IRC log of dnt on 2012-10-04

Timestamps are in UTC.

07:07:14 [RRSAgent]
RRSAgent has joined #dnt
07:07:14 [RRSAgent]
logging to
07:07:24 [npdoty]
Meeting: Tracking Protection Working Group f2f
07:07:28 [npdoty]
Chair: aleecia
07:07:37 [npdoty]
scribenick: npdoty
07:07:46 [npdoty]
aleecia: getting started, welcome, going through the agenda
07:07:55 [npdoty]
... we have 24 open issues against compliance
07:08:00 [tedleung]
tedleung has joined #dnt
07:08:06 [npdoty]
... intending to go through all of them today, we will not be closing them all
07:08:11 [npdoty]
... what do we need to do to get them to closed?
07:08:23 [johnsimpson]
johnsimpson has joined #dnt
07:08:30 [npdoty]
aleecia: grouped issues, will try to keep the times and breaks
07:08:45 [robsherman]
robsherman has joined #dnt
07:08:48 [npdoty]
... when people tried to make an immediate response, a direct quick response, holding up a pen
07:09:16 [npdoty]
... like to suggest that we go back to that method, just a quick response, hold up a pen (rather than my noticing you vibrating in your seat)
07:09:20 [ifette]
ifette has joined #dnt
07:09:22 [adrianba]
adrianba has joined #dnt
07:09:25 [JBWeiss]
JBWeiss has joined #DNT
07:09:29 [npdoty]
... start with Open Issues through 10:30
07:09:34 [npdoty]
... calling for scribe volunteers
07:09:43 [npdoty]
first session: bryan
07:09:51 [afowler]
afowler has joined #dnt
07:10:03 [npdoty]
next session, 10:30-11: ifette
07:10:06 [dsriedel]
dsriedel has joined #dnt
07:10:11 [Rene]
Rene has joined #dnt
07:10:38 [npdoty]
1130 on: robsherman and efelten will split
07:10:45 [johnsimpson]
getting message that call is restricted again, uses 8277 pass code what should I use, please?
07:10:51 [hwest]
hwest has joined #dnt
07:10:51 [npdoty]
Zakim, code?
07:10:51 [Zakim]
the conference code is 26631 (tel:+1.617.761.6200, npdoty
07:10:52 [dwainberg]
dwainberg has joined #dnt
07:10:52 [ChrisPedigoOPA]
ChrisPedigoOPA has joined #dnt
07:10:53 [eberkower]
eberkower has joined #dnt
07:10:57 [bryan]
bryan has joined #dnt
07:11:18 [npdoty]
lunch will have a global considerations table, if that's of interest to you
07:11:22 [amyc]
amyc has joined #dnt
07:11:28 [bryan]
present+ Bryan_Sullivan
07:11:51 [npdoty]
compliance right after lunch: dsinger, with adrianba to help
07:12:12 [johnsimpson]
Got it worked. Am in thanks.
07:12:21 [npdoty]
pre-afternoon-break: adrianba, with dsinger to help
07:12:35 [npdoty]
final session: vinay
07:12:35 [dwainber_]
dwainber_ has joined #dnt
07:12:40 [Chris_DAA]
Chris_DAA has joined #dnt
07:12:47 [npdoty]
cheers to vinay for helping with screen-sharing
07:12:51 [efelten]
efelten has joined #dnt
07:12:59 [npdoty]
rrsagent, make logs public
07:12:59 [johnsimpson]
where is screen sharing, please?
07:12:59 [RichardcomScore]
RichardcomScore has joined #dnt
07:13:02 [npdoty]
rrsagent, pointer?
07:13:04 [jmayer]
jmayer has joined #dnt
07:13:04 [keith]
keith has joined #dnt
07:13:15 [WileyS]
WileyS has joined #DNT
07:13:56 [vinay]
for those that want to view Aleecia's screen remotely --
07:14:01 [trackbot]
ISSUE-134 -- Would we additionally permit logs that are retained for a short enough period? -- open
07:14:04 [rvaneijk]
rvaneijk has joined #dnt
07:14:05 [bryan]
topic: issue 134
07:14:10 [npdoty]
scribenick: bryan
07:14:16 [ninjamarnau]
ninjamarnau has joined #dnt
07:14:27 [bryan]
aleecia: two options went out for poll text
07:14:55 [jchester2]
jchester2 has joined #dnt
07:14:56 [Simon]
Simon has joined #dnt
07:14:57 [bryan]
... 1st option was discussed yesterday e.g. unlinkability
07:15:27 [bryan]
... 2nd option also discussed; fundamental differences appear between the two
07:15:39 [bryan]
... justin suggested changes to option 1
07:16:03 [bryan]
... (describing proposed text)
07:16:36 [bryan]
... discussions back and forth ensued; what is the way forward re nick's and justin's text, also maybe text from jonathan
07:16:55 [jmayer]
Anyone have the current conference call code? TRACK isn't working. Thanks.
07:16:56 [justin]
justin has joined #dnt
07:17:00 [npdoty]
Zakim, code?
07:17:00 [Zakim]
the conference code is 26631 (tel:+1.617.761.6200, npdoty
07:17:00 [bryan]
... anything else from the discussion, any changes by the authors, anyone else have other text?
07:17:10 [Joanne]
Joanne has joined #DNT
07:17:12 [tlr]
tlr has joined #dnt
07:17:17 [jeffwilson]
jeffwilson has joined #dnt
07:17:20 [bryan]
nick: maybe the differences are due to different goals
07:17:26 [JC]
JC has joined #DNT
07:17:31 [Marc]
Marc has joined #DNT
07:17:41 [mikeo]
mikeo has joined #dnt
07:18:05 [bryan]
... unlinkable/unidentifiable/research discussions...
07:18:14 [bryan]
... maybe having a separate section on market research would be a way forward?
