 [npdoty]

... scoped to instead be "no independent rights" for a particular use

09:37:23 [Rene]

+q

09:37:25 [npdoty]

npd: fielding, I assumed that as well

09:37:27 [amyc]

fielding, first parties are prohibited from sharing with third parties, can only share with service provider

09:37:30 [ksmith]

ksmith has joined #DNT

09:37:46 [amyc]

sites need to share with service provider that may be aggregating information for security detection

09:38:13 [npdoty]

rigo: if the service provider on your behalf uses the data to secure their own service, that's fine

09:38:23 [npdoty]

... the key is the *independent* use

09:38:31 [fielding]

amyc, I think we would need additional text to allow it -- tightly scoped to not be a huge privacy hole

09:38:45 [rwessel]

rwessel has left #dnt

09:38:57 [rigo]

ack rig

09:39:12 [Simon]

Simon has joined #dnt

09:39:20 [npdoty]

action: rachel to propose existing DAA text for service providers

09:39:20 [trackbot]

Created ACTION-270 - Propose existing DAA text for service providers [on Rachel Thomas - due 2012-10-10].

09:39:27 [fielding]

q+

09:39:31 [ChrisPedigoOPA]

q+

09:39:31 [amyc]

fielding, I wonder whether option three, which speaks to permitted uses as well in context of service provider relationship - and fraud detection is permitted use

09:40:03 [Simon]

Simon has joined #dnt

09:40:11 [dwainberg]

dwainberg

09:40:18 [npdoty]

q+ dwainberg

09:40:22 [npdoty]

ack WileyS

09:40:34 [fielding]

I proposed rough text on the list for service provider within first party rather than as a separate party

09:40:50 [Chris_IAB]

Chris_IAB has joined #dnt

09:41:01 [susanisrael]

susanisrael has joined #dnt

09:41:24 [susanisrael]

roy thanks for clarification re: security use

09:41:24 [npdoty]

action: west to update service provider language to apply to first and third parties

09:41:24 [trackbot]

Created ACTION-271 - Update service provider language to apply to first and third parties [on Heather West - due 2012-10-10].

09:41:26 [Ionel_IAB]

Ionel_IAB has joined #dnt

09:41:27 [dwainberg]

q-

09:41:38 [Chris_IAB]

npdoty, fyi, I was kicked out of IRC and had trouble re-joining

09:41:38 [rigo]

I can live with option 3 but for the sake of beauty and simplicity, legally we would not need anything beyond "no independent right to process"

09:41:49 [npdoty]

action-271: WileyS said the s// language aloud, but I couldn't capture that

09:41:49 [trackbot]

ACTION-271 Update service provider language to apply to first and third parties notes added

09:41:55 [npdoty]

scribenick: npdoty

09:42:09 [dwainberg]

rigo, I'm not sure whether we disagree

09:42:16 [Ionel_IABEU]

Ionel_IABEU has joined #dnt

09:42:30 [rigo]

David, I'm pretty sure we aren't

09:42:40 [npdoty]

WileyS: added the permitted uses text to that third option regarding service providers

09:42:43 [JC]

JC has joined #DNT

09:42:44 [npdoty]

q?

09:42:54 [rigo]

failed

09:43:04 [dwainberg]

I'm comparing to contractual language I've seen in the US, and in that context, I think companies will find the no independent use language confusing.

09:43:23 [JC]

Rene: in EU we have industry bodies representing owner of data. Is this something we can place under unlinkable?

09:43:25 [npdoty]

rene: audience measurement, working on behalf of the owner of the data -- is this a service provider relationship?

09:43:29 [npdoty]

scribenick: JC

09:43:40 [dwainberg]

what we generally see is "no independent rights, except..."

09:43:53 [mikeo]

mikeo has joined #dnt

09:44:00 [JC]

... Is sharing by SP covered by unlinkable?

09:44:07 [npdoty]

q?

09:44:12 [JC]

Aleecia: depends on the definition

09:44:12 [rigo]

ack Rene

09:44:15 [tlr]

ack fielding

09:44:28 [WileyS]

Heather - new Option 3: Service Providers acting on the behalf of another Party and with no independent rights to use that Party’s data outside of the context of that that Party and Permitted Uses are also considered to be acting as the that Party.

09:44:35 [susanisrael]

David and Shane I have an idea for service provider definition clarification-will try to help if you want

09:44:49 [WileyS]

Susan - definitely - please let us know

09:44:56 [npdoty]

fielding, I thought we've just asked that we extend service provider beyond just first parties

09:45:06 [JC]

Roy: I want to know in addition to Aleecia's list is there a broader definition of a first party versus sprinkling throughout the document

09:45:17 [tlr]

http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0055.html

09:45:22 [justin]

That would be hard for me too!

09:45:25 [JC]

... since it would affect the entire definition section it would be tough to write a new compliance document

09:45:26 [vinay]

vinay has joined #dnt

09:45:44 [jchester2]

I agree with Justin

09:45:44 [fwagner]

fwagner has joined #dnt

09:45:47 [JC]

Aleecia: We can't go through it now, but it should be in tracker

09:45:54 [tlr]

ACTION: roy Fielding to propose text for party and outsourcing definitions

09:45:54 [trackbot]

Created ACTION-272 - Fielding to propose text for party and outsourcing definitions [on Roy Fielding - due 2012-10-10].

09:45:59 [tlr]

ACTION-272: done in http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0055.html

09:45:59 [trackbot]

ACTION-272 Fielding to propose text for party and outsourcing definitions notes added

09:46:01 [JC]

... we will have an action that points to the text if that is okay

09:46:04 [tlr]

action-272?

09:46:04 [trackbot]

ACTION-272 -- Roy Fielding to fielding to propose text for party and outsourcing definitions -- due 2012-10-10 -- OPEN

09:46:04 [trackbot]

http://www.w3.org/2011/tracking-protection/track/actions/272

09:46:07 [JC]

Roy: that's fine

09:46:11 [npdoty]

q?

09:46:28 [tlr]

ACTION: robsherman to draft text on first party

09:46:28 [trackbot]

Sorry, couldn't find robsherman. You can review and register nicknames at <http://www.w3.org/2011/tracking-protection/track/users>.

09:46:53 [npdoty]

action: sherman to propose text regarding multiple first parties

09:46:53 [trackbot]

Created ACTION-273 - Propose text regarding multiple first parties [on Rob Sherman - due 2012-10-10].

09:46:55 [JC]

ChrisPedigo: Going back to David and Rigo statement about SP using data to improve service, does independent right include that?

09:47:04 [JC]

Rigo: I doubt that it would

09:47:07 [WileyS]

+q

09:47:17 [npdoty]

ack ChrisPedigoOPA

09:47:44 [dwainberg]

dwainberg

09:47:46 [lmastria-DAA]

q+

09:47:47 [JC]

... a person that processes on behalf of first party then it depends on reslationship. The first party is still in control

09:47:49 [tlr]

ACTION-273: done in http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0247.html

09:47:49 [trackbot]

ACTION-273 Propose text regarding multiple first parties notes added

09:48:06 [tlr]

q?

09:48:06 [WileyS]

q?

09:48:08 [tlr]

ack w

09:48:12 [dwainberg]

q!

09:48:15 [dwainberg]

q+

09:48:25 [dwainberg]

(boy I'm having trouble using this thing today)

09:48:27 [rvaneijk]

q+

09:48:38 [tl]

+q

09:48:53 [JC]

WileyS: I believe there is a difference in understanding. You can take learnings in those you work for. You can't use the data itself, but you can learn from it. Anything that is unlinkable can be used.

09:49:04 [tlr]

q?

09:49:04 [jchester2]

Shane: Including if such learning is used for tracking?

09:49:13 [rwessel]

rwessel has joined #dnt

09:49:24 [WileyS]

Jeff, no - that would be an independent use - not allowed

09:49:28 [tlr]

q?

09:49:40 [JC]

Rob: The first party determines the purpose and means. It is important to distinguish between learning and use, but work should not go beyond original agrement

09:49:47 [tl]

-q

09:50:05 [JC]

Aleecia: two people are reading same statement and coming up with different meanings. This should be fixed.

09:50:08 [rvaneijk]

controller determines purpose and means. Any serviceprovider who does anything with the actual data beyond that scope becomes a controller himself

09:50:16 [jchester2]

Shane: So what happens with the "learnings"--it wuld be used for some part of the targeting function at some point, no?

09:50:34 [npdoty]

WileyS, is your suggestion that a service provider can make unlinkable data of a customer's data and then use it for other purposes not for the customer?

09:50:34 [JC]

WileyS: I don't think Rob was commenting on text, but EU position. If not I would like to get his response

09:50:41 [tl]

q?

09:51:06 [JC]

Aleecia: WileyS will take action to add non-normative text to clarify text

09:51:12 [rigo]

rigo has joined #dnt

09:51:30 [npdoty]

action: wiley to propose non-normative text on service providers to clarify "independent use" (with rvaneijk)

09:51:30 [trackbot]

Created ACTION-274 - Propose non-normative text on service providers to clarify "independent use" (with rvaneijk) [on Shane Wiley - due 2012-10-10].

09:51:33 [tlr]

q?

09:51:33 [JC]

Rob: we had text already, maybe we could copy and paste it. I will work with wileyS on it.

09:51:47 [npdoty]

q- rvaneijk

09:51:47 [rvaneijk]

q-

09:52:38 [JC]

Lmastria: Bridges between Rachel's action item and Rigo's independence could be addressed. A large portion of our businesses are subject to enhanced notice and control around data usage.

09:52:44 [JC]

... that should be considered.

09:52:50 [npdoty]

ack lmastria-DAA

09:53:06 [JC]

Aleecia: One of our proposals has less notice vs. more.

09:53:21 [JC]

Dwainberg: I look forward to extra text because I'm confused by it

09:53:55 [JC]

... we dont want to unintentionally cause a problem between SP doing work for a party and a first party that can do it themselves

09:54:13 [JC]

... this would create a competitive disparity that we should try to avoid

09:54:28 [JC]

Aleecia: Basically we see the SP standing in the shoes of the first party

09:54:51 [tlr]

q?

09:54:56 [tlr]

ack dwainberg

09:54:57 [schunter]

ack dwainberg

09:55:10 [JC]

Aleecia: SP can be seen as the same, but they cannot for example share data across first parties

09:55:25 [justin]

Link?

09:55:33 [rvaneijk]

@shane: "For the EU, the outsourcing scenario is clearly regulated. In the

09:55:33 [npdoty]

I think there's support for that principle (from dwainberg) in general, although limiting independent use gets at the potential privacy difference between a company performing the practice itself and a service provider doing it

09:55:34 [rvaneijk]

current EU Directive 95/46/EC, but also in the suggested regulation

09:55:36 [rvaneijk]

reforming the data protection regime, an entity using or processing data

09:55:38 [rvaneijk]

is subject to data protection law. A First Party (EU: data controller)

09:55:39 [rvaneijk]

is an entity or multiple entities (EU: joint data controller) who

09:55:41 [rvaneijk]

determines the purposes, conditions and means of the data processing

09:55:43 [rvaneijk]

will be the data controller. A service provider (EU: data processor) is

09:55:44 [JC]

... Dwainberg came up with some text for data append.

09:55:45 [rvaneijk]

an entity with a legal contractual relation to the Data Controller. The

09:55:46 [rvaneijk]

Service Provider does determine the purposes, conditions and means of

09:55:48 [rvaneijk]

the data processing, but processes data on behalf of the controller. The

09:55:49 [rvaneijk]

data processor acts on behalf of the data controller and is a separate

09:55:51 [rvaneijk]

legal entity. An entity acting as a first party and contracting services

09:55:52 [rvaneijk]

of another party is responsible for the overall processing. A third

09:55:54 [rvaneijk]

party is an entity with no contractual relation to the Data Controller

09:55:55 [rvaneijk]

and no specific legitimacy or authorization in processing personal data.

09:55:57 [rvaneijk]

If the third party has own rights and privileges concerning the

09:55:58 [rvaneijk]

processing of the data collected by the first party, it isn't a data

09:56:00 [JC]

... a lot of these use cases may be addressed else where

09:56:00 [rvaneijk]

processor anymore and thus not covered by exemptions. This third party

09:56:02 [rvaneijk]

is then considered as a second data controller with all duties attached

09:56:04 [rvaneijk]

to that status. As the pretensions of users are based on law, they apply

09:56:05 [rvaneijk]

to first and third party alike unless the third party acts as a mere

09:56:07 [rvaneijk]

data processor."

09:56:21 [JC]

... my suggestion is that we leave this at is and come back to it

09:56:28 [JC]

... once definition is done

09:57:11 [JC]

... there is an action for data append, but no issue so we should create one

09:57:14 [johnsimpson]

makes sense

09:57:14 [ChrisPedigoOPA]

q=

09:57:32 [WileyS]

Q?

09:57:47 [JC]

ChrisPedigo: I don't believe there should be a data append restriction as it may be out of scope

09:57:56 [JC]

Aleecia: let's define it and then decide

09:58:08 [npdoty]

issue: definition of and what/whether limitations around data append

09:58:08 [trackbot]

Created ISSUE-170 - Definition of and what/whether limitations around data append ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/170/edit .

09:58:11 [lmastria-DAA]

ditto ChrisPedigo re data append

09:58:18 [npdoty]

issue-170: see action-229

09:58:28 [npdoty]

postpone issue-170

09:58:30 [JC]

... Npdoty will create new issue and attach to action 229

09:58:30 [trackbot]

ISSUE-170 Definition of and what/whether limitations around data append notes added

09:58:55 [JC]

... covered everything except unlinkable and now will go to lunch

09:58:58 [npdoty]

issue-170: let's come back to this issue after we've made decisions around service providers

09:58:58 [trackbot]

ISSUE-170 Definition of and what/whether limitations around data append notes added

09:59:10 [Zakim]

-johnsimpson

09:59:12 [rigo_]

rigo_ has joined #dnt

09:59:25 [BrendanIAB]

I'm going to disconnect from phone for the next 60 minutes

09:59:40 [npdoty]

adjourned for lunch.

09:59:47 [npdoty]

rrsagent, pointer?

09:59:47 [RRSAgent]

See http://www.w3.org/2012/10/03-dnt-irc#T09-59-47

10:00:11 [Zakim]

-BrendanIAB?

10:00:19 [npdoty]

rrsagent, draft minutes

10:00:19 [RRSAgent]

I have made the request to generate http://www.w3.org/2012/10/03-dnt-minutes.html npdoty

10:00:52 [Zakim]

-bryan_

10:00:57 [Zakim]

-fielding

10:23:23 [dtauerbach]

dtauerbach has joined #dnt

10:46:55 [dwainberg]

dwainberg has joined #dnt

10:47:55 [Joanne]

Joanne has joined #DNT

10:49:31 [ksmith]

ksmith has joined #DNT

10:55:18 [justin]

justin has joined #dnt

10:56:46 [npdoty]

npdoty has joined #dnt

10:57:45 [Simon]

Simon has joined #dnt

10:59:23 [ksmith1]

ksmith1 has joined #DNT

10:59:24 [Zakim]

+??P1

10:59:42 [BrendanIAB]

Zakim, ??P1 is probably me

10:59:42 [Zakim]

+BrendanIAB?; got it

11:00:51 [Zakim]

+bryan_

11:02:20 [Zakim]

+fielding

11:02:29 [amyc]

amyc has joined #dnt

11:03:24 [johnsimpson]

are we back

11:03:44 [amyc]

not quite yet

11:04:00 [justin]

We are working out boat-dinner logistics.

11:04:10 [npdoty]

Zakim, who is on the phone?

11:04:10 [Zakim]

On the phone I see Telegraaf, BrendanIAB?, bryan_, fielding

11:04:19 [justin]

We're assuming you're a no, johnsimpson.

11:04:26 [afowler]

afowler has joined #dnt

11:04:29 [Zakim]

+johnsimpson

11:05:02 [johnsimpson]

A no on what?

11:05:26 [johnsimpson]

I'll be there in spirit...

11:06:07 [Rene]

Rene has joined #dnt

11:06:35 [dsriedel]

dsriedel has joined #dnt

11:06:43 [BerinSzoka]

BerinSzoka has joined #DNT

11:06:57 [npdoty]

screen should be shared now, let us know if you're having problems

11:07:14 [vinay]

Those can follow Aleecia screen at http://my.adobeconnect.com/vigoel

11:07:38 [npdoty]

scribenick: susanisrael

11:07:46 [johnsimpson]

yes have screen

11:08:06 [ChrisPedigoOPA]

ChrisPedigoOPA has joined #dnt

11:08:06 [susanisrael]

aleecia: will be talking about financial logging, don't have enough text to discuss clearly

11:08:21 [susanisrael]

have text originally in draft and action 235 from nick, discussed a bit on phone

11:08:32 [susanisrael]

there is a lot of nonnormative text that's useful

11:08:43 [npdoty]

from me: http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0141.html

11:08:45 [susanisrael]

ran into trouble with "to the extent required by law."

11:08:46 [JBWeiss]

JBWeiss has joined #DNT

11:09:00 [susanisrael]

[read text]

11:09:05 [rigo_]

rigo_ has joined #dnt

11:09:15 [ifette]

q+

11:09:21 [rvaneijk]

rvaneijk has joined #dnt

11:09:42 [susanisrael]

there is a lot of additional text re: permitted uses, this is just one of them

11:09:50 [Ionel_IABEU]

Ionel_IABEU has joined #dnt

11:10:06 [susanisrael]

in editor's draft have different text right now. [read 6.1.1.5

11:10:19 [susanisrael]

those are the 2 texts we are looking at

11:10:22 [npdoty]

regarding action-255, we also had a proposal from Alan: http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0243.html

11:10:28 [susanisrael]

have not started to flesh out differences

11:10:30 [WileyS]

+q

11:10:30 [justin]

q?

