IRC log of dnt on 2012-10-03

Timestamps are in UTC.

07:01:41 [RRSAgent]
RRSAgent has joined #dnt
07:01:41 [RRSAgent]
logging to
07:01:45 [npdoty]
trackbot, start meeting
07:01:47 [trackbot]
RRSAgent, make logs world
07:01:49 [trackbot]
Zakim, this will be
07:01:49 [Zakim]
I don't understand 'this will be', trackbot
07:01:50 [trackbot]
Meeting: Tracking Protection Working Group Teleconference
07:01:50 [trackbot]
Date: 03 October 2012
07:02:00 [npdoty]
Meeting: Tracking Protection Working Group Face-to-Face
07:02:03 [dsinger]
dsinger has joined #dnt
07:02:05 [npdoty]
Chair: aleecia
07:03:29 [tlr]
tlr has joined #dnt
07:05:57 [npdoty]
vinay has set up a screen-sharing so remote attendees can follow slides/etc:
07:06:08 [npdoty]
let us know how/whether that's working
07:06:27 [npdoty]
and let me know if there are phone problems, I think the teleconference may drop in 5 hours or so and I'll have to re-configure then
07:08:12 [efelten]
efelten has joined #dnt
07:08:16 [afowler]
afowler has joined #dnt
07:08:22 [vinay]
vinay has joined #dnt
07:08:30 [tedleung]
tedleung has joined #dnt
07:08:32 [bilcorry]
bilcorry has joined #dnt
07:09:27 [tl]
tl has joined #dnt
07:09:59 [justin]
justin has joined #dnt
07:10:13 [npdoty]
scribenick: npdoty
07:10:24 [npdoty]
joris: chairman of the IAB here in Holland
07:10:36 [npdoty]
... we're already very happy, you have to succeed of course in the following three days
07:10:45 [jchester2]
jchester2 has joined #dnt
07:10:47 [npdoty]
... thanks to the Telegraaf Media Group to make sure all the facilities are in place
07:10:58 [BrendanIAB]
audio sounds like there's some interference with local electronics.
07:11:13 [npdoty]
... 60 attendees here, with many years of experience each
07:11:55 [vinay]
For those not here in person, you can follow along via the web at
07:12:03 [npdoty]
... if the mayor were here, he would tell you about openness and core values of Amsterdam
07:12:28 [npdoty]
... those same core values appropriate to the important stuff you are debating
07:12:47 [npdoty]
... last June we had a new telecommunications law, a chapter on cookies, opt in and opt out
07:12:55 [npdoty]
... politicians are very willing to listen to Do Not Track solutions to that
07:13:15 [npdoty]
... hope you have the energy to facilitate those solutions during this meeting
07:14:06 [npdoty]
... introducing others from IAB NL
07:14:06 [hwest_]
hwest_ has joined #dnt
07:14:16 [npdoty]
schunter: introductions of matthias and aleecia
07:14:30 [ifette]
ifette has joined #dnt
07:14:34 [npdoty]
... since we have some newcomers, aleecia will give a quick tutorial on current state and agreements we've already reached
07:14:38 [npdoty]
... and look at open issues
07:15:04 [npdoty]
... in prior meetings it took quite a while to understand each other, and reached agreement in the easy pieces
07:15:07 [Marc]
Marc has joined #dnt
07:15:20 [npdoty]
... identified substantial agreements, for this meeting it may not be as easy
07:15:43 [npdoty]
... we have defined how to solve unsolvable disputes, a procedure to follow from multiple alternative proposals
07:15:55 [npdoty]
... a big purpose of the meeting will be carving out sound alternatives to the problem we are facing
07:15:56 [rvaneijk]
rvaneijk has joined #dnt
07:16:30 [npdoty]
schunter: explaining scribing
07:16:50 [johnsimpson]
johnsimpson has joined #dnt
07:16:51 [RichardfromcomSco]
RichardfromcomSco has joined #dnt
07:16:52 [npdoty]
... go through the agenda and assign scribes
07:17:06 [dsriedel]
dsriedel has joined #dnt
07:17:28 [npdoty]
working drafts and open issues, ifette to scribe
07:17:33 [ChrisPedigoOPA]
ChrisPedigoOPA has joined #dnt
07:17:43 [npdoty]
compliance and definitions, robsherman to scribe
07:17:54 [npdoty]
more resolving definitions, JC to scribe
07:17:58 [amyc]
amyc has joined #dnt
07:17:59 [npdoty]
lunch, no scribe necessary
07:18:31 [Zakim]
+ +1.310.292.aacc
07:18:40 [npdoty]
permitted uses for third parties, susan to scribe
07:18:54 [npdoty]
more permitted uses for debugging, Joanne to scribe
07:19:03 [Chris_IAB]
Chris_IAB has joined #dnt
07:19:09 [npdoty]
user agent compliance, tedleung to scribe
07:19:14 [johnsimpson]
zakim, aacc is me
07:19:14 [Zakim]
+johnsimpson; got it
07:19:21 [npdoty]
final session of the day, amyc to scribe
07:19:23 [Chris_IAB]
joining in person :)
07:19:42 [tlr]
zakim, who is on the phone?
07:19:42 [Zakim]
On the phone I see Telegraaf, fielding, BrendanIAB?, johnsimpson
07:20:00 [rachel_n_thomas]
rachel_n_thomas has joined #dnt
07:20:11 [adrianba]
adrianba has joined #dnt
07:20:34 [johnsimpson]
Apologies that I am not there in person. Will follow closely.
07:20:54 [dwainberg]
dwainberg has joined #dnt
07:21:11 [JC]
JC has joined #DNT
07:21:17 [jeffwilson]
jeffwilson has joined #dnt
07:21:17 [bhuseman]
bhuseman has joined #dnt
07:21:40 [Simon]
Simon has joined #dnt
07:22:08 [npdoty]
"bring your own life preserver" :)
07:22:22 [eberkower]
eberkower has joined #dnt
07:22:27 [rigo]
rigo has joined #dnt
07:22:51 [mikeo]
mikeo has joined #dnt
07:22:52 [johnsimpson]
are slides available on line?
07:23:12 [npdoty]
johnsimpson, you should be able to follow via Adobe Connect link from vinay
07:23:16 [npdoty]
aleecia: introductions
07:23:27 [npdoty]
... history of the Web, TBL, commerce on the Web
07:23:36 [vinay]
johnsimpson -
07:23:53 [npdoty]
... introductions of the co-chairs, and now introductions around the room
07:24:26 [Rene]
Rene has joined #dnt
07:24:59 [schunter]
schunter has joined #dnt
07:27:19 [npdoty]
scribe is not trying to keep up with these
07:27:49 [npdoty]
but the full group participants list is here:
07:28:23 [npdoty]
"well-known standards wonk"
07:29:47 [fielding]
I am Roy T. Fielding, representing Adobe (a W3C member and sponsor) and co-editor of TPE; I am also a board member of the Apache Software Foundation (another W3C member) but am not representing Apache here.
07:29:52 [BrendanIAB]
07:30:11 [npdoty]
ack BrendanIAB
07:30:17 [Marije]
Marije has joined #dnt
07:30:19 [tlr]
07:30:25 [tlr]
zakim, who is on the phone?
07:30:25 [Zakim]
On the phone I see Telegraaf, fielding, BrendanIAB?, johnsimpson
07:30:28 [johnsimpson]
I am John Simpson from Consumer Watchdog, an invited expert
07:30:28 [johnsimpson]
07:30:38 [vinay_]
vinay_ has joined #dnt
07:30:53 [Chris_IAB]
What's 3:30am in NY look like Brendan? :)
07:31:10 [schunter]
Guys on the phone: Please put yourself into the queue and ping me to unmute you.
07:31:12 [npdoty]
aleecia: from the charter
07:31:19 [npdoty]
... need something that works for users
07:31:27 [npdoty]
... need something voluntarily implementable by businesses
07:31:34 [schunter]
Zakim, who is on the phone
07:31:34 [Zakim]
I don't understand 'who is on the phone', schunter
07:31:38 [npdoty]
... creating a shared understanding of what DNT means
07:31:42 [schunter]
Zakim, who is on the phone?
07:31:42 [Zakim]
On the phone I see Telegraaf, fielding, BrendanIAB?, johnsimpson
07:31:45 [kj]
kj has joined #dnt
07:32:06 [npdoty]
... two documents, Compliance and Tracking Preference Expression
07:32:15 [npdoty]
... Note, not Rec, on Tracking Selections List
07:32:18 [mikez]
mikez has joined #dnt
07:32:27 [lmastria-DAA]
lmastria-DAA has joined #dnt
07:32:31 [npdoty]
... talking about a Global Considerations doc, also a Note
07:32:45 [npdoty]
... congratulations to the group on getting another published set of Working Drafts out
07:32:56 [npdoty]
... thanks to editors and nick for helping get that out
07:33:19 [npdoty]
... working through dates and successive drafts
07:33:24 [ifette]
npdoty, i thought i was taking over after the intro
07:33:33 [npdoty]
... Last Call to get wider review
07:33:34 [ifette]
npdoty, Presentations: Working Drafts and open issues, presented by editors.
07:33:38 [tl_mobile]
tl_mobile has joined #dnt
07:33:54 [npdoty]
... Candidate Rec, call for implementations, though we hope to see some implementation before then
07:34:06 [npdoty]
... Proposed Rec, after which it's up to W3C Membership
07:34:14 [npdoty]
... "Getting to Closed" review
07:34:42 [npdoty]
... organically reach consensus on the direction and text, close the issue
07:34:55 [npdoty]
... chairs can re-open an issue if there is new information and new text
07:34:59 [efelten]
efelten has joined #dnt
07:35:17 [npdoty]
... if we don't happily reach consensus on a single text
07:35:28 [efelten_]
efelten_ has joined #dnt
07:35:41 [npdoty]
... might have multiple texts, or might have a Formal Objection from someone in the group who can't live with a particular decision
07:35:52 [npdoty]
... consensus is the least objectionable proposal
07:36:12 [npdoty]
... survey participants in writing, identify consensus in the least objectionable path
07:36:27 [npdoty]
... substance and strength of objections, not a count and not who screams loudest
07:37:03 [npdoty]
marc: substance and the strength of the objections as determined by... aleecia: the chairs, yes
07:37:33 [npdoty]
aleecia: file a formal objection at any decision point, with technical arguments and a proposed change
07:38:31 [npdoty]
... group can try to resolve that objection, if not, a review process up W3C management, including TBL
07:38:40 [npdoty]
(catching up a few last introductions)
07:39:15 [npdoty]
aleecia: in the US, Do Not Call list mandated by law
07:39:46 [BerinSzoka]
BerinSzoka has joined #DNT
07:39:50 [fielding]
we just lost the telecom?
07:39:58 [npdoty]
... less a privacy concern than an intrusion concern, spam faxes, users want control over their devices
07:40:07 [JBWeiss]
JBWeiss has joined #DNT
07:40:07 [Zakim]
07:40:08 [johnsimpson]
Agree no need to discuss harms
07:40:21 [johnsimpson]
working for me
07:40:26 [BrendanIAB]
I have not heard any interruption in audio
07:40:35 [npdoty]
... not sure privacy harm discussion will be resolved by discussion among us
07:40:39 [Zakim]
07:41:01 [npdoty]
aleecia: Do Not Call does not prevent calls, has exceptions for political organizations etc.
07:41:21 [npdoty]
... Do Not Call has had some confusion in those cases
07:41:28 [npdoty]
... what are we building with DNT?
07:41:37 [johnsimpson]
appreciate analogy to do not track on telephone
07:41:56 [susanisrael]
susanisrael has joined #dnt
07:42:02 [npdoty]
... continue to show contextual ads to users, rather than lose them to ad blockers
07:42:13 [npdoty]
... haven't blocked all tracking, no proposals would prevent shopping carts from working
07:42:35 [npdoty]
... haven't had proposals for blocking all cookies or similar
07:42:44 [npdoty]
... we should not get in the way of users who actively want all the personalization
07:42:50 [Marc]
07:43:05 [npdoty]
... some users have privacy concerns that DNT will not address
07:43:13 [npdoty]
... DNT will not be adopted by all sites
07:43:36 [npdoty]
... does not directly protect against governments or data breaches
07:43:53 [bhuseman]
07:44:05 [npdoty]
... who is it for? typical users who want the Web to just work, but have privacy concern
07:44:11 [npdoty]
... reminder that we are not ourselves typical users
07:44:28 [npdoty]
... Global -- World Wide Web doesn't have the same country borders
07:44:40 [npdoty]
... uniform signals, different results
07:45:09 [Zakim]
07:45:15 [npdoty]
... tri-part DNT signal: DNT:1, DNT:0, <no signal> -- will always be users who haven't chosen
07:45:18 [rachel_n_thomas]
07:45:29 [WileyS]
WileyS has joined #DNT
07:45:34 [ifette]
q+ re dnt1
07:45:37 [schunter]
07:45:44 [schunter]
ack Marc
07:45:47 [ifette]
q+ re no-dnt==dnt1 ine u
07:46:15 [lmastria-DAA]
lmastria-DAA has joined #dnt
07:46:22 [tlr]
07:46:24 [npdoty]
marc: vehemently disagree with Do Not Call, a key part of privacy response, a certain kind of privacy harm
07:46:35 [schunter]
07:46:35 [lmastria-DAA]
07:46:41 [fielding_]
fielding_ has joined #dnt
07:47:05 [npdoty]
aleecia: thank you, that it's about privacy is interesting
07:47:12 [schunter]
ack bhuseman
07:47:22 [jchester2]
07:47:56 [npdoty]
bhuseman: at FTC even before Do Not Call, events, workshops, telemarketing sales rule, before enacting the Do Not Call registry
07:48:01 [mikez]
07:48:13 [npdoty]
... and subsequent litigation regarding Do Not Call
07:48:23 [schunter]
07:48:35 [schunter]
ack rachel_n_thomas
07:48:39 [npdoty]
... examination of the harms and all possible solutions
07:48:48 [johnsimpson]
we are not here to debate do not call; let's talk about DNT
07:49:11 [Zakim]
07:49:17 [BerinSzoka]
well, John, then maybe Aleecia shouldn't have brought up Do Not Call!
07:49:41 [npdoty]
rachel_n_thomas: don't understand harms being less regarding Do Not Call, consumer benefits are infinitely greater for behaviorally targeted ads
07:49:47 [ifette]
07:50:08 [WileyS]
07:50:15 [npdoty]
... are there studies you are relying on regarding user desires?
07:50:16 [johnsimpson]
berin, we've got real issues to discuss. why waste time on this??
07:50:58 [BerinSzoka]
John, I don't think you appreciate how incendiary Aleecia's assertions were.
07:50:59 [npdoty]
schunter: have in the back of our minds what discussions are the most important; try to focus on the normative language in the specs
07:51:02 [WileyS]
John, this is a real issue - not looking at real-world harms derails the value of this conversation
07:51:09 [tlr]
07:51:10 [dsinger]
07:51:10 [WileyS]
07:51:11 [npdoty]
ack ifette
07:51:12 [Zakim]
ifette, you wanted to discuss dnt1 and to discuss no-dnt==dnt1 ine u
07:51:44 [schunter]
07:51:57 [npdoty]
ifette: you were drawing an analogy between no signal and DNT:1 in the EU, but it's not identical
07:51:59 [schunter]
ack lmastria-DAA
07:52:20 [npdoty]
aleecia: sorry, if I indicated it was identical, I didn't mean to do so
07:52:35 [BerinSzoka]
Essentially, John, Aleecia just reminded most of the room that she's hardly an objective moderator of this process
07:52:42 [npdoty]
lmastria-DAA: difference from Do Not Call, which was based on an elected body review, which is not what we are
07:53:07 [npdoty]
aleecia: yes, there are people from self-reg and other groups
07:53:33 [WileyS]
DNC - one country, one law - exhaustive process to address a perceived harm to personal privacy. Very difficult to apply this to the DNT conversation (outside of perceived harms which hopefully comes back into scope of the discussion on DNT)
07:53:35 [npdoty]
lmastria-DAA: specifically, Do Not Call was from an elected body, which we are not
07:53:43 [npdoty]
07:54:40 [npdoty]
jchester2: agree with Marc, we were there for Do Not Call, as part of self-regulatory discussion around privacy at the time
07:54:58 [BerinSzoka]
for once, I think I agree with Jeff!
07:55:14 [npdoty]
... want an opportunity to air/discuss accusations, regarding letters that have been published
07:55:15 [BerinSzoka]
Let's talk through the hard questions raised about process
07:55:39 [npdoty]
aleecia: is that going to be productive?
07:55:41 [ifette]
I can't help but thinking that (Mad Max Beyond Thunderdome) ought to be required viewing before any of these meetings...
07:56:13 [npdoty]
jchester2: I would like these advertising organizations to go on the record regarding those concerns
07:56:21 [WileyS]
07:56:37 [npdoty]
aleecia: want to avoid a fundamental discussion if it's not going to be productive
07:56:39 [npdoty]
q- jchester2
07:56:42 [ifette]
ack jchester
07:56:44 [ifette]
ack mikez
07:56:44 [npdoty]
q- jchester
07:57:04 [npdoty]
mikez: I think we got off on the wrong foot in the last meeting, and don't want to do that again
07:57:16 [efelten]
Can we talk about DNT please?
07:57:22 [npdoty]
... junk fax law was something that cost users money, paper, ink and time; that's why that was passed
07:57:47 [johnsimpson]
we've had a year to lay a foundation. we are here to develop a standard that allows users to express their preference. let's please get to that!!!
07:57:56 [npdoty]
... also should note exceptions regarding the junk fax law as well
07:58:24 [jchester2]
I asked that the DAA, ANA, DMA and others to go on the record about the letters they sent recently raising objections to do not track and their work to undermine the establishment of a meaningful standard. I also said several NAI members had been engaged in essence a smear campaign against W3C, etc. They don't seem to want to respond.
07:58:49 [BerinSzoka]
Jeff, I think those groups are eager to air their concerns! what makes you think they don't want to respond?
07:58:52 [rwessel]
rwessel has joined #dnt
07:58:58 [npdoty]
... regarding tri-part system, per the group decision that browsers aren't required to provide that option to all users
07:59:38 [ifette]
q+ Procedural question, did we do agenda bashing yet?
07:59:43 [jchester2]
Berin: Let them speak out now and identify their concerns for the record here today.
07:59:49 [ifette]
q+ to ask procedurally if we did agenda bashing yet
07:59:59 [WileyS]
08:00:00 [dsinger]
08:00:01 [johnsimpson]
There is NO reason to discuss harms. This is about developing a way for users to send a message about their preference about whether they are tracked.
08:00:33 [justin]
Discussion of harms should go in the scope and intro section eventually.
08:00:51 [npdoty]
WileyS: thought it was helpful in the breakout sessions at DC to have discussion of the harms, I think it would be useful to continue that work though I see that you didn't find it useful
08:00:55 [Stella]
Stella has joined #dnt
08:00:55 [WileyS]
John, thank you for your opinion - I respectfully disagree. We did some good work in DC (with you and others) that I believe would fit nicely here.
08:01:02 [rachel_n_thomas]
08:01:05 [lmastria-DAA]
lmastria-DAA has joined #dnt
08:01:11 [npdoty]
ack ifette
08:01:11 [Zakim]
ifette, you wanted to ask procedurally if we did agenda bashing yet
08:01:12 [johnsimpson]
No need to waste valuable time speaking about harms
08:01:27 [peter]
peter has joined #dnt
08:01:52 [npdoty]
jchester2: can we take comments from IRC as well? aleecia: can add yourself to the q
08:02:18 [npdoty]
notes on IRC are also recorded, unless they are marked as off-the-record -- prepended with "/me"
08:02:28 [npdoty]
aleecia: different types of parties
08:02:39 [npdoty]
... first parties, very few restrictions
08:02:41 [ifette]
rrsagent, bookmark?
08:02:41 [RRSAgent]
08:02:56 [npdoty]
... service providers, contractual relationship to 1st/3rd parties
08:03:02 [WileyS]
John, hard to build a solution if you don't know what problem you're attempting to solve. :-)
08:03:04 [dsinger]
q+ to discuss terminology
08:03:13 [peter]
peter has left #dnt
08:03:30 [npdoty]
... silo'd data
08:03:35 [npdoty]
ack dsinger
08:03:35 [Zakim]
dsinger, you wanted to discuss terminology
08:03:42 [dsinger]
08:03:53 [BerinSzoka]
Lewis Carroll would have agreed with Shane on
08:03:55 [peter-4As]
peter-4As has joined #dnt
08:03:58 [npdoty]
ack rachel_n_thomas
08:04:03 [BerinSzoka]
the need to define harm: "Would you tell me, please, which way I ought to go from here?" "That depends a good deal on where you want to get to," said the Cat. "I don’t much care where--" said Alice. "Then it doesn’t matter which way you go," said the Cat. "--so long as I get SOMEWHERE," Alice added as an explanation. "Oh, you’re sure to do that," said the Cat, "if you only walk long enough."
08:04:26 [JC]
08:05:01 [npdoty]
08:05:13 [npdoty]
aleecia reviews the agenda slide
08:05:50 [ifette]
ISSUE: What do we mean by tracking?
08:05:50 [trackbot]
Created ISSUE-169 - What do we mean by tracking? ; please complete additional details at .
08:06:22 [npdoty]
08:06:22 [trackbot]
ISSUE-5 -- What is the definition of tracking? -- raised
08:06:22 [trackbot]
08:06:32 [ifette]
Close ISSUE-169
08:06:32 [trackbot]
ISSUE-169 What do we mean by tracking? closed
08:06:47 [ifette]
ISSUE-169: duped on ISSUE-5
08:06:47 [trackbot]
ISSUE-169 What do we mean by tracking? notes added
08:06:50 [lmastria-DAA]
08:06:54 [justin]
The word "tracking" is not used in the compliance document, so defining it has no substantive benefit. We address that issue in the definition of collection.
08:06:57 [lmastria-DAA]
08:07:03 [ifette]
npdoty, your memory is way better than mine :)
08:07:08 [npdoty]
rachel_n_thomas: had discussion on the mailing list about the definition of tracking... can we open that issue and discuss during this meeting?
08:07:11 [JC]
08:07:24 [jchester2]
Can Ms Thomas of the DMA place on the IRC record the DMA's definition of what they consider tracking.
08:07:51 [rigo]
rigo has joined #dnt
08:08:02 [ifette]
ack imastria-DAA
08:08:06 [npdoty]
rachel_n_thomas: thought we would need to cover definition of tracking before reaching last call, if we're going to do that in this meeting
08:08:08 [ifette]
ack lmastria-DAA
08:08:18 [npdoty]
aleecia: we aren't going to be publishing a Last Call document during this meeting, no
08:08:22 [efelten]
* You can remove yourself from the queue by typing "q-" on IRC.
08:08:40 [npdoty]
lmastria-DAA: echo concern about identifying what we are doing
08:08:44 [jchester2]
I would like the ANA to also place on the record what they consider tracking--which I assume reflects their members regarding tracking and privacy.
08:09:17 [tl]
08:09:18 [npdoty]
aleecia: we've also had the discussion about the name of Do Not Track, need to find out what we're building
08:09:40 [jchester2]
I also would like to have Amazon clarify whether it supports the position of the DMA regarding the DNT issues.
08:09:43 [npdoty]
lmastria-DAA: because "Do Not Track" is such a good sound bite, hard to pull back from that
08:09:48 [rigo]
q+ to push back on tracking definition because this is boiling the ocean
08:09:50 [Frank]
Frank has joined #dnt
08:10:04 [Zakim]
08:10:24 [johnsimpson]
+1 to Tom
08:10:38 [npdoty]
tl: encourage people to review mailing list and issue tracker, where discussions may have already been covered
08:10:53 [ifette]
ScribeNick: ifette
08:10:57 [npdoty]
rigo: -1 to defining tracking, discussing it right now
08:11:03 [ifette]
Aleecia: Please don't beat up the editors
08:11:06 [ifette]
… TPE is up first
08:11:11 [ifette]
… designer will present
08:11:16 [ifette]
08:11:19 [ifette]
darned auto-correct
08:11:37 [npdoty]
Topic: Drafts and Issues, reviewed by the editors
08:11:40 [ifette]
dsinger: TPE is one of two docs dealing with the immediate signals going back and forth, headers from UA to server and the response
08:11:46 [justin]
08:11:50 [ifette]
… as well as "well-known resource" and JS API
08:11:54 [ifette]
… what the parameters are and their effects
08:12:08 [justin]
There's the doc to follow along with David.