07:18:15 [npdoty]
ack npdoty
07:18:17 [npdoty]
ack BrendanIAB
07:18:47 [bryan]
brendanIAB: a lot of discussion about 6 weeks and what is allowed to be done
07:19:10 [bryan]
... agreement may be quicker if we looked at allowed uses independently from retention period
07:19:33 [bryan]
... any specific period may be subject to a further discussion (outside W3C)
07:20:23 [bryan]
aleecia: suggestion is to decouple the issues - not sure that will solve the issue
07:20:27 [rigo]
rigo has joined #dnt
07:20:28 [npdoty]
if we wanted to get rid of the time period here, then I think we wouldn't be talking about a grace period at all, just permitted uses as usual
07:20:52 [npdoty]
ack justin
07:20:53 [bryan]
justin: sounded like we were moving away from permitted use, with use allowed within the retention period
07:21:04 [justin]
q+ kj
07:21:10 [npdoty]
ack WileyS
07:21:19 [RichardcomScore]
q+ Kathy Lou
07:21:31 [npdoty]
q- Kathy
07:21:33 [npdoty]
q- Lou
07:21:50 [bryan]
shane: favor nick's proposal; the general reporting need for research goes far beyond 6 weeks
07:22:01 [dsinger]
q+ to support de-coupling 'raw data retention' from other permissions
07:22:42 [dtauerbach]
dtauerbach has joined #dnt
07:22:43 [rigo_]
rigo_ has joined #dnt
07:22:48 [bryan]
... the research need is very specific to how long between data retained and anonymization (?)
07:23:00 [npdoty]
+1, if we have uses we want to enable, then we should discuss them as permitted uses
07:23:34 [Marije]
Marije has joined #dnt
07:23:36 [bryan]
... should avoid a black/white list of uses in that period and changes to what you can do during time periods
07:23:54 [npdoty]
ack ifette
07:23:55 [kj]
kj has joined #dnt
07:23:55 [bryan]
... this is very dependent upon where unlinkability ends up
07:24:23 [MikeZ]
MikeZ has joined #dnt
07:24:31 [bryan]
ifette: people who store data for a short time should have a very simple path to compliance
07:24:44 [WileyS]
Ian - are we saying the same thing?
07:24:55 [WileyS]
Ian - I don't see where we're apart?
07:25:00 [bryan]
... people who retain after 6 weeks would have to show purposes and minimization are consistent
07:25:40 [ksmith]
ksmith has joined #DNT
07:25:48 [bryan]
... some restrictions on the 6 week period makes sense but overlaying that with what you can do with a longer purpose is problematic
07:26:41 [bryan]
aleecia: what hearing from ian is to make this simple for people to comply, with almost anything allowed within some limits in the period
07:26:59 [bryan]
... vs shane's proposal this seems to address fundamentally different things
07:27:36 [bryan]
wileys: what use in the 6 week timeframe would be outside the permitted uses in ian's proposal?
07:27:46 [WileyS]
Two sets of rules: one set for sub-6 weeks and another set for post-6 weeks. Not an easy standard to follow.
07:28:12 [bryan]
ifette: we are not sure what all uses may arise in the 6 week period; really want it to be simple for the data retainers and not add a lot of auditing overhead
07:28:18 [bryan]
... don't think we are far apart
07:28:41 [bryan]
... not sure what companies would have to show if they are keeping data for longer
07:28:48 [fielding]
My position on logfiles hasn't changed -- it is at
07:29:28 [bryan]
dsinger: so there are no restrictions in the 6- week period
07:29:29 [justin]
dsinger, The language I suggested said "no xfer, and no personalization"
07:29:38 [bryan]
ifette: no, there would be limits
07:29:41 [npdoty]
ack dwainber_
07:29:41 [rigo]
ack dwainber_
07:30:05 [bryan]
dwainber_: suggest we open this as a new issue and punt it for later
07:30:27 [bryan]
... though we were talking about a period where getting your data together would be possible
07:30:30 [vincent]
vincent has joined #dnt
07:30:52 [npdoty]
ack lmastria-DAA
07:30:54 [rigo]
ack lmastria-DAA
07:31:08 [bryan]
aleecia: thought we were further along, but the main need is to figure out which one we are doing; but for now we should be ok keeping this a single issue
07:32:06 [justin]
If you don't want a grace period, I'm not going to make you have one.
07:32:27 [bryan]
lmastria-DAA: the chasm between the proposals and business as operated is large; this should be handled as a separate issue
07:32:33 [schunter]
schunter has joined #dnt
07:32:51 [bryan]
tl: dnt will effect changes to data storage
07:32:52 [BerinSzoka]
BerinSzoka has joined #DNT
07:33:10 [npdoty]
is there a chasm on having a grace period to bring data into minimization requirements?
07:33:16 [fielding]
tl, if we had a definition of tracking, I could answer that question.
07:33:55 [npdoty]
lmastria-DAA, is the grace period what you're concerned about, or something else in the short-term retention proposals?
07:33:59 [bryan]
lmastria-DAA: as a compliance matter this has taken an enormous amount of effort so far; DNT compliance should be a singularly technical issue
07:34:26 [bryan]
... company-internal policies should deal with data handling and we are not in the position to override those policies
07:34:34 [tl]
s/tl: dnt will effect changes to data storage/tl: Perhaps I misunderstand. If you don't think that DNT requires you to change how you store data about people, what did you think we were doing here?
07:34:56 [npdoty]
ack kj
07:35:27 [bryan]
kj: we submitted a poll text specific to research under issue #25 aggregated reporting
07:35:51 [bryan]
... it specifies data retention conditions and aggregated stats as output; we'd like that to be included in the text
07:35:52 [justin]
KJ's text:
07:35:53 [tl]
aleecia: That's very interesting lmastria-DAA, but I think that the problem you want us to be solving is very different from the task that we are actually performing.