11:10:32 [npdoty]

q+

11:10:34 [WileyS]

-q

11:10:35 [susanisrael]

will take comments/questions about this text

11:11:01 [susanisrael]

ian: i will note that nick's text introduces term of tracking and that is not defined or used elsewhere

11:11:02 [justin]

Replace tracking with "collection, retention, and use"?

11:11:14 [susanisrael]

aleecia: there may be an action on that elsewhere already

11:11:20 [susanisrael]

nick: happy to do that

11:11:30 [Chris_IAB]

q+

11:11:36 [Chapell]

Chapell has joined #DNT

11:11:38 [justin]

ack ifette

11:11:39 [susanisrael]

aleecia: if that isn't in action form already it should be created

11:11:41 [justin]

ack npdoty

11:11:42 [Marije]

Marije has joined #dnt

11:12:04 [susanisrael]

nick: in queue to talk about "not my text"--alan took action to provide info re: financial reporting

11:12:16 [susanisrael]

.....that's how we got into discussion re: contract

11:12:18 [WileyS]

+q

11:12:43 [susanisrael]

nick: i was using law because of suggestion from shane that there might be applicable law

11:12:49 [npdoty]

regarding action-255, we also had a proposal from Alan: http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0243.html

11:12:49 [susanisrael]

aleecia: which action?

11:12:53 [susanisrael]

nick: 244

11:12:56 [npdoty]

action-255?

11:12:56 [trackbot]

ACTION-255 -- Alan Chapell to work on financial reporting text (with nick, ian) as alternative to legal requirements -- due 2012-09-19 -- PENDINGREVIEW

11:12:56 [trackbot]

http://www.w3.org/2011/tracking-protection/track/actions/255

11:12:58 [susanisrael]

sorry, nick: 255

11:13:06 [efelten]

s/244/255/

11:13:11 [susanisrael]

got it

11:13:33 [npdoty]

I think most of the discussion on that thread is not directly related, but the start of it has the proposal about contracts

11:13:42 [susanisrael]

aleecia reads from email chain

11:13:48 [hwest]

hwest has joined #dnt

11:13:52 [npdoty]

q?

11:14:00 [Brooks]

Brooks has joined #dnt

11:14:13 [susanisrael]

chris: my concern is "required by law."

11:14:14 [ksmith1]

q?

11:14:20 [npdoty]

ack Chris_IAB

11:14:45 [susanisrael]

chris: i did some research on auditing since 60s by MRC which requires retaining data for a year

11:14:48 [jchester2]

+q

11:14:55 [efelten]

q+

11:14:55 [tl]

+q

11:15:00 [npdoty]

ack WileyS

11:15:03 [susanisrael]

chris: i don't think this organization should have ability to override another organization's standards

11:15:04 [Chapell]

+q

11:15:29 [susanisrael]

shane: the issues with contracts are not with contracts directly but just with proving you performed under contract

11:15:37 [efelten]

q-

11:15:46 [dsinger]

Indeed, I believe even financial auditing is technically not law, often, but required e.g. to get listed on a stock exchange, or to conform to an industry norm

11:16:13 [susanisrael]

need to prove having performed is an issue across jurisdiction. don't know how to get around this problem.

11:16:23 [rigo_]

q?

11:16:25 [dsinger]

q+ to check to what extent the general provisions make life easier here

11:16:38 [susanisrael]

shane: contracts not the problem: but proof of contract

11:16:54 [Chris_IAB]

According to the Media Rating Council (MRC), the normal retention period for "source data" required for industry accreditation of third-party audience estimates is 1-year, as documented in their published standards: "Minimum Standards for Media Rating Research" (available for download at http://mediaratingcouncil.org/MRC%20Standards.htm).

11:17:03 [npdoty]

WileyS, I hear your point about proof of fulfillment of a contract, rather than fulfillment directly required by the contract itself

11:17:08 [susanisrael]

aleecia: getting a sense of other needs may help

11:17:32 [WileyS]

Nick, how could we integrate that perspective into the proposed text from Alan?

11:17:34 [susanisrael]

jeff: i do think it's important that we have identified what is required by law

11:17:45 [justin]

I think someone should take an action to write Shane's middle ground text.

11:18:03 [susanisrael]

jeff: we did research on sarbox and couldn't find any specific language re: interactive advertising

11:18:20 [lmastria-DAA]

lmastria-DAA has joined #dnt

11:18:29 [susanisrael]

can't depend on contractual procedures industry has developed before privacy crisis. don't have enough documentation

11:18:38 [npdoty]

q?

11:18:42 [Chris_IAB]

q+

11:18:44 [justin]

ack jchester

11:18:44 [tl]

-q

11:18:45 [susanisrael]

jeff: there is resistance to providing proof to govt agencies

11:18:47 [justin]

ack tl

11:18:48 [npdoty]

ack jchester2

11:18:50 [justin]

ack chapell

11:18:51 [tlr]

tlr has joined #dnt

11:18:52 [npdoty]

ack Chapell

11:19:13 [susanisrael]

alan: point i was trying to make is that there are standards created by other bodies that companies i work with will have to make

11:19:22 [rigo_]

WileyS, do I understand you right that you want limited purpose to have it retained for audit purpose only and for financial proof. That could be added to the spec

11:19:26 [dwainberg]

q+

11:19:32 [rachel_n_thomas]

rachel_n_thomas has joined #dnt

11:19:42 [susanisrael]

alan: there are hobson's choices for these companies. they will try to do right thing but it speaks to goal here if it's industry implementability

11:19:46 [tl]

+q

11:20:07 [susanisrael]

alan: i am not here to say which other standards are legitimate but it is uncomfortable

11:20:28 [efelten]

q+

11:20:33 [susanisrael]

alan: jeff: i love you but there has been a lot of information that has gone around pls acknowledge

11:20:36 [rwessel]

rwessel has joined #dnt

11:20:53 [WileyS]

For those interested - this is only SOX (many financial laws outside of this one): http://www.gpo.gov/fdsys/pkg/PLAW-107publ204/html/PLAW-107publ204.htm

11:20:58 [ifette]

q+

11:21:04 [susanisrael]

jeff: one of the organizations that just joined has said it could provide more if ms default taken off the table

11:21:40 [susanisrael]

david singer: how much will general permissions help? if you demo that you only collected data for permitted use for the specified time that may help

11:21:46 [justin]

+q

11:21:53 [npdoty]

ack dsinger

11:21:53 [Zakim]

dsinger, you wanted to check to what extent the general provisions make life easier here

11:21:54 [susanisrael]

q+

11:22:08 [JBWeiss]

JBWeiss has joined #DNT

11:22:29 [susanisrael]

david singer: we will not police collection or retention but it helps to be able to point to an industry requirement. does that help off pressure?

11:22:42 [susanisrael]

aleecia: quick straw poll

11:23:08 [susanisrael]

does anyone want to continue to argue for to the extent required by law?

11:23:17 [susanisrael]

jeff: only vote for this

11:23:25 [johnsimpson]

i think law is important

11:23:35 [susanisrael]

rigo: the relation is different. req'd by law will trump anyway

11:23:51 [WileyS]

law trumps all else in the standard

11:24:08 [susanisrael]

rigo: qu is whether anyone opposed to adding other requirements, i would be opposed to removing reqmt' to comply with law

11:24:32 [susanisrael]

aleecia: jeff was concerned that sox compliance could become indefinite

11:25:17 [dsinger]

…and much auditing is a requirement of e.g. belonging to a trade group, being listed on a stock exchange, isn't it?

11:25:18 [tlr]

action-235?

11:25:18 [trackbot]

ACTION-235 -- Nick Doty to draft middle way draft on permitted uses -- due 2012-09-04 -- PENDINGREVIEW

11:25:18 [trackbot]

http://www.w3.org/2011/tracking-protection/track/actions/235

11:25:19 [susanisrael]

jeff: i agree with you that you could interpret -- i do have this concern that sarbox is so vague that you could make lots of arguments

11:25:32 [susanisrael]

jeff: at the same time i think my point is show me the tofu

11:25:37 [susanisrael]

chris: i provided tofu

11:25:48 [justin]

q?

11:25:58 [susanisrael]

jeff: i have not seen evidence of legal requirements and extent of data retained

11:26:21 [npdoty]

action: doty to update middle way proposals to avoid relying on "tracking"

11:26:21 [trackbot]

Created ACTION-275 - Update middle way proposals to avoid relying on "tracking" [on Nick Doty - due 2012-10-10].

11:26:25 [susanisrael]

ed: difficult question what's the limiting principle. if entities got together and decided keep everything that could be a problem

11:26:36 [tlr]

http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0141.html

11:26:38 [susanisrael]

q+

11:26:42 [tl]

-q

11:27:01 [susanisrael]

aleecia: not seeing huge support for to the extent required by law

11:27:05 [johnsimpson]

the key is what is he limiting factor

11:27:10 [tlr]

ack Chris_IAB

11:27:18 [npdoty]

aleecia: I think we are moving to something else besides "required by law"

11:27:30 [susanisrael]

chris: i think i agree with david singer's principle so we could find a place to start there

11:27:45 [susanisrael]

chris: i think we already have text without required by law

11:28:01 [Stella]

Stella has joined #dnt

11:28:14 [susanisrael]

ed: so limiting principle is requirements for collection and use?

11:28:16 [tl]

+q

11:28:19 [tl]

-q

11:28:24 [susanisrael]

chris: could interpret it that way

11:28:27 [dsinger]

q?

11:28:27 [tlr]

ack dwainberg

11:28:28 [efelten]

q-

11:28:32 [tlr]

ack efelten

11:28:38 [tlr]

q- ifette

11:28:40 [tlr]

ack justin

11:29:03 [susanisrael]

justin: a lot of my question is similar to what ed is pointing out but i guess 6. 1. 2.2 is data minimization principle

11:29:05 [npdoty]

chris is referring to the existing Working Draft / editors' draft text on financial reporting

11:29:05 [tl]

+q to say that we don't want to oblige people to break the law, but we don't want contracts to allow for a hole you could drive a double-decker bus through, and the same applies to other standards.

11:29:11 [dwainberg]

q+

11:29:17 [tlr]

ack next

11:29:20 [susanisrael]

justin: contracts shouldn't be dispositive

11:29:44 [tlr]

susanisrael: Is the principle best expressed not through contracts -- but proof of delivery of the ad is the basis?

11:29:50 [tlr]

... not necessarily required that data linkable

11:29:56 [npdoty]

susanisrael: is the principle best expressed through contracts, "proof of delivery" -- which doesn't require that data be linkable

11:29:57 [tlr]

... maybe that's also something to work with?

11:30:22 [amyc]

q+

11:30:24 [Chris_IAB]

q+

11:30:30 [susanisrael]

susan scribing again

11:30:34 [WileyS]

Jeff, here is a direct SEC mandate requiring data used for transacational audits be retained for 7 years: http://www.sec.gov/rules/final/33-8180.htm

11:31:09 [Chris_IAB]

would need to know definition of "linkable"

11:31:13 [tlr]

ack tl

11:31:13 [Zakim]

tl, you wanted to say that we don't want to oblige people to break the law, but we don't want contracts to allow for a hole you could drive a double-decker bus through, and the

11:31:16 [Zakim]

... same applies to other standards.

11:31:16 [npdoty]

susanisrael: question whether linkable data is required for this purpose

11:31:19 [Brooks]

it might be a useful term

11:31:25 [efelten]

Shane, doesn't that SEC doc apply only to accounting firms?

11:31:31 [susanisrael]

aleecia: linkable not part of definition right now

11:31:37 [rachel_n_thomas]

q+

11:31:41 [susanisrael]

tl: standard should not require breaking law

11:31:57 [jchester2]

Thanks. I had lawyers review this and they did not find any evidence that Sarbannes requires online ad companies to keep data linked to users. We will have them review this. But at the moment, we don't believe that sufficient evidence has been given.

11:31:59 [Simon]

There are other industry standars, such as GAAP accounting standards that may come into play

11:32:02 [Chapell]

+q

11:32:06 [lmastria-DAA]

q+

11:32:12 [tlr]

ack dwainberg

11:32:17 [susanisrael]

tl: i think compliance with contracts or other standards could make standard emptyt

11:32:22 [Brooks]

q+

11:32:28 [justin]

I think we can incorporate the workaround that contracts DNT following the law, but that issue is somewhat orthogonal to what is reasonable retention/use for financial logging.

11:32:31 [jchester2]

Can Tom propose how it should be written?

11:32:35 [justin]

s/DNT/DNE/

11:32:39 [WileyS]

Ed, in this case it does - but the orgin of the records has the same retention requirement OR GREATER - looking for the exact reference now. IRS requirements not as easy to thread in this context (receipt/financial record retention laws).

11:32:46 [rigo_]

rigo_ has joined #dnt

11:32:57 [fielding]

I think the standard should be written based on Do Not Track, not Do Not Collect, since these issues have nothing whatsoever to do with tracking.

11:33:03 [susanisrael]

david w: i think we are somewhere in gap between required by law but don't want big loophole permitting throwing it out

11:33:08 [rigo_]

q?

11:33:14 [rigo_]

q+ to respond to Ed and finding purpose limitation an option, concerned by the level of document required.

11:33:20 [susanisrael]

david w: might help to hear bad things we think might result so we can protect against them

11:33:21 [npdoty]

q+

11:33:28 [rigo_]

q- later

11:33:32 [hwest]

hwest has joined #dnt

11:33:33 [dsinger]

q+ to suggest a note on contracts and practices

11:34:01 [susanisrael]

aleecia: can i sum up as worry be able to have contracts do away with the standard and global protection entirely

11:34:17 [susanisrael]

aleecia: i think that is the concern rather than any specific thing

11:34:31 [tlr]

ack amyc

11:34:34 [npdoty]

(want to: identify concern over billing of past/subsequent activity; billing of profile of the audience)

11:35:02 [justin]

+1 to amyc

11:35:02 [susanisrael]

amy: i was going to highlight that i have an action pending re: not using the contract to circumvent the spec. so rather than trying to deal with this piecemeal

11:35:15 [tlr]

ack Chris_IAB

11:35:15 [susanisrael]

...let's rely on that global requirement

11:35:20 [susanisrael]

aleecia: could be helpful

11:35:22 [WileyS]

+1 to AmyC

11:35:31 [npdoty]

+1 on global requirement, amyc

11:35:52 [susanisrael]

chris: in arguing vs the way the draft is today, i am trying to understand why it's a problem...

11:36:04 [rigo_]

q?

11:36:06 [npdoty]

ack rachel_n_thomas

11:36:08 [susanisrael]

are you trying to protect against bad actors? spec requires some level of trust

11:36:08 [Joanne]

+1 to Amy

11:36:20 [npdoty]

s/are you/... are you/

11:36:41 [susanisrael]

rachel: newbie question: why legal requirements in standard

11:36:47 [tlr]

rachel, different discussion.

11:36:55 [ifette]

q+

11:37:13 [susanisrael]

rachel: my question is why does it need to be in doc if w3c standard process and if not why not

11:37:38 [Brooks]

q-

11:37:39 [susanisrael]

aleecia: we have said we are for law compliance and we're not going down that path so don't need to discuss this

11:37:46 [susanisrael]

aleecia: it's dead

11:38:12 [efelten]

q?

11:38:37 [npdoty]

ack Chapell

11:38:37 [susanisrael]

alan: trying to use reasonable person standard, but in hypo that i have given there may be a requirement to report

11:38:39 [npdoty]

ack lmastria-DAA

11:38:44 [Chris_IAB]

q+

11:39:16 [susanisrael]

lou: we have certainly found language acceptable to broad swath of language acceptable to industry. not sure what we would want beyond that

11:39:18 [jmayer]

jmayer has joined #dnt

11:39:24 [Zakim]

-bryan_

11:39:41 [susanisrael]

aleecia: so are you suggesting read daa text? was originally suggested but people may not have read recently

11:39:53 [Zakim]

+Jonathan_Mayer

11:40:03 [tl]

+q to say that this is not the DAA

11:40:32 [jchester2]

Consumer and privacy groups were not involved with the DAA process at all. Consequently it is narrowly drawn and does not reflect the interests of users, esp on privacy.

11:40:36 [susanisrael]

aleecia: lou has action to provide text re data retention which is applicable to financial logging

11:40:39 [npdoty]

action: luigi to provide text regarding data retention, applicable to finanical logging data

11:40:39 [trackbot]

Created ACTION-276 - Provide text regarding data retention, applicable to finanical logging data [on Luigi Mastria - due 2012-10-10].

11:40:55 [Walter]

Walter has joined #dnt

11:41:12 [jchester2]

Hello Walter!

11:41:17 [susanisrael]

nick: i wanted to pick up on point ed was making and i think alan or david w re: what we might have concern about that is not captured in text

11:41:19 [djm]

djm has joined #dnt

11:41:27 [Walter]

Good afternoon Jeffrey (and the rest)

11:41:40 [susanisrael]

nick: examples that have come up in thread with alan. one is billing re: past or subsequent activity

11:42:02 [susanisrael]

nick: contract where i get paid differently if someone sees ads then purchases, that might be a concern

11:42:34 [npdoty]

q?

11:42:36 [susanisrael]

nick: other might be billing based on profile of audience. do i need to keep data re: type of people who saw ad for financial reporting?

11:42:38 [npdoty]

ack npdoty

11:42:43 [jchester2]

Nick. That's what the industry calls attribution, and where a user's history and actions are tracked and stored so billing can be shared with multiple parties.

11:42:44 [npdoty]

ack rigo_

11:42:44 [Zakim]

rigo_, you wanted to respond to Ed and finding purpose limitation an option, concerned by the level of document required.