08:12:12 [ifette]
… about the immediate conversation, basic protocol, doesn't deal with "what is the long term effect of any of these signals" - that's the compliance doc
08:12:13 [Zakim]
08:12:21 [ifette]
… TPE is syntax of header (request/response)
08:12:29 [ifette]
… and immediate meaning of those
08:12:40 [johnsimpson]
are there slides with this?
08:12:42 [ifette]
… plus well-known resource expressing characteristics of the site (party definitions)
08:12:50 [ifette]
… could have contextual responses with the header
08:12:51 [vinay_]
no slides
08:12:53 [ifette]
… consent, etc
08:13:04 [ifette]
… APIs for "exceptions"
08:13:05 [johnsimpson]
thanks, vinay
08:13:08 [ifette]
… terminology lesson
08:13:18 [jchester2]
yes there are slides for Aleecia's presentation. Can they be sent to the members not in room?
08:13:21 [aleecia]
aleecia has joined #dnt
08:13:26 [ifette]
… compliance doc says "You shouldn't track except that you can claim the following permissions for the following reasons"
08:13:31 [ifette]
… permissions come from compliance doc
08:13:32 [WileyS]
john, click on the link above to open the doc in a browser window and follow along
08:13:41 [ifette]
… site can ask a user for an exception for broader permissions
08:14:03 [ifette]
… request for a user-granted exception, that's when you see a signal saying "I believe you've given me an exception and therefore I can do xyz"
08:14:18 [ifette]
… outbound is 0/1/absent
08:14:35 [johnsimpson]
saw Aleecia's, Jeff
08:14:36 [ifette]
… return has qualifiers relating to permissions from the compliance doc. Debate as to requirements to use these
08:14:42 [ifette]
… as well as additional qualifiers
08:15:07 [Zakim]
08:15:33 [ifette]
… exceptions have two kinds, a "first-party" saying "to continue to work with you, I need an exception for a given list of third parties" e.g. a site monetizing itself with ad revenue
08:15:40 [ifette]
… can ask for an exception for third parties on your site
08:16:24 [ifette]
… list of third party sites from the first party, user is asked (in an undefined manner) "are you ok with this" which then causes a 0 to be sent to these parties giving them permission to track the user in this context. a site-specific exception
08:16:40 [ifette]
… also site-wide exception, request from first party to say no matter what third party appears on my site, give them a DNT0
08:16:56 [ifette]
(didn't we get rid of site specific exception? or basically merge it into site-wide?) - ian
08:17:01 [ifette]
dsinger: also have web-wide exception
08:17:44 [ifette]
… user thinks it's advantageous/agreeable to be tracked by a site no matter where it turns up, e.g. "" where you want a site to remember what sites you've visited, be able to "like" certain sites and get recommendations. Clearly want to give this site permission to track you across all sorts of different sites
08:18:00 [npdoty]
08:18:01 [ifette]
… rough overview of TPE, throw to Matthias for open issues etc
08:18:06 [fielding]
fielding has joined #dnt
08:18:07 [rigo]
ack ri
08:18:07 [Zakim]
rigo, you wanted to push back on tracking definition because this is boiling the ocean
08:18:09 [rigo]
ack tl
08:18:20 [schunter]
08:18:24 [johnsimpson]
cannot hear
08:18:32 [justin]
08:18:38 [johnsimpson]
ok now
08:18:55 [ifette]
justin: compliance doc, link pasted in IRC. Walk through document, identify major areas of contention, structure. hwest will pop in
08:19:05 [ifette]
… if you object to something I say, raise hand / holler
08:19:16 [ifette]
… document structure - 1 & 2 on intro scope / goals
08:19:24 [ifette]
… parked as people disagree, will fine tune once substance is in place
08:19:36 [ifette]
… as dsinger said, this is about what the obligations are
08:19:43 [ifette]
… section 3/4 how first parties comply
08:19:52 [ifette]
… 5 how UAs comply, controversial
08:19:57 [ifette]
… 6 is how third parties comply, bulk of the document
08:20:05 [ifette]
… a few controversial definitions
08:20:21 [ifette]
… "user agent" has recent discussion around perhaps different classes of UAs - add-on vs browser
08:20:25 [ifette]
… may have different obligations
08:20:28 [ifette]
… not really fleshed out
08:20:32 [ifette]
… 3.3 is definition of party
08:20:44 [ifette]
… lots of controversy at one point
08:20:51 [ifette]
… discussions around common branding vs ownership
08:21:10 [ifette]
… settled on corporate structure being sufficient as long as it's easily discoverable
08:21:16 [ifette]
… two options in text, relatively close
08:21:16 [dsinger]
…notes that many other pieces of software other than web browsers access HTTP-loaded resources (e.g. RSS newsreaders, email agents)...
08:21:20 [BrendanIAB]
User Agent is strongly defined in the HTTP 1.1 spec - I'll need to catch up on the discussion. It's more that "intermediary" needs to be defined into subcategories.
08:21:20 [ifette]
… 3.4 on service providers / outsourcers
08:21:34 [ifette]
… a data processor / service provider need not obtain separate permission to work on your behalf
08:21:38 [ifette]
… 3 options in current draft
08:21:50 [ifette]
… one long one from jonathan/eff, two later that are less detailed
08:21:57 [aleecia]
We also have non-User Agents setting DNT. That's on the agenda for today.
08:21:59 [ifette]
… roy put in text in ML last night which might help us here
08:22:09 [ifette]
… general agreement service provider should be able to work for you
08:22:21 [ifette]
… 3.5 distinguishes between 1st/3rd parties. Long definition at first, shorter alternative
08:22:30 [ifette]
… longer one may be less controversial
08:22:37 [ifette]
… lots of discussion on this
08:23:00 [ifette]
… second option is more vague
08:23:05 [ifette]
… "first party is the site you go to"
08:23:32 [ifette]
… 3.6 is for "unlinkable" data
08:23:46 [ifette]
… lots of chatter on ML about how to decide if something is unlinkable
08:23:50 [ifette]
… 3.9 definition of tracking
08:23:53 [ifette]
… may need more work
08:24:00 [ifette]
… "tracking" not used as a term in the document
08:24:00 [robsherman]
Just for completeness, there's alternative text for multiple first parties that's been discussed on the mailing list that is based on what's in this draft.
08:24:04 [ifette]
… phrased in term of collection
08:24:04 [BrendanIAB]
aleecia - Right, wrt intermediaries setting DNT header. It sounded like the definition of user agent (the software that initiates the HTTP request) may be up for discussion. Which would be complex.
08:24:14 [ifette]
… but maybe we need to make sure definitions of collection/retention are sufficient
08:24:22 [ifette]
… 3.10 on explicit and informed consent
08:24:25 [Zakim]
08:24:34 [aleecia]
I don't think we should re-define UAs. But we may want "UAs and others"
08:24:34 [ifette]
… used to turn DNT on in the first place (explicit/informed consent) as well as for a user-granted exception
08:24:38 [aleecia]
Or we may not.
08:24:39 [fielding]
fielding has joined #dnt
08:24:49 [ifette]
… two options in the draft for this text as well
08:24:51 [aleecia]
Worth talking through
08:25:05 [ifette]
… Sec 4 is on first party compliance
08:25:15 [Frank_]
Frank_ has joined #dnt
08:25:19 [ifette]
… general agreement there should be few restrictions, except e.g. send all the data to a third party
08:25:31 [ifette]
… some discussions around "Data Append"
08:26:22 [ifette]
… Sec 5, next is a relatively new section taken largely from TPE document, UA must have explicit consent to turn on DNT in the first place
08:26:33 [ifette]
… shane suggested some modifications
08:26:49 [ifette]
… section 6 on third party compliance
08:26:57 [npdoty]
I don't think "express and informed consent" in User Agent Compliance came from the TPE, I think that was just a new phrase just invented there
08:27:02 [ifette]
… will be debated over the day,
08:27:10 [ifette]
… short term collection/use
08:27:17 [ifette]
… discussion around 6-week grace period
08:27:21 [ifette]
… contextual ads
08:27:33 [ifette]
… 6.1.3 on first-party data use
08:28:00 [ifette]
… frequency capping
08:28:14 [ifette]
… financial logging / auditing
08:28:19 [ifette]
… fair amount of extent of that info
08:28:22 [ifette]
… security/fraud
08:28:31 [ifette]
… debugging
08:28:48 [rigo]
zakim, code?
08:28:48 [Zakim]
the conference code is 87225 (tel:+1.617.761.6200, rigo
08:28:50 [ifette]
… aggregate reporting, may be taken out and structured in terms of unlinkability, up in the air
08:28:53 [ifette]
… compliance with local laws
08:29:04 [ifette]
… "nothing else"
08:29:13 [ifette]
… data minimization and transparency
08:29:19 [ifette]
… requirement to disclose
08:29:22 [ifette]
… no personalization
08:29:32 [ifette]
… and how much can you collect for these purposes
08:29:36 [Joanne]
Joanne has joined #DNT
08:29:36 [aleecia]
(requirement to disclose retention period)
08:29:50 [ifette]
… no persistent identifiers is one proposal, strong disagreement on that position
08:29:58 [ifette]
… a section here for a long time on geolocation compliance
08:30:08 [ifette]
… how precisely you can target with geolocation. Not consensus but hasn't been discussed in a long time
08:30:13 [ifette]
… provisions for user-granted exceptions
08:30:22 [npdoty]
I thought it was basically consensus, we did a few iterations on the geolocation piece
08:30:28 [ifette]
… 6.4 is new about disregarding non-compliant user agents
08:30:53 [npdoty]
scribenick: npdoty
08:30:53 [ifette]
ifette has joined #dnt
08:31:05 [npdoty]
scribenick: ifette
08:31:11 [ifette]
justin: a very dry walk-through
08:31:14 [aleecia]
geo-loc had been at consensus. Ian rejoined the group with new-to-us information, but I don't believe there is new text. This is the sort of thing we might reopen based on Ian's information.
08:31:16 [npdoty]
08:31:19 [ifette]
… seeing no questions, turn back to Aleecia
08:31:36 [ifette]
Aleecia: coffee outside the door. Don't have scheduled time for a break. Take a minute, caffeinate, and get back here
08:35:43 [johnsimpson]
Did we lose microphone? Now hearing nothing...
08:35:59 [johnsimpson]
heard lots of chatter during break
08:36:38 [BrendanIAB]
I think that folks turned off their mics
08:37:24 [johnsimpson]
Thanks, Brendan. Hearing chatter now.
08:38:32 [BrendanIAB]
JC is just trying to clear the room!
08:38:47 [robsherman]
robsherman has joined #dnt
08:39:13 [npdoty]
scribenick: robsherman
08:39:30 [ifette]
rob, you good
08:39:31 [ifette]
08:39:36 [robsherman]
08:39:56 [npdoty]
Topic: Definitions
08:39:59 [BrendanIAB]
screen not being shared yet.
08:40:16 [justin]
For those at home, we're discussing 3.8 of the compliance draft
08:40:18 [robsherman]
aleecia: Looking at definitions in Compliance doc. Want to identify issues and assign actions to write alternative text.
08:40:33 [johnsimpson]
waiting to see screen
08:40:35 [npdoty]
vinay_, do you have a read on whether screen sharing should be working now?
08:40:41 [justin]
08:40:43 [vinay_]
For those who want to follow-along to what Aleecia is pointing at --
08:40:45 [npdoty]
otherwise, you can follow the text just by looking at that section
08:40:56 [robsherman]
… Sec 3.8 — collection/retention
08:41:00 [amyc]
amyc has joined #dnt
08:41:37 [vinay_]
npdoty - asked her to; she needs to enable it on her computer
08:41:51 [afowler]
afowler has joined #dnt
08:42:02 [robsherman]
… [reading text]
08:42:11 [johnsimpson]
still not being shared. what is section in draft, please?
08:42:16 [robsherman]
08:42:21 [amyc]
08:42:37 [npdoty]
08:42:39 [amyc]
08:42:42 [robsherman]
aleecia: Comments on issues in this text?
08:43:15 [robsherman]
amyc: Need to work on definition of "share" because of prospect of downstream liability.
08:43:25 [rigo]
08:43:30 [npdoty]
ack amyc
08:43:55 [ChrisPedigoOPA]
08:44:03 [robsherman]
… Example of a small website that uses Google Ads. Under this definition, could be "sharing" info with Google. We're really concerned about circumvention.
08:44:15 [WileyS]
08:44:16 [dwainberg]
08:44:21 [npdoty]
ack rigo
08:44:22 [peter-4As]
08:44:38 [johnsimpson]
Amy, but isn't that a first party and allowed?
08:45:00 [robsherman]
rigo: Wants to work with Amy because "uses" prohibits forwarding. Different taxonomy from EU law.
08:45:08 [amyc]
john, not sure I understand your question?
08:45:13 [justin]
There's an argument that amyc's issue should be addressed in first-party compliance instead of the definition of "share," yes?
08:45:34 [justin]
08:45:39 [npdoty]
action: Colando to draft updated 'share' definition to avoid concerns (with rigo and chris-p)
08:45:39 [trackbot]
Created ACTION-264 - Draft updated 'share' definition to avoid concerns (with rigo and chris-p) [on Amy Colando - due 2012-10-10].
08:45:45 [npdoty]
ack rigo
08:45:46 [Joanne]
+1 to help Amy
08:45:49 [npdoty]
ack ChrisPedigoOPA
08:45:56 [npdoty]
ack WileyS
08:46:28 [robsherman]
shane: We shouldn't be saying that information must be deleted if it's inadvertently collected; we should be saying that it must be used appropriately according to its appropriate context. Will update.
08:46:56 [robsherman]
dwainberg: Overlap between "collects" and "retains."
08:47:06 [robsherman]
… Also, "data coming within a party's control" seems broad/vague.
08:47:12 [npdoty]
action: Wiley to update text in 3.8.1 regarding bringing into compliance, not just deletion
08:47:12 [trackbot]
Created ACTION-265 - Update text in 3.8.1 regarding bringing into compliance, not just deletion [on Shane Wiley - due 2012-10-10].
08:47:29 [robsherman]
…. 3.8.1: unclear what "reasonable efforts to understand its information practices" means. Also seems broad/vague.
08:47:31 [fielding]
My objection has not changed.
08:47:35 [Simon]
Simon has joined #dnt
08:47:51 [robsherman]
aleecia: We deliberately define "collects" and "retains" differently. Why do you think they overlap?
08:48:04 [kj_]
kj_ has joined #dnt
08:48:06 [rigo]
Amy, do you think we could merge "share" and "use"?
08:48:25 [justin]
rigo, no!
08:48:26 [npdoty]
depending on how we come down on third-party compliance, it could be that our definitions will really need retention rather than collection
08:48:27 [robsherman]
dwainberg: There may be cases when data comes within the party's control but the party holds the data only transiently. It seems like there is an element of retention in "collection."
08:48:34 [npdoty]
08:48:39 [npdoty]
ack dwainberg
08:49:03 [dsinger]
+1 to Ian; collection implies you took active steps
08:49:35 [robsherman]
ifette: Agrees that distinguishing is confusing because when we use "collect" in English we ordinarily think about keeping. There's also no real way to prove that once a party has touched data that it has never been swapped to disk, for example, even instantaneously. This may be addressed by the short-term retention period we've been discussing.
08:49:37 [BerinSzoka]
+1 to Ian: COPPA is a great example of a legal regime where "collection" has a meaning beyond its normal use (including allowing kids to share personal information--i.e., communicating with other users) and it causes huge problems
08:49:53 [schunter]
schunter has joined #dnt
08:49:53 [rigo]
08:50:10 [schunter]
\me test
08:50:11 [fielding]
I already did that.
08:50:20 [BrendanIAB]
Consider "receives" as opposed to "collects"?
08:50:28 [npdoty]
action: fette to suggest retention related to a timed grace period (with dwainberg)
08:50:28 [trackbot]
Created ACTION-266 - Suggest retention related to a timed grace period (with dwainberg) [on Ian Fette - due 2012-10-10].
08:50:29 [bryan_]
bryan_ has joined #dnt
08:50:30 [WileyS]
Matthias, "/"me
08:50:41 [rigo]
q+ to ask whether we can merge "collect and retain"
08:50:42 [schunter]
08:50:44 [npdoty]
fielding, you're referring to your version of the "tracking" definition which incorporates the time period?
08:50:52 [dwainberg]
08:50:57 [BrendanIAB]
If you're looking at something that doesn't imply retention in any way.
08:50:59 [rigo]
08:51:28 [fielding]
no, I am referring to my definition of data collection
08:51:28 [robsherman]
peter-4As: Seems to be a general notion in the documents that this is focused on "data," but we actually should consider what we mean when we use the term "data." Consider pseudonymous data - treated differently?
08:51:42 [lmastria-DAA]
08:52:03 [npdoty]
ack peter-4As
08:52:13 [npdoty]
08:52:16 [rigo]
08:52:17 [robsherman]
… Concern about covering anonymous/pseudonymous data in the same way as other data.
08:52:28 [robsherman]
aleecia: We've already made some decisions on these issues.
08:52:36 [robsherman]
… We decided we're not going to address children one way or the other.
08:52:43 [npdoty]
I think the unlinkable definition (and such data out of scope) might be relevant to this point
08:52:46 [robsherman]
… We decided not to categorize data (PII vs. non-PII, for example).
08:52:51 [tlr]
+1 to npdoty
08:53:00 [tlr]
q+ npdoty
08:53:16 [tlr]
08:53:36 [robsherman]
ruud: If we don't recognize that EU Parliament is taking a different approach, doesn't that hurt us?
08:53:57 [rigo]
+1 to npdoty
08:54:00 [robsherman]
aleecia: We recognize that our spec isn't going to map to any particular country's laws. We're working on a separate Global Considerations doc to give advice to people on how to manage this.
08:54:12 [rigo]
08:54:56 [robsherman]
npdoty: It may be that the definition of "unlinkable" data — which would be out-of-scope largely — would address ruud's concern.
08:55:10 [justin]
Unlinkable addresses some but not all of peter-4As's concerns.
08:56:15 [npdoty]
08:56:40 [robsherman]
ruud: We need to be sure that our standard is descriptive enough to be valuable. If "unlinkable" does that, we should dedicate the time to make it clear.
08:56:45 [robsherman]
ack justin
08:57:22 [robsherman]
justin: Regarding amyc's small publisher example, this should be dealt with in the first party compliance section. We should leave the definition of "sharing" the same and just deal with what first parties can do.
08:57:42 [robsherman]
…. On the "collection" point, if we leave "collection" but have a 6-week grace period as a permitted use, does that address the concern?
08:58:05 [rigo]
I suggest to merge use and sharing. I also suggest to have collect only for the things stored and "retain" for things that are stored beyond 6 weeks
08:58:06 [npdoty]
I think that might be a good approach, justin; many of the sharing use cases might be addressed by clarifying first-party compliance
08:58:08 [dsinger]
08:58:09 [robsherman]
ifette: I didn't have a problem with the goal of the text, but was just pointing out that the text was confusing.
08:58:22 [robsherman]
ack dwainberg
08:58:22 [Chris_IAB]
so are we going to put the burden of implementing DNT on the millions of little mom & pop websites around the world? These are almost all exclusively monetized by 3rd party ad networks.
08:58:26 [npdoty]
zakim, close queue
08:58:26 [Zakim]
ok, npdoty, the speaker queue is closed
08:58:27 [fielding]
currently the 6-week conflicts with the requirements on third-party as stated
08:58:57 [robsherman]
dwainberg: [wants more actions!]
08:59:15 [fielding]
BTW, ruud's comments are similar to mine in
08:59:18 [robsherman]
ack lmastria-DAA
08:59:34 [justin]
fielding, expand, don't fully understand. Is it that during the 6-week you might be transferring or personalizing without knowing you're a third party governed by DNT?
08:59:36 [npdoty]
action-265: dwainberg interested, might have differing views on the first part of the unknowing piece
08:59:36 [trackbot]
ACTION-265 Update text in 3.8.1 regarding bringing into compliance, not just deletion notes added
08:59:45 [rigo]
WileyS, I think the definition of "collect" is far too harsh and creates problems IMHO
08:59:48 [jchester2]
08:59:58 [robsherman]
lmastria-DAA: DAA goes through all of this in discrete detail, which can be a resource for implementation.
09:00:32 [jchester2]
I disagree. The DAA's spec is considered totally inadequate by privacy advocates and many academics.
09:00:37 [JC]
JC has scribe
09:00:45 [robsherman]
scribenick: JC
09:01:06 [JC]
dsinger: Roy has expressed confusion in collection term
09:01:11 [fielding]
justin, I mean that the way that the collection is constrained right now does not take into account the 6-week window concept, so it is hard to know if having a broad definition and a 6-week allowance "helps"
09:01:20 [rigo]
+1 to dsinger
09:01:21 [Chris_IAB]
jchester2, which part(s) of the DAA Principles do you consider "totally inadequate"? Could you please be more specific?
09:01:24 [JC]
... setting rules on something you already have
09:01:33 [ifette]
ACTION-266: Note that dsinger used the term "exposure" which may be a better way to phrase things than collection
09:01:33 [trackbot]
ACTION-266 Suggest retention related to a timed grace period (with dwainberg) notes added
09:01:35 [npdoty]
lmastria-DAA, if you can provide that text to the group as a submission, that would be helpful (would also give us permission to include that text)
09:01:37 [JC]
Aleecia: Does 3.8 address that?
09:01:44 [JC]
Dsinger: not necessarily
09:01:46 [fielding]
no, exceptions that are the rule are not a sensible solution
09:01:52 [JC]
Aleecia: I don't understand why
09:01:59 [lmastria-DAA]
links to DAA ....
09:02:01 [JC]
Dsinger: much longer discussion
09:02:01 [npdoty]
jchester2, I think Lou is suggesting taking advantage of definitions from the DAA document, rather than compliance on the whole
09:02:17 [JC]
Aleecia: Maybe we don't need to define collection?
09:02:39 [JC]
Dsinger: Collection sounds like an active act. Can be misleading for someone not reading definition.
09:02:39 [dwainberg]
09:02:55 [justin]
fielding, I understand you don't like broad definitions with exceptions that carve things out, but logically they achieve the same purpose. But I am OK with restating if it achieves that same thing.
09:02:59 [JC]
Aleecia: does exposed versus collection a meaningful description
09:03:12 [JC]
Dsinger will work with Ifette on issue
09:03:18 [npdoty]
action-266: dsinger to help, regarding a distinction regarding "exposed"
09:03:18 [trackbot]
ACTION-266 Suggest retention related to a timed grace period (with dwainberg) notes added
09:03:24 [JC]
Dwainberg: valid point
09:03:35 [jchester2]
What it says it does to address user concerns; how it describes the problem; lack of coverage for sensitive data except what is required by law, such as COPPA, or doesn't reflect what its members actually do in practice regarding financial and health data; the icon system was not tested and is not a valid way to serve privacy. The explanation of what is collected and why versus the actual practices of the companies regarding data collecting is purposefully mi
09:03:35 [npdoty]
action-266: rigo also interested
09:03:35 [trackbot]
ACTION-266 Suggest retention related to a timed grace period (with dwainberg) notes added
09:03:47 [JC]
Aleecia: sounds like if we have five people working on it then do it during a break
09:04:02 [Zakim]
+ +1.425.214.aadd
09:04:05 [JC]
... we are out of time for this issue.
09:04:36 [fwagner]
fwagner has joined #dnt
09:04:36 [justin]
npdoty, Do we want to address the issues of unid'd callins at some point?
09:04:40 [rachel_n_thomas]
09:04:52 [tlr]
zakim, reopen the queue
09:04:52 [Zakim]
ok, tlr, the speaker queue is open
09:04:56 [bryan_]
zakim, aadd is bryan_
09:04:56 [Zakim]
+bryan_; got it
09:04:58 [JC]
... definitions for first and third party
09:05:04 [npdoty]
Zakim, who is on the phone?
09:05:04 [Zakim]
On the phone I see Telegraaf, BrendanIAB?, johnsimpson, fielding, bryan_
09:05:05 [JBWeiss]
JBWeiss has left #DNT
09:05:10 [rachel_n_thomas]
move to reopen the queue
09:05:16 [JC]
... section 3.5. Do we think that these options are at final text?