07:36:17 [jmayer]
aleecia: And thank you for representing some of those companies in the group.
07:36:22 [bryan]
... (describes the aspects of the proposal)
07:36:30 [bryan]
aleecia: how much could be done under consent?
07:36:50 [bryan]
kj: most is done thru online panels per agreement with panel members
07:37:14 [bryan]
... research needs to project that to larger populations; a limited use is needed to check those assumptions
07:37:24 [justin]
KJ's text requires "no return path to the individual" --- very similar to the discussion we had yesterday afternoon on unlinkable.
07:37:28 [bryan]
aleecia: seems off-topic but would like to hear more
07:37:31 [npdoty]
ack tl
07:38:01 [jchester2]
Kathy Joe--what is ESOMAR's definition of individual, and could the research be used in any way linked to a persona that will eventually be used for online marketing applications?
07:38:13 [bryan]
tl: there has been talk about related but similar issues, e.g. ian's use case about short-term retention with no other use, that sounds good
07:38:36 [justin]
jchester2, kj's language says you can't alter any individual's experience.
07:38:50 [bryan]
... but the question is what is the short period of time before you are allowed to keep the data in another form;
07:38:59 [jmayer_]
jmayer_ has joined #dnt
07:39:06 [bryan]
... we should not be talking about additional uses during this grace period
07:39:25 [npdoty]
do I understand that we have agreement that there should be a grace period to bring data into compliance regarding minimization/permitted uses? and then a separate question about whether additionally you can do other processing during that same period?
07:39:41 [lmastria-DAA]
TPWG Scope: The Working Group will produce Recommendation-track specifications for a simple machine-readable preference expression mechanism ("Do Not Track") and technologies for selectively allowing or blocking tracking elements.
07:39:58 [jchester2]
Justin, I know. But we need to clarify what ESOMAR means by individual. If it is used for targeting/online ad experiences for others, even if not back to specific individual, but to a set of users that are identified by such research, that's a privacy issue under DNT, IMHO.
07:40:10 [bryan]
... processing during this period for the permitted uses is what should be talked about; not other specific uses, just what is allowed to process during this period per the permitted uses
07:40:37 [peter-4A]
peter-4A has joined #dnt
07:40:40 [bryan]
ifette: if everything is the same before/after the 6-week period and you need to show compliance, what is different?
07:40:52 [npdoty]
ifette, I think tl's point is that different data can be retained during the 6-week period
07:40:59 [bryan]
tl: was suggesting the opposite; during the period you have no permissions
07:41:03 [justin]
npdoty, I find research/improvement/reporting to be a close call use case that could justify special treatment as just OK during grace period (or unlinkable), but if the room is against, I will concede.
07:41:08 [dsinger]
+1 to tl that we should separate 'raw data retention period' from a possible permitted use for general use 'for a short period'
07:41:12 [JBWeiss]
JBWeiss has joined #DNT
07:41:21 [bilcorry]
bilcorry has joined #dnt
07:41:27 [bryan]
npdoty: the difference is on the retention question
07:41:56 [Ionel_IABEU]
Ionel_IABEU has joined #dnt
07:41:59 [WileyS]
I can already do that for security - so in the real-world this provision does nothing.
07:41:59 [Brooks]
Brooks has joined #dnt
07:42:06 [bryan]
tl: the point is you can retain the whole data in the period for the purpose of processing but no other purpose
07:42:10 [npdoty]
ack jmayer
07:42:14 [bryan]
ifette: understand but not sure that works for me
07:42:18 [bryan]
jmayer: 2 points
07:42:33 [bryan]
... seems there is not close consensus on the duration
07:42:38 [justin]
jchester2, I see, I think (would hope!) that would be prohibited, but perhaps kj could clarify for you.
07:43:19 [bryan]
... helpful to understand why 6 weeks is necessary; understand the privacy implications but want to know more about why it's needed
07:43:29 [bryan]
... 2nd to clarify the role of the grace period under the proposals
07:43:31 [ninjamarnau]
I do not think we have consensus on the duration of this grace period, I have not heard from anyone of the privacy advocates that they could live with 6 weeks
07:43:52 [bryan]
... protocol logs as a carveout to the unlinkability rule prior to 2 weeks
07:44:47 [bryan]
... there are different analytic purposes that require other approaches (scribe: please clarify if i missed this point)
07:45:18 [rvaneijk]
The 'panel calibration' which you and Alex brought up a number of times can legally (EU) only be done with explicit user consent, after having been provided with clear and comprehensive information. Making market research part of the DNT standard through a permitted use doesn't make it a legitimate business practice.
07:45:40 [bryan]
aleecia: three different things appear to be going on (listed them)
07:46:04 [amyc]
i think we all understand, and it is explicitly in the spec, that DNT spec does not override local laws
07:46:33 [rigo]
rigo has joined #dnt
07:46:36 [bryan]
wileys: the other option is to drop this altogether, that the time-period aspect could be orthogonal from the uses
07:46:48 [npdoty]
fielding, is that right? do you agree with WileyS that you argue there should be no limits on retention in the spec?
07:46:59 [jmayer]
My point: Under the EFF/Mozilla/Stanford proposal, this period reconciles protocol data with the general prohibition on collecting linkable data. Under other proposals, this period is connected to a standalone exception for data that is rendered unlinkable; linkable data can be collected, retained, and used for other permitted uses. The two approaches are functionally similar, but analytically a bit different.
07:47:02 [bryan]
ifette: there are two issues wrapped up here
07:47:14 [bryan]
... are audit criteria different in different periods?
07:47:32 [bryan]
... in a 6-week period there is a presumption of innocence
07:47:43 [fielding]
to clarify, raw logfiles are needed for the security permitted use
07:47:50 [npdoty]
I would expect audit criteria to be outside the standard altogether; didn't we already come to an agreement on that?