11:43:21 [susanisrael]

rigo: as the other contributor to epic thread with alan, i think thread is epic because it goes beyond financial logging, so generally alan is saying certain business practice required

11:43:55 [susanisrael]

we would pull in activity through financial reporting. my concern is that you create consortium, create standard then dissolve

11:44:00 [dwainberg]

q+

11:44:04 [Chapell]

+q

11:44:27 [susanisrael]

rigo: as soon as no requirement on business practice we open up hole in ground where other group can decide whether our docs useful or not

11:44:47 [lmastria-DAA]

q+

11:44:53 [susanisrael]

rigo: this is the concern. you have document here but can dismiss through consortium you create

11:45:03 [susanisrael]

alan: that is exactly what we are doing here

11:45:39 [susanisrael]

alan: if we here are prepared to say that standards bodies have to be ignored then that's what we are doing

11:45:40 [npdoty]

ack dsinger

11:45:40 [Zakim]

dsinger, you wanted to suggest a note on contracts and practices

11:46:22 [susanisrael]

david singer: reacting to ed's concern and reasonable man idea, and idea that contract may be a good reference but not if it's unreasonable

11:46:38 [npdoty]

ack ifette

11:47:04 [susanisrael]

david s: a large reputable auditor should be considered but this is not a get out of jail free card

11:47:18 [susanisrael]

david: it's something that you can say in your defense

11:47:22 [ChrisPedigoOPA]

+q

11:47:26 [dsinger]

add the note on the general principles (on "the data as reasonably needed, and as long as reasonably needed") – a contract or other specification might be a reference of reasonable need for the data or period, but may not suffice if its requirements are not reasonable"

11:47:26 [lmastria-DAA]

q-

11:47:30 [susanisrael]

mike z: not sure it works but couldn't agree more

11:47:46 [rigo_]

rigo_ has joined #dnt

11:47:50 [rigo_]

rigo_ has joined #dnt

11:47:52 [susanisrael]

aleecia: so non-normative text for implementation

11:48:09 [johnsimpson]

q?

11:48:10 [susanisrael]

aleecia: david has action item

11:48:15 [ChrisPedigoOPA]

-q

11:48:41 [Chris_IAB]

q- (I yielded my time to Mike Zaneis who couldn't get in the q)

11:48:54 [npdoty]

action: singer to propose non-normative text regarding contracts/other specifications

11:48:54 [trackbot]

Created ACTION-277 - Propose non-normative text regarding contracts/other specifications [on David Singer - due 2012-10-10].

11:48:55 [susanisrael]

ian: would be useful to go through practices like conversion tracking to see how they work under standard

11:49:01 [rigo_]

ack Chris_IAB

11:49:01 [Chris_IAB]

q-

11:49:06 [npdoty]

action-277: add the note on the general principles (on "the data as reasonably needed, and as long as reasonably needed") – a contract or other specification might be a reference of reasonable need for the data or period, but may not suffice if its requirements are not reasonable"

11:49:06 [trackbot]

ACTION-277 Propose non-normative text regarding contracts/other specifications notes added

11:49:16 [jchester2]

David. But industry could change the standards--and the financial crisis showed the inadequacies of leading auditing firms. So I am afraid that here will still be loopholes that permit practices that override user expectations related to the permitted uses.

11:49:20 [susanisrael]

ian: there are toher things not a standard practice that would also be interesting to review

11:49:43 [susanisrael]

ian-aleecia dialogue: first party in first example

11:49:44 [vinay]

ebates.com is an example of Ian's use case

11:49:54 [susanisrael]

aleecia: not sure these 2 are very different

11:50:14 [Chris_IAB]

what does "ack" mean rigo_ ?

11:50:20 [tlr]

"acknowledge"

11:50:24 [susanisrael]

aleecia: we have a bunch of non-normative examples here

11:50:31 [Chris_IAB]

got it, thanks

11:50:38 [johnsimpson]

q?

11:50:40 [susanisrael]

aleecia: actually we just have the note, don't yet have the examples

11:50:42 [npdoty]

Zakim, close the queue

11:50:42 [Zakim]

ok, npdoty, the speaker queue is closed

11:50:44 [dsinger]

(In IRC only as it's historical --on 'good and bad actors'). Our restrictions are for organizations that (a) wish to claim with a straight face that they comply yet (b) will take every inch of the permissions -- will 'drive right up to the fence'. Where the fence is matters a great deal for us, for those organizations. We have much less to say about organizations whose apsirations are well within the fence, and nothing to those who will go where they want and

11:50:44 [dsinger]

not care about the fence at all.

11:50:51 [tl]

-q

11:50:56 [npdoty]

ack dwainberg

11:50:59 [Simon]

It appears that the "reasonable standard" would be a rebuttable presumption so if someone was making a claim that this standard is violated then it is up to the trier of fact to determine reasonableness

11:51:05 [Chris_IAB]

dsinger, great point

11:51:29 [jmayer]

The "good actors" argument has been made again and again. Not helpful.

11:51:35 [susanisrael]

david wainberg: we have already enumerated allowed uses, and beyond that good actors don't have a desire to retain the data and bad actors will ignore standard anyway

11:51:37 [npdoty]

ack Chapell

11:52:05 [susanisrael]

alan: nick you and i were going to draw up some additional text on this--maybe first thing tomorrow? [nick yes]

11:52:06 [npdoty]

Chapell: can volunteer, to help with Nick tomorrow

11:52:20 [susanisrael]

tlr: against which text is david s's action item

11:52:31 [kj]

kj has joined #dnt

11:52:58 [susanisrael]

aleecia: i think i heard the text in action 235 does not survive, but 255 alan is suggesting he and nick try to work through so 255 goes back to open

11:53:00 [tlr]

reopen action-255

11:53:00 [trackbot]

ACTION-255 Work on financial reporting text (with nick, ian) as alternative to legal requirements re-opened

11:53:16 [tlr]

action-235: decided not to do legal requirement for financial

11:53:16 [trackbot]

ACTION-235 Draft middle way draft on permitted uses notes added

11:53:36 [susanisrael]

aleecia: they should have 2 weeks or so to go through and we still have editor's draft - any questions?

11:53:53 [susanisrael]

kathy joe: we have text pending re: market research and will put it in

11:54:09 [susanisrael]

aleecia: we are looking at financial right now

11:54:39 [susanisrael]

nick: can i clarify my understanding? i am not wedded to my text if we come up with something better

11:54:57 [susanisrael]

nick: hope we can get our action done in 24 hours

11:55:39 [susanisrael]

nick: does group think conversion tracking and audience profiling are permitted uses?

11:55:53 [jmayer]

+q

11:56:18 [susanisrael]

jeff: i think it's a very good question, i put it in irc and would like to know whether attribution is a practice under what you suggested

11:56:37 [tlr]

zakim, reopen queue

11:56:37 [Zakim]

ok, tlr, the speaker queue is open

11:57:04 [npdoty]

should we have a permitted use for these things?

11:57:20 [justin]

I'm OK with the first use case, npdoty, as a subcategory within reporting.

11:57:32 [susanisrael]

jonathan mayer: want to make sure i understood nick's question--is it are we assuming whether we have these things? ok i got clarification from irc

11:57:54 [susanisrael]

jonathan: my position is that you should not be able to collect whatever you want for these things

11:58:08 [WileyS]

Unlinkable data doesn't meet the needs in this case.

11:58:57 [npdoty]

justin, you think it would be consistent with a Do Not Track preference to track subsequent activity of an ad impression in order to bill differently?

11:59:02 [susanisrael]

mike z: we are having a discussion about permitted uses. obviously it's what david says that obviously we have permitted uses. But we are not having discussions about what type of data you need to have

11:59:08 [rachel_n_thomas]

q+

11:59:35 [susanisrael]

aleecia: there has been growing discussion re: doing all of these if data is unlinkable but ther ehas been no support for ad industry

11:59:40 [jmayer]

Chris_IAB: "If you look at the DAA, just to beat that drum a little bit more..."

11:59:41 [dtauerbach]

q+

11:59:51 [Brooks]

difficult to think about exceptions in terms of non-defined terms

11:59:52 [Chris_IAB]

what does "unlinkable" mean? We need a definition in order to evaluate and move forward

12:00:01 [susanisrael]

mike z: we have permitted uses but ......de-identification, not either/or

12:00:07 [npdoty]

s/Chris_IAB: "if you/mikez: "if you/

12:00:14 [Chris_IAB]

Aleecia, for at least a month we have asked for a definition of "linkable"

12:00:27 [jmayer]

Thanks Nick.

12:00:28 [Joanne]

Susan - I'll take over scribing

12:00:28 [susanisrael]

aleecia: these permitted uses all ok if unlinkable

12:00:48 [susanisrael]

mike z: not in scope, not permitted uses but unlinkability

12:00:53 [Chris_IAB]

npdoty, sorry, I don't understand your text?

12:01:00 [jmayer]

+q

12:01:10 [jchester2]

+q

12:01:19 [susanisrael]

aleecia: but that could be a way out if we could agree that these uses ok if unlinkable, this is not out of scope

12:01:36 [susanisrael]

mike z: so is it the same type of data to be used for permitted use:

12:01:36 [jmayer]

Mike Zaneis, please stop arguing with Aleecia and allow the queue to comment.

12:01:41 [justin]

npdoty, Yes, our proposal has allowed for this from the beginning. I understand that the user is monitored across sites, but it's a very narrow set of tracking (did action occur on this one site) for a narrow purpose.

12:01:41 [Joanne]

Mike Z: are we having a disucssion around permitted uses

12:01:52 [Joanne]

Aleecia: we are moving off of this

12:01:53 [lmastria-DAA]

q+

12:02:03 [jchester2]

-q

12:02:04 [Joanne]

Aleecia: how many in queue

12:02:06 [dtauerbach]

-q

12:02:08 [susanisrael]

aleecia: it is still within the concept of permitted uses to say you could do if unlinkable

12:02:09 [WileyS]

Jonathan, he is still discussing his item in this queue and is allowed to work through that.

12:02:11 [Joanne]

answer: 5

12:02:20 [Joanne]

Nick: down to three

12:02:26 [npdoty]

ack rachel_n_thomas

12:02:27 [susanisrael]

aleecia: pls drop from q if you think we have discussed

12:02:36 [jchester2]

I think the unlinkability issue is relevant.

12:03:11 [susanisrael]

rachel: don't see how we could say industry has not agreed to unlinkability if we haven't found defintion, and linking of that to tracking definition

12:03:21 [npdoty]

ack jmayer

12:03:23 [jmayer]

-q

12:03:27 [susanisrael]

aleecia: i ahve heard that a couple of times looking for new points

12:03:29 [jmayer]

-q

12:03:32 [rachel_n_thomas]

wq+

12:03:35 [rachel_n_thomas]

q+

12:03:41 [npdoty]

ack lmastria-DAA

12:04:01 [jmayer]

rachel_n_thomas, there is nothing new about the unlinkability proposal.

12:04:10 [susanisrael]

lou: i think we heard a couple of use cases that require data to be used in a couple of way s that are different than what is being proposed

12:04:35 [susanisrael]

lou: have trouble because we are trying to make some of these things binary

12:04:43 [efelten]

We have been discussing these issues for over a year.

12:04:49 [WileyS]

Jonathan, would you agree that we've not yet come to consensus on the definition of unlinkability and until we do so its difficult to look a Permitted Uses through that lens?

12:04:56 [jmayer]

I dropped myself from the queue.

12:05:00 [susanisrael]

lou: there are exceptions/use cases that need to be factored in

12:05:09 [susanisrael]

aleecia: we have been doing that

12:05:49 [jmayer]

WileyS, we have a range of definitions on unlinkability. Any should be adequate. There's not a dependency there.

12:05:53 [susanisrael]

aleecia: re: financial reporting. hearing this allows businesses to prove they have done what they said they would do vs. very expansive approach

12:06:01 [rigo_]

rigo_ has joined #dnt

12:06:12 [susanisrael]

also heard concerns about standards for limiting

12:06:25 [WileyS]

+q

12:06:38 [johnsimpson]

so what would be*reasonable*?

12:06:40 [rachel_n_thomas]

q+

12:06:56 [susanisrael]

david wainberg: clarification: we aren't talking about unlimited retention

12:07:05 [lmastria-DAA]

q+

12:07:17 [susanisrael]

aleecia: so what is the way out? set period for retention?

12:07:35 [lmastria-DAA]

q-

12:07:38 [WileyS]

indefinite and not defined are already not allowed

12:07:41 [npdoty]

I think we may have that text (specific to indefinite retention) in the spec already

12:07:49 [WileyS]

Please see Nick's version

12:08:02 [susanisrael]

david wainberg: but no one wants indefinite. idea of loophole to retain data forever is kind of a fairy tale

12:08:14 [susanisrael]

aleecia: but some people think that idea has validity

12:08:21 [dsinger]

q?

12:08:27 [jmayer]

David Wainberg, people in your industry have been talking about 7+ year retention.

12:08:38 [npdoty]

ack rachel_n_thomas

12:08:45 [jmayer]

That may not be unlimited, but it's close enough.

12:08:54 [jmayer]

Who is talking?

12:09:04 [jmayer]

And could she decrease her volume a bit?

12:09:05 [susanisrael]

rachel: no one wants unlimited retention: want only as long as is necessary or required by law. all of industry has already commited to it

12:09:07 [Simon]

Rachel Tomas DAA talking

12:09:27 [susanisrael]

aleecia: in global section you will find language that is similar but not as restrictive

12:09:32 [JC]

Rachel thomas DMA

12:09:34 [Zakim]

-fielding

12:09:45 [susanisrael]

rachel: but you say there are people who don't believe it

12:09:48 [jmayer]

Ok, would you mind asking her to decrease her volume a bit? Thanks.

12:09:52 [jchester2]

It's not about forever. It's kept too long for when people send DNT: 1

12:10:14 [susanisrael]

aleecia: some people feel global section not ok

12:10:26 [JC]

There is no individual way to do that

12:10:31 [jmayer]

+q

12:10:33 [efelten]

To point out the obvious, not all companies belong to DAA.

12:10:48 [WileyS]

WileyS has joined #DNT

12:10:56 [jmayer]

There are two separate issues - whether a standard is enforceable, and what the standard requires.

12:10:56 [susanisrael]

rachel: if an existing self-reg framework not sufficient what is

12:11:02 [jmayer]

I'm glad we agree on enforceability.

12:11:08 [susanisrael]

aleecia: that's what we are looking for

12:11:20 [justin]

q?

12:11:36 [jchester2]

Only if the FTC has the knowledge and political will to enforce meaningful privacy safeguards

12:11:47 [rvaneijk]

q+

12:11:55 [susanisrael]

lou: apologize that i will not offer any additional text but this is not just us based, other reg bodies not engaged

12:12:27 [susanisrael]

aleecia: queue closed

12:12:27 [dsinger]

q?

12:12:45 [WileyS]

-q

12:13:11 [justin]

I thought the proposal was Chapell works with npdoty on language.

12:13:20 [Joanne]

Susan, good job scribing this session

12:13:25 [jmayer]

-q

12:13:35 [susanisrael]

aleecia: if no concrete proposal we keep one of these texts, and decide global language ok

12:13:45 [rvaneijk]

q-

12:14:16 [susanisrael]

david w: does data minimization and retention section solve this if parties have to disclose retention period

12:14:25 [rvaneijk]

my answer to the sufficiency of data collection by 3rd parties under DAA principles is: Do Not Collect.

12:14:27 [susanisrael]

aleecia: that is the question

12:14:33 [johnsimpson]

When do you need the text proposal?

12:14:45 [Chris_IAB]

how many people think David Singer's proposal is not sufficient?

12:14:54 [susanisrael]

jeff: i will take it on to write some text will do in 2 weeks and will go to my privacy colleagues

12:15:12 [jmayer]

q+

12:15:22 [justin]

The existing language in the text is broader than the DAA requirement (requires disclosure).

12:15:22 [npdoty]

dsinger, we have proposals from Alan, from the editor's draft, from my proposal (although perhaps that won't get support)

12:15:23 [susanisrael]

jeff: are you saying default will be daa text if no alternative? then i will write it

12:15:37 [jmayer]

q-

12:15:38 [susanisrael]

aleecia: does anyone else want to help

12:15:39 [johnsimpson]

Isn't there text already from Mozilla/Stanford/EFF

12:16:02 [susanisrael]

tl: i would like to repropose the text that jonathan peter and i proposed

12:16:14 [susanisrael]

jeff: then i will withdraw my action

12:16:28 [npdoty]

I think Chapell and I are going to find time in the next 24 hours

12:16:38 [npdoty]

right, Chapell?

12:16:39 [johnsimpson]

Can we please see recap the three options?

12:16:42 [susanisrael]

aleecia: next debugging

12:16:48 [npdoty]

Topic: Debugging

12:16:50 [npdoty]

scribenick: Joanne

12:17:04 [npdoty]

thanks to susanisrael for scribing!

12:17:31 [Joanne]

Aleecia: looking for info on debugging. 6.1.1.7

12:17:31 [susanisrael]

nick, shane, my pleasure. hope i captured it

12:17:55 [Joanne]

...text from Nick.

12:18:03 [Joanne]

Nick: action 235

12:18:56 [npdoty]

Operators MAY retain data related to a communication in a third-party context to use for identifying and repairing bugs in functionality. As described in the general requirements [reference to Minimization section], services MAY collect and retain data from DNT:1 users ONLY when reasonably necessary to identify and repair errors in functionality. Services SHOULD use graduated responses where feasible.