09:05:17 [tlr]
09:05:27 [justin]
zakim, who is on the phone?
09:05:27 [Zakim]
On the phone I see Telegraaf, BrendanIAB?, johnsimpson, fielding, bryan_
09:05:30 [npdoty]
q- dsinger
09:05:32 [Brooks]
Brooks has joined #dnt
09:05:35 [npdoty]
q+ rachel_n_thomas
09:05:36 [JC]
... Should some of these be reworked or should additional options be added?
09:05:38 [lmastria-DAA]
how do we respond to queue questions?
09:05:51 [ChrisPedigoOPA]
09:06:24 [JC]
... first party the user knowingly and intentionally interacted with it. Otherwise 3rd party.
09:06:40 [fielding]
My comments and alternative are at
09:06:49 [JC]
... possible to have multiple first parties on one page, but branding must be clear and have separate privacy policies
09:07:02 [JC]
... the first party is not based on domain name
09:07:21 [JC]
... domain could reference different party from URL
09:07:25 [dsinger]
The second sentence in the third party paragraph is talking about first parties, and belongs in the first party paragraph.
09:07:32 [rigo]
09:07:35 [JC]
... different URL could belong to same party
09:07:39 [npdoty]
09:07:47 [JC]
... if that is not clear raise question
09:08:05 [rigo]
q+ ask the browser folks whether we can draw from the TPE
09:08:16 [rigo]
q+ to ask the browser folks whether we can draw from the TPE
09:08:24 [tlr]
ack ChrisPedigoOPA
09:08:26 [JC]
lmastria: I have a question about process
09:08:39 [JC]
Rachel why are not DMA proposals not listed here?
09:08:42 [lmastria-DAA]
response to jchester2...the program was tested and is tested and validated every day by users (11 mm to date). the practices do match and when they don't we have enforcement to drive compliance, the latest of which happened monday
09:08:51 [npdoty]
s/Rachel why/rachel: why/
09:08:51 [JC]
... I would like to see them added or explained why not
09:09:04 [JC]
... why have we moved on from discussion of unlinkable data
09:09:05 [fielding]
09:09:20 [JC]
Aleecia: we have run out of time and will come back to unlinkable data at end of day
09:09:21 [justin]
ChrisPedigoOPA, here is the definition of party discussing affiliateness
09:09:36 [ChrisPedigoOPA]
thanks Justin
09:09:48 [lmastria-DAA]
09:10:00 [lmastria-DAA]
09:10:03 [JC]
... this is not the DAA or self-reg group
09:10:22 [JC]
Rachel: I feel there are many DAA members here
09:10:32 [justin]
rachel_n_thomas, Can you link the defs for us?
09:10:41 [fielding]
Imastria-DAA, please send those proposals to the mailing list
09:10:42 [JC]
... I have concrete proposals and can add them to IRC
09:10:46 [npdoty]
does someone have a summary of how the DAA definitions would vary from the current options?
09:11:01 [JC]
Aleecia: We can assign an action item to you and you can respond with your text to mailing list
09:11:02 [rigo]
rachel_n_thomas: please share link to DAA definitions
09:11:09 [JC]
... let me know if you have question on process
09:11:15 [npdoty]
09:11:15 [rigo]
09:11:18 [npdoty]
ack rachel_n_thomas
09:11:19 [rigo]
ack rachel_n_thomas
09:11:19 [JC]
Rachel: I am comfortable taking action item
09:11:51 [npdoty]
action: rachel to propose first/third party definitions from existing DAA documents
09:11:51 [trackbot]
Created ACTION-267 - Propose first/third party definitions from existing DAA documents [on Rachel Thomas - due 2012-10-10].
09:11:53 [JC]
Rigo: We have a very sophisticated system in TPE on first and third party distinction. Should we use that.
09:12:05 [rachel_n_thomas]
DAA definitions of first party and third party are available for review here
09:12:14 [JC]
... Can technology address this?
09:12:40 [JC]
Aleecia: the two docs are not in sync and maybe we can address this.
09:12:41 [robsherman]
09:12:46 [npdoty]
ack rigo
09:12:46 [Zakim]
rigo, you wanted to ask the browser folks whether we can draw from the TPE
09:12:47 [rigo]
ack rigo
09:12:47 [JC]
Dsinger: yes they should be in sync
09:13:09 [JC]
... I will take action to bring the docs into sync
09:13:13 [JC]
Rigo: I will help
09:13:23 [npdoty]
I think even with fielding's proposal and the existing TPE text, we still have concepts of user expectations/understanding in interaction
09:13:36 [dsinger]
action: dsinger to edit the TPE document to make sure that the final definition of parties is in sync across the two specifications
09:13:36 [trackbot]
Sorry, couldn't find dsinger. You can review and register nicknames at <>.
09:13:41 [JC]
Aleecia: Does either author wish to revise them based on feedback
09:13:52 [JC]
... one from Jonathan, Tom and Peter
09:13:55 [justin]
09:13:59 [JC]
... another from Shane et al.
09:14:03 [dwainberg]
09:14:13 [JC]
Shane: what is discussion
09:14:21 [JC]
Aleecia: first and third party
09:14:44 [dsinger]
action: dsinger to edit the TPE document to make sure that the final definition of parties is in sync across the two specifications
09:14:44 [trackbot]
Sorry, couldn't find dsinger. You can review and register nicknames at <>.
09:14:57 [dwainberg]
09:14:59 [dwainberg]
09:15:15 [JC]
Justin: I wanted to modify definition to address multiple-first party issue. How would TPE address that
09:15:23 [npdoty]
action: singer to edit the TPE document to make sure that the final definition of parties is in sync across the two specifications
09:15:23 [trackbot]
Created ACTION-268 - Edit the TPE document to make sure that the final definition of parties is in sync across the two specifications [on David Singer - due 2012-10-10].
09:15:25 [JC]
Dsinger: it doesn't
09:15:27 [fielding]
Why would it matter?
09:15:28 [WileyS]
09:15:43 [justin]
09:16:01 [JC]
... substantial chunks of the TPE looks at top level domain
09:16:04 [tlr]
ack WileyS
09:16:21 [mischat]
mischat has joined #dnt
09:16:27 [JC]
WileyS: It should be no different from multi-domain structure. Each party responds as first parties.
09:16:42 [JC]
... handle it in that the beacon responds as first party
09:17:03 [JC]
Aleecia: That's great if they are co-first parties, but how does that work for FB button
09:17:05 [justin]
Thanks, rachel_n_thomas. I find the definition of third party too narrow given where we are (only OBA companies are first parties), but the first party definition tracks pretty closely to what we have as Option 2 right now.
09:17:15 [justin]
Ugh, s/first/third
09:17:23 [JC]
... same for clicking on an ad and why the discussion matters
09:17:29 [JBWeiss]
JBWeiss has joined #DNT
09:17:36 [JC]
Dsinger: the TPE discusses promotion
09:17:56 [npdoty]
ack robsherman
09:18:10 [JC]
Robsherman: Need to discuss how to manage multiple first parties
09:18:20 [fielding]
It is not relevant to TPE. It could be "solved" in a tracking policy document, or even an array of policy links, but it is still not relevant to the protocol.
09:18:42 [JC]
... both address but not clearly. I sent proposed text to email list
09:18:57 [JC]
Aleecia: Nick will assign action number to work
09:18:59 [johnsimpson]
Explain more please, Roy
09:19:00 [tlr]
09:19:00 [npdoty]
have we reviewed robsherman's text? maybe that would supplant existing options?
09:19:11 [justin]
Agree with fielding, I think that has to be addressed specifically in compliance doc.
09:19:13 [fielding]
That does not stop it from being relevant to compliance.
09:19:28 [JC]
Dwainberg: There was more discussion about determining with high probability, but now description on how that is done
09:19:34 [JC]
... can someone describe
09:19:34 [amyc]
as a process question, why isn't proposed text included as option?
09:19:41 [JC]
Aleecia: that is in first option
09:20:15 [JC]
Dwainberg: in 3.5.2 websites is discussed and the work applies beyond websites and we should address
09:20:26 [tlr]
robsherman's text is here:
09:20:34 [JC]
Aleecia: could Shane or Heather address
09:20:43 [tlr]
09:20:50 [JC]
... Justin will address
09:20:50 [rigo_]
rigo_ has joined #dnt
09:20:55 [JC]
Justin: Address what?
09:21:27 [JC]
WileyS: need to elaborate on websites to something more appropriate
09:21:54 [npdoty]
action: brookman to update 3.5.2 to expand beyond "Web site"
09:21:54 [trackbot]
Created ACTION-269 - Update 3.5.2 to expand beyond "Web site" [on Justin Brookman - due 2012-10-10].
09:21:55 [JC]
Dwainberg: Can clarification be made on option 1. It's not clear to me
09:21:58 [WileyS]
Justin, more expansive term than "web site" in 3.5.2. Perhaps "user interaction" instead?
09:22:13 [JC]
Aleecia: I believe that Rob suggested some text and we should look at that
09:22:36 [npdoty]
09:22:36 [WileyS]
Justin, or perhaps a list: "site, server, or application central to user interaction"?
09:22:37 [JC]
Robsherman: I will paste link into IRC
09:22:39 [npdoty]
ack dwainberg
09:22:40 [schunter]
09:22:40 [vinay_]
q+ kevinsmith
09:22:57 [robsherman]
(HT tlr)
09:23:00 [npdoty]
ack kevinsmith
09:23:32 [npdoty]
09:23:34 [JC]
Kevinsmith: I'm concerned about having a link to separate privacy policies. There can be situations where it will be difficult due to real estate issues.
09:23:56 [JC]
... I don't have an obvious example, but I believe it is an issue
09:24:14 [JC]
WileyS: We didn't look at idea of promotion for multiple first parties
09:24:40 [JC]
... after clicking on a widget the privacy policy can be accessed
09:25:00 [rigo_]
note that "branding" is a commercial concept and DNT goes beyond commerce only
09:25:13 [justin]
Multi first party should be fairly rare.
09:25:21 [fielding]
This is another topic I already provided written comments for …
09:25:37 [robsherman]
09:25:49 [lmastria-DAA]
09:26:22 [robsherman]
09:26:47 [npdoty]
aleecia: suggestion, in 3.5.2 and Option 2, make the privacy policy a should, relying on screen real estate
09:26:48 [npdoty]
09:26:49 [dsinger]
dsinger has joined #dnt
09:27:11 [amyc]
as housekeeping matter, we need to move interaction/promotion section to option 2 as well, right?
09:27:21 [justin]
+1 to npdoty --- these two definitions are functionally the same.
09:27:39 [amyc]
in other words, both option 1 and option 2 need to accommodate multiple first parties and promotion to first party
09:27:46 [WileyS]
Let's work on combining them then - I'm open to that
09:27:55 [bryan]
bryan has joined #dnt
09:28:02 [robsherman]
09:28:14 [justin]
09:28:21 [lmastria-DAA]
09:28:22 [npdoty]
ack npdoty
09:28:31 [dsriedel]
dsriedel has joined #dnt
09:28:38 [justin]
09:29:35 [npdoty]
npdoty: I think these two definitions may not be all that different, both rely on user expectations for the sake of promotion / interaction
09:29:53 [justin]
WileyS, if you have an action item here, may want to consider fielding's test too:
09:30:21 [justin]
09:30:22 [rachel_n_thomas]
09:30:28 [npdoty]
... think there's a good chance we could combine these, particularly since we need to update "visiting" a "site" already, which might correspond to the concept of intending to interact with
09:30:43 [Chapell]
Chapell has joined #DNT
09:31:23 [johnsimpson]
09:31:30 [WileyS]
Justin, got it - shared the text with David as we work on the rewrite
09:32:00 [dsinger]
option 3 only talks about first parties, which is a problem
09:32:05 [WileyS]
Justin - rewrite of 3.8.1 to be specific
09:32:23 [tlr]
tlr has joined #dnt
09:32:32 [hwest_]
09:32:51 [npdoty]
WileyS, justin - I thought we were talking about the first/third party definition updates -- for which we don't have an action
09:32:58 [amyc]
09:33:01 [dwainberg]
09:33:05 [npdoty]
q+ dwainberg
09:33:11 [npdoty]
ack hwest_
09:33:12 [dwainberg]
09:33:19 [dwainberg]
I don't know why I keep doing that :)
09:33:38 [rigo_]
09:33:38 [johnsimpson]
sorry, lost track what section?
09:33:51 [tlr]
tlr has joined #dnt
09:34:00 [npdoty]
ack rachel_n_thomas
09:34:13 [npdoty]
scribenick: npdoty
09:34:33 [justin]
npdoty, Yes, I think you should make an option on WileyS on this, but I'm willing to take it on --- I am fine with killing "high probability" in favor of the other text (though I still think you have subjective questions either way).
09:34:37 [npdoty]
rachel_n_thomas: happy to add definitions from DAA as an option, especially since most people in the room were involved with that
09:34:41 [WileyS]
09:34:42 [tlr]
09:34:46 [rigo]
ack amyc
09:34:47 [tlr]
ack amyc
09:35:02 [johnsimpson]
Rachel: Don't think everyone in room developed that. I sure didn't have a hand in it.
09:35:05 [JC]
JC has joined #DNT
09:35:06 [npdoty]
amyc: I do like option 3, though it would need to be broadened to third party as well
09:35:06 [rwessel]
rwessel has joined #dnt
09:35:13 [rigo]
ack tlr
09:35:20 [npdoty]
... service providers to detect fraud and monitor security
09:35:28 [WileyS]
09:35:40 [npdoty]
... those service providers need to aggregate that information across multiple clients
09:35:48 [npdoty]
... talks to the permitted uses, not just silo'ing
09:35:51 [JC]
Amy: I like option 3 since it doesn't specifically require siloing
09:36:04 [tlr]
ack dwainberg
09:36:07 [hwest_]
Not sure whether this got in there - but intention to option 3 is to have a pure definition that's simple and in line with consensus of the group in Seattle.
09:36:09 [npdoty]
aleecia: is the siloing just around security/fraud, or all of them?
09:36:14 [justin]
09:36:16 [efelten]
efelten has joined #dnt
09:36:17 [npdoty]
some people in the room: all of them
09:36:43 [fielding]
I consider such data-gathering for security to be a permitted third party, not a service provider relationship.
09:36:45 [npdoty]
dwainberg: language about "no independent rights" could be too limiting, service providers will have certain needs (debugging, maintaining)
09:36:58 [amyc]
options need to include ability to use across clients, rather than strict siloing. Example is fraud detection services that need to aggregate data across multiple clients in order to effectively detect fraud
09:37:15 [adrianba]
adrianba has joined #dnt
09:37:16 [npdoty]
... scoped to instead be "no independent rights" for a particular use
09:37:23 [Rene]
09:37:25 [npdoty]
npd: fielding, I assumed that as well
09:37:27 [amyc]
fielding, first parties are prohibited from sharing with third parties, can only share with service provider
09:37:30 [ksmith]
ksmith has joined #DNT
09:37:46 [amyc]
sites need to share with service provider that may be aggregating information for security detection
09:38:13 [npdoty]
rigo: if the service provider on your behalf uses the data to secure their own service, that's fine
09:38:23 [npdoty]
... the key is the *independent* use
09:38:31 [fielding]
amyc, I think we would need additional text to allow it -- tightly scoped to not be a huge privacy hole
09:38:45 [rwessel]
rwessel has left #dnt
09:38:57 [rigo]
ack rig
09:39:12 [Simon]
Simon has joined #dnt
09:39:20 [npdoty]
action: rachel to propose existing DAA text for service providers
09:39:20 [trackbot]
Created ACTION-270 - Propose existing DAA text for service providers [on Rachel Thomas - due 2012-10-10].
09:39:27 [fielding]
09:39:31 [ChrisPedigoOPA]
09:39:31 [amyc]
fielding, I wonder whether option three, which speaks to permitted uses as well in context of service provider relationship - and fraud detection is permitted use
09:40:03 [Simon]
Simon has joined #dnt
09:40:11 [dwainberg]
09:40:18 [npdoty]
q+ dwainberg
09:40:22 [npdoty]
ack WileyS
09:40:34 [fielding]
I proposed rough text on the list for service provider within first party rather than as a separate party
09:40:50 [Chris_IAB]
Chris_IAB has joined #dnt
09:41:01 [susanisrael]
susanisrael has joined #dnt
09:41:24 [susanisrael]
roy thanks for clarification re: security use
09:41:24 [npdoty]
action: west to update service provider language to apply to first and third parties
09:41:24 [trackbot]
Created ACTION-271 - Update service provider language to apply to first and third parties [on Heather West - due 2012-10-10].
09:41:26 [Ionel_IAB]
Ionel_IAB has joined #dnt
09:41:27 [dwainberg]
09:41:38 [Chris_IAB]
npdoty, fyi, I was kicked out of IRC and had trouble re-joining
09:41:38 [rigo]
I can live with option 3 but for the sake of beauty and simplicity, legally we would not need anything beyond "no independent right to process"
09:41:49 [npdoty]
action-271: WileyS said the s// language aloud, but I couldn't capture that
09:41:49 [trackbot]
ACTION-271 Update service provider language to apply to first and third parties notes added
09:41:55 [npdoty]
scribenick: npdoty
09:42:09 [dwainberg]
rigo, I'm not sure whether we disagree
09:42:16 [Ionel_IABEU]
Ionel_IABEU has joined #dnt
09:42:30 [rigo]
David, I'm pretty sure we aren't
09:42:40 [npdoty]
WileyS: added the permitted uses text to that third option regarding service providers
09:42:43 [JC]
JC has joined #DNT
09:42:44 [npdoty]
09:42:54 [rigo]
09:43:04 [dwainberg]
I'm comparing to contractual language I've seen in the US, and in that context, I think companies will find the no independent use language confusing.
09:43:23 [JC]
Rene: in EU we have industry bodies representing owner of data. Is this something we can place under unlinkable?
09:43:25 [npdoty]
rene: audience measurement, working on behalf of the owner of the data -- is this a service provider relationship?
09:43:29 [npdoty]
scribenick: JC
09:43:40 [dwainberg]
what we generally see is "no independent rights, except..."
09:43:53 [mikeo]
mikeo has joined #dnt
09:44:00 [JC]
... Is sharing by SP covered by unlinkable?
09:44:07 [npdoty]
09:44:12 [JC]
Aleecia: depends on the definition
09:44:12 [rigo]
ack Rene
09:44:15 [tlr]
ack fielding
09:44:28 [WileyS]
Heather - new Option 3: Service Providers acting on the behalf of another Party and with no independent rights to use that Party’s data outside of the context of that that Party and Permitted Uses are also considered to be acting as the that Party.
09:44:35 [susanisrael]
David and Shane I have an idea for service provider definition clarification-will try to help if you want
09:44:49 [WileyS]
Susan - definitely - please let us know
09:44:56 [npdoty]
fielding, I thought we've just asked that we extend service provider beyond just first parties
09:45:06 [JC]
Roy: I want to know in addition to Aleecia's list is there a broader definition of a first party versus sprinkling throughout the document
09:45:17 [tlr]
09:45:22 [justin]
That would be hard for me too!
09:45:25 [JC]
... since it would affect the entire definition section it would be tough to write a new compliance document
09:45:26 [vinay]
vinay has joined #dnt
09:45:44 [jchester2]
I agree with Justin
09:45:44 [fwagner]
fwagner has joined #dnt
09:45:47 [JC]
Aleecia: We can't go through it now, but it should be in tracker
09:45:54 [tlr]
ACTION: roy Fielding to propose text for party and outsourcing definitions
09:45:54 [trackbot]
Created ACTION-272 - Fielding to propose text for party and outsourcing definitions [on Roy Fielding - due 2012-10-10].
09:45:59 [tlr]
ACTION-272: done in
09:45:59 [trackbot]
ACTION-272 Fielding to propose text for party and outsourcing definitions notes added
09:46:01 [JC]
... we will have an action that points to the text if that is okay
09:46:04 [trackbot]
ACTION-272 -- Roy Fielding to fielding to propose text for party and outsourcing definitions -- due 2012-10-10 -- OPEN
09:46:07 [JC]
Roy: that's fine
09:46:28 [tlr]
ACTION: robsherman to draft text on first party
09:46:28 [trackbot]
Sorry, couldn't find robsherman. You can review and register nicknames at <>.
09:46:53 [npdoty]
action: sherman to propose text regarding multiple first parties
09:46:53 [trackbot]
Created ACTION-273 - Propose text regarding multiple first parties [on Rob Sherman - due 2012-10-10].
09:46:55 [JC]
ChrisPedigo: Going back to David and Rigo statement about SP using data to improve service, does independent right include that?
09:47:04 [JC]
Rigo: I doubt that it would
09:47:17 [npdoty]
ack ChrisPedigoOPA
09:47:47 [JC]
... a person that processes on behalf of first party then it depends on relationship. The first party is still in control
09:47:49 [tlr]
ACTION-273: done in
09:47:49 [trackbot]
ACTION-273 Propose text regarding multiple first parties notes added
09:48:08 [tlr]
ack w
09:48:25 [dwainberg]
(boy I'm having trouble using this thing today)
09:48:53 [JC]
WileyS: I believe there is a difference in understanding. You can take learnings in those you work for. You can't use the data itself, but you can learn from it. Anything that is unlinkable can be used.
09:49:04 [jchester2]
Shane: Including if such learning is used for tracking?
09:49:13 [rwessel]
rwessel has joined #dnt
09:49:24 [WileyS]
Jeff, no - that would be an independent use - not allowed
09:49:40 [JC]
Rob: The first party determines the purpose and means. It is important to distinguish between learning and use, but work should not go beyond original agreement
09:50:05 [JC]
Aleecia: two people are reading same statement and coming up with different meanings. This should be fixed.
09:50:08 [rvaneijk]
controller determines purpose and means. Any serviceprovider who does anything with the actual data beyond that scope becomes a controller himself
09:50:16 [jchester2]
Shane: So what happens with the "learnings"--it would be used for some part of the targeting function at some point, no?
09:50:34 [npdoty]
WileyS, is your suggestion that a service provider can make unlinkable data of a customer's data and then use it for other purposes not for the customer?
09:50:34 [JC]
WileyS: I don't think Rob was commenting on text, but EU position. If not I would like to get his response
09:51:06 [JC]
Aleecia: WileyS will take action to add non-normative text to clarify text
09:51:12 [rigo]
rigo has joined #dnt
09:51:30 [npdoty]
action: wiley to propose non-normative text on service providers to clarify "independent use" (with rvaneijk)
09:51:30 [trackbot]
Created ACTION-274 - Propose non-normative text on service providers to clarify "independent use" (with rvaneijk) [on Shane Wiley - due 2012-10-10].
09:51:33 [JC]
Rob: we had text already, maybe we could copy and paste it. I will work with wileyS on it.
09:51:47 [npdoty]
q- rvaneijk
09:52:38 [JC]
Lmastria: Bridges between Rachel's action item and Rigo's independence could be addressed. A large portion of our businesses are subject to enhanced notice and control around data usage.
09:52:44 [JC]
... that should be considered.
09:52:50 [npdoty]
ack lmastria-DAA
09:53:06 [JC]
Aleecia: One of our proposals has less notice vs. more.
09:53:21 [JC]
Dwainberg: I look forward to extra text because I'm confused by it
09:53:55 [JC]
... we don't want to unintentionally cause a problem between SP doing work for a party and a first party that can do it themselves
09:54:13 [JC]
... this would create a competitive disparity that we should try to avoid
09:54:28 [JC]
Aleecia: Basically we see the SP standing in the shoes of the first party
09:54:56 [tlr]
ack dwainberg
09:54:57 [schunter]
ack dwainberg
09:55:10 [JC]
Aleecia: SP can be seen as the same, but they cannot for example share data across first parties
09:55:33 [rvaneijk]
@shane: "For the EU, the outsourcing scenario is clearly regulated. In the
09:55:33 [npdoty]
I think there's support for that principle (from dwainberg) in general, although limiting independent use gets at the potential privacy difference between a company performing the practice itself and a service provider doing it
09:55:34 [rvaneijk]
current EU Directive 95/46/EC, but also in the suggested regulation
09:55:36 [rvaneijk]
reforming the data protection regime, an entity using or processing data
09:55:38 [rvaneijk]
is subject to data protection law. A First Party (EU: data controller)
09:55:39 [rvaneijk]
is an entity or multiple entities (EU: joint data controller) who
09:55:41 [rvaneijk]
determines the purposes, conditions and means of the data processing
09:55:43 [rvaneijk]
will be the data controller. A service provider (EU: data processor) is
09:55:44 [JC]
... Dwainberg came up with some text for data append.