07:48:18 [Chris_DAA]
I'd like to write another text proposal
07:48:32 [bryan]
aleecia: we have a separate issue re reporting; it sounds like we have two basic options i.e. real-time processing vs a grace period for processing
07:48:46 [Chris_DAA]
still people in the q (before she closes this)
07:48:59 [fielding]
(and I would expect use and retention of DNT:1 records to be limited to what is necessary for security)
07:49:01 [Chris_DAA]
can we please process the q
07:49:13 [Rene]
rvaneijk: it depends on national and regional legislation and market research companies are following national legislation in all countries. DNT will be a global standard
07:49:14 [bryan]
... suggest a new issue to consider what would be easier for implementations
07:49:20 [Rene]
rvaneijk: it depends on national and regional legislation and market research companies are following national legislation in all countries. DNT will be a global standard
07:49:21 [justin]
fielding, I don't see how this isn't fully addressed by the permitted use for security.
07:49:27 [npdoty]
Zakim, close queue
07:49:27 [Zakim]
ok, npdoty, the speaker queue is closed
07:49:27 [ifette]
ISSUE: How do we create straightforward compliance for implementers retaining data for N weeks or less?
07:49:28 [trackbot]
Created ISSUE-174 - How do we create straightforward compliance for implementers retaining data for N weeks or less? ; please complete additional details at .
07:49:35 [npdoty]
ack rigo_
07:49:56 [fielding]
justin, it should be -- which is why the N-week period is a fantasy.
07:50:12 [bryan]
rigo_: agree that ian's issue is separate and we should reopen this discussion;
07:50:51 [bryan]
... the 2nd thing is how you express what you intend to do in a policy
07:51:28 [bryan]
... we have an entanglement of issues
07:51:29 [WileyS]
Rigo, I actually support the notion of allowing a Server of replying with the self-regulatory standard it supports as a valid DNT response (in this case, DAA).
07:51:32 [npdoty]
ack robsherman
07:52:00 [bryan]
robsherman: agree that there are things entangled; e.g. the time period vs processing/use limits
07:52:15 [bryan]
... really need to think about small companies and how they will do this
07:52:32 [rvaneijk]
@Rene: this goes especially for NL
07:52:33 [justin]
fielding, it clearly is. If it's overdetermined why you are allowed to retain data under DNT, not sure why that is a problem for companies.
07:52:39 [npdoty]
fielding, justin, I think the point that you're making is that for many implementers, retention of raw log files for security purposes will be necessary anyway
07:53:16 [bryan]
... it's not clear what we are talking about re making something unlinkable for specific uses
07:53:42 [npdoty]
fielding, justin, for the small implementer who isn't retaining logs long term for security, I would think they would benefit from a six-week grace period to remove, anonymize, data
07:53:51 [npdoty]
ack ifette
07:53:52 [bryan]
... we may be closer together than we think if we got more specific about the actual activity of processing the data
07:53:53 [npdoty]
ack lmastria-DAA
07:54:21 [Rene]
rvaneijk: okay, so this is related to the new NL law related to cookie (implementation of e-privacy directive), got it
07:54:31 [bryan]
lmastria-DAA: caution against making a simple signal account for auditing etc; that should be out of scope
07:54:45 [jmayer]
All of this is well within scope.
07:55:01 [bryan]
... it might be fine/easy to do it, but saying whole ecosystem must be held to it, don't think we are there yet
07:55:15 [trackbot]
ISSUE-75 -- How do companies claim exemptions and is that technical or not? -- open
07:55:19 [bryan]
aleecia: next topic is issue 75
07:55:26 [WileyS]
Jonathan - many here disagree with you - so let's at least agree that we have fundamentally different views here.
07:55:31 [bryan]
... this has been solved in the TPE, we should be able to close
07:55:44 [bryan]
... any further input?
07:55:47 [npdoty]
Zakim, open the queue
07:55:47 [Zakim]
ok, npdoty, the speaker queue is open
07:55:48 [Chris_DAA]
data retention beyond the use for "tracking" (which has not been defined yet by the working group) is OUT OF SCOPE per the charter:
07:56:12 [jmayer]
npdoty, fielding, justin, The E/M/S proposal facilitates easy compliance via a short-term use period for protocol information. If you're not collecting ID cookies and you dump your logs after two weeks, you're (very likely) in compliance.
07:56:12 [bryan]
ifette: in bellevue it was unclear if all the letters in the header had consensus
07:56:13 [npdoty]
I believe we had agreement that it's optional
07:56:33 [bryan]
aleecia: i mean this is no longer a compliance issue; it's a TPE thing
07:56:46 [WileyS]
+1 to Nick
07:57:10 [bryan]
npdoty: we had agreement in bellevue for an optional method to claim permitted uses
07:57:25 [bryan]
... shane's proposal included transparent documentation but we did not have a method yet
07:57:34 [fielding]
as long as it is understood that what is in TPE right now doesn't match my recollection either -- why are the qualifiers in the header field?
07:57:40 [bryan]
aleecia: looking at the discoverability section?
07:57:58 [npdoty]
ack npdoty
07:58:00 [bryan]
npdoty: the spec now has technical support for the requirements
07:58:09 [ifette]
Close iSSUE-75
07:58:09 [trackbot]
ISSUE-75 How do companies claim exemptions and is that technical or not? closed
07:58:26 [Chris_DAA]
npdoty, data retention (unless it relates to tracking) is out of scope of the charter - call for clarification by the W3C please on the charter
07:58:28 [jmayer]
Ah, got it. So this is just a TPE issue. Seems very reasonable.