12:19:02 [Joanne]

Nick: suggestions from last week's call to add non-normative text and normative text around that it is short term

12:19:10 [Chris_IAB]

seriously, just to be clear, industry does not retain data "forever" (what's the point of this debate then?)

12:19:12 [adrianba]

q+

12:19:18 [WileyS]

+q

12:19:40 [Joanne]

Aleecia: anything further to discuss or wait for Nick to add text. May want to discuss graduated response

12:19:41 [npdoty]

Chris_IAB, I think the concern is about retaining data too long, rather than forever

12:19:54 [Chris_IAB]

<efelten> To point out the obvious, not all companies belong to DAA (neither to the W3C)

12:20:22 [Chris_IAB]

"too long" is vague... we are saying, as long as we need it to do our legitimate business, within our rules, and as GOOD actors

12:20:37 [Chris_IAB]

good luck regulating bad actors-- they aren't here in Amsterdam

12:20:43 [efelten]

Chris_IAB, point taken. Was responding to an assertion that nothing is needed here because "the industry" is following the DAA program.

12:20:58 [johnsimpson]

Isn't most debugging by first party site?

12:21:00 [tl]

+q

12:21:08 [Joanne]

Ifette: issue is if discver a bug, you want to go back and look at log data to fix it. if small percentage of users, then may need to log additional data to track and fix bug

12:21:18 [Joanne]

...minimal scope for fixing bug

12:21:19 [npdoty]

I think we are debating a variety of business practices; behavioral targeting is a legitimate business practice that would be limited in part by DNT, for example

12:22:17 [Joanne]

Allecia: we don't have minimazation for debugging and something useful to write up

12:22:35 [Chris_IAB]

efelten, we do however have representatives from industry representing thousands of companies

12:23:03 [lmastria-DAA]

efelten: re: DAA not all, but many many do and the number continues to grow each day...our umbrella covers thousands of companies in the space in the US and internationally

12:23:18 [Joanne]

Adriaanb: purpose of text was that data minzation to capture data that was necessary

12:23:24 [rachel_n_thomas]

efelten, you're correct that no group represents every single company...but the DAA - through the associations that form it - represents more than 5,000 companies. That includes all of the major players in every sector of the online advertising ecosystem. It's the most inclusive and representative group ever created in the industry, and the only one to successfully bring all of those companies on board wiht one self-regulatory standard. No small feat.

12:23:25 [Joanne]

Aleecia: thanks for context

12:23:40 [Joanne]

Shane: disagree with graduated response in reality

12:23:50 [ifette]

q+

12:23:55 [lmastria-DAA]

q+

12:23:56 [ksmith1]

q+

12:24:00 [jmayer]

+q

12:24:01 [ifette]

q+ to give examples of additional information we may collect

12:24:09 [Joanne]

...its that information we can't predict what is going to break. there the graduated response isnt helpful

12:24:12 [npdoty]

ack adrianba

12:24:14 [npdoty]

ack WileyS

12:24:18 [amyc]

q+

12:24:41 [Joanne]

...like to understand how how this works, esp for 3rd party

12:25:12 [Joanne]

Aleecia: not all companies are the same

12:25:25 [Simon]

"should whenever reasonably possibe"

12:25:33 [amyc]

wouldn't the global principles on data minimization get us out of this box?

12:25:36 [Joanne]

Shane: Roy has helped us understand a should be interperted as a must

12:25:57 [Joanne]

...isolate this as a May

12:26:21 [ksmith1]

q-

12:26:43 [Chris_IAB]

that's just not how debugging works

12:26:49 [tlr]

tlr has joined #dnt

12:26:58 [Joanne]

Aleecia: text as it stands, Should use graduated response. then use debugging for non-DNT users. can we collect less data upfront. not all cos aren't going to do this the sames.

12:27:14 [Joanne]

...we suggest not using the phrase "graduated response"

12:27:48 [Joanne]

TL: concenr we collect data now becuase something might go wrong

12:27:49 [jeffwilson]

not only are not all companies the same, debugging scenarios differ. each scenario is by nature 'graduated'.

12:27:59 [Joanne]

Aleccia: do you have something to address that

12:28:01 [dsinger]

q+

12:28:06 [Chris_IAB]

q+

12:28:14 [ksmith1]

q+

12:28:40 [npdoty]

ack tl

12:29:05 [Joanne]

TL: suggestion substantially different from graduated response

12:29:20 [WileyS]

+q

12:29:30 [Joanne]

...may collect information necessary to resolve issue as long not used beyond that purpose

12:29:32 [jmayer]

I would note that this is a new concession. The EFF/Mozilla/Stanford proposal does not allow collection of linkable data as a graduated response to debugging.

12:29:49 [Joanne]

...security discussion around fraud and malicous behavior

12:29:53 [npdoty]

tl is suggesting that "once you have identified a problem," rather than ongoing graduated response

12:29:54 [Joanne]

not applicable here

12:30:01 [jmayer]

The latest EFF/Mozilla/Stanford text is at http://jonathanmayer.github.com/dnt-compromise/compromise-proposal.html.

12:30:06 [Joanne]

...will write up sentence in IRC write now

12:30:33 [justin]

If you're allowing for prophylactic collection for security, what is the privacy advantage of . . . what ifette is saying now.

12:30:53 [Joanne]

ifette: without reopening wounds...data may collected another use may now be used for this purpose

12:31:10 [npdoty]

action: lowenthal to suggest an alternative to debugging graduated response ('once identified a problem')

12:31:10 [trackbot]

Created ACTION-278 - Suggest an alternative to debugging graduated response ('once identified a problem') [on Thomas Lowenthal - due 2012-10-10].

12:31:14 [Joanne]

...back to Shane's point, audio example

12:31:27 [jmayer]

Justin, once you allow collection for *any* purpose, the privacy advantages of focusing on uses quickly diminish.

12:31:32 [damiano]

damiano has joined #dnt

12:31:50 [Joanne]

Aleecia wants Ian to write up something

12:32:12 [Joanne]

Aleecia: explaniation around graduated use cases and how that may work

12:32:17 [justin]

jmayer, I'm just trying to envision a scenario where data collection for debugging > data collection for security.

12:32:20 [ksmith1]

q

12:32:22 [dsinger]

q?

12:32:22 [npdoty]

action: fette to write an explanation of graduated response and a list of explanatory use cases

12:32:22 [trackbot]

Created ACTION-279 - Write an explanation of graduated response and a list of explanatory use cases [on Ian Fette - due 2012-10-10].

12:32:23 [Joanne]

ifette: say something ends up with action

12:32:27 [npdoty]

ack ifette

12:32:27 [Zakim]

ifette, you wanted to give examples of additional information we may collect

12:32:28 [ksmith1]

q?

12:32:33 [npdoty]

ack lmastria-DAA

12:32:50 [amyc]

q-

12:33:10 [Joanne]

lou: good practie inside a company but not sure if policy that needs to be pushed down. not sure worthy of full on conversation

12:33:13 [fwagner]

fwagner has joined #dnt

12:33:16 [npdoty]

ack jmayer

12:33:45 [Joanne]

Jmayer: ask for more info about debugging in general to learn more

12:33:48 [amyc]

q+

12:33:54 [npdoty]

ack dsinger

12:34:44 [dwainberg]

Is David saying that a best practice should be read as a MUST?

12:34:46 [npdoty]

dsinger, would a "SHOULD where feasible" work for that?

12:34:50 [rvaneijk]

q+

12:34:57 [npdoty]

ack Chris_IAB

12:34:58 [Joanne]

Dsinger: agree with Lou and disagree with Shane a little. Collecting data for debugging is a best practice. Document what Ian described. Collecting data for bug you are aware of to fix it then get rid of it

12:35:15 [Joanne]

Chris_IAB: lots of cos read that as a MUST

12:35:29 [tl]

npdoty, my text: "After identifying an error that impairs existing intended functionality, it is acceptable to collect additional data which may be needed to identify the cause of the error and resolve it, so long as the resolution of that error is as prompt as possible, and that the data is used only for that purpose and deleted immediately afterwards."

12:35:48 [npdoty]

action-278: "After identifying an error that impairs existing intended functionality, it is acceptable to collect additional data which may be needed to identify the cause of the error and resolve it, so long as the resolution of that error is as prompt as possible, and that the data is used only for that purpose and deleted immediately afterwards."

12:35:48 [trackbot]

ACTION-278 Suggest an alternative to debugging graduated response ('once identified a problem') notes added

12:35:56 [jmayer]

Is this the "good actors" argument again?

12:35:56 [dsinger]

maybe we need an explicit note on this 'should' explaining why it's not a must?

12:35:58 [Joanne]

...what harm are we trying to prevent in putting further restrictions on debugging

12:36:00 [adrianba]

agreed - don't think this is a SHOULD here - it's an english suggestion that it would be a good idea to only collect what is needed when it is needed

12:36:16 [tl]

Thanks, npdoty!

12:36:26 [npdoty]

action-278 pending review

12:36:33 [npdoty]

action-278 pending-review

12:37:22 [Joanne]

Aleecia: two possilbe wasy to address Should v May. 1. change the word Should. 2. provide example when graduated response does not make sense and add as non-normative text

12:37:27 [WileyS]

+q

12:37:41 [Joanne]

Chris_IAB: doesn't agree with approach. should remove the word "shoud"

12:37:42 [npdoty]

ack ksmith

12:38:03 [rachel_n_thomas]

q+

12:38:23 [amyc]

q-

12:38:42 [Joanne]

KevinS: agress with both sides. in enterprise world, graduated response is not fesible. wishes it was. however, cos are dealing with 1000's of bugs

12:39:09 [justin]

If we don't use SHOULD, I'd prefer a non-normative example using graduated response instead of MAY which is irrelevant.

12:39:13 [Joanne]

...can;t turn on off collection. not very practical

12:39:21 [WileyS]

+q

12:39:25 [npdoty]

Zakim, close queue

12:39:25 [Zakim]

ok, npdoty, the speaker queue is closed

12:39:28 [Joanne]

Aleecia: good direction.closing queue

12:40:03 [jmayer]

Many third parties don't collect ID cookies from opted-out users. They do debugging just fine.

12:40:23 [jmayer]

I'm aware of several third parties that presently use graduated response on debugging.

12:40:29 [JC]

They probably use IP info

12:40:48 [Joanne]

ShaneW: made it in the queue. 3rd parties wanting to be fast and reactive. collecting more data to determine root cause not realistic. moved beyond collection v use. graduated response is not real. strongly support moving to a "may"

12:40:55 [tl]

And you don't think you can rely on non-DNT users?

12:41:00 [jmayer]

JC, that would be OK under our proposal.

12:41:19 [Joanne]

Aleecia: alternative - don't change collection styles, but change retention

12:41:20 [Chris_IAB]

WileyS, one good example of such a company is Unicorn, Inc.

12:41:29 [johnsimpson]

q?

12:41:39 [npdoty]

WileyS, when you say we've moved beyond "collection v. use", which way do you mean that we've moved past it?

12:41:43 [johnsimpson]

Rob is breaking up

12:41:43 [npdoty]

ack WileyS

12:41:48 [npdoty]

ack rvaneijk

12:41:55 [Joanne]

Rob: quick Q. talking about debugging in a general sense or in a prod dev sense

12:42:03 [Joanne]

Aleecia: reading text

12:42:15 [tl]

+q to say "bugs"

12:42:21 [npdoty]

ack rachel_n_thomas

12:42:22 [tl]

=[

12:42:37 [adrianba]

i don't think a MAY is appropriate - we're definitely not saying graduated response needs permission in the spec - perhaps this is a non-normative suggestion?

12:42:49 [dsinger]

q+

12:42:54 [Joanne]

Rachel_N_Thomas: it should be "may". lawyers will interpert "should" as a "must"

12:42:54 [adrianba]

(i also don't think SHOULD is appropriate)

12:43:01 [Joanne]

...request it be "may"

12:43:23 [Chris_IAB]

Joanne, to clarify my audible comment, the 2nd point was that we have already agreed not to use the data for targeting, so I don't think this should be a debate any longer.

12:43:25 [Joanne]

Aleecia: "should" is a strong statement and you are hearing it correctly

12:43:33 [Joanne]

thanks Chirs

12:43:35 [schunter]

http://www.ietf.org/rfc/rfc2119.txt

12:43:36 [Joanne]

Chris

12:43:40 [npdoty]

q?

12:43:48 [schunter]

... defines the keywords SHOULD, MUST, ...

12:43:59 [Chris_IAB]

I support Rachel's request to change "should" to "may"

12:44:01 [Joanne]

Aleeica: action item to clean up text a bit

12:44:03 [dsinger]

we can avoid 'should' by being clearer "the best and safest practice is to use graduated response; an un-graduated response has some risks..."

12:44:34 [dsinger]

I do not think "may" has quite the right formal sense, either.

12:44:43 [Chris_IAB]

dsinger, good suggestion to make this non-normative best practice

12:44:46 [adrianba]

+1

12:44:48 [justin]

Yes, MAY is clearly wrong.

12:45:10 [Joanne]

Aleecia: genuie differnce on graduated response. solid text on this proposal and we'll go from there

12:45:16 [justin]

"best and safest practice is to use graduated response WHEN FEASIBLE"?

12:45:18 [Chris_IAB]

should may be should? who's on first? :)

12:45:27 [Joanne]

...break 15 minutes early and hoepfully we can keep ahead

12:45:32 [npdoty]

break early, back in half an hour.

12:45:33 [Zakim]

-johnsimpson

12:46:02 [fwagner_]

fwagner_ has joined #dnt

12:57:38 [ksmith]

ksmith has joined #DNT

13:01:21 [Simon]

Simon has joined #dnt

13:08:52 [dsriedel]

dsriedel has joined #dnt

13:11:05 [vincent]

vincent has joined #dnt

13:17:17 [johnsimpson]

are we back?

13:19:52 [vinay]

vinay has joined #dnt

13:19:52 [johnsimpson]

Cant't telephone in. says conference is "restricted"

13:21:01 [amyc]

amyc has joined #dnt

13:21:14 [ifette]

q+

13:21:24 [ifette]

zakim, open the queue

13:21:24 [Zakim]

ok, ifette, the speaker queue is open

13:21:25 [npdoty]

Zakim, open the queue

13:21:25 [Zakim]

ok, npdoty, the speaker queue is open

13:21:26 [tedleung]

scribenick tedleung

13:21:26 [amyc]

Aleecia: next discussion is user agent compliance

13:21:32 [npdoty]

scribenick: tedleung

13:21:44 [amyc]

oops, sorry ted, I will scribe next

13:21:55 [tedleung]

ok, that's fine

13:21:57 [justin_]

justin_ has joined #dnt

13:21:58 [johnsimpson]

having trouble calling in. Says conference is "restricted" and won't let me in

13:21:58 [johnsimpson]

13:22:00 [npdoty]

make sure we have the universe of issues that we need to resolve

13:22:15 [npdoty]

Zakim, who is on the phone?

13:22:15 [Zakim]

On the phone I see Telegraaf, BrendanIAB?, Jonathan_Mayer

13:22:15 [tedleung]

scribenick amyc

13:22:32 [tedleung]

npdoty: amyc will scribe, not me

13:22:39 [JBWeiss]

JBWeiss has joined #DNT

13:22:39 [tedleung]

gaaah

13:22:56 [tedleung]

me

13:22:58 [Chapell]

Chapell has joined #DNT

13:23:03 [tedleung]

since i am already the nick

13:23:30 [tedleung]

reviewing section 5 on UA compliance

13:23:31 [afowler]

afowler has joined #dnt

13:23:52 [jmayer]

dsinger and hober, how does Apple feel about a mandatory link in the browser UI?

13:24:00 [jchester2]

jchester2 has joined #dnt

13:24:01 [tedleung]

taking WileyS;s point

13:24:04 [dsinger]

q+

13:24:06 [tedleung]

pionts

13:24:10 [hwest]

hwest has joined #dnt

13:24:12 [dsinger]

-q

13:24:22 [jmayer]

*raises hand*

13:24:23 [ifette]

q+

13:24:27 [johnsimpson]

still locked out of call

13:24:32 [dsinger]

q+

13:24:34 [tedleung]

browser folks object to link to explanatory text when DNT is enabled

13:24:46 [johnsimpson]

did that and am holding for an operator....

13:24:48 [npdoty]

ack ifette

13:25:14 [WileyS]

+q

13:25:16 [tedleung]

ifette in chrome, when user checks the box, more info will be given in an additional dialog as opposed to a link to a document

13:25:18 [tl]

+q

13:25:33 [npdoty]

ack dsinger

13:25:35 [tedleung]

ifette prefer less prescription, but agree with the spirit

13:25:48 [npdoty]

s/ifette in/ifette: in/

13:25:48 [jmayer]

+q

13:25:55 [npdoty]

s/ifette prefer/ifette: prefer/

13:25:55 [WileyS]

The goal is a "pre-selection" option

13:26:00 [johnsimpson]

still holding for an operator

13:26:00 [stella]

stella has joined #dnt

13:26:21 [ifette]

q+

13:26:29 [tedleung]

dsinger don't want to stray into product / ui design. also unhappy with a MUST that says you have to explain how your product works to your users

13:26:49 [Chapell]

q+

13:26:52 [ifette]

q+ to suggest we probably want a middle ground between "a link right next to the checkbox" and "go dig in the manual"

13:27:11 [Marije]

Marije has joined #dnt

13:27:14 [npdoty]

s/dsinger don't/dsinger: don't/

13:27:18 [johnsimpson]

looks like nobody plans to answer the telephone

13:27:24 [npdoty]

ack WileyS

13:27:24 [johnsimpson]

still holding

13:27:29 [tedleung]

aleecia are you changing the MUST to SHOULD, non-normative text, or deleting?