09:55:45 [rvaneijk]
an entity with a legal contractual relation to the Data Controller. The
09:55:46 [rvaneijk]
Service Provider does determine the purposes, conditions and means of
09:55:48 [rvaneijk]
the data processing, but processes data on behalf of the controller. The
09:55:49 [rvaneijk]
data processor acts on behalf of the data controller and is a separate
09:55:51 [rvaneijk]
legal entity. An entity acting as a first party and contracting services
09:55:52 [rvaneijk]
of another party is responsible for the overall processing. A third
09:55:54 [rvaneijk]
party is an entity with no contractual relation to the Data Controller
09:55:55 [rvaneijk]
and no specific legitimacy or authorization in processing personal data.
09:55:57 [rvaneijk]
If the third party has own rights and privileges concerning the
09:55:58 [rvaneijk]
processing of the data collected by the first party, it isn't a data
09:56:00 [JC]
... a lot of these use cases may be addressed elsewhere
09:56:00 [rvaneijk]
processor anymore and thus not covered by exemptions. This third party
09:56:02 [rvaneijk]
is then considered as a second data controller with all duties attached
09:56:04 [rvaneijk]
to that status. As the pretensions of users are based on law, they apply
09:56:05 [rvaneijk]
to first and third party alike unless the third party acts as a mere
09:56:07 [rvaneijk]
data processor."
09:56:21 [JC]
... my suggestion is that we leave this as is and come back to it
09:56:28 [JC]
... once definition is done
09:57:11 [JC]
... there is an action for data append, but no issue so we should create one
09:57:14 [johnsimpson]
makes sense
09:57:47 [JC]
ChrisPedigo: I don't believe there should be a data append restriction as it may be out of scope
09:57:56 [JC]
Aleecia: let's define it and then decide
09:58:08 [npdoty]
issue: definition of and what/whether limitations around data append
09:58:08 [trackbot]
Created ISSUE-170 - Definition of and what/whether limitations around data append ; please complete additional details at .
09:58:11 [lmastria-DAA]
ditto ChrisPedigo re data append
09:58:18 [npdoty]
issue-170: see action-229
09:58:28 [npdoty]
postpone issue-170
09:58:30 [JC]
... Npdoty will create new issue and attach to action 229
09:58:30 [trackbot]
ISSUE-170 Definition of and what/whether limitations around data append notes added
09:58:55 [JC]
... covered everything except unlinkable and now will go to lunch
09:58:58 [npdoty]
issue-170: let's come back to this issue after we've made decisions around service providers
09:58:58 [trackbot]
ISSUE-170 Definition of and what/whether limitations around data append notes added
09:59:12 [rigo_]
rigo_ has joined #dnt
09:59:25 [BrendanIAB]
I'm going to disconnect from phone for the next 60 minutes
09:59:40 [npdoty]
adjourned for lunch.
09:59:47 [npdoty]
rrsagent, pointer?
10:00:19 [npdoty]
rrsagent, draft minutes
10:00:19 [RRSAgent]
I have made the request to generate npdoty
10:23:23 [dtauerbach]
dtauerbach has joined #dnt
10:46:55 [dwainberg]
dwainberg has joined #dnt
10:47:55 [Joanne]
Joanne has joined #DNT
10:49:31 [ksmith]
ksmith has joined #DNT
10:55:18 [justin]
justin has joined #dnt
10:56:46 [npdoty]
npdoty has joined #dnt
10:57:45 [Simon]
Simon has joined #dnt
10:59:23 [ksmith1]
ksmith1 has joined #DNT
10:59:42 [BrendanIAB]
Zakim, ??P1 is probably me
10:59:42 [Zakim]
+BrendanIAB?; got it
11:02:29 [amyc]
amyc has joined #dnt
11:03:24 [johnsimpson]
are we back
11:03:44 [amyc]
not quite yet
11:04:00 [justin]
We are working out boat-dinner logistics.
11:04:10 [npdoty]
Zakim, who is on the phone?
11:04:10 [Zakim]
On the phone I see Telegraaf, BrendanIAB?, bryan_, fielding
11:04:19 [justin]
We're assuming you're a no, johnsimpson.
11:04:26 [afowler]
afowler has joined #dnt
11:05:02 [johnsimpson]
A no on what?
11:05:26 [johnsimpson]
I'll be there in spirit...
11:06:07 [Rene]
Rene has joined #dnt
11:06:35 [dsriedel]
dsriedel has joined #dnt
11:06:43 [BerinSzoka]
BerinSzoka has joined #DNT
11:06:57 [npdoty]
screen should be shared now, let us know if you're having problems
11:07:14 [vinay]
Those can follow Aleecia screen at
11:07:38 [npdoty]
scribenick: susanisrael
11:07:46 [johnsimpson]
yes have screen
11:08:06 [ChrisPedigoOPA]
ChrisPedigoOPA has joined #dnt
11:08:06 [susanisrael]
aleecia: will be talking about financial logging, don't have enough text to discuss clearly
11:08:21 [susanisrael]
have text originally in draft and action 235 from nick, discussed a bit on phone
11:08:32 [susanisrael]
there is a lot of nonnormative text that's useful
11:08:43 [npdoty]
from me:
11:08:45 [susanisrael]
ran into trouble with "to the extent required by law."
11:08:46 [JBWeiss]
JBWeiss has joined #DNT
11:09:00 [susanisrael]
[read text]
11:09:05 [rigo_]
rigo_ has joined #dnt
11:09:21 [rvaneijk]
rvaneijk has joined #dnt
11:09:42 [susanisrael]
there is a lot of additional text re: permitted uses, this is just one of them
11:09:50 [Ionel_IABEU]
Ionel_IABEU has joined #dnt
11:10:06 [susanisrael]
in editor's draft have different text right now. [read
11:10:19 [susanisrael]
those are the 2 texts we are looking at
11:10:22 [npdoty]
regarding action-255, we also had a proposal from Alan:
11:10:28 [susanisrael]
have not started to flesh out differences
11:10:35 [susanisrael]
will take comments/questions about this text
11:11:01 [susanisrael]
ian: i will note that nick's text introduces term of tracking and that is not defined or used elsewhere
11:11:02 [justin]
Replace tracking with "collection, retention, and use"?
11:11:14 [susanisrael]
aleecia: there may be an action on that elsewhere already
11:11:20 [susanisrael]
nick: happy to do that
11:11:36 [Chapell]
Chapell has joined #DNT
11:11:38 [justin]
ack ifette
11:11:39 [susanisrael]
aleecia: if that isn't in action form already it should be created
11:11:41 [justin]
ack npdoty
11:11:42 [Marije]
Marije has joined #dnt
11:12:04 [susanisrael]
nick: in queue to talk about "not my text"--alan took action to provide info re: financial reporting
11:12:16 [susanisrael]
.....that's how we got into discussion re: contract
11:12:43 [susanisrael]
nick: i was using law because of suggestion from shane that there might be applicable law
11:12:49 [npdoty]
regarding action-255, we also had a proposal from Alan:
11:12:49 [susanisrael]
aleecia: which action?
11:12:53 [susanisrael]
nick: 244
11:12:56 [trackbot]
ACTION-255 -- Alan Chapell to work on financial reporting text (with nick, ian) as alternative to legal requirements -- due 2012-09-19 -- PENDINGREVIEW
11:12:58 [susanisrael]
sorry, nick: 255
11:13:11 [susanisrael]
got it
11:13:33 [npdoty]
I think most of the discussion on that thread is not directly related, but the start of it has the proposal about contracts
11:13:42 [susanisrael]
aleecia reads from email chain
11:13:48 [hwest]
hwest has joined #dnt
11:14:00 [Brooks]
Brooks has joined #dnt
11:14:13 [susanisrael]
chris: my concern is "required by law."
11:14:20 [npdoty]
ack Chris_IAB
11:14:45 [susanisrael]
chris: i did some research on auditing since 60s by MRC which requires retaining data for a year
11:15:00 [npdoty]
ack WileyS
11:15:03 [susanisrael]
chris: i don't think this organization should have ability to override another organization's standards
11:15:29 [susanisrael]
shane: the issues with contracts are not with contracts directly but just with proving you performed under contract
11:15:46 [dsinger]
Indeed, I believe even financial auditing is technically not law, often, but required e.g. to get listed on a stock exchange, or to conform to an industry norm
11:16:13 [susanisrael]
need to prove having performed is an issue across jurisdiction. don't know how to get around this problem.
11:16:25 [dsinger]
q+ to check to what extent the general provisions make life easier here
11:16:38 [susanisrael]
shane: contracts not the problem: but proof of contract
11:16:54 [Chris_IAB]
According to the Media Rating Council (MRC), the normal retention period for "source data" required for industry accreditation of third-party audience estimates is 1-year, as documented in their published standards: "Minimum Standards for Media Rating Research" (available for download at
11:17:03 [npdoty]
WileyS, I hear your point about proof of fulfillment of a contract, rather than fulfillment directly required by the contract itself
11:17:08 [susanisrael]
aleecia: getting a sense of other needs may help
11:17:32 [WileyS]
Nick, how could we integrate that perspective into the proposed text from Alan?
11:17:34 [susanisrael]
jeff: i do think it's important that we have identified what is required by law
11:17:45 [justin]
I think someone should take an action to write Shane's middle ground text.
11:18:03 [susanisrael]
jeff: we did research on sarbox and couldn't find any specific language re: interactive advertising
11:18:20 [lmastria-DAA]
lmastria-DAA has joined #dnt
11:18:29 [susanisrael]
can't depend on contractual procedures industry has developed before privacy crisis. don't have enough documentation
11:18:44 [justin]
ack jchester
11:18:45 [susanisrael]
jeff: there is resistance to providing proof to govt agencies
11:18:47 [justin]
ack tl
11:18:48 [npdoty]
ack jchester2
11:18:50 [justin]
ack chapell
11:18:51 [tlr]
tlr has joined #dnt
11:18:52 [npdoty]
ack Chapell
11:19:13 [susanisrael]
alan: point i was trying to make is that there are standards created by other bodies that companies i work with will have to make
11:19:22 [rigo_]
WileyS, do I understand you right that you want limited purpose to have it retained for audit purpose only and for financial proof. That could be added to the spec
11:19:32 [rachel_n_thomas]
rachel_n_thomas has joined #dnt
11:19:42 [susanisrael]
alan: there are hobson's choices for these companies. they will try to do right thing but it speaks to goal here if it's industry implementability
11:20:07 [susanisrael]
alan: i am not here to say which other standards are legitimate but it is uncomfortable
11:20:33 [susanisrael]
alan: jeff: i love you but there has been a lot of information that has gone around pls acknowledge
11:20:36 [rwessel]
rwessel has joined #dnt
11:20:53 [WileyS]
For those interested - this is only SOX (many financial laws outside of this one):
11:21:04 [susanisrael]
jeff: one of the organizations that just joined has said it could provide more if ms default taken off the table
11:21:40 [susanisrael]
david singer: how much will general permissions help? if you demo that you only collected data for permitted use for the specified time that may help
11:21:53 [npdoty]
ack dsinger
11:21:53 [Zakim]
dsinger, you wanted to check to what extent the general provisions make life easier here
11:22:08 [JBWeiss]
JBWeiss has joined #DNT
11:22:29 [susanisrael]
david singer: we will not police collection or retention but it helps to be able to point to an industry requirement. does that help off pressure?
11:22:42 [susanisrael]
aleecia: quick straw poll
11:23:08 [susanisrael]
does anyone want to continue to argue for to the extent required by law?
11:23:17 [susanisrael]
jeff: only vote for this
11:23:25 [johnsimpson]
i think law is important
11:23:35 [susanisrael]
rigo: the relation is different. req'd by law will trump anyway
11:23:51 [WileyS]
law trumps all else in the standard
11:24:08 [susanisrael]
rigo: qu is whether anyone opposed to adding other requirements, i would be opposed to removing reqmt' to comply with law
11:24:32 [susanisrael]
aleecia: jeff was concerned that sox compliance could become indefinite
11:25:17 [dsinger]
…and much auditing is a requirement of e.g. belonging to a trade group, being listed on a stock exchange, isn't it?
11:25:18 [trackbot]
ACTION-235 -- Nick Doty to draft middle way draft on permitted uses -- due 2012-09-04 -- PENDINGREVIEW
11:25:19 [susanisrael]
jeff: i agree with you that you could interpret -- i do have this concern that sarbox is so vague that you could make lots of arguments
11:25:32 [susanisrael]
jeff: at the same time i think my point is show me the tofu
11:25:37 [susanisrael]
chris: i provided tofu
11:25:58 [susanisrael]
jeff: i have not seen evidence of legal requirements and extent of data retained
11:26:21 [npdoty]
action: doty to update middle way proposals to avoid relying on "tracking"
11:26:21 [trackbot]
Created ACTION-275 - Update middle way proposals to avoid relying on "tracking" [on Nick Doty - due 2012-10-10].
11:26:25 [susanisrael]
ed: difficult question what's the limiting principle. if entities got together and decided keep everything that could be a problem
11:27:01 [susanisrael]
aleecia: not seeing huge support for to the extent required by law
11:27:05 [johnsimpson]
the key is what is the limiting factor
11:27:10 [tlr]
ack Chris_IAB
11:27:18 [npdoty]
aleecia: I think we are moving to something else besides "required by law"
11:27:30 [susanisrael]
chris: i think i agree with david singer's principle so we could find a place to start there
11:27:45 [susanisrael]
chris: i think we already have text without required by law
11:28:01 [Stella]
Stella has joined #dnt
11:28:14 [susanisrael]
ed: so limiting principle is requirements for collection and use?
11:28:24 [susanisrael]
chris: could interpret it that way
11:28:27 [tlr]
ack dwainberg
11:28:32 [tlr]
ack efelten
11:28:38 [tlr]
q- ifette
11:28:40 [tlr]
ack justin
11:29:03 [susanisrael]
justin: a lot of my question is similar to what ed is pointing out but i guess 6. 1. 2.2 is data minimization principle
11:29:05 [npdoty]
chris is referring to the existing Working Draft / editors' draft text on financial reporting
11:29:05 [tl]
+q to say that we don't want to oblige people to break the law, but we don't want contracts to allow for a hole you could drive a double-decker bus through, and the same applies to other standards.
11:29:17 [tlr]
ack next
11:29:20 [susanisrael]
justin: contracts shouldn't be dispositive
11:29:44 [tlr]
susanisrael: Is the principle best expressed not through contracts -- but proof of delivery of the ad is the basis?
11:29:50 [tlr]
... not necessarily required that data linkable
11:29:56 [npdoty]
susanisrael: is the principle best expressed through contracts, "proof of delivery" -- which doesn't require that data be linkable
11:29:57 [tlr]
... maybe that's also something to work with?
11:30:30 [susanisrael]
susan scribing again
11:30:34 [WileyS]
Jeff, here is a direct SEC mandate requiring data used for transactional audits be retained for 7 years:
11:31:09 [Chris_IAB]
would need to know definition of "linkable"
11:31:13 [tlr]
ack tl
11:31:13 [Zakim]
tl, you wanted to say that we don't want to oblige people to break the law, but we don't want contracts to allow for a hole you could drive a double-decker bus through, and the
11:31:16 [Zakim]
... same applies to other standards.
11:31:16 [npdoty]
susanisrael: question whether linkable data is required for this purpose
11:31:19 [Brooks]
it might be a useful term
11:31:25 [efelten]
Shane, doesn't that SEC doc apply only to accounting firms?
11:31:31 [susanisrael]
aleecia: linkable not part of definition right now
11:31:41 [susanisrael]
tl: standard should not require breaking law
11:31:57 [jchester2]
Thanks. I had lawyers review this and they did not find any evidence that Sarbanes requires online ad companies to keep data linked to users. We will have them review this. But at the moment, we don't believe that sufficient evidence has been given.
11:31:59 [Simon]
There are other industry standards, such as GAAP accounting standards that may come into play
11:32:12 [tlr]
ack dwainberg
11:32:17 [susanisrael]
tl: i think compliance with contracts or other standards could make standard empty
11:32:28 [justin]
I think we can incorporate the workaround that contracts DNT following the law, but that issue is somewhat orthogonal to what is reasonable retention/use for financial logging.
11:32:31 [jchester2]
Can Tom propose how it should be written?
11:32:39 [WileyS]
Ed, in this case it does - but the origin of the records has the same retention requirement OR GREATER - looking for the exact reference now. IRS requirements not as easy to thread in this context (receipt/financial record retention laws).
11:32:46 [rigo_]
rigo_ has joined #dnt
11:32:57 [fielding]
I think the standard should be written based on Do Not Track, not Do Not Collect, since these issues have nothing whatsoever to do with tracking.
11:33:03 [susanisrael]
david w: i think we are somewhere in gap between required by law but don't want big loophole permitting throwing it out
11:33:14 [rigo_]
q+ to respond to Ed and finding purpose limitation an option, concerned by the level of document required.
11:33:20 [susanisrael]
david w: might help to hear bad things we think might result so we can protect against them
11:33:28 [rigo_]
q- later
11:33:32 [hwest]
hwest has joined #dnt
11:33:33 [dsinger]
q+ to suggest a note on contracts and practices
11:34:01 [susanisrael]
aleecia: can i sum up as worry be able to have contracts do away with the standard and global protection entirely
11:34:17 [susanisrael]
aleecia: i think that is the concern rather than any specific thing
11:34:31 [tlr]
ack amyc
11:34:34 [npdoty]
(want to: identify concern over billing of past/subsequent activity; billing of profile of the audience)
11:35:02 [justin]
+1 to amyc
11:35:02 [susanisrael]
amy: i was going to highlight that i have an action pending re: not using the contract to circumvent the spec. so rather than trying to deal with this piecemeal
11:35:15 [tlr]
ack Chris_IAB
11:35:15 [susanisrael]
...let's rely on that global requirement
11:35:20 [susanisrael]
aleecia: could be helpful
11:35:22 [WileyS]
+1 to AmyC
11:35:31 [npdoty]
+1 on global requirement, amyc
11:35:52 [susanisrael]
chris: in arguing vs the way the draft is today, i am trying to understand why it's a problem...
11:36:06 [npdoty]
ack rachel_n_thomas
11:36:08 [susanisrael]
are you trying to protect against bad actors? spec requires some level of trust
11:36:08 [Joanne]
+1 to Amy
11:36:20 [npdoty]
s/are you/... are you/
11:36:41 [susanisrael]
rachel: newbie question: why legal requirements in standard
11:36:47 [tlr]
rachel, different discussion.
11:37:13 [susanisrael]
rachel: my question is why does it need to be in doc if w3c standard process and if not why not
11:37:39 [susanisrael]
aleecia: we have said we are for law compliance and we're not going down that path so don't need to discuss this
11:37:46 [susanisrael]
aleecia: it's dead
11:38:37 [npdoty]
ack Chapell
11:38:37 [susanisrael]
alan: trying to use reasonable person standard, but in hypo that i have given there may be a requirement to report
11:38:39 [npdoty]
ack lmastria-DAA
11:39:16 [susanisrael]
lou: we have certainly found language acceptable to broad swath of language acceptable to industry. not sure what we would want beyond that
11:39:18 [jmayer]
jmayer has joined #dnt
11:39:41 [susanisrael]
aleecia: so are you suggesting read daa text? was originally suggested but people may not have read recently
11:40:03 [tl]
+q to say that this is not the DAA
11:40:32 [jchester2]
Consumer and privacy groups were not involved with the DAA process at all. Consequently it is narrowly drawn and does not reflect the interests of users, esp on privacy.
11:40:36 [susanisrael]
aleecia: lou has action to provide text re data retention which is applicable to financial logging
11:40:39 [npdoty]
action: luigi to provide text regarding data retention, applicable to finanical logging data
11:40:39 [trackbot]
Created ACTION-276 - Provide text regarding data retention, applicable to finanical logging data [on Luigi Mastria - due 2012-10-10].
11:40:55 [Walter]
Walter has joined #dnt
11:41:12 [jchester2]
Hello Walter!
11:41:17 [susanisrael]
nick: i wanted to pick up on point ed was making and i think alan or david w re: what we might have concern about that is not captured in text
11:41:19 [djm]
djm has joined #dnt
11:41:27 [Walter]
Good afternoon Jeffrey (and the rest)
11:41:40 [susanisrael]
nick: examples that have come up in thread with alan. one is billing re: past or subsequent activity
11:42:02 [susanisrael]
nick: contract where i get paid differently if someone sees ads then purchases, that might be a concern
11:42:36 [susanisrael]
nick: other might be billing based on profile of audience. do i need to keep data re: type of people who saw ad for financial reporting?
11:42:38 [npdoty]
ack npdoty
11:42:43 [jchester2]
Nick. That's what the industry calls attribution, and where a user's history and actions are tracked and stored so billing can be shared with multiple parties.
11:42:44 [npdoty]
ack rigo_
11:42:44 [Zakim]
rigo_, you wanted to respond to Ed and finding purpose limitation an option, concerned by the level of document required.
11:43:21 [susanisrael]
rigo: as the other contributor to epic thread with alan, i think thread is epic because it goes beyond financial logging, so generally alan is saying certain business practice required
11:43:55 [susanisrael]
we would pull in activity through financial reporting. my concern is that you create consortium, create standard then dissolve
11:44:27 [susanisrael]
rigo: as soon as no requirement on business practice we open up hole in ground where other group can decide whether our docs useful or not
11:44:53 [susanisrael]
rigo: this is the concern. you have document here but can dismiss through consortium you create
11:45:03 [susanisrael]
alan: that is exactly what we are doing here
11:45:39 [susanisrael]
alan: if we here are prepared to say that standards bodies have to be ignored then that's what we are doing
11:45:40 [npdoty]
ack dsinger
11:45:40 [Zakim]
dsinger, you wanted to suggest a note on contracts and practices
11:46:22 [susanisrael]
david singer: reacting to ed's concern and reasonable man idea, and idea that contract may be a good reference but not if it's unreasonable
11:46:38 [npdoty]
ack ifette
11:47:04 [susanisrael]
david s: a large reputable auditor should be considered but this is not a get out of jail free card
11:47:18 [susanisrael]
david: it's something that you can say in your defense
11:47:26 [dsinger]
add the note on the general principles (on "the data as reasonably needed, and as long as reasonably needed") – a contract or other specification might be a reference of reasonable need for the data or period, but may not suffice if its requirements are not reasonable"
11:47:30 [susanisrael]
mike z: not sure it works but couldn't agree more
11:47:46 [rigo_]
rigo_ has joined #dnt
11:47:50 [rigo_]
rigo_ has joined #dnt
11:47:52 [susanisrael]
aleecia: so non-normative text for implementation
11:48:10 [susanisrael]
aleecia: david has action item
11:48:41 [Chris_IAB]
q- (I yielded my time to Mike Zaneis who couldn't get in the q)
11:48:54 [npdoty]
action: singer to propose non-normative text regarding contracts/other specifications
11:48:54 [trackbot]
Created ACTION-277 - Propose non-normative text regarding contracts/other specifications [on David Singer - due 2012-10-10].
11:48:55 [susanisrael]
ian: would be useful to go through practices like conversion tracking to see how they work under standard
11:49:01 [rigo_]
ack Chris_IAB
11:49:06 [npdoty]
action-277: add the note on the general principles (on "the data as reasonably needed, and as long as reasonably needed") – a contract or other specification might be a reference of reasonable need for the data or period, but may not suffice if its requirements are not reasonable"
11:49:06 [trackbot]
ACTION-277 Propose non-normative text regarding contracts/other specifications notes added
11:49:16 [jchester2]
David. But industry could change the standards--and the financial crisis showed the inadequacies of leading auditing firms. So I am afraid that here will still be loopholes that permit practices that override user expectations related to the permitted uses.
11:49:20 [susanisrael]
ian: there are other things not a standard practice that would also be interesting to review
11:49:43 [susanisrael]
ian-aleecia dialogue: first party in first example
11:49:44 [vinay]
is an example of Ian's use case
11:49:54 [susanisrael]
aleecia: not sure these 2 are very different
11:50:14 [Chris_IAB]
what does "ack" mean rigo_ ?