07:58:36 [trackbot]
ISSUE-24 -- Possible exemption for fraud detection and defense -- open
07:58:38 [bryan]
aleecia: next is fraud as a permitted use (issue 24)
07:59:05 [fielding]
is fraud a permitted use? umm, maybe fraud prevention
07:59:15 [bryan]
... editors have got this to two proposals
08:00:09 [bryan]
... (describing text in Security and Fraud Prevention)
08:00:17 [jmayer]
What happened to a MUST for graduated response?
08:00:21 [WileyS]
Roy, I suggested that "Security" is simply enough to cover both concepts (and others)
08:00:27 [tl]
+q to ask where's the "but you must only..."?
08:00:35 [bryan]
... what will get us to final text?
08:00:44 [rigo]
"fraud as permitted use" is semantically interesting :)
08:00:59 [bryan]
ifette: like the text in the document; what problems exist for the current text?
08:01:06 [hwest]
rigo, I think we should rename it "fraud prevention"...
08:01:16 [npdoty]
ack ifette
08:01:17 [bryan]
... for nick's proposal, adding graduated response as preferred is OK
08:01:19 [WileyS]
I believe we should simply call it "Security"
08:01:23 [justin]
ifette, Fortunately, you already have an open action on defining graduated response.
08:01:33 [bryan]
... aside from that would like to see specific issues
08:01:37 [ifette]
justin, lovely :)
08:01:51 [bryan]
npdoty: the motivation was to simplify it and include graduated response
08:02:06 [bryan]
aleecia: can you live with it with the addition of graduated response?
08:02:09 [bryan]
npdoty: yet
08:02:14 [bryan]
... (yes)
08:02:42 [npdoty]
I would be very concerned about "illegitimate"
08:02:54 [bryan]
dwainber_: trying to do three things (please add to the irc log as I did not capture the first two)
08:03:17 [bryan]
... third is filtering out bot-driven impressions
08:03:25 [fielding]
npdoty, why?
08:03:56 [fielding]
is malicious a better word to use?
08:03:59 [rigo]
fielding, because you import all sorts of legal problems with this one word
08:04:08 [justin]
Sure, take out fraud, illegitimate, and tracking.
08:04:32 [npdoty]
I'm not sure why we want to take out "fraud"
08:04:52 [justin]
Leave fraud in but add security and malicious?
08:05:03 [fielding]
justin, yep
08:05:30 [npdoty]
fielding, I would be concerned about what user's activity counts as legitimate or not or who would decide; yes, I would be fine with "malicious"
08:05:30 [bryan]
tl: could not find the text re global aspects of handing
08:05:34 [npdoty]
ack tl
08:05:34 [Zakim]
tl, you wanted to ask where's the "but you must only..."?
08:05:34 [tlr]
ack tl
08:05:35 [tlr]
ack jm
08:05:41 [bryan]
aleecia: at the bottom of the section
08:05:50 [justin]
ack jmayer
08:06:10 [bryan]
jmayer: 3 points; first is be sure to flag an option is a must for graduated response
08:06:29 [Chris_DAA]
guys, we gotta object to data minimization-- it's not in scope
08:06:37 [ifette]
rrsagent, bookmark?
08:06:42 [bryan]
... seems some think it's close to must but some cases where graduated response may be a best practice
08:06:55 [fielding]
npdoty, the goal would be to distinguish bots from real people -- for example, we should not count google's indexing spider as an advertising impression, yet it isn't malicious either.
08:06:57 [dsinger]
um, the definition of graduated response is that it's the data needed to be OK, so it can't be not OK :-)
08:07:04 [bryan]
... 2nd point why i think a must makes sense
08:07:39 [bryan]
... companies can say i have no reason to suspect you, but i will keep your data around on the off-chance that you are suspect
08:08:01 [rigo]
I remind that "graduate response" still was the NATO doctrine to the russians which contained that they would send nukes first
08:08:14 [bilcorry]
It establishes patterns that can be used to detect account take overs. If we have no information about previous behavior, can't help users. What is the greater harm?
08:08:21 [bryan]
... 3rd point: i and others have called for industry to provide information; get that this is sensitive, but need info rather than bald assertions
08:09:02 [bryan]
aleecia: i suggest lets see the text from justin, and expect a debate
08:09:42 [bryan]
tl: re the should/must discussion, recommend reading the RFC (2119)
08:09:44 [jmayer]
You SHOULD read about SHOULD. Classy, Tom.
08:09:50 [susanisrael]
susanisrael has joined #dnt
08:09:52 [dsinger]
from the RFC: "3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
08:09:52 [dsinger]
may exist valid reasons in particular circumstances to ignore a
08:09:53 [dsinger]
particular item, but the full implications must be understood and
08:09:54 [dsinger]
carefully weighed before choosing a different course.
08:10:05 [ChrisPedigoOPA]
Aleecia, can you repost the link to the Compliance doc?
08:10:23 [bryan]
aaa: reality is that should will become must
08:11:06 [bryan]
vincent: question for david, how can we detect click-fraud?
08:11:07 [npdoty]
fielding, do we not think financial permitted use would cover keeping data from bots that shouldn't be billed?
08:11:15 [npdoty]
ack vincent
08:11:16 [bryan]
aleecia: that's not something we need to address here
08:11:16 [npdoty]
ack WileyS
08:11:16 [tlr]
ack wi
08:11:38 [johnsimpson]
who is on the phone?
08:11:51 [bryan]
wileys: danger of literal interpretation of the RFC2119 language; recommend moving graduated response into the informative text
08:11:55 [Chapell]
Chapell has joined #DNT
08:11:58 [fielding]
npdoty, yes -- I was just trying to explain why I think David W. chose illegitimate
08:12:07 [johnsimpson]
zakim, who is on the phone?