13:27:37 [tedleung]

dsinger any of those

13:27:50 [jmayer]

Proposal: SHOULD provide users with information about Do Not Track. Don't specify the form of that information.

13:28:02 [jmayer]

Why does pre- or post-selection matter, Shane?

13:28:07 [jmayer]

One click to deselect.

13:28:10 [johnsimpson]

thanks, nick. should i hang up and call back? still getting message to hold for an operator

13:28:11 [tedleung]

WileyS the goal here is to have pre-selection means of informing the user, not a post-selection means

13:28:31 [jmayer]

We've talked about the "balance" argument before. Many in the group don't buy it.

13:28:36 [lmastria-DAA]

lmastria-DAA has joined #dnt

13:28:37 [npdoty]

q?

13:28:39 [lmastria-DAA]

q+

13:28:41 [tedleung]

WileyS goal was to bring balance between UA's and servers

13:28:44 [mikez]

mikez has joined #dnt

13:29:22 [tedleung]

aleecia I hear no disagreement with moving away from link

13:29:24 [npdoty]

violent agreement that we don't need language specific to a link

13:29:31 [johnsimpson]

Still no operator. Am hanging up and redialing...

13:29:50 [ifette]

Shane, I think what you said was "Inform the user as part of enabling" was a good way to approach this

13:29:55 [tedleung]

no one in the room in favor of link, so moving on

13:30:01 [rigop]

rigop has joined #dnt

13:30:13 [ifette]

q?

13:30:14 [tedleung]

aleecia still have a question on MUST vs SHOULD

13:30:37 [npdoty]

ack tl

13:31:15 [tedleung]

tl current test builds for Firefox have a tri-state build, but we don't think people should be forced to do this. We might find a better way, this language seems restrctive

13:31:30 [mischat1]

mischat1 has joined #dnt

13:31:37 [tedleung]

tl very worried that this will be used to rule UA's non—compliant.

13:32:01 [johnsimpson]

Nick, called back still holding for an operator to answer,

13:32:05 [tedleung]

tl this is oriented towards mouse based GUI's. What about curl or UI less extension

13:32:15 [dwainberg]

dwainberg

13:32:19 [npdoty]

q+ dwainberg

13:32:25 [tedleung]

npdoty: ok

13:32:26 [ksmith]

Tom, is that the actual text? Has anyone ever checked the box "Tell sites I want to be tracked?"

13:33:10 [johnsimpson]

Nick, any ideas?

13:33:26 [tedleung]

aleecia: if we change the MUST to SHOULD, and then give examples of best practices, give an example with no UI, and give info about DNT at the point of download, could people live with that

13:34:09 [afowler]

ksmith, the tri-state with explanatory link that Tom mentioned is still in our experimental builds and not in our full releases, yet.

13:34:15 [Chris_IAB]

cURL? Seriously Tom, what's the installed based of cURL users surfing websites?

13:34:27 [tedleung]

WileyS: concern is over making sure people understand DNT before turning it on

13:35:42 [Chris_IAB]

cURL is the use case we hinging on?

13:35:50 [tedleung]

tl: still concerned over ruling browsers non-compliant, and still feel that curl isn't covered

13:36:10 [dwainberg]

Can we have an explicit exception for Curl?

13:36:10 [mikez]

+q

13:36:21 [tedleung]

tl: don't want a situation where browser vendor says "we're compliant" and site says "no, your not"

13:36:24 [johnsimpson]

Nick, should I hang up or keep on "holding for an operator"

13:36:33 [jmayer]

Shane, we're not renegotiating the working group charter.

13:36:43 [Chris_IAB]

Shane: what's good for the goose should be good for the gander - agree

13:36:52 [justin_]

There are no UX requirements on servers.

13:36:58 [tedleung]

WileyS: we have all these rules for servers, but not allowed to have rules for UAs?

13:37:16 [johnsimpson]

Nick, so hang up?

13:37:22 [dsinger]

q+

13:37:25 [tedleung]

WileyS: we could work on the text so that curl could be covered

13:37:32 [Marc]

Marc has joined #DNT

13:37:38 [Chris_IAB]

jmayer, Shane is arguing within the working group charter, as he reads it

13:37:38 [dsinger]

q-

13:37:48 [dsinger]

three suggestions (a) 'should

13:38:00 [johnsimpson]

zakim, who is on phone

13:38:00 [Zakim]

I don't understand 'who is on phone', johnsimpson

13:38:01 [jmayer]

Chris, the working group charter explicitly excludes UI. You know that.

13:38:33 [npdoty]

Zakim, who is on the phone?

13:38:33 [Zakim]

On the phone I see Telegraaf, BrendanIAB?, Jonathan_Mayer

13:38:41 [Chris_IAB]

jmayer, We are talking about requirements, not actual UI

13:38:44 [tedleung]

tl: we can get around this by making a SHOULD suggestion that enough information is provided for a GUI Browser, a UI less extension, and, a program like curl. A combination of normative and non-normative text

13:38:49 [dsinger]

three suggestions (a) 'should' (b) 'as well documented as other user choices and operations' and (c) a gentleman's agreement not to use this as a way to deem UAs non-compliant (as a compromise on the 'should')

13:39:28 [tedleung]

WileyS: to update text

13:39:35 [npdoty]

action: wiley to draft updated text on UA requirements; explanatory text made more general; add 'prior to selecting DNT'; add examples; change MUST to SHOULD

13:39:35 [trackbot]

Created ACTION-280 - Draft updated text on UA requirements; explanatory text made more general; add 'prior to selecting DNT'; add examples; change MUST to SHOULD [on Shane Wiley - due 2012-10-10].

13:39:37 [jmayer]

Chris, if mandating a particular format (link) for information in a particular place (before clicking the DNT button) isn't a UI requirement, I don't know what is.

13:39:43 [Chris_IAB]

jmayer, general requirements don't = specifying UI

13:39:50 [justin_]

Gentleman's agreement?

13:39:58 [npdoty]

q?

13:40:14 [WileyS]

Jonathan, we already agreed to remove link

13:40:23 [tedleung]

dwainberg: was going to propose review of charter statement on UI

13:40:28 [jmayer]

I agree that, sans link, we're in scope.

13:40:38 [tedleung]

aleecia: we are walking close to the line, but not crossing it

13:40:54 [Chris_IAB]

jmayer, just because you don't understand how this fits, doesn't mean it's not a valid proposal for discussion (many here, including Shane and obviously the Chairs agree that this is something to talk about)

13:41:07 [johnsimpson]

Nick, should I hand up or keep holding?

13:41:08 [tedleung]

review of charter content around UI/UE

13:41:24 [ifette]

q-

13:41:38 [npdoty]

q?

13:41:49 [npdoty]

ack jmayer

13:41:52 [ksmith]

Shane - rather than "Prior to selecting" you might consider "Prior to enabling" or some such which would allow for Ian's suggested workflow in which turning on DNT is a 2 (or more) step process of selecting, and then accepting

13:42:02 [johnsimpson]

I'll hang up now.

13:42:14 [WileyS]

Kevin, I like that "prior to enabling"

13:42:30 [WileyS]

Kevin, consider it borrowed/stolen :-)

13:43:41 [tedleung]

jmayer: what about current implementation of help pages - is that enough for DNT?

13:43:44 [WileyS]

+q

13:44:05 [WileyS]

Jonathan, do you feel comfortable if I make an opt-in choice work in the same way?

13:44:07 [tedleung]

WileyS: does the current implementation of Firefox and IE satisfy the test

13:44:28 [johnsimpson]

Nick, please let me know when to call back.

13:45:06 [johnsimpson]

thanks for your help, I don't mean to sound impatent

13:45:06 [Chris_IAB]

tl, what does the one sentence next to the DNT check-box mean?

13:45:23 [Chris_IAB]

sorry, what does it say?

13:45:23 [jmayer]

Then I strongly object.

13:45:26 [Chris_IAB]

and mean?

13:45:29 [rvaneijk]

@WIleyS: users have made an active and informed choice to allow or disallow DNT... ?

13:45:32 [tedleung]

WileyS: it does not meet the text

13:46:16 [npdoty]

q?

13:46:23 [Chris_IAB]

tl, what I meant to ask is, "what does that sentence next to the check-box say exactly"

13:46:27 [tedleung]

aleecia: does anyone want to draft alternative text

13:46:28 [jmayer]

I can draft alternative text.

13:46:49 [dwainberg]

q-

13:46:50 [johnsimpson]

vinay, are you sharing on screen?

13:47:00 [schunter]

q?

13:47:07 [schunter]

ack Chapell

13:47:12 [WileyS]

-q

13:47:13 [tedleung]

mikez: DAA will supply alternative text

13:47:17 [johnsimpson]

vinay, thanks got it.

13:47:20 [npdoty]

Zakim, who is on the phone?

13:47:20 [Zakim]

On the phone I see Telegraaf, BrendanIAB?, Jonathan_Mayer

13:47:28 [npdoty]

Zakim, drop Jonathan_Mayer

13:47:28 [Zakim]

Jonathan_Mayer is being disconnected

13:47:30 [Zakim]

-Jonathan_Mayer

13:47:32 [npdoty]

Zakim, drop BrendanIAB

13:47:32 [Zakim]

BrendanIAB? is being disconnected

13:47:34 [vinay]

johnsimpson - sorry. didn't see your request for access. You should see her screen now

13:47:34 [Zakim]

-BrendanIAB?

13:47:36 [npdoty]

Zakim, drop Telegraaf

13:47:36 [Zakim]

Telegraaf is being disconnected

13:47:36 [tl]

Chris_IAB: The release implementation right now has a checkbox and the phrase "Tell websites I do not want to be tracked."

13:47:37 [mischat]

mischat has joined #dnt

13:47:38 [Zakim]

Team_(dnt)06:49Z has ended

13:47:38 [Zakim]

Attendees were +31.20.585.aaaa, Telegraaf, +1.714.852.aabb, fielding, BrendanIAB?, +1.310.292.aacc, johnsimpson, +1.425.214.aadd, bryan_, Jonathan_Mayer

13:48:14 [johnsimpson]

can I dial back in now?

13:48:30 [jmayer]

...so now everyone's off the call...

13:48:41 [Chris_IAB]

tl, thanks-- what does "Tell websites I do not want to be tracked" mean? Websites = ALL websites, including first party?

13:48:42 [efelten]

q?

13:48:45 [schunter]

q?

13:48:46 [Joanne]

*Nick is working in the phone issue

13:48:56 [rigop]

q?

13:49:21 [johnsimpson]

let us know when to call back in

13:49:23 [dsinger]

q+ to point out that not every UA is a browser

13:49:27 [tedleung]

Chapell: asking drafters to supply more meat around the framework in addition to the details

13:49:27 [tl]

Chris_IAB: If the box is checked, a "DNT:1" header is sent with every HTTP request.

13:49:38 [npdoty]

Zakim, move 26631 to here

13:49:39 [Zakim]

ok, npdoty; that matches Team_(privacy)13:48Z

13:49:54 [npdoty]

okay phone folks, please dial back in, and use code 26631

13:49:57 [npdoty]

sorry for the drop

13:50:02 [Chris_IAB]

tl, can you please answer my actual question?

13:50:06 [Zakim]

+Jonathan_Mayer

13:50:13 [npdoty]

Zakim, who is on the phone?

13:50:13 [Zakim]

On the phone I see Telegraaf, Jonathan_Mayer

13:50:16 [dsinger]

q?

13:50:23 [susanisrael]

to those who were on the phone, nick is working on getting you all back on

13:50:28 [tl]

Chris_IAB: I'm not sure I understand your question?

13:50:29 [Chris_IAB]

tl, I get what happens

13:50:47 [tl]

Chris_IAB: What confuses you?

13:50:50 [rigop]

ack dsinger

13:50:50 [Zakim]

dsinger, you wanted to point out that not every UA is a browser

13:50:52 [tedleung]

dsinger: not every UA is a browser: RSS feed readers, Mail UA's, etc

13:51:24 [Chris_IAB]

what I want to know, is what does Mozilla (and presumably it's users) mean by "websites" in this sentence you are using to turn on the sending of DNT:1. It's a simple question Tom.

13:51:28 [tedleung]

mikez: can't live with suggested proposal to change MUST to SHOULD

13:51:30 [dsinger]

q+

13:51:33 [johnsimpson]

do we use a different code?

13:51:41 [rigop]

q?

13:51:54 [justin_]

mikez, you just argued that SHOULD was effectively the same as MUST for graduated response :)

13:51:56 [jmayer]

Mike Zaneis, there was nothing clear about that White House "agreement." One of your own member companies thought it allows a silent default.

13:51:57 [schunter]

q?

13:52:05 [Zakim]

+johnsimpson

13:52:36 [tl]

Chris_IAB: The recipient of any HTTP request from the browser.

13:53:15 [tl]

Chris_IAB: When you check the box, Firefox tells everyone that you don't want to be tracked by sending them a signal in the form of a DNT header.

13:53:26 [johnsimpson]

q?

13:53:34 [tlr]

tlr has joined #dnt

13:53:44 [npdoty]

ack dsinger

13:53:46 [tedleung]

lmastria-DAA: forthcoming language on mobile; DAA representing many in ecosystem, browser vendors will be gaining responsibility

13:53:49 [mikez]

justin, no, I argued that browsers should have an affirmative, non subjective obligation

13:54:42 [tedleung]

dsinger: if we have rules about what browsers must present to users, then we will have to contemplate rules about what sites must present to users. at the moment we are silent. on bot h sides. it's a balance argument

13:54:58 [dsinger]

issue-150?

13:54:58 [trackbot]

ISSUE-150 -- DNT conflicts from multiple user agents -- raised

13:54:58 [trackbot]

http://www.w3.org/2011/tracking-protection/track/issues/150

13:55:23 [Chris_IAB]

tl, so ALL websites then? Since ALL websites would receive the HTTP request... So by checking your box, the user is asking that ALL WEBSITES (including first party sites) not "track" them. Ok, that's clear now, thanks. Ad industry has HUGE issue with this.

13:55:24 [WileyS]

David Singer - UAs have zero business impactful implications from DNT - having a single requirement for user disclosure prior to selecting DNT IS BALANCE.

13:55:26 [mikez]

jmayer, read this and then get back to me about whether our position on defaults are unclear - https://www.documentcloud.org/documents/445384-daa-commitment.html

13:55:45 [jmayer]

mikez, take it up with Microsoft.

13:55:57 [tedleung]

going to close 150 with: up to the browsers to resolve DNT conflicts beween multiple plugins

13:56:27 [dsinger]

it's non-compliant to send multiple headers, and it is non-compliant to send a header that does not reflect the user's intent. do we need to say more?

13:56:27 [ifette]

q+ to answer matthias' questions

13:56:30 [dsinger]

q+

13:56:41 [tedleung]

schunter: can browser plugins set headers?

13:57:28 [tl]

q+

13:57:40 [johnsimpson]

thanks for all your help, Nick

13:57:44 [dwainberg]

q+

13:57:48 [lmastria-DAA]

to dsinger: DAA has specific rules on what "sites" have to tell users and how that is accomplished

13:57:54 [tedleung]

ifette: depends on which browser. flash for example does not use the browser's network stack in some browsers. In some browsers extensions can add headers, multiple extensions can set multiple headers

13:57:56 [Zakim]

+??P31

13:58:00 [npdoty]

do I need to create action items for mikez and jmayer for proposals on UA requirements?

13:58:02 [jeffwilson]

q+

13:58:12 [ifette]

q+

13:58:34 [BrendanIAB]

Zakim, ??P31 is probably me

13:58:34 [Zakim]

+BrendanIAB?; got it

13:59:03 [npdoty]

ack ifette

13:59:03 [Zakim]

ifette, you wanted to answer matthias' questions and to

13:59:04 [tedleung]

ifette: hard to enforce "there must be only 1 DNT header"

13:59:09 [rigop]

ack ifette

13:59:18 [Chris_IAB]

ALL, if you read up, tl points out that Mozilla's UI of asking websites not to track the user, applies to ALL websites (if I read it right). That seems to be why we are having the UI discussion here.

13:59:20 [npdoty]

Zakim, who is making noise?

13:59:33 [Joanne]

Can an out of band request to confirm the user preference help in the case of multiple DNT header request?

13:59:37 [Zakim]

npdoty, listening for 10 seconds I could not identify any sounds

13:59:45 [tedleung]

dsinger: HTTP only allows on instance of a given header. Therefore it's up to the browser to ensure a single header

13:59:46 [ksmith]

q+

13:59:46 [rigop]

ack dsinger

13:59:50 [npdoty]

ack tl

13:59:52 [Chris_IAB]

q+

13:59:52 [Chris_IAB]

can we please define "user intent"?

14:00:21 [npdoty]

I believe it's already invalid, at the HTTP level, per discussion with fielding

14:00:22 [tedleung]

tl: 2 dnt headers in a single request is an invalid HTTP request

14:00:28 [rigop]

q?

14:00:33 [dsinger]

from HTTP: "Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. " this is not the case for the DNT header

14:01:03 [WileyS]

+q

14:01:48 [ksmith]

q-

14:02:02 [WileyS]

If multiple DNT signals come in the same header, DNT:0 wins.

14:02:07 [tedleung]

disagreement over HTTP compliance of multiple DNT headers.

14:02:21 [adrianba]

q+

14:02:42 [WileyS]

Similar outcome in MSFT's TPL white/black list conflict resolution (I'm in no way supporting TPLs - they are still horrible)

14:02:59 [tedleung]

aleecia: propose "UA may only send 1 DNT signal", "A transaction with 2 DNT headers is invalid and is equivalent to DNT unset"

14:03:02 [npdoty]

lmastria-DAA, can you take on the action item with Mike Z.?

14:03:23 [jmayer]

Sounds very reasonable to me.