11:50:24 [susanisrael]
aleecia: we have a bunch of non-normative examples here
11:50:31 [Chris_IAB]
got it, thanks
11:50:40 [susanisrael]
aleecia: actually we just have the note, don't yet have the examples
11:50:42 [npdoty]
Zakim, close the queue
11:50:42 [Zakim]
ok, npdoty, the speaker queue is closed
11:50:44 [dsinger]
(In IRC only as it's historical --on 'good and bad actors'). Our restrictions are for organizations that (a) wish to claim with a straight face that they comply yet (b) will take every inch of the permissions -- will 'drive right up to the fence'. Where the fence is matters a great deal for us, for those organizations. We have much less to say about organizations whose aspirations are well within the fence, and nothing to those who will go where they want and
11:50:44 [dsinger]
not care about the fence at all.
11:50:51 [tl]
11:50:56 [npdoty]
ack dwainberg
11:50:59 [Simon]
It appears that the "reasonable standard" would be a rebuttable presumption so if someone was making a claim that this standard is violated then it is up to the trier of fact to determine reasonableness
11:51:05 [Chris_IAB]
dsinger, great point
11:51:29 [jmayer]
The "good actors" argument has been made again and again. Not helpful.
11:51:35 [susanisrael]
david wainberg: we have already enumerated allowed uses, and beyond that good actors don't have a desire to retain the data and bad actors will ignore standard anyway
11:51:37 [npdoty]
ack Chapell
11:52:05 [susanisrael]
alan: nick you and i were going to draw up some additional text on this--maybe first thing tomorrow? [nick yes]
11:52:06 [npdoty]
Chapell: can volunteer, to help with Nick tomorrow
11:52:20 [susanisrael]
tlr: against which text is david s's action item
11:52:31 [kj]
kj has joined #dnt
11:52:58 [susanisrael]
aleecia: i think i heard the text in action 235 does not survive, but 255 alan is suggesting he and nick try to work through so 255 goes back to open
11:53:00 [tlr]
reopen action-255
11:53:00 [trackbot]
ACTION-255 Work on financial reporting text (with nick, ian) as alternative to legal requirements re-opened
11:53:16 [tlr]
action-235: decided not to do legal requirement for financial
11:53:16 [trackbot]
ACTION-235 Draft middle way draft on permitted uses notes added
11:53:36 [susanisrael]
aleecia: they should have 2 weeks or so to go through and we still have editor's draft - any questions?
11:53:53 [susanisrael]
kathy joe: we have text pending re: market research and will put it in
11:54:09 [susanisrael]
aleecia: we are looking at financial right now
11:54:39 [susanisrael]
nick: can i clarify my understanding? i am not wedded to my text if we come up with something better
11:54:57 [susanisrael]
nick: hope we can get our action done in 24 hours
11:55:39 [susanisrael]
nick: does group think conversion tracking and audience profiling are permitted uses?
11:55:53 [jmayer]
11:56:18 [susanisrael]
jeff: i think it's a very good question, i put it in irc and would like to know whether attribution is a practice under what you suggested
11:56:37 [tlr]
zakim, reopen queue
11:56:37 [Zakim]
ok, tlr, the speaker queue is open
11:57:04 [npdoty]
should we have a permitted use for these things?
11:57:20 [justin]
I'm OK with the first use case, npdoty, as a subcategory within reporting.
11:57:32 [susanisrael]
jonathan mayer: want to make sure i understood nick's question--is it are we assuming whether we have these things? ok i got clarification from irc
11:57:54 [susanisrael]
jonathan: my position is that you should not be able to collect whatever you want for these things
11:58:08 [WileyS]
Unlinkable data doesn't meet the needs in this case.
11:58:57 [npdoty]
justin, you think it would be consistent with a Do Not Track preference to track subsequent activity of an ad impression in order to bill differently?
11:59:02 [susanisrael]
mike z: we are having a discussion about permitted uses. obviously it's what david says that obviously we have permitted uses. But we are not having discussions about what type of data you need to have
11:59:08 [rachel_n_thomas]
11:59:35 [susanisrael]
aleecia: there has been growing discussion re: doing all of these if data is unlinkable but there has been no support for ad industry
11:59:40 [jmayer]
Chris_IAB: "If you look at the DAA, just to beat that drum a little bit more..."
11:59:41 [dtauerbach]
11:59:51 [Brooks]
difficult to think about exceptions in terms of non-defined terms
11:59:52 [Chris_IAB]
what does "unlinkable" mean? We need a definition in order to evaluate and move forward
12:00:01 [susanisrael]
mike z: we have permitted uses but, not either/or
12:00:07 [npdoty]
s/Chris_IAB: "if you/mikez: "if you/
12:00:14 [Chris_IAB]
Aleecia, for at least a month we have asked for a definition of "linkable"
12:00:27 [jmayer]
Thanks Nick.
12:00:28 [Joanne]
Susan - I'll take over scribing
12:00:28 [susanisrael]
aleecia: these permitted uses all ok if unlinkable
12:00:48 [susanisrael]
mike z: not in scope, not permitted uses but unlinkability
12:00:53 [Chris_IAB]
npdoty, sorry, I don't understand your text?
12:01:00 [jmayer]
12:01:10 [jchester2]
12:01:19 [susanisrael]
aleecia: but that could be a way out if we could agree that these uses ok if unlinkable, this is not out of scope
12:01:36 [susanisrael]
mike z: so is it the same type of data to be used for permitted use:
12:01:36 [jmayer]
Mike Zaneis, please stop arguing with Aleecia and allow the queue to comment.
12:01:41 [justin]
npdoty, Yes, our proposal has allowed for this from the beginning. I understand that the user is monitored across sites, but it's a very narrow set of tracking (did action occur on this one site) for a narrow purpose.
12:01:41 [Joanne]
Mike Z: are we having a discussion around permitted uses
12:01:52 [Joanne]
Aleecia: we are moving off of this
12:01:53 [lmastria-DAA]
12:02:03 [jchester2]
12:02:04 [Joanne]
Aleecia: how many in queue
12:02:06 [dtauerbach]
12:02:08 [susanisrael]
aleecia: it is still within the concept of permitted uses to say you could do if unlinkable
12:02:09 [WileyS]
Jonathan, he is still discussing his item in this queue and is allowed to work through that.
12:02:11 [Joanne]
answer: 5
12:02:20 [Joanne]
Nick: down to three
12:02:26 [npdoty]
ack rachel_n_thomas
12:02:27 [susanisrael]
aleecia: pls drop from q if you think we have discussed
12:02:36 [jchester2]
I think the unlinkability issue is relevant.
12:03:11 [susanisrael]
rachel: don't see how we could say industry has not agreed to unlinkability if we haven't found definition, and linking of that to tracking definition
12:03:21 [npdoty]
ack jmayer
12:03:23 [jmayer]
12:03:27 [susanisrael]
aleecia: i have heard that a couple of times looking for new points
12:03:29 [jmayer]
12:03:32 [rachel_n_thomas]
12:03:35 [rachel_n_thomas]
12:03:41 [npdoty]
ack lmastria-DAA
12:04:01 [jmayer]
rachel_n_thomas, there is nothing new about the unlinkability proposal.
12:04:10 [susanisrael]
lou: i think we heard a couple of use cases that require data to be used in a couple of ways that are different than what is being proposed
12:04:35 [susanisrael]
lou: have trouble because we are trying to make some of these things binary
12:04:43 [efelten]
We have been discussing these issues for over a year.
12:04:49 [WileyS]
Jonathan, would you agree that we've not yet come to consensus on the definition of unlinkability and until we do so it's difficult to look at Permitted Uses through that lens?
12:04:56 [jmayer]
I dropped myself from the queue.
12:05:00 [susanisrael]
lou: there are exceptions/use cases that need to be factored in
12:05:09 [susanisrael]
aleecia: we have been doing that
12:05:49 [jmayer]
WileyS, we have a range of definitions on unlinkability. Any should be adequate. There's not a dependency there.
12:05:53 [susanisrael]
aleecia: re: financial reporting. hearing this allows businesses to prove they have done what they said they would do vs. very expansive approach
12:06:01 [rigo_]
rigo_ has joined #dnt
12:06:12 [susanisrael]
also heard concerns about standards for limiting
12:06:25 [WileyS]
12:06:38 [johnsimpson]
so what would be *reasonable*?
12:06:40 [rachel_n_thomas]
12:06:56 [susanisrael]
david wainberg: clarification: we aren't talking about unlimited retention
12:07:05 [lmastria-DAA]
12:07:17 [susanisrael]
aleecia: so what is the way out? set period for retention?
12:07:35 [lmastria-DAA]
12:07:38 [WileyS]
indefinite and not defined are already not allowed
12:07:41 [npdoty]
I think we may have that text (specific to indefinite retention) in the spec already
12:07:49 [WileyS]
Please see Nick's version
12:08:02 [susanisrael]
david wainberg: but no one wants indefinite. idea of loophole to retain data forever is kind of a fairy tale
12:08:14 [susanisrael]
aleecia: but some people think that idea has validity
12:08:21 [dsinger]
12:08:27 [jmayer]
David Wainberg, people in your industry have been talking about 7+ year retention.
12:08:38 [npdoty]
ack rachel_n_thomas
12:08:45 [jmayer]
That may not be unlimited, but it's close enough.
12:08:54 [jmayer]
Who is talking?
12:09:04 [jmayer]
And could she decrease her volume a bit?
12:09:05 [susanisrael]
rachel: no one wants unlimited retention: want only as long as is necessary or required by law. all of industry has already committed to it
12:09:07 [Simon]
Rachel Tomas DAA talking
12:09:27 [susanisrael]
aleecia: in global section you will find language that is similar but not as restrictive
12:09:32 [JC]
Rachel thomas DMA
12:09:34 [Zakim]
12:09:45 [susanisrael]
rachel: but you say there are people who don't believe it
12:09:48 [jmayer]
Ok, would you mind asking her to decrease her volume a bit? Thanks.
12:09:52 [jchester2]
It's not about forever. It's kept too long for when people send DNT: 1
12:10:14 [susanisrael]
aleecia: some people feel global section not ok
12:10:26 [JC]
There is no individual way to do that
12:10:31 [jmayer]
12:10:33 [efelten]
To point out the obvious, not all companies belong to DAA.
12:10:48 [WileyS]
WileyS has joined #DNT
12:10:56 [jmayer]
There are two separate issues - whether a standard is enforceable, and what the standard requires.
12:10:56 [susanisrael]
rachel: if an existing self-reg framework not sufficient what is
12:11:02 [jmayer]
I'm glad we agree on enforceability.
12:11:08 [susanisrael]
aleecia: that's what we are looking for
12:11:20 [justin]
12:11:36 [jchester2]
Only if the FTC has the knowledge and political will to enforce meaningful privacy safeguards
12:11:47 [rvaneijk]
12:11:55 [susanisrael]
lou: apologize that i will not offer any additional text but this is not just us based, other reg bodies not engaged
12:12:27 [susanisrael]
aleecia: queue closed
12:12:27 [dsinger]
12:12:45 [WileyS]
12:13:11 [justin]
I thought the proposal was Chapell works with npdoty on language.
12:13:20 [Joanne]
Susan, good job scribing this session
12:13:25 [jmayer]
12:13:35 [susanisrael]
aleecia: if no concrete proposal we keep one of these texts, and decide global language ok
12:13:45 [rvaneijk]
12:14:16 [susanisrael]
david w: does data minimization and retention section solve this if parties have to disclose retention period
12:14:25 [rvaneijk]
my answer to the sufficiency of data collection by 3rd parties under DAA principles is: Do Not Collect.
12:14:27 [susanisrael]
aleecia: that is the question
12:14:33 [johnsimpson]
When do you need the text proposal?
12:14:45 [Chris_IAB]
how many people think David Singer's proposal is not sufficient?
12:14:54 [susanisrael]
jeff: i will take it on to write some text will do in 2 weeks and will go to my privacy colleagues
12:15:12 [jmayer]
12:15:22 [justin]
The existing language in the text is broader than the DAA requirement (requires disclosure).
12:15:22 [npdoty]
dsinger, we have proposals from Alan, from the editor's draft, from my proposal (although perhaps that won't get support)
12:15:23 [susanisrael]
jeff: are you saying default will be daa text if no alternative? then i will write it
12:15:37 [jmayer]
12:15:38 [susanisrael]
aleecia: does anyone else want to help
12:15:39 [johnsimpson]
Isn't there text already from Mozilla/Stanford/EFF
12:16:02 [susanisrael]
tl: i would like to repropose the text that jonathan peter and i proposed
12:16:14 [susanisrael]
jeff: then i will withdraw my action
12:16:28 [npdoty]
I think Chapell and I are going to find time in the next 24 hours
12:16:38 [npdoty]
right, Chapell?
12:16:39 [johnsimpson]
Can we please see recap the three options?
12:16:42 [susanisrael]
aleecia: next debugging
12:16:48 [npdoty]
Topic: Debugging
12:16:50 [npdoty]
scribenick: Joanne
12:17:04 [npdoty]
thanks to susanisrael for scribing!
12:17:31 [Joanne]
Aleecia: looking for info on debugging.
12:17:31 [susanisrael]
nick, shane, my pleasure. hope i captured it
12:17:55 [Joanne]
...text from Nick.
12:18:03 [Joanne]
Nick: action 235
12:18:56 [npdoty]
Operators MAY retain data related to a communication in a third-party context to use for identifying and repairing bugs in functionality. As described in the general requirements [reference to Minimization section], services MAY collect and retain data from DNT:1 users ONLY when reasonably necessary to identify and repair errors in functionality. Services SHOULD use graduated responses where feasible.
12:19:02 [Joanne]
Nick: suggestions from last week's call to add non-normative text and normative text around that it is short term
12:19:10 [Chris_IAB]
seriously, just to be clear, industry does not retain data "forever" (what's the point of this debate then?)
12:19:12 [adrianba]
12:19:18 [WileyS]
12:19:40 [Joanne]
Aleecia: anything further to discuss or wait for Nick to add text. May want to discuss graduated response
12:19:41 [npdoty]
Chris_IAB, I think the concern is about retaining data too long, rather than forever
12:19:54 [Chris_IAB]
<efelten> To point out the obvious, not all companies belong to DAA (neither to the W3C)
12:20:22 [Chris_IAB]
"too long" is vague... we are saying, as long as we need it to do our legitimate business, within our rules, and as GOOD actors
12:20:37 [Chris_IAB]
good luck regulating bad actors-- they aren't here in Amsterdam
12:20:43 [efelten]
Chris_IAB, point taken. Was responding to an assertion that nothing is needed here because "the industry" is following the DAA program.
12:20:58 [johnsimpson]
Isn't most debugging by first party site?
12:21:00 [tl]
12:21:08 [Joanne]
Ifette: issue is if discover a bug, you want to go back and look at log data to fix it. if small percentage of users, then may need to log additional data to track and fix bug
12:21:18 [Joanne]
...minimal scope for fixing bug
12:21:19 [npdoty]
I think we are debating a variety of business practices; behavioral targeting is a legitimate business practice that would be limited in part by DNT, for example
12:22:17 [Joanne]
Aleecia: we don't have minimization for debugging and something useful to write up
12:22:35 [Chris_IAB]
efelten, we do however have representatives from industry representing thousands of companies
12:23:03 [lmastria-DAA]
efelten: re: DAA not all, but many many do and the number continues to grow each day...our umbrella covers thousands of companies in the space in the US and internationally
12:23:18 [Joanne]
Adrianba: purpose of text was that data minimization to capture data that was necessary
12:23:24 [rachel_n_thomas]
efelten, you're correct that no group represents every single company...but the DAA - through the associations that form it - represents more than 5,000 companies. That includes all of the major players in every sector of the online advertising ecosystem. It's the most inclusive and representative group ever created in the industry, and the only one to successfully bring all of those companies on board with one self-regulatory standard. No small feat.
12:23:25 [Joanne]
Aleecia: thanks for context
12:23:40 [Joanne]
Shane: disagree with graduated response in reality
12:23:50 [ifette]
12:23:55 [lmastria-DAA]
12:23:56 [ksmith1]
12:24:00 [jmayer]
12:24:01 [ifette]
q+ to give examples of additional information we may collect
12:24:09 [Joanne]
...it's that information we can't predict what is going to break. there the graduated response isn't helpful
12:24:12 [npdoty]
ack adrianba
12:24:14 [npdoty]
ack WileyS
12:24:18 [amyc]
12:24:41 [Joanne]
to understand how this works, esp for 3rd party
12:25:12 [Joanne]
Aleecia: not all companies are the same
12:25:25 [Simon]
"should whenever reasonably possible"
12:25:33 [amyc]
wouldn't the global principles on data minimization get us out of this box?
12:25:36 [Joanne]
Shane: Roy has helped us understand a should be interpreted as a must
12:25:57 [Joanne]
...isolate this as a May
12:26:21 [ksmith1]
12:26:43 [Chris_IAB]
that's just not how debugging works
12:26:49 [tlr]
tlr has joined #dnt
12:26:58 [Joanne]
Aleecia: text as it stands, Should use graduated response. then use debugging for non-DNT users. can we collect less data upfront. not all cos aren't going to do this the same.
12:27:14 [Joanne]
...we suggest not using the phrase "graduated response"
12:27:48 [Joanne]
TL: concern we collect data now because something might go wrong
12:27:49 [jeffwilson]
not only are not all companies the same, debugging scenarios differ. each scenario is by nature 'graduated'.
12:27:59 [Joanne]
Aleecia: do you have something to address that
12:28:01 [dsinger]
12:28:06 [Chris_IAB]
12:28:14 [ksmith1]
12:28:40 [npdoty]
ack tl
12:29:05 [Joanne]
TL: suggestion substantially different from graduated response
12:29:20 [WileyS]
12:29:30 [Joanne]
...may collect information necessary to resolve issue as long not used beyond that purpose
12:29:32 [jmayer]
I would note that this is a new concession. The EFF/Mozilla/Stanford proposal does not allow collection of linkable data as a graduated response to debugging.
12:29:49 [Joanne]
discussion around fraud and malicious behavior
12:29:53 [npdoty]
tl is suggesting that "once you have identified a problem," rather than ongoing graduated response
12:29:54 [Joanne]
not applicable here
12:30:01 [jmayer]
The latest EFF/Mozilla/Stanford text is at
12:30:06 [Joanne]
...will write up sentence in IRC right now
12:30:33 [justin]
If you're allowing for prophylactic collection for security, what is the privacy advantage of . . . what ifette is saying now.
12:30:53 [Joanne]
ifette: without reopening may collected another use may now be used for this purpose
12:31:10 [npdoty]
action: lowenthal to suggest an alternative to debugging graduated response ('once identified a problem')
12:31:10 [trackbot]
Created ACTION-278 - Suggest an alternative to debugging graduated response ('once identified a problem') [on Thomas Lowenthal - due 2012-10-10].
12:31:14 [Joanne]
...back to Shane's point, audio example
12:31:27 [jmayer]
Justin, once you allow collection for *any* purpose, the privacy advantages of focusing on uses quickly diminish.
12:31:32 [damiano]
damiano has joined #dnt
12:31:50 [Joanne]
Aleecia wants Ian to write up something
12:32:12 [Joanne]
Aleecia: explanation around graduated use cases and how that may work
12:32:17 [justin]
jmayer, I'm just trying to envision a scenario where data collection for debugging > data collection for security.
12:32:20 [ksmith1]
12:32:22 [dsinger]
12:32:22 [npdoty]
action: fette to write an explanation of graduated response and a list of explanatory use cases
12:32:22 [trackbot]
Created ACTION-279 - Write an explanation of graduated response and a list of explanatory use cases [on Ian Fette - due 2012-10-10].
12:32:23 [Joanne]
ifette: say something ends up with action
12:32:27 [npdoty]
ack ifette
12:32:27 [Zakim]
ifette, you wanted to give examples of additional information we may collect
12:32:28 [ksmith1]
12:32:33 [npdoty]
ack lmastria-DAA
12:32:50 [amyc]
12:33:10 [Joanne]
lou: good practice inside a company but not sure if policy that needs to be pushed down. not sure worthy of full on conversation
12:33:13 [fwagner]
fwagner has joined #dnt
12:33:16 [npdoty]
ack jmayer
12:33:45 [Joanne]
Jmayer: ask for more info about debugging in general to learn more
12:33:48 [amyc]
12:33:54 [npdoty]
ack dsinger
12:34:44 [dwainberg]
Is David saying that a best practice should be read as a MUST?
12:34:46 [npdoty]
dsinger, would a "SHOULD where feasible" work for that?
12:34:50 [rvaneijk]
12:34:57 [npdoty]
ack Chris_IAB
12:34:58 [Joanne]
Dsinger: agree with Lou and disagree with Shane a little. Collecting data for debugging is a best practice. Document what Ian described. Collecting data for bug you are aware of to fix it then get rid of it
12:35:15 [Joanne]
Chris_IAB: lots of cos read that as a MUST
12:35:29 [tl]
npdoty, my text: "After identifying an error that impairs existing intended functionality, it is acceptable to collect additional data which may be needed to identify the cause of the error and resolve it, so long as the resolution of that error is as prompt as possible, and that the data is used only for that purpose and deleted immediately afterwards."
12:35:48 [npdoty]
action-278: "After identifying an error that impairs existing intended functionality, it is acceptable to collect additional data which may be needed to identify the cause of the error and resolve it, so long as the resolution of that error is as prompt as possible, and that the data is used only for that purpose and deleted immediately afterwards."
12:35:48 [trackbot]
ACTION-278 Suggest an alternative to debugging graduated response ('once identified a problem') notes added
12:35:56 [jmayer]
Is this the "good actors" argument again?
12:35:56 [dsinger]
maybe we need an explicit note on this 'should' explaining why it's not a must?
12:35:58 [Joanne]
...what harm are we trying to prevent in putting further restrictions on debugging
12:36:00 [adrianba]
agreed - don't think this is a SHOULD here - it's an english suggestion that it would be a good idea to only collect what is needed when it is needed
12:36:16 [tl]
Thanks, npdoty!
12:36:26 [npdoty]
action-278 pending review
12:36:33 [npdoty]
action-278 pending-review
12:37:22 [Joanne]
Aleecia: two possible ways to address Should v May. 1. change the word Should. 2. provide example when graduated response does not make sense and add as non-normative text
12:37:27 [WileyS]
12:37:41 [Joanne]
Chris_IAB: doesn't agree with approach. should remove the word "should"
12:37:42 [npdoty]
ack ksmith
12:38:03 [rachel_n_thomas]
12:38:23 [amyc]
12:38:42 [Joanne]
KevinS: agrees with both sides. in enterprise world, graduated response is not feasible. wishes it was. however, cos are dealing with 1000's of bugs
12:39:09 [justin]
If we don't use SHOULD, I'd prefer a non-normative example using graduated response instead of MAY which is irrelevant.
12:39:13 [Joanne]
...can't turn on off collection. not very practical
12:39:21 [WileyS]
12:39:25 [npdoty]
Zakim, close queue
12:39:25 [Zakim]
ok, npdoty, the speaker queue is closed
12:39:28 [Joanne]
Aleecia: good direction.closing queue
12:40:03 [jmayer]
Many third parties don't collect ID cookies from opted-out users. They do debugging just fine.
12:40:23 [jmayer]
I'm aware of several third parties that presently use graduated response on debugging.
12:40:29 [JC]
They probably use IP info
12:40:48 [Joanne]
ShaneW: made it in the queue. 3rd parties wanting to be fast and reactive. collecting more data to determine root cause not realistic. moved beyond collection v use. graduated response is not real. strongly support moving to a "may"
12:40:55 [tl]
And you don't think you can rely on non-DNT users?
12:41:00 [jmayer]
JC, that would be OK under our proposal.
12:41:19 [Joanne]
Aleecia: alternative - don't change collection styles, but change retention
12:41:20 [Chris_IAB]
WileyS, one good example of such a company is Unicorn, Inc.
12:41:29 [johnsimpson]
12:41:39 [npdoty]
WileyS, when you say we've moved beyond "collection v. use", which way do you mean that we've moved past it?