08:12:07 [Zakim]
On the phone I see BrendanIAB?, Telegraaf, fielding, johnsimpson, Jonathan_Mayer
08:12:19 [bryan]
... only have heard one example in the real world, still searching for a company that can do this dynamically
08:12:35 [bryan]
... appreciate the aspirational goals though
08:12:48 [fielding]
npdoty, there are security issues with botnets, of course, but I consider those to be malicious attacks
08:12:52 [tl]
+q to say that graduated response as a "nice to have" doesn't work for me.
08:13:10 [npdoty]
fielding, certainly, yes
08:13:36 [bryan]
jmayer: half of DAA members kill cookies when the user opts out; the notion that this is infeasible seems questionable
08:14:13 [npdoty]
q+ to refer to minimization/graduated response (reasonably necessary/feasible lets us avoid practical debate)
08:14:18 [bryan]
... talking about graduated response
08:14:31 [bryan]
... (please add the rest of the point as needed)
08:14:38 [npdoty]
action: mayer to draft non-normative examples illustrating graduated response
08:14:38 [trackbot]
Created ACTION-293 - Draft non-normative examples illustrating graduated response [on Jonathan Mayer - due 2012-10-11].
08:14:43 [Chris_DAA]
call for the term "graduated response" to be defined
08:14:51 [npdoty]
Zakim, close the queue
08:14:51 [Zakim]
ok, npdoty, the speaker queue is closed
08:14:53 [rigo]
I note Article 4 of Directive 2002/58/EC requires
08:14:55 [rigo]
The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services
08:14:58 [fielding]
The problem with graduated response is that it assumes you haven't shared data with a third party that tells you whether or not you need to ratchet up that graduated response.
08:15:06 [npdoty]
ack BrendanIAB
08:15:25 [rwessel]
rwessel has joined #dnt
08:15:35 [johnsimpson]
Can't hear. Use microphone
08:15:38 [bryan]
BrendanIAB: to jonathan in the case that the user has opted out, we are still using identifiers for fraud/traffic etc
08:15:54 [jmayer]
s/identifiers/IP address identifiers/
08:16:07 [jmayer]
BrendanIAB, the E/M/S proposal allows using IP addresses and other protocol information for security/antifraud!
08:16:21 [jmayer]
npdoty, I also can't understand what he's saying.
08:16:27 [jmayer]
Sounds underwater.
08:16:51 [johnsimpson]
just not clear...
08:16:53 [Chris_DAA]
how does "graduated response" apply here?
08:17:30 [bryan]
... re automated traffic filtering, not all filters catch all bots in real time, so there is need to process the logs after-the-fact (please correct if that was not accurate)
08:17:30 [jmayer]
If we agree that these practices can be accomplished either through protocol data or unique ID data, why don't we agree to standardize the current industry best practice?
08:17:31 [npdoty]
ack dwainber_
08:18:14 [tlr]
ack chr
08:18:32 [npdoty]
action: brookman to revise security/fraud based on existing proposals
08:18:34 [trackbot]
Created ACTION-294 - Revise security/fraud based on existing proposals [on Justin Brookman - due 2012-10-11].
08:18:37 [BrendanIAB]
jmayer - I grok that IP addresses are usable, just wanted to call out that IP addresses are identifiers!
08:18:42 [bryan]
Chris_DAA: lacking a solid definition of graduated response; should pause the debate
08:18:43 [tlr]
ack k
08:18:45 [hwets]
hwets has joined #dnt
08:18:55 [BerinSzoka]
at what point in the conversation would it be appropriate for us to finally get to the bottom of Should v Must? This seems to be a key issue that continues to be debated and, as a lawyer, I must say I'm frustrated by the conversation thus far--as well as the RFC text. For example, the definition of "must" uses the term "absolute requirement", which would suggest that "Should" is ALSO a "requirement"--just not an absolute one
08:19:10 [jmayer]
BrendanIAB, they're linkable in many cases, for sure. That's why the E/M/S treats them as a special case.
08:19:15 [bryan]
ksmith: this is not a good place for graduated response; we should go for minimization
08:19:34 [ifette]
ifette has joined #dnt
08:19:35 [BrendanIAB]
I'll see if I can fix my mic for the future, I do feel like I'm underwater as well (given that I started at 2:30 AM)
08:19:53 [npdoty]
BerinSzoka, yes, I believe "should" is a requirement that isn't absolute
08:20:03 [tlr]
brendan, kudos for getting up this early
08:20:04 [ifette]
Forced OS patch installation, sigh. Gotta love corporate policy and OSes that don't auto-update in a sane way, e.g. when I rebooted earlier ;-)
08:20:04 [bryan]
... graduated response is opposite of what you are likely to do in a real situation, rather collecting everything you can and then scale back as quickly as possible
08:20:26 [tlr]
SHOULD This word, or the adjective "RECOMMENDED", mean that there
08:20:27 [jeffwilson]
like debugging, each security scenario can be different, requiring different approaches
08:20:27 [tlr]
may exist valid reasons in particular circumstances to ignore a
08:20:27 [tlr]
particular item, but the full implications must be understood and
08:20:28 [tlr]
carefully weighed before choosing a different course.
08:20:31 [tlr]
08:20:39 [jmayer]
08:20:41 [npdoty]
08:20:43 [npdoty]
ack tl
08:20:43 [Zakim]
tl, you wanted to say that graduated response as a "nice to have" doesn't work for me.
08:20:53 [jmayer]
08:20:54 [ifette]
rrsagent, bookmark?
08:20:54 [RRSAgent]
08:20:59 [npdoty]
ack Brooks
08:21:08 [BerinSzoka]
in other words, the RFC text seems to suggest that "Should" is a requirement with exceptions, where the burden is placed upon the party NOT doing what it "Should" do to justify its invocation of an exception to the "Should"
08:21:15 [bryan]
Brooks: re clickfraud being a 1st-party case
08:21:56 [npdoty]
I think this is a url re-direction question?