14:03:34 [npdoty]

q?

14:03:45 [jmayer]

Language in the TPE about invalid syntax, that is.

14:04:45 [tedleung]

dsinger: whoever added the 2nd DNT header is non complient

14:04:50 [jmayer]

+q

14:05:06 [tedleung]

tl: let's not rule pieces compliant, lets just say the request is invalid

14:05:08 [jmayer]

I was totally onboard... until the multiple headers component.

14:05:18 [jmayer]

If you get multiple "DNT: 1"s, that should be "DNT: 1"

14:05:23 [justin_]

DNT: muffins = DNT unset

14:05:35 [jmayer]

Example: both browser and extension blindly add "DNT: 1"

14:05:36 [dsinger]

action: dsinger to add to the TPE that at most one DNT header is permitted in any HTTP request

14:05:36 [trackbot]

Sorry, couldn't find dsinger. You can review and register nicknames at <http://www.w3.org/2011/tracking-protection/track/users>.

14:05:43 [adrianba]

q-

14:05:44 [tedleung]

result of this discussion to go into TPE

14:05:45 [WileyS]

DNT:1, DNT:0, DNT:1 = DNT:<null>

14:05:57 [npdoty]

action: singer to add to the TPE that at most one DNT header is permitted in any HTTP request (issue-150)

14:05:57 [trackbot]

Created ACTION-282 - Add to the TPE that at most one DNT header is permitted in any HTTP request (issue-150) [on David Singer - due 2012-10-10].

14:06:13 [tl]

WileyS: well, not DNT:<null>, just not DNT header.

14:06:36 [johnsimpson]

Sounds good

14:06:40 [jmayer]

I would like to volunteer to draft alternative text.

14:06:48 [npdoty]

aleecia: if we're fine with that text, then we'll close issue-150

14:07:00 [WileyS]

tl, fair

14:07:02 [jmayer]

We do not have agreement on duplicate headers for ISSUE-150.

14:07:03 [npdoty]

action-282: if this text goes through, we can close issue-150

14:07:03 [trackbot]

ACTION-282 Add to the TPE that at most one DNT header is permitted in any HTTP request (issue-150) notes added

14:07:08 [tedleung]

issue-153?

14:07:08 [trackbot]

ISSUE-153 -- What are the implications on software that changes requests but does not necessarily initiate them? -- raised

14:07:08 [trackbot]

http://www.w3.org/2011/tracking-protection/track/issues/153

14:07:17 [tl]

+q

14:07:23 [schunter]

The statement that aleecia made is different: She concluded: If you have multiple DNT headers (no matter what they contain), the http request is invalid (and a 505 error will be returned9.

14:07:24 [justin_]

jmayer, David already volunteered, do you want to write an alternative?

14:07:46 [npdoty]

my proposal with dave singer: http://lists.w3.org/Archives/Public/public-tracking/2012Aug/0001.html

14:07:46 [jmayer]

Yes.

14:07:49 [BrendanIAB]

q+

14:07:50 [WileyS]

Matthias, that's not what we all just agreed to

14:08:00 [dsinger]

issue-153?

14:08:00 [trackbot]

ISSUE-153 -- What are the implications on software that changes requests but does not necessarily initiate them? -- raised

14:08:00 [trackbot]

http://www.w3.org/2011/tracking-protection/track/issues/153

14:08:08 [tl]

I think Aleecia just mis-stated it.

14:08:13 [npdoty]

action: mayer to draft an alternative for multiple DNT headers (issue-150)

14:08:13 [trackbot]

Created ACTION-283 - Draft an alternative for multiple DNT headers (issue-150) [on Jonathan Mayer - due 2012-10-10].

14:08:16 [npdoty]

q?

14:08:20 [rachel_n_thomas]

q+

14:08:21 [npdoty]

ack dwainberg

14:08:22 [npdoty]

q+

14:08:58 [npdoty]

I don't believe there is any such encompassing piece of software.

14:09:03 [dsinger]

q+

14:09:12 [tedleung]

dwainberg: i submitted some text around this to ensure that user choice is reflected

14:09:20 [dwainberg]

"A UA that allows or enables other software to alter the DNT setting MUST ensure that such alteration reflects the user's intent."

14:10:10 [tedleung]

aleecia: we are looking at going beyond a UA. A UA or anything else that sets DNT

14:10:15 [tedleung]

objections from the room

14:10:24 [npdoty]

ack jeffwilson

14:10:26 [rigop]

rigop has joined #dnt

14:11:12 [tedleung]

jeffwilson: referring to multiple DNT header situation, is that true in relation to the JS API?

14:11:32 [tedleung]

dsinger: that can't happen

14:12:26 [WileyS]

Issue - 143: requires naming the setter of the DNT signal

14:12:51 [npdoty]

what are the objections in the room to moving towards requirements beyond the user agent?

14:13:00 [ifette]

q+

14:13:19 [npdoty]

issue-116?

14:13:19 [trackbot]

ISSUE-116 -- How can we build a JS DOM property which doesn't allow inline JS to receive mixed signals? -- pending review

14:13:19 [trackbot]

http://www.w3.org/2011/tracking-protection/track/issues/116

14:13:26 [dsinger]

the objection is that whatever is behind the HTTP end-point is opaque and out of scope, and it's a waste of time to discuss it.

14:13:50 [ksmith]

q?

14:13:55 [tedleung]

tl: the API's that we currently have defined do not have a consistency problem. We haven't figured out how to build the API in issue-116.

14:15:03 [npdoty]

issue-116 is pending review because I think we actually do have it resolved, and we include language noting that a JS API signal won't guarantee a future value of a DNT header, which governs

14:15:32 [tedleung]

aleecia: AVG was the driver for issue 153

14:15:47 [adrianba]

q?

14:15:57 [tedleung]

dsinger: that's a poorly engineered UA

14:16:26 [Marc]

Marc has joined #DNT

14:16:41 [ksmith]

Tom - I think the question I heard from Jeff (correct me if I am wrong Jeff) - if there are multiple headers (say both a DNT:1 and DNT:0), thereby making the DNT request invalid, will the JS API also get an invalid response, or will it get a 1 or 0?

14:16:47 [rigop]

ack Chris_IAB

14:16:48 [npdoty]

ack Chris_IAB

14:16:56 [dsinger]

-q

14:16:57 [jmayer]

Chris, please stop interrupting. It's very difficult to follow.

14:17:18 [jeffwilson]

ksmith, overall question about getting status of conflicting preferences, regardless of the source

14:17:31 [jeffwilson]

in all such cases, should be treated as dnt not set

14:17:45 [tedleung]

Chris_IAB: do we have a common definition of user expectation?

14:18:02 [jmayer]

Chris, this is totally off-topic.

14:19:12 [rigop]

issue-153?

14:19:12 [trackbot]

ISSUE-153 -- What are the implications on software that changes requests but does not necessarily initiate them? -- raised

14:19:12 [trackbot]

http://www.w3.org/2011/tracking-protection/track/issues/153

14:19:15 [justin_]

q?

14:19:29 [jmayer]

Chris, please stop fighting with the chair.

14:19:32 [dsinger]

q?

14:19:32 [justin_]

qq

14:19:35 [npdoty]

ack WileyS

14:19:37 [amyc]

amyc has joined #dnt

14:19:43 [dsinger]

issue-143?

14:19:43 [trackbot]

ISSUE-143 -- Activating a Tracking Preference must require explicit, informed consent from a user -- raised

14:19:43 [trackbot]

http://www.w3.org/2011/tracking-protection/track/issues/143

14:20:03 [tedleung]

WileyS: issue-143 is related. It is difficult for one UA to know what another UA is doing

14:20:15 [amyc]

ted, let me know when you want me to take over

14:20:18 [amyc]

scribing

14:20:32 [justin_]

scribenick: amyc

14:20:32 [tedleung]

let me finish this part out

14:20:41 [justin_]

scribenick: tedleung

14:20:48 [jmayer]

q+ later

14:20:52 [jmayer]

q-

14:21:04 [dsinger]

to WileyS: the user-agent header tells you what the user-agent is.

14:21:12 [tedleung]

discussions about whether issue-143 should come over from TPE

14:21:16 [npdoty]

ack tl

14:21:17 [Brooks]

q?

14:21:18 [jeffwilson]

q+

14:21:21 [Chris_IAB]

dsinger, you asserted the notion of "user expectation" in your argument. I asked if there was a definition for "user expectation" (since it's so commonly used here, but in many different contexts, and can be confusing)

14:21:55 [dwainberg]

q+

14:22:00 [WileyS]

dsinger, not true, installed software can overwrite UA settings and make it appear as if its still coming from the UA. For example, AVG. :-)

14:22:18 [Chris_IAB]

since I was cut off by the chair, can someone here please point me to the definition or tell me that there is not one?

14:22:43 [dsinger]

to WileyS: But your complaint is then to the user-agent that allowed that to happen. THAT is what terminated the HTTP transaction.

14:22:45 [rigop]

q?

14:22:52 [Chris_IAB]

to be clear, is there a definition of "user expectation"?

14:22:54 [tedleung]

tl: Browser vendors cannot vet their add-on's. All addon's should convey user intent - different addon's ascertain intent via different mechanisms.

14:22:55 [ifette]

ISSUE-153?

14:22:55 [trackbot]

ISSUE-153 -- What are the implications on software that changes requests but does not necessarily initiate them? -- raised

14:22:55 [trackbot]

http://www.w3.org/2011/tracking-protection/track/issues/153

14:22:56 [Chapell]

q+

14:23:08 [Marc]

q+

14:23:25 [vincent]

Chris_IAB, I remember at least one paper mentioned about user expection of DNT mention during princeton workshop and then some recall during santa clara meeting

14:23:32 [lmastria-DAA]

follow up to Chris_IAB: this discussion was suspended without all of the stakeholders in the q were heard

14:23:46 [adrianba]

WileyS, we're only allowed to use APIs in IE to store settings in Windows that any other software is allowed to use - we can't prevent other people calling them

14:23:47 [Chris_IAB]

vincent, can you please point to the definition in this doc?

14:23:56 [tedleung]

tl: i have no objection to clarifying

14:23:57 [npdoty]

ack BrendanIAB

14:24:19 [Chris_IAB]

vincent, that's what I'm looking for-- a definition in of "user expectation" in this document

14:24:33 [efelten]

The record shows who was allowed to speak in that session, and who spoke how often.

14:24:50 [rigop]

I think that defining "user expectation" is boiling the ocean

14:25:26 [Chris_IAB]

efelton, the record does not reflect that the chair cut me off before I was done making my point, because she didn't understand the point I was trying to make, and decided it was off topic

14:25:37 [vincent]

agree with rigo, defintion would not be stable at all and varies for each user

14:26:12 [rachel_n_thomas]

efelten, the record shows that chris and i were both in the queue and were cut off without being given the opportunity to speak to the issue raised at the time we entered the queue. TPWG is not following its own processes, let alone those of W3C's process document.

14:26:21 [Chris_IAB]

rigop and vincent, then we should remove it from the documents -- if we can't define something, it shouldn't be in the document (context is everything)

14:26:33 [amyc]

that argues against using user expectation in docs, or in justifications

14:27:15 [rachel_n_thomas]

removing myself from the queue, i want to know that there seems little point in trying to closely follow the W3C / TPWG processes if the chairs do not comport with them in their management of the meeting.

14:27:20 [rachel_n_thomas]

q-

14:27:23 [rigop]

Chris_IAB: it says currently: "We do not specify how tracking preference choices are offered" so this is the verbose claim of not defining anything

14:27:39 [rvaneijk]

@rachel: you can paste what you want to say in IRC or post it to the mailing list. Anything decided in the meetings here will need to go through the mailinglist anyways.

14:28:17 [npdoty]

Zakim, close queue

14:28:17 [Zakim]

ok, npdoty, the speaker queue is closed

14:28:20 [tedleung]

BrendanIAB: browser plugins are like a new/2nd class of intermediary, should we be viewing this through the lens of intermediary compliance?

14:28:22 [justin_]

ack npdoty

14:28:24 [Chris_IAB]

rigop and vincent- if we can't agree to talk "apples and apples" in this forum, especially with all the language barriers, then it's work product will be clouded. What's wrong with nailing down definitions of terms commonly used in the documents and in discussions/debates/arguments?

14:28:36 [rachel_n_thomas]

if we are allowed to entere the queue, we should be allowed to speak.

14:28:38 [npdoty]

http://lists.w3.org/Archives/Public/public-tracking/2012Aug/0001.html

14:28:43 [rigop]

Aleecia: Intermediary compliance is a good topic for the mailing list <= me agrees

14:29:54 [dsinger]

from HTTP 1.1 "user agent

14:29:55 [dsinger]

The client which initiates a request. These are often browsers, editors, spiders (web-traversing robots), or other end user tools."

14:30:00 [BrendanIAB]

dsinger - what is the scope of "these requirements"?

14:30:07 [dsinger]

notes that that does NOT include plug-ins

14:30:08 [justin_]

I think existing text already does that, but fine adding this too.

14:30:13 [tedleung]

npdoty: submitted language around software that modifies the DNT header needing to preserve the user intent

14:30:14 [hwest]

hwest has joined #dnt

14:30:24 [jmayer]

I would like to suggest best practice language.

14:30:38 [ifette]

q?

14:31:04 [rachel_n_thomas]

Rehashing an earlier conversation from Chris_IAB and tl in order then respond to it in IRC... [15:48] <Chris_IAB> tl, thanks-- what does "Tell websites I do not want to be tracked" mean? Websites = ALL websites, including first party? [15:49] <tl> Chris_IAB: If the box is checked, a "DNT:1" header is sent with every HTTP request. [15:51] <Chris_IAB> what I want to know, is what does Mozilla (and presumably it's users) mean by "websites" in this sentence

14:31:10 [jmayer]

If software affects the DNT setting for other software, it is a best practice to clearly explain that to the user.

14:31:17 [npdoty]

ack ifette

14:31:18 [dsinger]

to BrendanIAB: the requirements are on all HTTP request headers. They must contain at most one DNT header which must reflect the user's intent.

14:31:35 [Chris_IAB]

so rigop, in response to your "We do not specify how tracking preference choices are offered", a valid user agent could say "I don't like pink unicorns" and the agent can send DNT:1? Is that acceptable to you?

14:31:49 [tedleung]

ifette: propose not allowing other software to modify the header

14:32:08 [Marije]

Marije has joined #dnt

14:32:09 [jmayer]

*hand up*

14:32:17 [rigop]

Chris_IAB: sure, have you seen the opera bork browser? It is valid

14:32:17 [tedleung]

dsinger: propose the null proposal

14:32:20 [dsinger]

to ifette: but that again is a rule for the user-agent author to write. don't modify existing headers

14:32:21 [rachel_n_thomas]

[15:55] <Chris_IAB> tl, so ALL websites then? Since ALL websites would receive the HTTP request... So by checking your box, the user is asking that ALL WEBSITES (including first party sites) not "track" them. Ok, that's clear now, thanks. Ad industry has HUGE issue with this.

14:32:24 [johnsimpson]

+1 David Singer

14:32:43 [rigop]

Chris_IAB: normal language can also be used to tell nonsense

14:32:43 [tedleung]

jmayer: see my IRC proposal

14:32:58 [npdoty]

action: fette to propose barring other software from altering a DNT signal if the browser already set it

14:32:58 [trackbot]

Created ACTION-284 - Propose barring other software from altering a DNT signal if the browser already set it [on Ian Fette - due 2012-10-10].

14:33:34 [rachel_n_thomas]

Want to reiterate that this is a huge issue for the entire ad industry. I cannot object more strenuously to tl's understanding that ALL websites would be required not to track (including first party) when box is checked.

14:33:35 [rigop]

q?

14:33:39 [rigop]

ack jmayer

14:33:40 [tedleung]

amyc: over to you

14:33:44 [ifette]

q?

14:33:48 [tedleung]

scribenick: amyc

14:33:49 [npdoty]

action: mayer to propose non-normative text to add on to action-231 (with nick)

14:33:49 [trackbot]

Created ACTION-285 - Propose non-normative text to add on to action-231 (with nick) [on Jonathan Mayer - due 2012-10-10].

14:34:06 [amyc]

Aleecia: quite a thread on unlinkability, disheartening

14:34:22 [amyc]

... have two world views on unlinkable

14:34:28 [npdoty]

jeffwilson, dwainberg, Chapell, Marc -- if you have more comments on 153 but not new action items, maybe you can follow up with us over coffee or dinner?

14:34:29 [npdoty]

q?

14:34:41 [npdoty]

Topic: Unlinkability

14:34:48 [amyc]

... as a group, haven't talked about Shane's proposal; EFF proposal was reviewed in DC

14:34:51 [npdoty]

q=

14:35:03 [npdoty]

Zakim, open the queue

14:35:03 [Zakim]

ok, npdoty, the speaker queue is open

14:35:05 [npdoty]

q=

14:35:10 [npdoty]

queue=

14:35:25 [npdoty]

scribenick: amyc

14:35:43 [amyc]

Shane: end goal is that resulting data (not raw form) then take unique identifiers like cookies and IP addresses

14:35:53 [dsinger]

to Rachel: we should chat about why the DNT header is sent to everyone, even though what it means varies depending on whether you are first or third party

14:36:06 [amyc]

... undergo one way hash, so that resulting info cannot be linked back to original production idenfiers

14:36:09 [jmayer]

+q

14:36:14 [dtauerbach]

q+

14:36:16 [efelten]

+q

14:36:30 [tl]

+q

14:36:40 [amyc]

... notes that there are technical discussions about hashing, but end goal is that info cannot be used directly to link back to production system

14:37:03 [amyc]

... not meant to say that can't be associated to real world user or browser, wouldn't affect

14:37:16 [ifette]

q+ clarifying question to shane

14:37:23 [ifette]

q+ to ask clarifying question to shane

14:37:33 [amyc]

... 32 byte idenfiier, one way hash, could rotate

14:37:50 [ifette]

when you say "not tied to a production system" i assume what you mean is being able to link back to a given user or computer?