12:41:43 [johnsimpson]
Rob is breaking up
12:41:43 [npdoty]
ack WileyS
12:41:48 [npdoty]
ack rvaneijk
12:41:55 [Joanne]
Rob: quick Q. talking about debugging in a general sense or in a prod dev sense
12:42:03 [Joanne]
Aleecia: reading text
12:42:15 [tl]
+q to say "bugs"
12:42:21 [npdoty]
ack rachel_n_thomas
12:42:22 [tl]
12:42:37 [adrianba]
i don't think a MAY is appropriate - we're definitely not saying graduated response needs permission in the spec - perhaps this is a non-normative suggestion?
12:42:49 [dsinger]
12:42:54 [Joanne]
Rachel_N_Thomas: it should be "may". lawyers will interpret "should" as a "must"
12:42:54 [adrianba]
(i also don't think SHOULD is appropriate)
12:43:01 [Joanne]
...request it be "may"
12:43:23 [Chris_IAB]
Joanne, to clarify my audible comment, the 2nd point was that we have already agreed not to use the data for targeting, so I don't think this should be a debate any longer.
12:43:25 [Joanne]
Aleecia: "should" is a strong statement and you are hearing it correctly
12:43:33 [Joanne]
thanks Chris
12:43:35 [schunter]
12:43:36 [Joanne]
12:43:40 [npdoty]
12:43:48 [schunter]
... defines the keywords SHOULD, MUST, ...
12:43:59 [Chris_IAB]
I support Rachel's request to change "should" to "may"
12:44:01 [Joanne]
Aleecia: action item to clean up text a bit
12:44:03 [dsinger]
we can avoid 'should' by being clearer "the best and safest practice is to use graduated response; an un-graduated response has some risks..."
12:44:34 [dsinger]
I do not think "may" has quite the right formal sense, either.
12:44:43 [Chris_IAB]
dsinger, good suggestion to make this non-normative best practice
12:44:46 [adrianba]
12:44:48 [justin]
Yes, MAY is clearly wrong.
12:45:10 [Joanne]
Aleecia: genuine difference on graduated response. solid text on this proposal and we'll go from there
12:45:16 [justin]
"best and safest practice is to use graduated response WHEN FEASIBLE"?
12:45:18 [Chris_IAB]
should may be should? who's on first? :)
12:45:27 [Joanne]
...break 15 minutes early and hopefully we can keep ahead
12:45:32 [npdoty]
break early, back in half an hour.
12:45:33 [Zakim]
12:46:02 [fwagner_]
fwagner_ has joined #dnt
12:57:38 [ksmith]
ksmith has joined #DNT
13:01:21 [Simon]
Simon has joined #dnt
13:08:52 [dsriedel]
dsriedel has joined #dnt
13:11:05 [vincent]
vincent has joined #dnt
13:17:17 [johnsimpson]
are we back?
13:19:52 [vinay]
vinay has joined #dnt
13:19:52 [johnsimpson]
Can't telephone in. says conference is "restricted"
13:21:01 [amyc]
amyc has joined #dnt
13:21:14 [ifette]
13:21:24 [ifette]
zakim, open the queue
13:21:24 [Zakim]
ok, ifette, the speaker queue is open
13:21:25 [npdoty]
Zakim, open the queue
13:21:25 [Zakim]
ok, npdoty, the speaker queue is open
13:21:26 [tedleung]
scribenick tedleung
13:21:26 [amyc]
Aleecia: next discussion is user agent compliance
13:21:32 [npdoty]
scribenick: tedleung
13:21:44 [amyc]
oops, sorry ted, I will scribe next
13:21:55 [tedleung]
ok, that's fine
13:21:57 [justin_]
justin_ has joined #dnt
13:21:58 [johnsimpson]
having trouble calling in. Says conference is "restricted" and won't let me in
13:21:58 [johnsimpson]
13:22:00 [npdoty]
make sure we have the universe of issues that we need to resolve
13:22:15 [npdoty]
Zakim, who is on the phone?
13:22:15 [Zakim]
On the phone I see Telegraaf, BrendanIAB?, Jonathan_Mayer
13:22:15 [tedleung]
scribenick amyc
13:22:32 [tedleung]
npdoty: amyc will scribe, not me
13:22:39 [JBWeiss]
JBWeiss has joined #DNT
13:22:39 [tedleung]
13:22:56 [tedleung]
13:22:58 [Chapell]
Chapell has joined #DNT
13:23:03 [tedleung]
since i am already the nick
13:23:30 [tedleung]
reviewing section 5 on UA compliance
13:23:31 [afowler]
afowler has joined #dnt
13:23:52 [jmayer]
dsinger and hober, how does Apple feel about a mandatory link in the browser UI?
13:24:00 [jchester2]
jchester2 has joined #dnt
13:24:01 [tedleung]
taking WileyS's point
13:24:04 [dsinger]
13:24:06 [tedleung]
13:24:10 [hwest]
hwest has joined #dnt
13:24:12 [dsinger]
13:24:22 [jmayer]
*raises hand*
13:24:23 [ifette]
13:24:27 [johnsimpson]
still locked out of call
13:24:32 [dsinger]
13:24:34 [tedleung]
browser folks object to link to explanatory text when DNT is enabled
13:24:46 [johnsimpson]
did that and am holding for an operator....
13:24:48 [npdoty]
ack ifette
13:25:14 [WileyS]
13:25:16 [tedleung]
ifette in chrome, when user checks the box, more info will be given in an additional dialog as opposed to a link to a document
13:25:18 [tl]
13:25:33 [npdoty]
ack dsinger
13:25:35 [tedleung]
ifette prefer less prescription, but agree with the spirit
13:25:48 [npdoty]
s/ifette in/ifette: in/
13:25:48 [jmayer]
13:25:55 [npdoty]
s/ifette prefer/ifette: prefer/
13:25:55 [WileyS]
The goal is a "pre-selection" option
13:26:00 [johnsimpson]
still holding for an operator
13:26:00 [stella]
stella has joined #dnt
13:26:21 [ifette]
13:26:29 [tedleung]
dsinger don't want to stray into product / ui design. also unhappy with a MUST that says you have to explain how your product works to your users
13:26:49 [Chapell]
13:26:52 [ifette]
q+ to suggest we probably want a middle ground between "a link right next to the checkbox" and "go dig in the manual"
13:27:11 [Marije]
Marije has joined #dnt
13:27:14 [npdoty]
s/dsinger don't/dsinger: don't/
13:27:18 [johnsimpson]
looks like nobody plans to answer the telephone
13:27:24 [npdoty]
ack WileyS
13:27:24 [johnsimpson]
still holding
13:27:29 [tedleung]
aleecia are you changing the MUST to SHOULD, non-normative text, or deleting?
13:27:37 [tedleung]
dsinger any of those
13:27:50 [jmayer]
Proposal: SHOULD provide users with information about Do Not Track. Don't specify the form of that information.
13:28:02 [jmayer]
Why does pre- or post-selection matter, Shane?
13:28:07 [jmayer]
One click to deselect.
13:28:10 [johnsimpson]
thanks, nick. should i hang up and call back? still getting message to hold for an operator
13:28:11 [tedleung]
WileyS the goal here is to have pre-selection means of informing the user, not a post-selection means
13:28:31 [jmayer]
We've talked about the "balance" argument before. Many in the group don't buy it.
13:28:36 [lmastria-DAA]
lmastria-DAA has joined #dnt
13:28:37 [npdoty]
13:28:39 [lmastria-DAA]
13:28:41 [tedleung]
WileyS goal was to bring balance between UA's and servers
13:28:44 [mikez]
mikez has joined #dnt
13:29:22 [tedleung]
aleecia I hear no disagreement with moving away from link
13:29:24 [npdoty]
violent agreement that we don't need language specific to a link
13:29:31 [johnsimpson]
Still no operator. Am hanging up and redialing...
13:29:50 [ifette]
Shane, I think what you said was "Inform the user as part of enabling" was a good way to approach this
13:29:55 [tedleung]
no one in the room in favor of link, so moving on
13:30:01 [rigop]
rigop has joined #dnt
13:30:13 [ifette]
13:30:14 [tedleung]
aleecia still have a question on MUST vs SHOULD
13:30:37 [npdoty]
ack tl
13:31:15 [tedleung]
tl current test builds for Firefox have a tri-state build, but we don't think people should be forced to do this. We might find a better way, this language seems restrictive
13:31:30 [mischat1]
mischat1 has joined #dnt
13:31:37 [tedleung]
tl very worried that this will be used to rule UA's non-compliant.
13:32:01 [johnsimpson]
Nick, called back still holding for an operator to answer,
13:32:05 [tedleung]
tl this is oriented towards mouse based GUI's. What about curl or UI less extension
13:32:15 [dwainberg]
13:32:19 [npdoty]
q+ dwainberg
13:32:25 [tedleung]
npdoty: ok
13:32:26 [ksmith]
Tom, is that the actual text? Has anyone ever checked the box "Tell sites I want to be tracked?"
13:33:10 [johnsimpson]
Nick, any ideas?
13:33:26 [tedleung]
aleecia: if we change the MUST to SHOULD, and then give examples of best practices, give an example with no UI, and give info about DNT at the point of download, could people live with that
13:34:09 [afowler]
ksmith, the tri-state with explanatory link that Tom mentioned is still in our experimental builds and not in our full releases, yet.
13:34:15 [Chris_IAB]
cURL? Seriously Tom, what's the installed base of cURL users surfing websites?
13:34:27 [tedleung]
WileyS: concern is over making sure people understand DNT before turning it on
13:35:42 [Chris_IAB]
cURL is the use case we hinging on?
13:35:50 [tedleung]
tl: still concerned over ruling browsers non-compliant, and still feel that curl isn't covered
13:36:10 [dwainberg]
Can we have an explicit exception for Curl?
13:36:10 [mikez]
13:36:21 [tedleung]
tl: don't want a situation where browser vendor says "we're compliant" and site says "no, you're not"
13:36:24 [johnsimpson]
Nick, should I hang up or keep on "holding for an operator"
13:36:33 [jmayer]
Shane, we're not renegotiating the working group charter.
13:36:43 [Chris_IAB]
Shane: what's good for the goose should be good for the gander - agree
13:36:52 [justin_]
There are no UX requirements on servers.
13:36:58 [tedleung]
WileyS: we have all these rules for servers, but not allowed to have rules for UAs?
13:37:16 [johnsimpson]
Nick, so hang up?
13:37:22 [dsinger]
13:37:25 [tedleung]
WileyS: we could work on the text so that curl could be covered
13:37:32 [Marc]
Marc has joined #DNT
13:37:38 [Chris_IAB]
jmayer, Shane is arguing within the working group charter, as he reads it
13:37:38 [dsinger]
13:37:48 [dsinger]
three suggestions (a) 'should
13:38:00 [johnsimpson]
zakim, who is on phone
13:38:00 [Zakim]
I don't understand 'who is on phone', johnsimpson
13:38:01 [jmayer]
Chris, the working group charter explicitly excludes UI. You know that.
13:38:33 [npdoty]
Zakim, who is on the phone?
13:38:33 [Zakim]
On the phone I see Telegraaf, BrendanIAB?, Jonathan_Mayer
13:38:41 [Chris_IAB]
jmayer, We are talking about requirements, not actual UI
13:38:44 [tedleung]
tl: we can get around this by making a SHOULD suggestion that enough information is provided for a GUI Browser, a UI less extension, and, a program like curl. A combination of normative and non-normative text
13:38:49 [dsinger]
three suggestions (a) 'should' (b) 'as well documented as other user choices and operations' and (c) a gentleman's agreement not to use this as a way to deem UAs non-compliant (as a compromise on the 'should')
13:39:28 [tedleung]
WileyS: to update text
13:39:35 [npdoty]
action: wiley to draft updated text on UA requirements; explanatory text made more general; add 'prior to selecting DNT'; add examples; change MUST to SHOULD
13:39:35 [trackbot]
Created ACTION-280 - Draft updated text on UA requirements; explanatory text made more general; add 'prior to selecting DNT'; add examples; change MUST to SHOULD [on Shane Wiley - due 2012-10-10].
13:39:37 [jmayer]
Chris, if mandating a particular format (link) for information in a particular place (before clicking the DNT button) isn't a UI requirement, I don't know what is.
13:39:43 [Chris_IAB]
jmayer, general requirements don't = specifying UI
13:39:50 [justin_]
Gentleman's agreement?
13:39:58 [npdoty]
13:40:14 [WileyS]
Jonathan, we already agreed to remove link
13:40:23 [tedleung]
dwainberg: was going to propose review of charter statement on UI
13:40:28 [jmayer]
I agree that, sans link, we're in scope.
13:40:38 [tedleung]
aleecia: we are walking close to the line, but not crossing it
13:40:54 [Chris_IAB]
jmayer, just because you don't understand how this fits, doesn't mean it's not a valid proposal for discussion (many here, including Shane and obviously the Chairs agree that this is something to talk about)
13:41:07 [johnsimpson]
Nick, should I hang up or keep holding?
13:41:08 [tedleung]
review of charter content around UI/UE
13:41:24 [ifette]
13:41:38 [npdoty]
13:41:49 [npdoty]
ack jmayer
13:41:52 [ksmith]
Shane - rather than "Prior to selecting" you might consider "Prior to enabling" or some such which would allow for Ian's suggested workflow in which turning on DNT is a 2 (or more) step process of selecting, and then accepting
13:42:02 [johnsimpson]
I'll hang up now.
13:42:14 [WileyS]
Kevin, I like that "prior to enabling"
13:42:30 [WileyS]
Kevin, consider it borrowed/stolen :-)
13:43:41 [tedleung]
jmayer: what about current implementation of help pages - is that enough for DNT?
13:43:44 [WileyS]
13:44:05 [WileyS]
Jonathan, do you feel comfortable if I make an opt-in choice work in the same way?
13:44:07 [tedleung]
WileyS: does the current implementation of Firefox and IE satisfy the test
13:44:28 [johnsimpson]
Nick, please let me know when to call back.
13:45:06 [johnsimpson]
thanks for your help, I don't mean to sound impatient
13:45:06 [Chris_IAB]
tl, what does the one sentence next to the DNT check-box mean?
13:45:23 [Chris_IAB]
sorry, what does it say?
13:45:23 [jmayer]
Then I strongly object.
13:45:26 [Chris_IAB]
and mean?
13:45:29 [rvaneijk]
@WIleyS: users have made an active and informed choice to allow or disallow DNT... ?
13:45:32 [tedleung]
WileyS: it does not meet the text
13:46:16 [npdoty]
13:46:23 [Chris_IAB]
tl, what I meant to ask is, "what does that sentence next to the check-box say exactly"
13:46:27 [tedleung]
aleecia: does anyone want to draft alternative text
13:46:28 [jmayer]
I can draft alternative text.
13:46:49 [dwainberg]
13:46:50 [johnsimpson]
vinay, are you sharing on screen?
13:47:00 [schunter]
13:47:07 [schunter]
ack Chapell
13:47:12 [WileyS]
13:47:13 [tedleung]
mikez: DAA will supply alternative text
13:47:17 [johnsimpson]
vinay, thanks got it.
13:47:20 [npdoty]
Zakim, who is on the phone?
13:47:20 [Zakim]
On the phone I see Telegraaf, BrendanIAB?, Jonathan_Mayer
13:47:28 [npdoty]
Zakim, drop Jonathan_Mayer
13:47:28 [Zakim]
Jonathan_Mayer is being disconnected
13:47:30 [Zakim]
13:47:32 [npdoty]
Zakim, drop BrendanIAB
13:47:32 [Zakim]
BrendanIAB? is being disconnected
13:47:34 [vinay]
johnsimpson - sorry. didn't see your request for access. You should see her screen now
13:47:34 [Zakim]
13:47:36 [npdoty]
Zakim, drop Telegraaf
13:47:36 [Zakim]
Telegraaf is being disconnected
13:47:36 [tl]
Chris_IAB: The release implementation right now has a checkbox and the phrase "Tell websites I do not want to be tracked."
13:47:37 [mischat]
mischat has joined #dnt
13:47:38 [Zakim]
Team_(dnt)06:49Z has ended
13:47:38 [Zakim]
Attendees were +31.20.585.aaaa, Telegraaf, +1.714.852.aabb, fielding, BrendanIAB?, +1.310.292.aacc, johnsimpson, +1.425.214.aadd, bryan_, Jonathan_Mayer
13:48:14 [johnsimpson]
can I dial back in now?
13:48:30 [jmayer]
now everyone's off the call...
13:48:41 [Chris_IAB]
tl, thanks-- what does "Tell websites I do not want to be tracked" mean? Websites = ALL websites, including first party?
13:48:42 [efelten]
13:48:45 [schunter]
13:48:46 [Joanne]
*Nick is working on the phone issue
13:48:56 [rigop]
13:49:21 [johnsimpson]
let us know when to call back in
13:49:23 [dsinger]
q+ to point out that not every UA is a browser
13:49:27 [tedleung]
Chapell: asking drafters to supply more meat around the framework in addition to the details
13:49:27 [tl]
Chris_IAB: If the box is checked, a "DNT:1" header is sent with every HTTP request.
13:49:38 [npdoty]
Zakim, move 26631 to here
13:49:39 [Zakim]
ok, npdoty; that matches Team_(privacy)13:48Z
13:49:54 [npdoty]
okay phone folks, please dial back in, and use code 26631
13:49:57 [npdoty]
sorry for the drop
13:50:02 [Chris_IAB]
tl, can you please answer my actual question?
13:50:06 [Zakim]
13:50:13 [npdoty]
Zakim, who is on the phone?
13:50:13 [Zakim]
On the phone I see Telegraaf, Jonathan_Mayer
13:50:16 [dsinger]
13:50:23 [susanisrael]
to those who were on the phone, nick is working on getting you all back on
13:50:28 [tl]
Chris_IAB: I'm not sure I understand your question?
13:50:29 [Chris_IAB]
tl, I get what happens
13:50:47 [tl]
Chris_IAB: What confuses you?
13:50:50 [rigop]
ack dsinger
13:50:50 [Zakim]
dsinger, you wanted to point out that not every UA is a browser
13:50:52 [tedleung]
dsinger: not every UA is a browser: RSS feed readers, Mail UA's, etc
13:51:24 [Chris_IAB]
what I want to know, is what does Mozilla (and presumably its users) mean by "websites" in this sentence you are using to turn on the sending of DNT:1. It's a simple question Tom.
13:51:28 [tedleung]
mikez: can't live with suggested proposal to change MUST to SHOULD
13:51:30 [dsinger]
13:51:33 [johnsimpson]
do we use a different code?
13:51:41 [rigop]
13:51:54 [justin_]
mikez, you just argued that SHOULD was effectively the same as MUST for graduated response :)
13:51:56 [jmayer]
Mike Zaneis, there was nothing clear about that White House "agreement." One of your own member companies thought it allows a silent default.
13:51:57 [schunter]
13:52:05 [Zakim]
13:52:36 [tl]
Chris_IAB: The recipient of any HTTP request from the browser.
13:53:15 [tl]
Chris_IAB: When you check the box, Firefox tells everyone that you don't want to be tracked by sending them a signal in the form of a DNT header.
13:53:26 [johnsimpson]
13:53:34 [tlr]
tlr has joined #dnt
13:53:44 [npdoty]
ack dsinger
13:53:46 [tedleung]
lmastria-DAA: forthcoming language on mobile; DAA representing many in ecosystem, browser vendors will be gaining responsibility
13:53:49 [mikez]
justin, no, I argued that browsers should have an affirmative, non subjective obligation
13:54:42 [tedleung]
dsinger: if we have rules about what browsers must present to users, then we will have to contemplate rules about what sites must present to users. at the moment we are silent. on both sides. it's a balance argument
13:54:58 [dsinger]
13:54:58 [trackbot]
ISSUE-150 -- DNT conflicts from multiple user agents -- raised
13:54:58 [trackbot]
13:55:23 [Chris_IAB]
tl, so ALL websites then? Since ALL websites would receive the HTTP request... So by checking your box, the user is asking that ALL WEBSITES (including first party sites) not "track" them. Ok, that's clear now, thanks. Ad industry has HUGE issue with this.
13:55:24 [WileyS]
David Singer - UAs have zero business impactful implications from DNT - having a single requirement for user disclosure prior to selecting DNT IS BALANCE.
13:55:26 [mikez]
jmayer, read this and then get back to me about whether our position on defaults are unclear -
13:55:45 [jmayer]
mikez, take it up with Microsoft.
13:55:57 [tedleung]
going to close 150 with: up to the browsers to resolve DNT conflicts between multiple plugins
13:56:27 [dsinger]
it's non-compliant to send multiple headers, and it is non-compliant to send a header that does not reflect the user's intent. do we need to say more?
13:56:27 [ifette]
q+ to answer matthias' questions
13:56:30 [dsinger]
13:56:41 [tedleung]
schunter: can browser plugins set headers?
13:57:28 [tl]
13:57:40 [johnsimpson]
thanks for all your help, Nick
13:57:44 [dwainberg]
13:57:48 [lmastria-DAA]
to dsinger: DAA has specific rules on what "sites" have to tell users and how that is accomplished
13:57:54 [tedleung]
ifette: depends on which browser. flash for example does not use the browser's network stack in some browsers. In some browsers extensions can add headers, multiple extensions can set multiple headers
13:57:56 [Zakim]
13:58:00 [npdoty]
do I need to create action items for mikez and jmayer for proposals on UA requirements?
13:58:02 [jeffwilson]
13:58:12 [ifette]
13:58:34 [BrendanIAB]
Zakim, ??P31 is probably me
13:58:34 [Zakim]
+BrendanIAB?; got it
13:59:03 [npdoty]
ack ifette
13:59:03 [Zakim]
ifette, you wanted to answer matthias' questions and to
13:59:04 [tedleung]
ifette: hard to enforce "there must be only 1 DNT header"
13:59:09 [rigop]
ack ifette
13:59:18 [Chris_IAB]
ALL, if you read up, tl points out that Mozilla's UI of asking websites not to track the user, applies to ALL websites (if I read it right). That seems to be why we are having the UI discussion here.
13:59:20 [npdoty]
Zakim, who is making noise?
13:59:33 [Joanne]
Can an out of band request to confirm the user preference help in the case of multiple DNT header request?
13:59:37 [Zakim]
npdoty, listening for 10 seconds I could not identify any sounds
13:59:45 [tedleung]
dsinger: HTTP only allows one instance of a given header. Therefore it's up to the browser to ensure a single header
13:59:46 [ksmith]
13:59:46 [rigop]
ack dsinger
13:59:50 [npdoty]
ack tl
13:59:52 [Chris_IAB]
13:59:52 [Chris_IAB]
can we please define "user intent"?
14:00:21 [npdoty]
I believe it's already invalid, at the HTTP level, per discussion with fielding
14:00:22 [tedleung]
tl: 2 dnt headers in a single request is an invalid HTTP request
14:00:28 [rigop]
14:00:33 [dsinger]
from HTTP: "Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. " this is not the case for the DNT header
14:01:03 [WileyS]
14:01:48 [ksmith]
14:02:02 [WileyS]
If multiple DNT signals come in the same header, DNT:0 wins.
14:02:07 [tedleung]
disagreement over HTTP compliance of multiple DNT headers.
14:02:21 [adrianba]
14:02:42 [WileyS]
Similar outcome in MSFT's TPL white/black list conflict resolution (I'm in no way supporting TPLs - they are still horrible)
14:02:59 [tedleung]
aleecia: propose "UA may only send 1 DNT signal", "A transaction with 2 DNT headers is invalid and is equivalent to DNT unset"
14:03:02 [npdoty]
lmastria-DAA, can you take on the action item with Mike Z.?
14:03:23 [jmayer]
Sounds very reasonable to me.
14:03:34 [npdoty]
14:03:45 [jmayer]
Language in the TPE about invalid syntax, that is.
14:04:45 [tedleung]
dsinger: whoever added the 2nd DNT header is non-compliant
14:04:50 [jmayer]
14:05:06 [tedleung]
tl: let's not rule pieces compliant, let's just say the request is invalid
14:05:08 [jmayer]
I was totally onboard... until the multiple headers component.
14:05:18 [jmayer]
If you get multiple "DNT: 1"s, that should be "DNT: 1"
14:05:23 [justin_]
DNT: muffins = DNT unset
14:05:35 [jmayer]
Example: both browser and extension blindly add "DNT: 1"
14:05:36 [dsinger]
action: dsinger to add to the TPE that at most one DNT header is permitted in any HTTP request
14:05:36 [trackbot]
Sorry, couldn't find dsinger. You can review and register nicknames at <>.