08:22:01 [BerinSzoka]
anyway, again, I'm asking when we can discuss should v must in greater detail--NOT in the IRC
08:22:22 [bryan]
... in a redirect scenario, different parties are involved some with a service provider exception
08:22:23 [amyc]
is wondering why the global statement about data minimization couldn't cover this, rather than adding graduated response to each permitted use
08:22:34 [Chapell]
08:22:34 [ninjamarnau]
ninjamarnau has joined #dnt
08:22:46 [bryan]
... don't think that clickfraud is solved due to the 1st party context
08:23:08 [Chris_DAA]
BerinSzoka, you should open an action item on should v must
08:23:12 [Simon]
Is "data authentication" more accurate a term than "fraud"?
08:23:27 [bryan]
aleecia: may be as we look into redirects we may address this, but we haven't gotten into it deeply so far
08:23:34 [npdoty]
08:23:36 [Chris_DAA]
amyc, global data minimization is clearly out of scope for this working group
08:23:39 [lmastria-DAA]
brooks: affiliate and click fraud has not been contemplated
08:23:46 [hwest]
hwest has joined #dnt
08:24:00 [bryan]
npdoty: we have a section on data minimization and transparency, with wide support
08:24:04 [rigo]
aleecia, I see the dragons that you point to
08:24:08 [johnsimpson]
johnsimpson has left #dnt
08:24:29 [bryan]
... use of graduated response was picking up on that global requirement, added this as a comforting help toward consensus
08:24:58 [bryan]
wileys: don't know if data minimization correlates with graduated response, but data minimization is undefined
08:25:08 [bryan]
... graduated response seems more proscriptive
08:25:21 [BerinSzoka]
ok, I just created an action item on "Should v Must"
08:25:24 [bryan]
... data minimization was purposely left unproscriptive
08:25:38 [efelten]
Chris_DAA, doesn't that follow from "technologies for selectively allowing or blocking tracking elements?"
08:25:44 [ifette]
Can we wait to see revised text?
08:25:50 [WileyS]
data minimization only for permitted uses
08:25:58 [npdoty]
"Additionally, the Working Group will define the scope of the user preference and practices for compliance with it in a way that will inform and be informed by the technical specification."
08:26:28 [npdoty]
maybe there is a misunderstanding about data minimization applying beyond data retention under DNT:1?
08:26:29 [jmayer]
Is this Lou from DAA being disruptive again?
08:26:42 [jmayer]
Trying to argue about the group's charter?
08:26:50 [bryan]
Chris_DAA: (suggests a topic be considered here)
08:27:04 [dsinger]
to Chris_IAB: I think we mean minimization only of the data that is in scope, i.e. (speaking roughly) 'tracking data', or PII; other data does not concern us (including unlinkable, as we explored)
08:27:05 [bryan]
aleecia: suggests this be taken offline during the break
08:27:25 [bryan]
Chris_DAA: think global data minimization is out of scope of this working group (for the record)
08:27:30 [dsinger]
08:27:30 [trackbot]
ISSUE-72 -- Basic principle: independent use as an agent of a first party -- open
08:27:30 [trackbot]
08:27:36 [bryan]
aleecia: issue 72
08:27:37 [npdoty]
Zakim, open the queue
08:27:37 [Zakim]
ok, npdoty, the speaker queue is open
08:27:37 [dsinger]
08:27:37 [trackbot]
ISSUE-49 -- Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? -- open
08:27:37 [trackbot]
08:27:54 [npdoty]
thx to the scribe for making sure to get comments for the record on to the record :)
08:28:01 [bryan]
... noted as covered elsewhere but it's open; all the activity has moved, so we should close it
08:28:10 [Chris_DAA]
efelten, the actionable word in the charter/scope doc is "tracking"
08:28:13 [johnsimpson]
johnsimpson has joined #dnt
08:28:15 [npdoty]
hearing nothing, closing 72 as subsumed by other issues
08:28:18 [BerinSzoka]
+1 to Chris. I'm really confused as to how data minimization falls within the scope, which, let us recall, is "The Working Group will produce Recommendation-track specifications for a simple machine-readable preference expression mechanism ("Do Not Track") and technologies for selectively allowing or blocking tracking elements."
08:28:20 [npdoty]
close issue-72
08:28:21 [trackbot]
ISSUE-72 Basic principle: independent use as an agent of a first party closed
08:28:31 [bryan]
... issue 31 dovetails with the last topic
08:28:33 [Chris_DAA]
so as it may relate to tracking, let's talk about it-- but not global data minimization
08:29:03 [ifette]
08:29:05 [bryan]
... (reads from the data minimization and transparency section)
08:29:10 [efelten]
Berin, see the third paragraph of the charter: "Additionally, the Working Group will define the scope of the user preference and practices for compliance with it in a way that will inform and be informed by the technical specification. The group will actively engage governmental, industry, academic and advocacy organizations to seek global consensus definitions and codes of conduct."
08:29:12 [MikeZ]
Why do we spend time discussing text when there is substantial doubt whether the topic is in scope of our work? Cart before horse.
08:29:17 [ifette]
q+ to say "for the permitted use" -> "for the permitted uses for which the data is being retained"
08:29:18 [npdoty]
maybe there is some simple confusion, Chris_DAA, I don't think the requirements on data minimization are for organizations' data practices in general
08:29:19 [npdoty]
08:29:32 [tlr]
+1 to Nick.
08:29:49 [fielding]
q+ to say that the basic problem here is that first/third only applies to one interaction
08:29:52 [npdoty]
ack ifette
08:29:52 [Zakim]
ifette, you wanted to say "for the permitted use" -> "for the permitted uses for which the data is being retained"
08:29:57 [bryan]
... any comments other than the suggested examples?