14:37:55 [amyc]

... result may be longer or shorter in byte length, but would not link back to original idenfier

14:38:09 [jmayer]

+q

14:38:19 [amyc]

Aleecia: two options in text 3.6.1 and 3.6.2

14:38:45 [amyc]

... goes to queue, but need to end at 545

14:38:51 [rvaneijk]

q+

14:38:57 [amyc]

... please keep civil

14:39:15 [npdoty]

ack jmayer

14:39:26 [lmastria-DAA]

q+

14:39:50 [amyc]

jmayer: what exactly does unlinkability mean? what should not be linked after hash?

14:40:09 [amyc]

... user ID from data, or ability to connect various actions

14:40:27 [Chris_IAB]

rigop, are you serious that if the UI of a DNT UA says "I don't like pink unicorns", you would consider this a valid UI for the W3C? I want to ensure I got this right...

14:40:57 [amyc]

... which would be unlinking with respect to browser, but questions whether one way hash would make more difficult to connect to original source of data

14:41:14 [amyc]

... but would retain linkability across events or sessions

14:41:49 [amyc]

... seems like tension between one way hashes OK, but saying that OK to connect across sessions

14:42:17 [amyc]

Shane: connection back to device or browser, looking at maintaining longitudinal connection

14:42:31 [amyc]

... major goal is delinking from production sets

14:42:45 [vincent]

q+

14:42:49 [jmayer]

q+

14:43:04 [Rene]

q+

14:43:04 [jmayer]

Can I follow up on that with another technical clarifying question?

14:43:06 [amyc]

... so could not affect user in real world, but could be used to maintain value of data

14:43:42 [amyc]

... differences between option one and option two, difference in granularity, but maintain value of data while addressing harms

14:44:30 [amyc]

Aleecia: how does this fit into document, this is data that is outside of DNT, anyone can use without worrying about permitted use

14:44:38 [amyc]

... not replacement for actually reading doc

14:44:48 [npdoty]

while there may be several differences between Option 1 and Option 2, the key question seems to be whether the data can't be re-linked, or isn't linkable back to the production identifier?

14:44:57 [npdoty]

ack dtauerbach

14:45:24 [Chris_IAB]

rigop, just want to make sure you don't miss my question (above): are you serious that if the UI of a DNT UA says "I don't like pink unicorns", you would consider this a valid UI for the W3C? I want to ensure I got this right...

14:45:37 [amyc]

dtauerbach: two separate definitions, what Shane is describing requires prior state, this is more like hashed data, need common sense definition

14:46:00 [dsinger]

q?

14:46:03 [npdoty]

ack efelten

14:46:05 [amyc]

Aleecia: option one should be named something else?

14:46:33 [amyc]

efelten: linkability back to original identifier vs to user or device, need to understand distinction

14:46:50 [schunter]

Chris: My take is that the preference collected via the "pink unicorn" UI (if used alone) would not satisfy the requirement that the resulting DNT values are reflecting the (unbiased) user preference.

14:47:06 [johnsimpson]

Shane, why wouldn't the 'should' in the last sentence be a 'MUST'

14:47:23 [schunter]

note: "Chris" meant "response to chris" not anything chris said.

14:47:27 [amyc]

Shane: one is unlinkable to production systems, so that even if using unique cookie, when you hash then info could not be associated with that user in real world

14:47:36 [schunter]

q+ aleecia

14:47:37 [npdoty]

s/Chris: My/Chris, My/

14:47:48 [jmayer]

Shane: is this a technical claim you're making?

14:47:53 [amyc]

... but could be used longitudinally across data set, identifiers simply don't relate back to real world

14:47:54 [npdoty]

ack tl

14:48:02 [npdoty]

s/Shane: is/Shane, is/

14:48:05 [jmayer]

Because one-way hashing does not provide the technical properties you described.

14:48:09 [WileyS]

Jonathan, I'm not sure I understand your question

14:48:10 [dsinger]

…wonders if what we want is data that is detached from any specific user, user-agent, or device. maybe we are using the wrong term of art?

14:48:25 [amyc]

tl: thinks that all of the privacy folks are thinking about academic definition of unlinkable

14:48:28 [npdoty]

ack ifette

14:48:28 [Zakim]

ifette, you wanted to ask clarifying question to shane

14:48:29 [jmayer]

Are you claiming that one-way hashing prevents associating production data with hashed data?

14:48:49 [npdoty]

tl, so is your concern just with the name "unlinkable"?

14:49:00 [dtauerbach]

q+

14:49:00 [amyc]

ifette: even in academic community it is difficult to determine or define whether data set is re identifiable

14:49:45 [Marc]

Question for clarification for Dan. Was Dan proposing that neither options are appropriate or that 3.6.1 is the right option? I simply didn't follow.

14:49:47 [amyc]

... this is unsolved problem, so best thing that we can do is de-identify to do one way hash, not a strict guarantee that there is no technical way to re-associate

14:50:09 [amyc]

Aleecia: dumping cookies is not part of what Shane is associated

14:50:12 [Rene]

q-

14:50:19 [amyc]

... where dumping is equivalent of deletion

14:50:46 [WileyS]

Jonathan, if you look at the larger definition there is a further restriction to NOT attempt to link unlinked data with linkable data. There will always be ways to break encryption given the appropriate tools and access. If I give you a list of data records (breach/gov't request) that has been "unlinked" you, with only that data, be able to re-identify that data.

14:51:04 [efelten]

It would be useful to have some non-normative text giving examples that we can agree are still linkable, and some that are definitely unsinkable.

14:51:05 [Chris_IAB]

npdoty, point of clarification please: how do we (DAA and DMA) open an action item?

14:51:06 [WileyS]

would not be able

14:51:06 [Chris_IAB]

npdoty, a new action item?

14:51:12 [amyc]

rvaneijk: if goal is to de-anonymize so that law does not apply, will be difficult case for NL and EU, Second proposal addresses technical and organizational measures

14:51:19 [npdoty]

ifette, the definitions suggest certain levels of confidence or use of legal means to prevent re-identifiability; but it seems like Shane's intent is not to prevent re-identifiability

14:51:20 [WileyS]

ed, "unsinkable" - LOL

14:51:36 [ifette]

npdoty, that's a fair assessment

14:51:38 [johnsimpson]

Shane, did you see my question about "should" vs "must"?

14:51:53 [amyc]

... may still be considered personal data, also concerned about safeguards for further uses

14:52:01 [rigop]

rigop has joined #dnt

14:52:04 [ifette]

npdoty, i think all we can do is say "de-identify the data you have collected" e.g. one-way salted hash of cookies, not "guarantee the data could not be reidentified in any manner"

14:52:05 [WileyS]

John, I didn't - speaking so unable to watch IRC at the same time - what is your question?

14:52:27 [susanisrael]

i understood shane to be discussing preventing the likelihood but not the absolute possibility of de-identification.

14:52:31 [amyc]

... if go with option one, still need to comply with laws. but in option two, then that would not be personal info

14:52:34 [johnsimpson]

Why not a "Must" in item 3 instead os "should"?

14:52:35 [efelten]

Ian, I think that's what the "reasonable" in some definitions is trying to address

14:52:35 [WileyS]

Susan - spot on

14:52:45 [npdoty]

Chris_IAB, we can open action items for any DAA or DMA folks that are listed as participants in the group (currently Luigi, Rachel, respectively)

14:53:01 [amyc]

Aleecia: what would work in EU?

14:53:28 [npdoty]

Chris_IAB, which we can do from IRC or from https://www.w3.org/2011/tracking-protection/track/actions/new

14:53:38 [susanisrael]

if there is no solution, how can we meet the standard?

14:53:41 [jmayer]

q?

14:53:42 [Chris_IAB]

npdogy and rachel_n_thomas, thank you Nick.

14:53:58 [npdoty]

Chris_IAB, I suggested that we open an action on Luigi for something that Mike Z volunteered to do

14:53:59 [npdoty]

q?

14:54:02 [npdoty]

ack rvaneijk

14:54:04 [amyc]

rvaneijk: not really a solved problem in academia, process of anonymization still tricky, concerned about "reasonable" not being prescriptive, doesn't have solution

14:54:05 [npdoty]

ack lmastria-DAA

14:54:18 [johnsimpson]

Shane, Why not a "Must" in item 3 instead of "should"?

14:54:35 [amyc]

lmastria: tend to look at one issue at a time, would fall under many different regimes

14:54:52 [amyc]

... additional legal protections

14:55:13 [amyc]

... thinks that one way hash is a solution, but don't think that would work for everyone

14:55:13 [kj]

q+

14:55:25 [rvaneijk]

option 1: data protection law applies, also for permitted uses: ie companies still need a legal ground. option 2: if done correctly, we are not dealing with (in)direct identifyable data anymore.

14:55:45 [amyc]

... plenty of industries where much more senstive data is de-identified and kept for long periods of time (medical, education)

14:56:14 [amyc]

... no harms come out of those, don't discount, simply because of fear of unknown, needs to be practical solvable solution

14:56:34 [amyc]

... DAA has specific text on de-identified data, could draft up and send along

14:56:56 [amyc]

... companies working on indirect identification, would boil the ocean

14:57:14 [WileyS]

John, SHOULD due to the level of detail required to find the balance between not giving too many details to help bad guys figure out what you're doing and enough information for you and others to understand our approach generally.

14:57:15 [amyc]

Aleecia: not talking about security, separate issue

14:57:23 [efelten]

q?

14:57:25 [amyc]

q+

14:57:57 [amyc]

vincent: hashing cookies and IP addresses, what about info in referral, personal info in referrer

14:58:09 [npdoty]

action: luigi to propose DAA text regarding de-identification (for unlinkability discussion)

14:58:09 [trackbot]

Created ACTION-286 - Propose DAA text regarding de-identification (for unlinkability discussion) [on Luigi Mastria - due 2012-10-10].

14:58:50 [amyc]

shane: at yahoo look at suspected PII in headers, and transforms, websites shouldn't be sending PII in referrers

14:59:12 [amyc]

... best efforts should be made

14:59:15 [npdoty]

ack vincent

14:59:20 [amyc]

Aleecia: can text reflect that?

14:59:32 [amyc]

Shane: previously drafted non normative text

14:59:40 [WileyS]

John, remember SHOULD in this case means you should do it unless you have a good reason not to

15:00:22 [npdoty]

action: west to update unlinkable with non-normative text from Shane

15:00:22 [trackbot]

Created ACTION-288 - Update unlinkable with non-normative text from Shane [on Heather West - due 2012-10-10].

15:00:24 [npdoty]

q?

15:00:26 [johnsimpson]

Shane, seems to me ought to be a MUST on transparency, because you have the qualifier "to the extent it will not provide confidential details...

15:00:28 [npdoty]

ack jmayer

15:00:31 [rigop]

rigop has joined #dnt

15:01:00 [amyc]

jmayer: first, with response to technical claim that one way hash would mean unusable in production systems, not accurate

15:01:14 [ifette]

that would be why you drop the key

15:01:14 [amyc]

... as long as still have key, just one operation to reassociate

15:01:31 [amyc]

... could have dictionary list of hash matches

15:01:34 [ifette]

what jonathan is describing is not at all what shane/others are describing

15:01:50 [justin_]

ifette, you can't drop the key if you're doing longitudinal research

15:01:53 [amyc]

... second, likes DAA language

15:01:56 [justin_]

ifette, right?

15:02:01 [amyc]

... prefers FTC language

15:02:06 [ifette]

justin, that would depend on the timeperiod

15:02:28 [ifette]

e.g. are you hashing with a salt you drop after 1 day, or do you do this on a 90-day or N-day period

15:03:01 [npdoty]

q?

15:03:02 [justin_]

ifette, sure, but WileyS's language doesn't seem to envision a time limitation

15:03:10 [amyc]

lmastria: if not going down harms road, let's not go down path of speculating

15:03:12 [jmayer]

I didn't understand that last comment.

15:03:37 [amyc]

aleecia: not as chair, other than data breach, is there a big difference practically between these two?

15:04:01 [efelten]

q?

15:04:02 [amyc]

... just hard, as opposed to k-anon option

15:04:06 [efelten]

q+

15:04:14 [npdoty]

ack aleecia

15:04:25 [amyc]

... may be cross-linked data, but a problem in both options

15:04:35 [tl]

+q

15:04:38 [jmayer]

The second part of my comment: I don't understand how Shane's proposal aligns with the DAA text. It seems like a much more rigorous requirement than what Shane's proposed.

15:04:50 [amyc]

Shane: primary difference is that option 2 forces much stronger anon end state

15:05:02 [ifette]

not 1024 buckets

15:05:05 [ifette]

100M / 1024

15:05:06 [amyc]

... but it limits usefulness of data

15:05:07 [tl]

+q to say that there's a big difference in secondary use risks which aren't leaks

15:05:08 [ifette]

(approx)

15:05:39 [amyc]

... correct that you could look back after hashing, but spec says that you can't do that

15:06:27 [amyc]

.. focus on one is breaking conneciton with prod data, the focus on two is significant less value

15:06:27 [jmayer]

Data breach is far from the only concern.

15:06:41 [jmayer]

Access or use by anyone.

15:06:47 [amyc]

Aleecia: if change keys, then also losing value?

15:06:54 [jmayer]

I imagine government access, for example, weighs on the mind of some.

15:07:14 [amyc]

Shane: yes, matters when you hash, when you rotate hash, each time boundary will impact how you use info and value going forward

15:07:18 [JC]

The govt can get the data anyway

15:07:36 [amyc]

Aleecia: does anyone disagree with Shane's description?

15:07:40 [jmayer]

+q

15:07:50 [amyc]

ifette: how different are these to implement, or risk to user?

15:08:07 [vincent]

I beleive using public comments that are posted on webstie, it is is enough to deanonymize the browsing history of someone

15:08:25 [amyc]

... not much difference in risk to user

15:08:26 [jmayer]

I disagree.

15:08:38 [amyc]

Aleecia: so other than breach, no difference to users?

15:08:55 [amyc]

tl: many types of data sharing and disclosure, outside of breach

15:09:16 [amyc]

... for example, company is acquired or sharing info with affiliates

15:09:17 [susanisrael]

q+

15:09:44 [amyc]

... really, this is transofrming data, as opposed to k-anon

15:10:03 [WileyS]

Vincent, fair - how often has that occurred in the real-world with 3rd party ad serving data?

15:10:05 [rigop]

rigop has joined #dnt

15:10:05 [npdoty]

ack dtauerbach

15:10:12 [amyc]

dtauerbach: need to have a real standard, rather than some sort of hash

15:10:17 [adrianba]

q+ rigo

15:10:19 [amyc]

... option two makes more sense

15:10:43 [amyc]

Aleecia: can we adjust to make more acceptable, need to have complete understanding

15:10:49 [tl]

ack tl

15:10:49 [Zakim]

tl, you wanted to say that there's a big difference in secondary use risks which aren't leaks

15:11:03 [amyc]

... may be ways to address breach and other concerns with option one

15:11:12 [npdoty]

ack kj

15:11:34 [amyc]

kj: concerned about going into technical implementatin, technology will change quickly

15:11:57 [KevinT]

KevinT has joined #dnt

15:11:58 [amyc]

... DPR has proportionality and balance of interest, we should take that into account

15:12:15 [amyc]

... supports research, while being careful about security and linkability

15:12:26 [rigop]

rigop has joined #dnt

15:12:26 [rvaneijk]

the text Kathy is putting forward applies to SCIENTIFIC RESEARCH, not commercially data use

15:12:46 [vincent]

WileyS, as far as I am aware of, there has not been any concrete example, but someone inside the ad-network could easily do it... and I would still not be aware of it

15:12:52 [amyc]

Aleecia: we should try to avoid specific text, focus on outcomes

15:12:55 [npdoty]

ack amyc

15:12:58 [npdoty]

scribenick: npdoty

15:13:02 [ifette]

q+

15:13:03 [eberkower]

Kathy IS talking about research - "market research"

15:13:16 [npdoty]

amyc: echo Shane and Kathy in proportionality and value of the data

15:13:45 [npdoty]

... for a voluntary standard that is not required to implement, please implement this (even though your competitors might not), want to entice as many as possible to implement

15:13:54 [Simon]

+q

15:14:12 [npdoty]

... language in there about protecting intellectual property

15:14:14 [dtauerbach]

let's get into the nitty gritty of how the data is valuable

15:14:31 [npdoty]

... value of the data in improvement of research

15:14:32 [amyc]

thanks Nick

15:14:36 [jmayer]

The "we want broad implementation" argument has very limited force. Taken to the limit, we would just declare Do Not Track a nullity. There are countervailing considerations, of course.

15:14:36 [npdoty]

scribenick: amyc

15:14:48 [amyc]

Aleecia: anything else?

15:14:51 [npdoty]

ack efelten

15:15:08 [amyc]

efelten: lauren gelman may propose language?

15:15:11 [dtauerbach]

is the data valuable because you want to retroactively bucket the data?

15:15:14 [amyc]

aleecia: not a member or IE

15:15:19 [dtauerbach]

or do you want to use it in a non-bucketed way?