14:05:43 [adrianba]
14:05:44 [tedleung]
result of this discussion to go into TPE
14:05:45 [WileyS]
DNT:1, DNT:0, DNT:1 = DNT:<null>
14:05:57 [npdoty]
action: singer to add to the TPE that at most one DNT header is permitted in any HTTP request (issue-150)
14:05:57 [trackbot]
Created ACTION-282 - Add to the TPE that at most one DNT header is permitted in any HTTP request (issue-150) [on David Singer - due 2012-10-10].
14:06:13 [tl]
WileyS: well, not DNT:<null>, just not DNT header.
14:06:36 [johnsimpson]
Sounds good
14:06:40 [jmayer]
I would like to volunteer to draft alternative text.
14:06:48 [npdoty]
aleecia: if we're fine with that text, then we'll close issue-150
14:07:00 [WileyS]
tl, fair
14:07:02 [jmayer]
We do not have agreement on duplicate headers for ISSUE-150.
14:07:03 [npdoty]
action-282: if this text goes through, we can close issue-150
14:07:03 [trackbot]
ACTION-282 Add to the TPE that at most one DNT header is permitted in any HTTP request (issue-150) notes added
14:07:08 [tedleung]
14:07:08 [trackbot]
ISSUE-153 -- What are the implications on software that changes requests but does not necessarily initiate them? -- raised
14:07:08 [trackbot]
14:07:17 [tl]
14:07:23 [schunter]
The statement that aleecia made is different: She concluded: If you have multiple DNT headers (no matter what they contain), the http request is invalid (and a 505 error will be returned).
14:07:24 [justin_]
jmayer, David already volunteered, do you want to write an alternative?
14:07:46 [npdoty]
my proposal with dave singer:
14:07:46 [jmayer]
14:07:49 [BrendanIAB]
14:07:50 [WileyS]
Matthias, that's not what we all just agreed to
14:08:00 [dsinger]
14:08:00 [trackbot]
ISSUE-153 -- What are the implications on software that changes requests but does not necessarily initiate them? -- raised
14:08:00 [trackbot]
14:08:08 [tl]
I think Aleecia just mis-stated it.
14:08:13 [npdoty]
action: mayer to draft an alternative for multiple DNT headers (issue-150)
14:08:13 [trackbot]
Created ACTION-283 - Draft an alternative for multiple DNT headers (issue-150) [on Jonathan Mayer - due 2012-10-10].
14:08:16 [npdoty]
14:08:20 [rachel_n_thomas]
14:08:21 [npdoty]
ack dwainberg
14:08:22 [npdoty]
14:08:58 [npdoty]
I don't believe there is any such encompassing piece of software.
14:09:03 [dsinger]
14:09:12 [tedleung]
dwainberg: i submitted some text around this to ensure that user choice is reflected
14:09:20 [dwainberg]
"A UA that allows or enables other software to alter the DNT setting MUST ensure that such alteration reflects the user's intent."
14:10:10 [tedleung]
aleecia: we are looking at going beyond a UA. A UA or anything else that sets DNT
14:10:15 [tedleung]
objections from the room
14:10:24 [npdoty]
ack jeffwilson
14:10:26 [rigop]
rigop has joined #dnt
14:11:12 [tedleung]
jeffwilson: referring to multiple DNT header situation, is that true in relation to the JS API?
14:11:32 [tedleung]
dsinger: that can't happen
14:12:26 [WileyS]
Issue - 143: requires naming the setter of the DNT signal
14:12:51 [npdoty]
what are the objections in the room to moving towards requirements beyond the user agent?
14:13:00 [ifette]
14:13:19 [npdoty]
14:13:19 [trackbot]
ISSUE-116 -- How can we build a JS DOM property which doesn't allow inline JS to receive mixed signals? -- pending review
14:13:19 [trackbot]
14:13:26 [dsinger]
the objection is that whatever is behind the HTTP end-point is opaque and out of scope, and it's a waste of time to discuss it.
14:13:50 [ksmith]
14:13:55 [tedleung]
tl: the API's that we currently have defined do not have a consistency problem. We haven't figured out how to build the API in issue-116.
14:15:03 [npdoty]
issue-116 is pending review because I think we actually do have it resolved, and we include language noting that a JS API signal won't guarantee a future value of a DNT header, which governs
14:15:32 [tedleung]
aleecia: AVG was the driver for issue 153
14:15:47 [adrianba]
14:15:57 [tedleung]
dsinger: that's a poorly engineered UA
14:16:26 [Marc]
Marc has joined #DNT
14:16:41 [ksmith]
Tom - I think the question I heard from Jeff (correct me if I am wrong Jeff) - if there are multiple headers (say both a DNT:1 and DNT:0), thereby making the DNT request invalid, will the JS API also get an invalid response, or will it get a 1 or 0?
14:16:47 [rigop]
ack Chris_IAB
14:16:48 [npdoty]
ack Chris_IAB
14:16:56 [dsinger]
14:16:57 [jmayer]
Chris, please stop interrupting. It's very difficult to follow.
14:17:18 [jeffwilson]
ksmith, overall question about getting status of conflicting preferences, regardless of the source
14:17:31 [jeffwilson]
in all such cases, should be treated as dnt not set
14:17:45 [tedleung]
Chris_IAB: do we have a common definition of user expectation?
14:18:02 [jmayer]
Chris, this is totally off-topic.
14:19:12 [rigop]
14:19:12 [trackbot]
ISSUE-153 -- What are the implications on software that changes requests but does not necessarily initiate them? -- raised
14:19:12 [trackbot]
14:19:15 [justin_]
14:19:29 [jmayer]
Chris, please stop fighting with the chair.
14:19:32 [dsinger]
14:19:32 [justin_]
14:19:35 [npdoty]
ack WileyS
14:19:37 [amyc]
amyc has joined #dnt
14:19:43 [dsinger]
14:19:43 [trackbot]
ISSUE-143 -- Activating a Tracking Preference must require explicit, informed consent from a user -- raised
14:19:43 [trackbot]
14:20:03 [tedleung]
WileyS: issue-143 is related. It is difficult for one UA to know what another UA is doing
14:20:15 [amyc]
ted, let me know when you want me to take over
14:20:18 [amyc]
14:20:32 [justin_]
scribenick: amyc
14:20:32 [tedleung]
let me finish this part out
14:20:41 [justin_]
scribenick: tedleung
14:20:48 [jmayer]
q+ later
14:20:52 [jmayer]
14:21:04 [dsinger]
to WileyS: the user-agent header tells you what the user-agent is.
14:21:12 [tedleung]
discussions about whether issue-143 should come over from TPE
14:21:16 [npdoty]
ack tl
14:21:17 [Brooks]
14:21:18 [jeffwilson]
14:21:21 [Chris_IAB]
dsinger, you asserted the notion of "user expectation" in your argument. I asked if there was a definition for "user expectation" (since it's so commonly used here, but in many different contexts, and can be confusing)
14:21:55 [dwainberg]
14:22:00 [WileyS]
dsinger, not true, installed software can overwrite UA settings and make it appear as if its still coming from the UA. For example, AVG. :-)
14:22:18 [Chris_IAB]
since I was cut off by the chair, can someone here please point me to the definition or tell me that there is not one?
14:22:43 [dsinger]
to WileyS: But your complaint is then to the user-agent that allowed that to happen. THAT is what terminated the HTTP transaction.
14:22:45 [rigop]
14:22:52 [Chris_IAB]
to be clear, is there a definition of "user expectation"?
14:22:54 [tedleung]
tl: Browser vendors cannot vet their add-on's. All addon's should convey user intent - different addon's ascertain intent via different mechanisms.
14:22:55 [ifette]
14:22:55 [trackbot]
ISSUE-153 -- What are the implications on software that changes requests but does not necessarily initiate them? -- raised
14:22:55 [trackbot]
14:22:56 [Chapell]
14:23:08 [Marc]
14:23:25 [vincent]
Chris_IAB, I remember at least one paper mentioned about user expectation of DNT mention during princeton workshop and then some recall during santa clara meeting
14:23:32 [lmastria-DAA]
follow up to Chris_IAB: this discussion was suspended without all of the stakeholders in the q were heard
14:23:46 [adrianba]
WileyS, we're only allowed to use APIs in IE to store settings in Windows that any other software is allowed to use - we can't prevent other people calling them
14:23:47 [Chris_IAB]
vincent, can you please point to the definition in this doc?
14:23:56 [tedleung]
tl: i have no objection to clarifying
14:23:57 [npdoty]
ack BrendanIAB
14:24:19 [Chris_IAB]
vincent, that's what I'm looking for-- a definition of "user expectation" in this document
14:24:33 [efelten]
The record shows who was allowed to speak in that session, and who spoke how often.
14:24:50 [rigop]
I think that defining "user expectation" is boiling the ocean
14:25:26 [Chris_IAB]
efelten, the record does not reflect that the chair cut me off before I was done making my point, because she didn't understand the point I was trying to make, and decided it was off topic
14:25:37 [vincent]
agree with rigo, definition would not be stable at all and varies for each user
14:26:12 [rachel_n_thomas]
efelten, the record shows that chris and i were both in the queue and were cut off without being given the opportunity to speak to the issue raised at the time we entered the queue. TPWG is not following its own processes, let alone those of W3C's process document.
14:26:21 [Chris_IAB]
rigop and vincent, then we should remove it from the documents -- if we can't define something, it shouldn't be in the document (context is everything)
14:26:33 [amyc]
that argues against using user expectation in docs, or in justifications
14:27:15 [rachel_n_thomas]
removing myself from the queue, i want to know that there seems little point in trying to closely follow the W3C / TPWG processes if the chairs do not comport with them in their management of the meeting.
14:27:20 [rachel_n_thomas]
14:27:23 [rigop]
Chris_IAB: it says currently: "We do not specify how tracking preference choices are offered" so this is the verbose claim of not defining anything
14:27:39 [rvaneijk]
@rachel: you can paste what you want to say in IRC or post it to the mailing list. Anything decided in the meetings here will need to go through the mailinglist anyways.
14:28:17 [npdoty]
Zakim, close queue
14:28:17 [Zakim]
ok, npdoty, the speaker queue is closed
14:28:20 [tedleung]
BrendanIAB: browser plugins are like a new/2nd class of intermediary, should we be viewing this through the lens of intermediary compliance?
14:28:22 [justin_]
ack npdoty
14:28:24 [Chris_IAB]
rigop and vincent- if we can't agree to talk "apples and apples" in this forum, especially with all the language barriers, then its work product will be clouded. What's wrong with nailing down definitions of terms commonly used in the documents and in discussions/debates/arguments?
14:28:36 [rachel_n_thomas]
if we are allowed to enter the queue, we should be allowed to speak.
14:28:38 [npdoty]
14:28:43 [rigop]
Aleecia: Intermediary compliance is a good topic for the mailing list <= me agrees
14:29:54 [dsinger]
from HTTP 1.1 "user agent
14:29:55 [dsinger]
The client which initiates a request. These are often browsers, editors, spiders (web-traversing robots), or other end user tools."
14:30:00 [BrendanIAB]
dsinger - what is the scope of "these requirements"?
14:30:07 [dsinger]
notes that that does NOT include plug-ins
14:30:08 [justin_]
I think existing text already does that, but fine adding this too.
14:30:13 [tedleung]
npdoty: submitted language around software that modifies the DNT header needing to preserve the user intent
14:30:14 [hwest]
hwest has joined #dnt
14:30:24 [jmayer]
I would like to suggest best practice language.
14:30:38 [ifette]
14:31:04 [rachel_n_thomas]
Rehashing an earlier conversation from Chris_IAB and tl in order to then respond to it in IRC... [15:48] <Chris_IAB> tl, thanks-- what does "Tell websites I do not want to be tracked" mean? Websites = ALL websites, including first party? [15:49] <tl> Chris_IAB: If the box is checked, a "DNT:1" header is sent with every HTTP request. [15:51] <Chris_IAB> what I want to know, is what does Mozilla (and presumably its users) mean by "websites" in this sentence
14:31:10 [jmayer]
If software affects the DNT setting for other software, it is a best practice to clearly explain that to the user.
14:31:17 [npdoty]
ack ifette
14:31:18 [dsinger]
to BrendanIAB: the requirements are on all HTTP request headers. They must contain at most one DNT header which must reflect the user's intent.
14:31:35 [Chris_IAB]
so rigop, in response to your "We do not specify how tracking preference choices are offered", a valid user agent could say "I don't like pink unicorns" and the agent can send DNT:1? Is that acceptable to you?
14:31:49 [tedleung]
ifette: propose not allowing other software to modify the header
14:32:08 [Marije]
Marije has joined #dnt
14:32:09 [jmayer]
*hand up*
14:32:17 [rigop]
Chris_IAB: sure, have you seen the opera bork browser? It is valid
14:32:17 [tedleung]
dsinger: propose the null proposal
14:32:20 [dsinger]
to ifette: but that again is a rule for the user-agent author to write. don't modify existing headers
14:32:21 [rachel_n_thomas]
[15:55] <Chris_IAB> tl, so ALL websites then? Since ALL websites would receive the HTTP request... So by checking your box, the user is asking that ALL WEBSITES (including first party sites) not "track" them. Ok, that's clear now, thanks. Ad industry has HUGE issue with this.
14:32:24 [johnsimpson]
+1 David Singer
14:32:43 [rigop]
Chris_IAB: normal language can also be used to tell nonsense
14:32:43 [tedleung]
jmayer: see my IRC proposal
14:32:58 [npdoty]
action: fette to propose barring other software from altering a DNT signal if the browser already set it
14:32:58 [trackbot]
Created ACTION-284 - Propose barring other software from altering a DNT signal if the browser already set it [on Ian Fette - due 2012-10-10].
14:33:34 [rachel_n_thomas]
Want to reiterate that this is a huge issue for the entire ad industry. I cannot object more strenuously to tl's understanding that ALL websites would be required not to track (including first party) when box is checked.
14:33:35 [rigop]
14:33:39 [rigop]
ack jmayer
14:33:40 [tedleung]
amyc: over to you
14:33:44 [ifette]
14:33:48 [tedleung]
scribenick: amyc
14:33:49 [npdoty]
action: mayer to propose non-normative text to add on to action-231 (with nick)
14:33:49 [trackbot]
Created ACTION-285 - Propose non-normative text to add on to action-231 (with nick) [on Jonathan Mayer - due 2012-10-10].
14:34:06 [amyc]
Aleecia: quite a thread on unlinkability, disheartening
14:34:22 [amyc]
... have two world views on unlinkable
14:34:28 [npdoty]
jeffwilson, dwainberg, Chapell, Marc -- if you have more comments on 153 but not new action items, maybe you can follow up with us over coffee or dinner?
14:34:29 [npdoty]
14:34:41 [npdoty]
Topic: Unlinkability
14:34:48 [amyc]
... as a group, haven't talked about Shane's proposal; EFF proposal was reviewed in DC
14:34:51 [npdoty]
14:35:03 [npdoty]
Zakim, open the queue
14:35:03 [Zakim]
ok, npdoty, the speaker queue is open
14:35:05 [npdoty]
14:35:10 [npdoty]
14:35:25 [npdoty]
scribenick: amyc
14:35:43 [amyc]
Shane: end goal is that resulting data (not raw form) then take unique identifiers like cookies and IP addresses
14:35:53 [dsinger]
to Rachel: we should chat about why the DNT header is sent to everyone, even though what it means varies depending on whether you are first or third party
14:36:06 [amyc]
... undergo one way hash, so that resulting info cannot be linked back to original production identifiers
14:36:09 [jmayer]
14:36:14 [dtauerbach]
14:36:16 [efelten]
14:36:30 [tl]
14:36:40 [amyc]
... notes that there are technical discussions about hashing, but end goal is that info cannot be used directly to link back to production system
14:37:03 [amyc]
... not meant to say that can't be associated to real world user or browser, wouldn't affect
14:37:16 [ifette]
q+ clarifying question to shane
14:37:23 [ifette]
q+ to ask clarifying question to shane
14:37:33 [amyc]
... 32 byte identifier, one way hash, could rotate
14:37:50 [ifette]
when you say "not tied to a production system" i assume what you mean is being able to link back to a given user or computer?
14:37:55 [amyc]
... result may be longer or shorter in byte length, but would not link back to original identifier
14:38:09 [jmayer]
14:38:19 [amyc]
Aleecia: two options in text 3.6.1 and 3.6.2
14:38:45 [amyc]
... goes to queue, but need to end at 545
14:38:51 [rvaneijk]
14:38:57 [amyc]
... please keep civil
14:39:15 [npdoty]
ack jmayer
14:39:26 [lmastria-DAA]
14:39:50 [amyc]
jmayer: what exactly does unlinkability mean? what should not be linked after hash?
14:40:09 [amyc]
... user ID from data, or ability to connect various actions
14:40:27 [Chris_IAB]
rigop, are you serious that if the UI of a DNT UA says "I don't like pink unicorns", you would consider this a valid UI for the W3C? I want to ensure I got this right...
14:40:57 [amyc]
... which would be unlinking with respect to browser, but questions whether one way hash would make more difficult to connect to original source of data
14:41:14 [amyc]
... but would retain linkability across events or sessions
14:41:49 [amyc]
... seems like tension between one way hashes OK, but saying that OK to connect across sessions
14:42:17 [amyc]
Shane: connection back to device or browser, looking at maintaining longitudinal connection
14:42:31 [amyc]
... major goal is delinking from production sets
14:42:45 [vincent]
14:42:49 [jmayer]
14:43:04 [Rene]
14:43:04 [jmayer]
Can I follow up on that with another technical clarifying question?
14:43:06 [amyc]
... so could not affect user in real world, but could be used to maintain value of data
14:43:42 [amyc]
... differences between option one and option two, difference in granularity, but maintain value of data while addressing harms
14:44:30 [amyc]
Aleecia: how does this fit into document, this is data that is outside of DNT, anyone can use without worrying about permitted use
14:44:38 [amyc]
... not replacement for actually reading doc
14:44:48 [npdoty]
while there may be several differences between Option 1 and Option 2, the key question seems to be whether the data can't be re-linked, or isn't linkable back to the production identifier?
14:44:57 [npdoty]
ack dtauerbach
14:45:24 [Chris_IAB]
rigop, just want to make sure you don't miss my question (above): are you serious that if the UI of a DNT UA says "I don't like pink unicorns", you would consider this a valid UI for the W3C? I want to ensure I got this right...
14:45:37 [amyc]
dtauerbach: two separate definitions, what Shane is describing requires prior state, this is more like hashed data, need common sense definition
14:46:00 [dsinger]
14:46:03 [npdoty]
ack efelten
14:46:05 [amyc]
Aleecia: option one should be named something else?
14:46:33 [amyc]
efelten: linkability back to original identifier vs to user or device, need to understand distinction
14:46:50 [schunter]
Chris: My take is that the preference collected via the "pink unicorn" UI (if used alone) would not satisfy the requirement that the resulting DNT values are reflecting the (unbiased) user preference.
14:47:06 [johnsimpson]
Shane, why wouldn't the 'should' in the last sentence be a 'MUST'
14:47:23 [schunter]
note: "Chris" meant "response to chris" not anything chris said.
14:47:27 [amyc]
Shane: one is unlinkable to production systems, so that even if using unique cookie, when you hash then info could not be associated with that user in real world
14:47:36 [schunter]
q+ aleecia
14:47:37 [npdoty]
s/Chris: My/Chris, My/
14:47:48 [jmayer]
Shane: is this a technical claim you're making?
14:47:53 [amyc]
... but could be used longitudinally across data set, identifiers simply don't relate back to real world
14:47:54 [npdoty]
ack tl
14:48:02 [npdoty]
s/Shane: is/Shane, is/
14:48:05 [jmayer]
Because one-way hashing does not provide the technical properties you described.
14:48:09 [WileyS]
Jonathan, I'm not sure I understand your question
14:48:10 [dsinger]
…wonders if what we want is data that is detached from any specific user, user-agent, or device. maybe we are using the wrong term of art?
14:48:25 [amyc]
tl: thinks that all of the privacy folks are thinking about academic definition of unlinkable
14:48:28 [npdoty]
ack ifette
14:48:28 [Zakim]
ifette, you wanted to ask clarifying question to shane
14:48:29 [jmayer]
Are you claiming that one-way hashing prevents associating production data with hashed data?
14:48:49 [npdoty]
tl, so is your concern just with the name "unlinkable"?
14:49:00 [dtauerbach]
14:49:00 [amyc]
ifette: even in academic community it is difficult to determine or define whether data set is re identifiable
14:49:45 [Marc]
Question for clarification for Dan. Was Dan proposing that neither options are appropriate or that 3.6.1 is the right option? I simply didn't follow.
14:49:47 [amyc]
... this is unsolved problem, so best thing that we can do is de-identify to do one way hash, not a strict guarantee that there is no technical way to re-associate
14:50:09 [amyc]
Aleecia: dumping cookies is not part of what Shane is associated
14:50:12 [Rene]
14:50:19 [amyc]
... where dumping is equivalent of deletion
14:50:46 [WileyS]
Jonathan, if you look at the larger definition there is a further restriction to NOT attempt to link unlinked data with linkable data. There will always be ways to break encryption given the appropriate tools and access. If I give you a list of data records (breach/gov't request) that has been "unlinked" you, with only that data, be able to re-identify that data.
14:51:04 [efelten]
It would be useful to have some non-normative text giving examples that we can agree are still linkable, and some that are definitely unsinkable.
14:51:05 [Chris_IAB]
npdoty, point of clarification please: how do we (DAA and DMA) open an action item?
14:51:06 [WileyS]
would not be able
14:51:06 [Chris_IAB]
npdoty, a new action item?
14:51:12 [amyc]
rvaneijk: if goal is to de-anonymize so that law does not apply, will be difficult case for NL and EU, Second proposal addresses technical and organizational measures
14:51:19 [npdoty]
ifette, the definitions suggest certain levels of confidence or use of legal means to prevent re-identifiability; but it seems like Shane's intent is not to prevent re-identifiability
14:51:20 [WileyS]
ed, "unsinkable" - LOL
14:51:36 [ifette]
npdoty, that's a fair assessment
14:51:38 [johnsimpson]
Shane, did you see my question about "should" vs "must"?
14:51:53 [amyc]
... may still be considered personal data, also concerned about safeguards for further uses
14:52:01 [rigop]
rigop has joined #dnt
14:52:04 [ifette]
npdoty, i think all we can do is say "de-identify the data you have collected" e.g. one-way salted hash of cookies, not "guarantee the data could not be reidentified in any manner"
14:52:05 [WileyS]
John, I didn't - speaking so unable to watch IRC at the same time - what is your question?
14:52:27 [susanisrael]
i understood shane to be discussing preventing the likelihood but not the absolute possibility of de-identification.
14:52:31 [amyc]
... if go with option one, still need to comply with laws. but in option two, then that would not be personal info
14:52:34 [johnsimpson]
Why not a "Must" in item 3 instead of "should"?
14:52:35 [efelten]
Ian, I think that's what the "reasonable" in some definitions is trying to address
14:52:35 [WileyS]
Susan - spot on
14:52:45 [npdoty]
Chris_IAB, we can open action items for any DAA or DMA folks that are listed as participants in the group (currently Luigi, Rachel, respectively)
14:53:01 [amyc]
Aleecia: what would work in EU?
14:53:28 [npdoty]
Chris_IAB, which we can do from IRC or from
14:53:38 [susanisrael]
if there is no solution, how can we meet the standard?
14:53:41 [jmayer]
14:53:42 [Chris_IAB]
npdogy and rachel_n_thomas, thank you Nick.
14:53:58 [npdoty]
Chris_IAB, I suggested that we open an action on Luigi for something that Mike Z volunteered to do
14:53:59 [npdoty]
14:54:02 [npdoty]
ack rvaneijk
14:54:04 [amyc]
rvaneijk: not really a solved problem in academia, process of anonymization still tricky, concerned about "reasonable" not being prescriptive, doesn't have solution
14:54:05 [npdoty]
ack lmastria-DAA
14:54:18 [johnsimpson]
Shane, Why not a "Must" in item 3 instead of "should"?