15:15:32 [dtauerbach]

q+

15:15:36 [amyc]

efelten: thread went a lot of places, but didn't answer my questions

15:15:48 [rachel_n_thomas]

q+

15:15:49 [amyc]

... perhaps shane and I should chat

15:16:01 [amyc]

Shane: thought I had answered, happy to follow up

15:16:08 [npdoty]

ack jmayer

15:16:10 [amyc]

Aleecia: suggests doing this in real time

15:16:36 [amyc]

jmayer: wanted to get more information about what the business uses for this info are

15:16:39 [jchester2]

+Jonathan

15:17:01 [amyc]

... what are business uses?

15:17:19 [amyc]

... and do they overlap with other permitted uses

15:17:40 [Chapell]

Jmayer - to the extent that industry shares more about uses of this data, would you be willing to share you insights re: the harms you are trying to prevent?

15:17:46 [amyc]

Shane: simplest form of reporting, product improvement, review through lens of being able to run reports

15:17:47 [dtauerbach]

"able to run reports" -> bucketed data

15:18:03 [dtauerbach]

so 1024-unlinkable

15:18:04 [jmayer]

Chapell, sure, take a look at my paper "Third-Party Web Tracking: Policy and Technology."

15:18:05 [dtauerbach]

should be no problem

15:18:20 [amyc]

... can't specify all, so really want to make sure that busienss can understand its operations better

15:18:20 [dtauerbach]

do you need raw data ever?

15:18:22 [dtauerbach]

for what?

15:18:30 [Chapell]

does every example in that paper address issues that are in the scope of DNT?

15:18:37 [amyc]

... want to remove from production use

15:18:52 [jmayer]

Chapell, I believe so. Read it and get back to me.

15:19:12 [Chapell]

Will do

15:19:13 [amyc]

Aleecia: what if option two is DAA, and option one is data transformation, with retention period and new permitted uses

15:19:15 [Chapell]

link?

15:19:26 [amyc]

... who hates it

15:19:52 [npdoty]

dtauerbach, I think it depends on exactly what kind of reporting you would want to do -- some of it might require longitudinal linkable data

15:19:53 [npdoty]

q?

15:19:55 [amyc]

... Rob, Jeff and Shane don't seem to like, unlikely to get traction

15:19:57 [npdoty]

ack susanisrael

15:20:24 [dtauerbach]

you can link data into buckets

15:20:39 [dtauerbach]

npdoty, can you give a concrete example?

15:20:40 [amyc]

susanisrael: the kind of standard that Shane suggests, may not need to be same level of debate about permitted uses, if agreement that level of protection is adequate

15:20:43 [dtauerbach]

it can be hypothetical

15:21:04 [Chapell]

Jmayer: thanks, but found it.... to be clear, are you referring to section THIRD-PARTY WEB TRACKING POLICY III. PRIVACY PROBLEMS?

15:21:06 [amyc]

Aleecia: can we get economic value of data, while not providing get out of jail free card

15:21:22 [npdoty]

ack rigo

15:21:35 [jmayer]

Chapell, sounds right.

15:21:39 [dtauerbach]

amyc, i would love an example of the economic value

15:21:43 [amyc]

Rigo: two suggestions, this is pseudonymity discussion that Ruud raises

15:22:10 [jmayer]

Chapell, presently multitasking. Always glad to chat about my academic research offline.

15:22:12 [amyc]

... warning againt fog (in) mess

15:22:57 [amyc]

... we need to think about data breach

15:23:11 [amyc]

... with option one, concerned about sharing with others

15:23:37 [Chapell]

Jmayer: Ok thanks. would love to discuss at some point.

15:23:43 [Chapell]

.... "Each particular scenario may have a low probability of occurring. But the chance of some scenarios occurring is substantial, especially when considered over time and across many companies."

15:23:47 [lmastria-DAA]

q+

15:23:54 [amyc]

... maybe with publsihing, would look at k-anon for external use

15:24:18 [amyc]

Shane: maybe sharing outside of service provider would require additional anon, as opposed to external sharing

15:24:49 [amyc]

Aleecia: could be direction to consider, where we have option one for internal use plus service provider

15:25:01 [Chapell]

...."Third, an action that harms the consumer. The action could be, for example, publication, a less favorable offer, denial of a benefit, or termination of employment. Last, a particular harm that is inflicted. The harm might be physical, psychological, or economic."

15:25:04 [amyc]

... then option two for external

15:25:06 [rigop]

q?

15:25:16 [npdoty]

q- ifette

15:25:24 [npdoty]

ack Simon

15:25:41 [amyc]

Simon: staring at two options, not that far apart

15:25:54 [amyc]

... commercially reasonably but not less than 1024

15:26:01 [Chapell]

.... I would like to discuss how these issues are being addressed by the W3C DNT effort AND why they are not addressed by the current industry standards.

15:26:10 [Chapell]

..... JMayer: I welcome the discussion. Thanks.

15:26:34 [amyc]

Aleecia: Shane would reject

15:26:54 [amyc]

Shane: reduce viable buckets of data to very small number

15:27:20 [amyc]

.. by using by k-anon 1024 bar

15:27:38 [amyc]

... and reduces value of data

15:27:56 [amyc]

Aleecia: for some companies, may be case by case as to value

15:28:11 [npdoty]

ack dtauerbach

15:28:16 [stella]

stella has joined #dnt

15:28:30 [amyc]

dtauerbach: give me example of report, unless the report is by request

15:28:55 [schunter]

schunter has joined #dnt

15:29:06 [amyc]

Shane: thousands of employees, billions of records daily, unrealistic

15:29:19 [amyc]

... would never be able to look back

15:30:02 [amyc]

Aleecia: k-anon would require that you never have a bucket of fewer than 1024

15:30:21 [tl]

+q

15:30:29 [amyc]

Shane: can't build tables on fly, doesn;t make sense in real business

15:30:40 [jmayer]

You don't have to predetermine reports. You can build an unlinkable dataset, then use that to generate reports.

15:31:03 [rachel_n_thomas]

none of this is in the queue...

15:31:07 [npdoty]

q?

15:31:28 [amyc]

lmastria: number of assumptions going unchallenged

15:31:52 [amyc]

... no one gives data to man on street, many professionals and contracts and security

15:32:20 [amyc]

... can't pretend that we can preconceive buckets of data

15:32:22 [npdoty]

ack lmastria-DAA

15:32:27 [amyc]

... don't want to prevent innovation

15:33:04 [jchester2]

Lou. I have to disagree. Online ad industry in US--despite having privacy employees-are continually expanding their data collection practices. Innovation is about more data mining and invading privacy of users. We have not seen much on promoting innovation to protect privacy in an online ad context.

15:33:34 [amyc]

Rigo: put into one bucket for internal use data

15:33:59 [dwainberg]

q+

15:34:09 [amyc]

dtauerbach: don't need to detemine in advance

15:34:20 [amyc]

... can come up with tables on fly, add to pipeline

15:34:29 [amyc]

... still with k-anon

15:34:32 [WileyS]

+q

15:34:56 [justin_]

ack rachel_n_thomas

15:34:57 [amyc]

rachel: wants to point out that DAA sent letter to W3C

15:35:08 [jmayer]

Why is Rachel talking about the DAA letter to the W3C leadership? We're talking about technical issues related to data linkability.

15:35:43 [amyc]

... wants to post letter, this is not appropriate process or means to move forward

15:35:58 [amyc]

... should not try to refine industry practice where there is already a consensus

15:36:00 [npdoty]

q+

15:36:04 [jmayer]

"The working group shouldn't try to refine industry practice where there isn't already widespread consensus..."

15:36:11 [amyc]

... out of scope of w3c mission of developing web techology

15:36:36 [amyc]

... looks like w3c thinking about more policy issues, let's focus on technology rather than policy

15:36:41 [WileyS]

q+

15:36:57 [amyc]

Aleecia: will take process discussion offline

15:37:13 [rachel_n_thomas]

DAA letter to W3C https://www.aboutads.info/blog/press-release-daa-issues-open-letter-w3c-actions-working-group-threaten-ad-supported-internet

15:37:25 [amyc]

tl: don't need to know in advance what you are doing

15:37:46 [amyc]

... just need to collect it correctly, then reports wouldn't go back to data

15:37:56 [stella]

stella has joined #dnt

15:37:56 [npdoty]

q?

15:38:02 [npdoty]

ack tl

15:38:08 [npdoty]

Zakim, close the queue

15:38:08 [Zakim]

ok, npdoty, the speaker queue is closed

15:38:30 [npdoty]

ack WileyS

15:38:33 [jchester2]

The DAA/IAB admitted last week in DC that they did not test itse self-regulatory system using the icon. They did not test, for example, how its system interacts with the optimized system designed to process users to conversion, inc. data collection. I ask again for the IAB/US and DAA to submit to this list any research any any outside independent research they used to establish its so-called privacy system.

15:38:56 [jmayer]

Shane fifteen minutes ago: this can't be done. Shane now: OK, it can be done. But it's hard.

15:39:00 [amyc]

Shane: not disputing philosphically that this can be done, Google is large company, but speaking from own experience buidling data tables on the fly is incredibly expensive, current software packeage don't offer

15:39:09 [amyc]

... so likely no one would implement

15:39:34 [susanisrael]

jeff I was at the meeting you are describing and i did not hear the dialogue quite that way.

15:39:36 [npdoty]

q?

15:39:37 [lmastria-DAA]

ditto shane

15:39:40 [johnsimpson]

q?

15:39:49 [npdoty]

ack dwainberg

15:40:22 [rachel_n_thomas]

jchester2 DAA admitted no such thing with regarding to testing the icon. An unrelated party made that assertion, when in reality TRUSTe did significant testing on the icon with extremely positive findings.

15:40:32 [lmastria-DAA]

ditto dwainberg

15:40:37 [amyc]

dwainberg: dpn't want to adopt standard that disadvantages small companies

15:40:38 [npdoty]

q?

15:41:05 [amyc]

npdoty: w3c process questions, happy to follow up

15:41:42 [amyc]

Aleecia: will submit DAA text, see whether everyone can live with this

15:41:50 [rachel_n_thomas]

from DAA letter: •DAA expressed strong opposition to the current posturing of the W3C’s effort to establish a “do-not-track” standard.

15:41:53 [amyc]

... Shane making some modifications

15:41:57 [jchester2]

IAB could not say any research was done. It referred to World Privacy Forum, which its researcher said wasn't a study. Provide the Evidon research and its design, and the outside review it undertook.

15:41:58 [rachel_n_thomas]

•This agenda states, “We will now accept that many issues cannot be resolved in a way that does not raise any objections.”1 oTPWG states that the goal of this meeting is to come to a decision on a standard through the following non-consensus process: “we will put more focus on creating viable alternative texts as input for our decision procedure where the chairs call for objections and then analyze the resulting input to come to a conclusion th

15:42:05 [rachel_n_thomas]

•This is not an appropriate process or means for moving forward on decisions that could affect the future of an entire online ecosystem. oA non-consensus decision by the TPWG, an organization of unelected individuals who do not represent the interests of all stakeholders, should not be substituted for the consensus judgment of the participants given the impact such a decision could have on consumers, commerce, national and global economies, jobs, an

15:42:09 [efelten]

s/will submit/Lou will submit/

15:42:13 [rachel_n_thomas]

•The TPWG should not try to redefine established industry practice and consumer expectations in an area where widespread consensus already exists.

15:42:17 [ksmith]

Nick - I don't see an action item for me, but I was assigned to edit section 3.5.2 slightly. Did you get that? Or am I looking in the wrong place?

15:42:18 [amyc]

... will contine when we see texts

15:42:18 [rachel_n_thomas]

•The DAA has developed a comprehensive standard governing web-viewing data practices.

15:42:23 [rachel_n_thomas]

•To my knowledge, W3C is a technology standards organization that has traditionally focused on developing consensus around specifications and guidelines for web technologies. The W3C’s recent foray into setting public policy standards is outside the oThe public interest is not served by this expansion of the W3C’s efforts, especially because the method by which the W3C is seeking to achieve results is not through consensus and gives all stakehold

15:42:25 [Zakim]

-BrendanIAB?

15:42:31 [rachel_n_thomas]

•The TPWG should remain true to the W3C’s mission of developing consensus around specifications for web technologies and oshould not seek to expand its scope into public policy issues that would be better addressed in other policy forums that have the experience and qualifications to evaluate these issues.

15:42:33 [npdoty]

ksmith, I may have missed that one, what's the action?

15:42:35 [rachel_n_thomas]

•The DAA strongly believes that the W3C should not undertake further forays into privacy policy issues. oWe ask that the W3C leave these areas to the established industry and policy bodies that have already been successfully addressing them.”

15:42:37 [amyc]

adjourned

15:42:52 [hwest]

Thank you Aleecia!

15:43:12 [Zakim]

-Jonathan_Mayer

15:43:23 [ksmith]

to addresss the requirement for a privacy policy link for 1st parties

15:43:29 [hwest]

Anyone headed to Centraal, Rob and I are headed straight there to get checked in first

15:43:33 [ksmith]

in widget scenarios

15:44:05 [Zakim]

-johnsimpson

15:44:23 [johnsimpson]

johnsimpson has left #dnt

15:44:46 [Zakim]

+??P1

15:44:52 [BrendanIAB]

Zakim, ??P1 is probably me

15:44:52 [Zakim]

+BrendanIAB?; got it

15:45:07 [Zakim]

-BrendanIAB?

15:45:17 [Zakim]

-Telegraaf

15:45:18 [Zakim]

Team_(privacy)13:48Z has ended

15:45:18 [Zakim]

Attendees were Telegraaf, Jonathan_Mayer, johnsimpson, BrendanIAB?

15:45:24 [npdoty]

rrsagent, draft minutes

15:45:24 [RRSAgent]

I have made the request to generate http://www.w3.org/2012/10/03-dnt-minutes.html npdoty

15:48:10 [npdoty]

rrsagent, bye

15:48:10 [RRSAgent]

I see 27 open action items saved in http://www.w3.org/2012/10/03-dnt-actions.rdf :

15:48:10 [RRSAgent]

ACTION: Colando to draft updated 'share' definition to avoid concerns (with rigo and chris-p) [1]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T08-45-39

15:48:10 [RRSAgent]

ACTION: Wiley to update text in 3.8.1 regarding bringing into compliance, not just deletion [2]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T08-47-12

15:48:10 [RRSAgent]

ACTION: fette to suggest retention related to a timed grace period (with dwainberg) [3]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T08-50-28

15:48:10 [RRSAgent]

ACTION: rachel to propose first/third party definitions from existing DAA documents [4]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T09-11-51

15:48:10 [RRSAgent]

ACTION: dsinger to edit the TPE document to make sure that the final definition of parties is in sync across the two specifications [5]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T09-13-36

15:48:10 [RRSAgent]

ACTION: dsinger to edit the TPE document to make sure that the final definition of parties is in sync across the two specifications [6]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T09-14-44

15:48:10 [RRSAgent]

ACTION: singer to edit the TPE document to make sure that the final definition of parties is in sync across the two specifications [7]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T09-15-23

15:48:10 [RRSAgent]

ACTION: brookman to update 3.5.2 to expand beyond "Web site" [8]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T09-21-54

15:48:10 [RRSAgent]

ACTION: rachel to propose existing DAA text for service providers [9]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T09-39-20

15:48:10 [RRSAgent]

ACTION: west to update service provider language to apply to first and third parties [10]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T09-41-24-1

15:48:10 [RRSAgent]

ACTION: roy Fielding to propose text for party and outsourcing definitions [11]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T09-45-54

15:48:10 [RRSAgent]

ACTION: robsherman to draft text on first party [12]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T09-46-28

15:48:10 [RRSAgent]

ACTION: sherman to propose text regarding multiple first parties [13]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T09-46-53

15:48:10 [RRSAgent]

ACTION: wiley to propose non-normative text on service providers to clarify "independent use" (with rvaneijk) [14]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T09-51-30

15:48:10 [RRSAgent]

ACTION: doty to update middle way proposals to avoid relying on "tracking" [15]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T11-26-21

15:48:10 [RRSAgent]

ACTION: luigi to provide text regarding data retention, applicable to finanical logging data [16]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T11-40-39

15:48:10 [RRSAgent]

ACTION: singer to propose non-normative text regarding contracts/other specifications [17]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T11-48-54

15:48:10 [RRSAgent]

ACTION: lowenthal to suggest an alternative to debugging graduated response ('once identified a problem') [18]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T12-31-10

15:48:10 [RRSAgent]

ACTION: fette to write an explanation of graduated response and a list of explanatory use cases [19]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T12-32-22-1

15:48:10 [RRSAgent]

ACTION: wiley to draft updated text on UA requirements; explanatory text made more general; add 'prior to selecting DNT'; add examples; change MUST to SHOULD [20]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T13-39-35

15:48:10 [RRSAgent]

ACTION: dsinger to add to the TPE that at most one DNT header is permitted in any HTTP request [21]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T14-05-36

15:48:10 [RRSAgent]

ACTION: singer to add to the TPE that at most one DNT header is permitted in any HTTP request (issue-150) [22]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T14-05-57

15:48:10 [RRSAgent]

ACTION: mayer to draft an alternative for multiple DNT headers (issue-150) [23]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T14-08-13

15:48:10 [RRSAgent]

ACTION: fette to propose barring other software from altering a DNT signal if the browser already set it [24]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T14-32-58

15:48:10 [RRSAgent]

ACTION: mayer to propose non-normative text to add on to action-231 (with nick) [25]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T14-33-49

15:48:10 [RRSAgent]

ACTION: luigi to propose DAA text regarding de-identification (for unlinkability discussion) [26]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T14-58-09

15:48:10 [RRSAgent]

ACTION: west to update unlinkable with non-normative text from Shane [27]

15:48:10 [RRSAgent]

recorded in http://www.w3.org/2012/10/03-dnt-irc#T15-00-22

15:48:12 [npdoty]

Zakim, bye

15:48:12 [Zakim]

Zakim has left #dnt