14:54:35 [amyc]
lmastria: tend to look at one issue at a time, would fall under many different regimes
14:54:52 [amyc]
... additional legal protections
14:55:13 [amyc]
... thinks that one way hash is a solution, but don't think that would work for everyone
14:55:13 [kj]
14:55:25 [rvaneijk]
option 1: data protection law applies, also for permitted uses: ie companies still need a legal ground. option 2: if done correctly, we are not dealing with (in)direct identifiable data anymore.
14:55:45 [amyc]
... plenty of industries where much more sensitive data is de-identified and kept for long periods of time (medical, education)
14:56:14 [amyc]
... no harms come out of those, don't discount, simply because of fear of unknown, needs to be practical solvable solution
14:56:34 [amyc]
... DAA has specific text on de-identified data, could draft up and send along
14:56:56 [amyc]
... companies working on indirect identification, would boil the ocean
14:57:14 [WileyS]
John, SHOULD due to the level of detail required to find the balance between not giving too many details to help bad guys figure out what you're doing and enough information for you and others to understand our approach generally.
14:57:15 [amyc]
Aleecia: not talking about security, separate issue
14:57:23 [efelten]
14:57:25 [amyc]
14:57:57 [amyc]
vincent: hashing cookies and IP addresses, what about info in referral, personal info in referrer
14:58:09 [npdoty]
action: luigi to propose DAA text regarding de-identification (for unlinkability discussion)
14:58:09 [trackbot]
Created ACTION-286 - Propose DAA text regarding de-identification (for unlinkability discussion) [on Luigi Mastria - due 2012-10-10].
14:58:50 [amyc]
shane: at yahoo look at suspected PII in headers, and transforms, websites shouldn't be sending PII in referrers
14:59:12 [amyc]
... best efforts should be made
14:59:15 [npdoty]
ack vincent
14:59:20 [amyc]
Aleecia: can text reflect that?
14:59:32 [amyc]
Shane: previously drafted non normative text
14:59:40 [WileyS]
John, remember SHOULD in this case means you should do it unless you have a good reason not to
15:00:22 [npdoty]
action: west to update unlinkable with non-normative text from Shane
15:00:22 [trackbot]
Created ACTION-288 - Update unlinkable with non-normative text from Shane [on Heather West - due 2012-10-10].
15:00:24 [npdoty]
15:00:26 [johnsimpson]
Shane, seems to me ought to be a MUST on transparency, because you have the qualifier "to the extent it will not provide confidential details...
15:00:28 [npdoty]
ack jmayer
15:00:31 [rigop]
rigop has joined #dnt
15:01:00 [amyc]
jmayer: first, with response to technical claim that one way hash would mean unusable in production systems, not accurate
15:01:14 [ifette]
that would be why you drop the key
15:01:14 [amyc]
... as long as still have key, just one operation to reassociate
15:01:31 [amyc]
... could have dictionary list of hash matches
15:01:34 [ifette]
what jonathan is describing is not at all what shane/others are describing
15:01:50 [justin_]
ifette, you can't drop the key if you're doing longitudinal research
15:01:53 [amyc]
... second, likes DAA language
15:01:56 [justin_]
ifette, right?
15:02:01 [amyc]
... prefers FTC language
15:02:06 [ifette]
justin, that would depend on the timeperiod
15:02:28 [ifette]
e.g. are you hashing with a salt you drop after 1 day, or do you do this on a 90-day or N-day period
15:03:01 [npdoty]
15:03:02 [justin_]
ifette, sure, but WileyS's language doesn't seem to envision a time limitation
15:03:10 [amyc]
lmastria: if not going down harms road, let's not go down path of speculating
15:03:12 [jmayer]
I didn't understand that last comment.
15:03:37 [amyc]
aleecia: not as chair, other than data breach, is there a big difference practically between these two?
15:04:01 [efelten]
15:04:02 [amyc]
... just hard, as opposed to k-anon option
15:04:06 [efelten]
15:04:14 [npdoty]
ack aleecia
15:04:25 [amyc]
... may be cross-linked data, but a problem in both options
15:04:35 [tl]
15:04:38 [jmayer]
The second part of my comment: I don't understand how Shane's proposal aligns with the DAA text. It seems like a much more rigorous requirement than what Shane's proposed.
15:04:50 [amyc]
Shane: primary difference is that option 2 forces much stronger anon end state
15:05:02 [ifette]
not 1024 buckets
15:05:05 [ifette]
100M / 1024
15:05:06 [amyc]
... but it limits usefulness of data
15:05:07 [tl]
+q to say that there's a big difference in secondary use risks which aren't leaks
15:05:08 [ifette]
15:05:39 [amyc]
... correct that you could look back after hashing, but spec says that you can't do that
15:06:27 [amyc]
... focus on one is breaking connection with prod data, the focus on two is significantly less value
15:06:27 [jmayer]
Data breach is far from the only concern.
15:06:41 [jmayer]
Access or use by anyone.
15:06:47 [amyc]
Aleecia: if change keys, then also losing value?
15:06:54 [jmayer]
I imagine government access, for example, weighs on the mind of some.
15:07:14 [amyc]
Shane: yes, matters when you hash, when you rotate hash, each time boundary will impact how you use info and value going forward
15:07:18 [JC]
The govt can get the data anyway
15:07:36 [amyc]
Aleecia: does anyone disagree with Shane's description?
15:07:40 [jmayer]
15:07:50 [amyc]
ifette: how different are these to implement, or risk to user?
15:08:07 [vincent]
I believe using public comments that are posted on website, it is enough to deanonymize the browsing history of someone
15:08:25 [amyc]
... not much difference in risk to user
15:08:26 [jmayer]
I disagree.
15:08:38 [amyc]
Aleecia: so other than breach, no difference to users?
15:08:55 [amyc]
tl: many types of data sharing and disclosure, outside of breach
15:09:16 [amyc]
... for example, company is acquired or sharing info with affiliates
15:09:17 [susanisrael]
15:09:44 [amyc]
... really, this is transforming data, as opposed to k-anon
15:10:03 [WileyS]
Vincent, fair - how often has that occurred in the real-world with 3rd party ad serving data?
15:10:05 [rigop]
rigop has joined #dnt
15:10:05 [npdoty]
ack dtauerbach
15:10:12 [amyc]
dtauerbach: need to have a real standard, rather than some sort of hash
15:10:17 [adrianba]
q+ rigo
15:10:19 [amyc]
... option two makes more sense
15:10:43 [amyc]
Aleecia: can we adjust to make more acceptable, need to have complete understanding
15:10:49 [tl]
ack tl
15:10:49 [Zakim]
tl, you wanted to say that there's a big difference in secondary use risks which aren't leaks
15:11:03 [amyc]
... may be ways to address breach and other concerns with option one
15:11:12 [npdoty]
ack kj
15:11:34 [amyc]
kj: concerned about going into technical implementation, technology will change quickly
15:11:57 [KevinT]
KevinT has joined #dnt
15:11:58 [amyc]
... DPR has proportionality and balance of interest, we should take that into account
15:12:15 [amyc]
... supports research, while being careful about security and linkability
15:12:26 [rigop]
rigop has joined #dnt
15:12:26 [rvaneijk]
the text Kathy is putting forward applies to SCIENTIFIC RESEARCH, not commercial data use
15:12:46 [vincent]
WileyS, as far as I am aware of, there has not been any concrete example, but someone inside the ad-network could easily do it... and I would still not be aware of it
15:12:52 [amyc]
Aleecia: we should try to avoid specific text, focus on outcomes
15:12:55 [npdoty]
ack amyc
15:12:58 [npdoty]
scribenick: npdoty
15:13:02 [ifette]
15:13:03 [eberkower]
Kathy IS talking about research - "market research"
15:13:16 [npdoty]
amyc: echo Shane and Kathy in proportionality and value of the data
15:13:45 [npdoty]
... for a voluntary standard that is not required to implement, please implement this (even though your competitors might not), want to entice as many as possible to implement
15:13:54 [Simon]
15:14:12 [npdoty]
... language in there about protecting intellectual property
15:14:14 [dtauerbach]
let's get into the nitty gritty of how the data is valuable
15:14:31 [npdoty]
... value of the data in improvement of research
15:14:32 [amyc]
thanks Nick
15:14:36 [jmayer]
The "we want broad implementation" argument has very limited force. Taken to the limit, we would just declare Do Not Track a nullity. There are countervailing considerations, of course.
15:14:36 [npdoty]
scribenick: amyc
15:14:48 [amyc]
Aleecia: anything else?
15:14:51 [npdoty]
ack efelten
15:15:08 [amyc]
efelten: lauren gelman may propose language?
15:15:11 [dtauerbach]
is the data valuable because you want to retroactively bucket the data?
15:15:14 [amyc]
aleecia: not a member or IE
15:15:19 [dtauerbach]
or do you want to use it in a non-bucketed way?
15:15:32 [dtauerbach]
15:15:36 [amyc]
efelten: thread went a lot of places, but didn't answer my questions
15:15:48 [rachel_n_thomas]
15:15:49 [amyc]
... perhaps shane and I should chat
15:16:01 [amyc]
Shane: thought I had answered, happy to follow up
15:16:08 [npdoty]
ack jmayer
15:16:10 [amyc]
Aleecia: suggests doing this in real time
15:16:36 [amyc]
jmayer: wanted to get more information about what the business uses for this info are
15:16:39 [jchester2]
15:17:01 [amyc]
... what are business uses?
15:17:19 [amyc]
... and do they overlap with other permitted uses
15:17:40 [Chapell]
Jmayer - to the extent that industry shares more about uses of this data, would you be willing to share your insights re: the harms you are trying to prevent?
15:17:46 [amyc]
Shane: simplest form of reporting, product improvement, review through lens of being able to run reports
15:17:47 [dtauerbach]
"able to run reports" -> bucketed data
15:18:03 [dtauerbach]
so 1024-unlinkable
15:18:04 [jmayer]
Chapell, sure, take a look at my paper "Third-Party Web Tracking: Policy and Technology."
15:18:05 [dtauerbach]
should be no problem
15:18:20 [amyc]
... can't specify all, so really want to make sure that business can understand its operations better
15:18:20 [dtauerbach]
do you need raw data ever?
15:18:22 [dtauerbach]
for what?
15:18:30 [Chapell]
does every example in that paper address issues that are in the scope of DNT?
15:18:37 [amyc]
... want to remove from production use
15:18:52 [jmayer]
Chapell, I believe so. Read it and get back to me.
15:19:12 [Chapell]
Will do
15:19:13 [amyc]
Aleecia: what if option two is DAA, and option one is data transformation, with retention period and new permitted uses
15:19:15 [Chapell]
15:19:26 [amyc]
... who hates it
15:19:52 [npdoty]
dtauerbach, I think it depends on exactly what kind of reporting you would want to do -- some of it might require longitudinal linkable data
15:19:53 [npdoty]
15:19:55 [amyc]
... Rob, Jeff and Shane don't seem to like, unlikely to get traction
15:19:57 [npdoty]
ack susanisrael
15:20:24 [dtauerbach]
you can link data into buckets
15:20:39 [dtauerbach]
npdoty, can you give a concrete example?
15:20:40 [amyc]
susanisrael: the kind of standard that Shane suggests, may not need to be same level of debate about permitted uses, if agreement that level of protection is adequate
15:20:43 [dtauerbach]
it can be hypothetical
15:21:04 [Chapell]
Jmayer: thanks, but found it.... to be clear, are you referring to section THIRD-PARTY WEB TRACKING POLICY III. PRIVACY PROBLEMS?
15:21:06 [amyc]
Aleecia: can we get economic value of data, while not providing get out of jail free card
15:21:22 [npdoty]
ack rigo
15:21:35 [jmayer]
Chapell, sounds right.
15:21:39 [dtauerbach]
amyc, i would love an example of the economic value
15:21:43 [amyc]
Rigo: two suggestions, this is pseudonymity discussion that Ruud raises
15:22:10 [jmayer]
Chapell, presently multitasking. Always glad to chat about my academic research offline.
15:22:12 [amyc]
... warning against fog (in) mess
15:22:57 [amyc]
... we need to think about data breach
15:23:11 [amyc]
... with option one, concerned about sharing with others
15:23:37 [Chapell]
Jmayer: Ok thanks. would love to discuss at some point.
15:23:43 [Chapell]
.... "Each particular scenario may have a low probability of occurring. But the chance of some scenarios occurring is substantial, especially when considered over time and across many companies."
15:23:47 [lmastria-DAA]
15:23:54 [amyc]
... maybe with publishing, would look at k-anon for external use
15:24:18 [amyc]
Shane: maybe sharing outside of service provider would require additional anon, as opposed to external sharing
15:24:49 [amyc]
Aleecia: could be direction to consider, where we have option one for internal use plus service provider
15:25:01 [Chapell]
...."Third, an action that harms the consumer. The action could be, for example, publication, a less favorable offer, denial of a benefit, or termination of employment. Last, a particular harm that is inflicted. The harm might be physical, psychological, or economic."
15:25:04 [amyc]
... then option two for external
15:25:06 [rigop]
15:25:16 [npdoty]
q- ifette
15:25:24 [npdoty]
ack Simon
15:25:41 [amyc]
Simon: staring at two options, not that far apart
15:25:54 [amyc]
... commercially reasonably but not less than 1024
15:26:01 [Chapell]
.... I would like to discuss how these issues are being addressed by the W3C DNT effort AND why they are not addressed by the current industry standards.
15:26:10 [Chapell]
..... JMayer: I welcome the discussion. Thanks.
15:26:34 [amyc]
Aleecia: Shane would reject
15:26:54 [amyc]
Shane: reduce viable buckets of data to very small number
15:27:20 [amyc]
... by using k-anon 1024 bar
15:27:38 [amyc]
... and reduces value of data
15:27:56 [amyc]
Aleecia: for some companies, may be case by case as to value
15:28:11 [npdoty]
ack dtauerbach
15:28:16 [stella]
stella has joined #dnt
15:28:30 [amyc]
dtauerbach: give me example of report, unless the report is by request
15:28:55 [schunter]
schunter has joined #dnt
15:29:06 [amyc]
Shane: thousands of employees, billions of records daily, unrealistic
15:29:19 [amyc]
... would never be able to look back
15:30:02 [amyc]
Aleecia: k-anon would require that you never have a bucket of fewer than 1024
15:30:21 [tl]
15:30:29 [amyc]
Shane: can't build tables on fly, doesn't make sense in real business
15:30:40 [jmayer]
You don't have to predetermine reports. You can build an unlinkable dataset, then use that to generate reports.
15:31:03 [rachel_n_thomas]
none of this is in the queue...
15:31:07 [npdoty]
15:31:28 [amyc]
lmastria: number of assumptions going unchallenged
15:31:52 [amyc]
... no one gives data to man on street, many professionals and contracts and security
15:32:20 [amyc]
... can't pretend that we can preconceive buckets of data
15:32:22 [npdoty]
ack lmastria-DAA
15:32:27 [amyc]
... don't want to prevent innovation
15:33:04 [jchester2]
Lou. I have to disagree. Online ad industry in US--despite having privacy employees-are continually expanding their data collection practices. Innovation is about more data mining and invading privacy of users. We have not seen much on promoting innovation to protect privacy in an online ad context.
15:33:34 [amyc]
Rigo: put into one bucket for internal use data
15:33:59 [dwainberg]
15:34:09 [amyc]
dtauerbach: don't need to determine in advance
15:34:20 [amyc]
... can come up with tables on fly, add to pipeline
15:34:29 [amyc]
... still with k-anon
15:34:32 [WileyS]
15:34:56 [justin_]
ack rachel_n_thomas
15:34:57 [amyc]
rachel: wants to point out that DAA sent letter to W3C
15:35:08 [jmayer]
Why is Rachel talking about the DAA letter to the W3C leadership? We're talking about technical issues related to data linkability.
15:35:43 [amyc]
... wants to post letter, this is not appropriate process or means to move forward
15:35:58 [amyc]
... should not try to refine industry practice where there is already a consensus
15:36:00 [npdoty]
15:36:04 [jmayer]
"The working group shouldn't try to refine industry practice where there isn't already widespread consensus..."
15:36:11 [amyc]
... out of scope of w3c mission of developing web technology
15:36:36 [amyc]
... looks like w3c thinking about more policy issues, let's focus on technology rather than policy
15:36:41 [WileyS]
15:36:57 [amyc]
Aleecia: will take process discussion offline
15:37:13 [rachel_n_thomas]
DAA letter to W3C
15:37:25 [amyc]
tl: don't need to know in advance what you are doing
15:37:46 [amyc]
... just need to collect it correctly, then reports wouldn't go back to data
15:37:56 [stella]
stella has joined #dnt
15:37:56 [npdoty]
15:38:02 [npdoty]
ack tl
15:38:08 [npdoty]
Zakim, close the queue
15:38:08 [Zakim]
ok, npdoty, the speaker queue is closed
15:38:30 [npdoty]
ack WileyS
15:38:33 [jchester2]
The DAA/IAB admitted last week in DC that they did not test its self-regulatory system using the icon. They did not test, for example, how its system interacts with the optimized system designed to process users to conversion, inc. data collection. I ask again for the IAB/US and DAA to submit to this list any research and any outside independent research they used to establish its so-called privacy system.
15:38:56 [jmayer]
Shane fifteen minutes ago: this can't be done. Shane now: OK, it can be done. But it's hard.
15:39:00 [amyc]
Shane: not disputing philosophically that this can be done, Google is large company, but speaking from own experience building data tables on the fly is incredibly expensive, current software packages don't offer
15:39:09 [amyc]
... so likely no one would implement
15:39:34 [susanisrael]
jeff I was at the meeting you are describing and i did not hear the dialogue quite that way.
15:39:36 [npdoty]
15:39:37 [lmastria-DAA]
ditto shane
15:39:40 [johnsimpson]
15:39:49 [npdoty]
ack dwainberg
15:40:22 [rachel_n_thomas]
jchester2 DAA admitted no such thing with regard to testing the icon. An unrelated party made that assertion, when in reality TRUSTe did significant testing on the icon with extremely positive findings.
15:40:32 [lmastria-DAA]
ditto dwainberg
15:40:37 [amyc]
dwainberg: don't want to adopt standard that disadvantages small companies
15:40:38 [npdoty]
15:41:05 [amyc]
npdoty: w3c process questions, happy to follow up
15:41:42 [amyc]
Aleecia: will submit DAA text, see whether everyone can live with this
15:41:50 [rachel_n_thomas]
from DAA letter: •DAA expressed strong opposition to the current posturing of the W3C’s effort to establish a “do-not-track” standard.
15:41:53 [amyc]
... Shane making some modifications
15:41:57 [jchester2]
IAB could not say any research was done. It referred to World Privacy Forum, which its researcher said wasn't a study. Provide the Evidon research and its design, and the outside review it undertook.
15:41:58 [rachel_n_thomas]
•This agenda states, “We will now accept that many issues cannot be resolved in a way that does not raise any objections.”1 oTPWG states that the goal of this meeting is to come to a decision on a standard through the following non-consensus process: “we will put more focus on creating viable alternative texts as input for our decision procedure where the chairs call for objections and then analyze the resulting input to come to a conclusion th
15:42:05 [rachel_n_thomas]
•This is not an appropriate process or means for moving forward on decisions that could affect the future of an entire online ecosystem. oA non-consensus decision by the TPWG, an organization of unelected individuals who do not represent the interests of all stakeholders, should not be substituted for the consensus judgment of the participants given the impact such a decision could have on consumers, commerce, national and global economies, jobs, an
15:42:09 [efelten]
s/will submit/Lou will submit/
15:42:13 [rachel_n_thomas]
•The TPWG should not try to redefine established industry practice and consumer expectations in an area where widespread consensus already exists.
15:42:17 [ksmith]
Nick - I don't see an action item for me, but I was assigned to edit section 3.5.2 slightly. Did you get that? Or am I looking in the wrong place?
15:42:18 [amyc]
... will continue when we see texts
15:42:18 [rachel_n_thomas]
•The DAA has developed a comprehensive standard governing web-viewing data practices.
15:42:23 [rachel_n_thomas]
•To my knowledge, W3C is a technology standards organization that has traditionally focused on developing consensus around specifications and guidelines for web technologies. The W3C’s recent foray into setting public policy standards is outside the oThe public interest is not served by this expansion of the W3C’s efforts, especially because the method by which the W3C is seeking to achieve results is not through consensus and gives all stakehold
15:42:25 [Zakim]
15:42:31 [rachel_n_thomas]
•The TPWG should remain true to the W3C’s mission of developing consensus around specifications for web technologies and oshould not seek to expand its scope into public policy issues that would be better addressed in other policy forums that have the experience and qualifications to evaluate these issues.
15:42:33 [npdoty]
ksmith, I may have missed that one, what's the action?
15:42:35 [rachel_n_thomas]
•The DAA strongly believes that the W3C should not undertake further forays into privacy policy issues. oWe ask that the W3C leave these areas to the established industry and policy bodies that have already been successfully addressing them.”
15:42:37 [amyc]
15:42:52 [hwest]
Thank you Aleecia!
15:43:12 [Zakim]
15:43:23 [ksmith]
to address the requirement for a privacy policy link for 1st parties
15:43:29 [hwest]
Anyone headed to Centraal, Rob and I are headed straight there to get checked in first
15:43:33 [ksmith]
in widget scenarios
15:44:05 [Zakim]
15:44:23 [johnsimpson]
johnsimpson has left #dnt
15:44:46 [Zakim]
15:44:52 [BrendanIAB]
Zakim, ??P1 is probably me
15:44:52 [Zakim]
+BrendanIAB?; got it
15:45:07 [Zakim]
15:45:17 [Zakim]
15:45:18 [Zakim]
Team_(privacy)13:48Z has ended
15:45:18 [Zakim]
Attendees were Telegraaf, Jonathan_Mayer, johnsimpson, BrendanIAB?
15:45:24 [npdoty]
rrsagent, draft minutes
15:45:24 [RRSAgent]
I have made the request to generate npdoty
15:48:10 [npdoty]
rrsagent, bye
15:48:10 [RRSAgent]
I see 27 open action items saved in :
15:48:10 [RRSAgent]
ACTION: Colando to draft updated 'share' definition to avoid concerns (with rigo and chris-p) [1]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: Wiley to update text in 3.8.1 regarding bringing into compliance, not just deletion [2]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: fette to suggest retention related to a timed grace period (with dwainberg) [3]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: rachel to propose first/third party definitions from existing DAA documents [4]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: dsinger to edit the TPE document to make sure that the final definition of parties is in sync across the two specifications [5]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: dsinger to edit the TPE document to make sure that the final definition of parties is in sync across the two specifications [6]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: singer to edit the TPE document to make sure that the final definition of parties is in sync across the two specifications [7]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: brookman to update 3.5.2 to expand beyond "Web site" [8]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: rachel to propose existing DAA text for service providers [9]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: west to update service provider language to apply to first and third parties [10]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: roy Fielding to propose text for party and outsourcing definitions [11]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: robsherman to draft text on first party [12]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: sherman to propose text regarding multiple first parties [13]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: wiley to propose non-normative text on service providers to clarify "independent use" (with rvaneijk) [14]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: doty to update middle way proposals to avoid relying on "tracking" [15]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: luigi to provide text regarding data retention, applicable to finanical logging data [16]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: singer to propose non-normative text regarding contracts/other specifications [17]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: lowenthal to suggest an alternative to debugging graduated response ('once identified a problem') [18]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: fette to write an explanation of graduated response and a list of explanatory use cases [19]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: wiley to draft updated text on UA requirements; explanatory text made more general; add 'prior to selecting DNT'; add examples; change MUST to SHOULD [20]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: dsinger to add to the TPE that at most one DNT header is permitted in any HTTP request [21]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: singer to add to the TPE that at most one DNT header is permitted in any HTTP request (issue-150) [22]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: mayer to draft an alternative for multiple DNT headers (issue-150) [23]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: fette to propose barring other software from altering a DNT signal if the browser already set it [24]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: mayer to propose non-normative text to add on to action-231 (with nick) [25]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: luigi to propose DAA text regarding de-identification (for unlinkability discussion) [26]
15:48:10 [RRSAgent]
recorded in
15:48:10 [RRSAgent]
ACTION: west to update unlinkable with non-normative text from Shane [27]
15:48:10 [RRSAgent]
recorded in
15:48:12 [npdoty]
Zakim, bye
15:48:12 [Zakim]
Zakim has left #dnt