08:30:35 [tlr]
q+ to elaborate on an editorial point
08:30:37 [Chris_DAA]
efelten, since the actionable word in the scope/charter is "TRACKING", we should define tracking then before moving forward
08:30:40 [bryan]
ifette: the second half of the text addresses how data is handled for other permitted uses
08:31:09 [bryan]
rigo: if you reuse data for other purposes, it's still a permitted use
08:31:22 [efelten]
All I'm saying is, to know what the charter covers, you have to read the whole charter.
08:31:30 [Chris_DAA]
efelten, this group's charter is actually VERY specific-- it relates to tracking
08:31:38 [bryan]
ifette: this addresses retention for a specific use, but do not mandate separating the data retained per use
08:31:48 [BerinSzoka]
yes Ed, I see the third paragraph, but that ("define the scope of the user preference and practices for compliance with it") seems to refer back to the limiting principle of the first paragraph ("preference expression mechanism ("Do Not Track") and technologies for selectively allowing or blocking tracking elements"). So... what's tracking, again?
08:32:06 [Chris_DAA]
efelten, maybe you think everything advertisers do with data is "tracking"-- respectfully, I would disagree with that notion
08:32:07 [bryan]
... we should describe retaining minimal data for the uses valid for that data
08:32:07 [BerinSzoka]
Unfrozen Caveman Lawyer is confused
08:32:34 [jmayer]
Chris_DAA, BerinSzoka, the charter plainly covers defining compliance, including minimization. That hasn't been contested for over a year.
08:32:40 [tlr]
ack next
08:32:41 [Zakim]
fielding, you wanted to say that the basic problem here is that first/third only applies to one interaction
08:32:51 [Chris_DAA]
08:32:53 [bryan]
aleecia: don't see that separate copies is not a required approach
08:32:53 [tlr]
08:32:56 [tlr]
08:33:01 [johnsimpson]
08:33:02 [bryan]
... attach to issue 31
08:33:08 [dsinger]
to editors: "once the period of time" --> somewhere add "has expired" !!
08:33:14 [Chris_DAA]
npdoty, I'd like to open an issue to define "tracking" (I'll take the lead)
08:33:20 [bryan]
... anyone to provide examples per the note?
08:33:24 [rvaneijk]
@Chris: we are currently not discussing the def of tracking
08:33:37 [jmayer]
08:33:37 [BerinSzoka]
all the more reason for an action item on that point, no?
08:33:39 [bryan]
... jonathan?
08:33:39 [rvaneijk]
08:33:45 [npdoty]
@Chris_DAA, you might look at issue 5
08:33:46 [justin]
How about "Tracking is the collection, use, or retention of information in contravention of this standard."
08:33:46 [Chris_DAA]
rvaneijk, as it relates to the scope, it relates to my objection
08:33:47 [bryan]
jmayer: sure
08:33:48 [Simon]
Is the earlier discussion of compliance and retention subsumed under this issue?
08:33:56 [jmayer]
Y'all don't say I never did anything for ya...
08:33:59 [rigo]
08:34:00 [npdoty]
ack fielding
08:34:10 [Chris_DAA]
justin, let's take it as an action item
08:34:26 [rvaneijk]
@Chris: it is not the time for formal objections
08:34:28 [bryan]
fielding: general problem with this section; it's phrased as if the holder is either a 1st or 3rd party
08:34:43 [ifette]
Issue-31: "A third party MUST only retain that information which is still required for permitted uses, for as long as is reasonably necessary for those uses. When data is no longer required for any permitted uses, it MUST NOT be retained. Data need not be stored multiple times for each permitted use, storing a single instance of the data is sufficient. … rest of existing text here"
08:34:43 [trackbot]
ISSUE-31 Minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions) notes added
08:34:43 [bryan]
... on a large site the party context will vary for the same records
08:35:03 [Chris_DAA]
thanks npdoty, is this on the agenda for Amsterdam?
08:35:13 [bryan]
... how does this text account for that a site is not always the same type of party?
08:35:16 [ifette]
08:35:16 [trackbot]
ISSUE-31 -- Minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions) -- open
08:35:16 [trackbot]
08:35:39 [bryan]
aleecia: hearing suggestion that "data collected in a 3rd party context must..."
08:35:40 [npdoty]
action: fette to draft text for the agreement that multiple copies of the same data are not required
08:35:40 [trackbot]
Created ACTION-296 - Draft text for the agreement that multiple copies of the same data are not required [on Ian Fette - due 2012-10-11].
08:35:44 [jmayer]
npdoty, could you please do the ACTION thing for me?
08:35:52 [bryan]
fielding: will provide text re that
08:36:07 [amyc]
wouldn't "data collected in third party context" apply to all of this section?
08:36:13 [ifette]
ACTION-296: see note associated with ISSUE-31
08:36:13 [trackbot]
ACTION-296 Draft text for the agreement that multiple copies of the same data are not required notes added
08:36:17 [ifette]
Close ACTION-296
08:36:18 [trackbot]
ACTION-296 Draft text for the agreement that multiple copies of the same data are not required closed
08:36:24 [npdoty]
action: fielding to update minimization text regarding data collected in a third-party context
08:36:24 [trackbot]
Created ACTION-297 - Update minimization text regarding data collected in a third-party context [on Roy Fielding - due 2012-10-11].
08:36:44 [bryan]
dwainberg: data retained for permitted uses should imply by definition that you are acting as a 3rd party?
08:37:06 [jmayer]
examples for minimization
08:37:06 [bryan]
... we accept that service providers stand in the shoes of their served parties
08:37:14 [Chris_DAA]
rvaneijk, I didn't file a formal objection (yet), I engaged in the discussion and objected that the discussion of data minimization is out of scope (I'm allowed to do that)
08:37:15 [fielding]
I don't multitask very well
08:37:54 [fielding]
ditto tlr -- it is usually negated as MUST NOT except
08:38:01 [bryan]
tlr: "must only" is ambiguous; recommending against using such phrases, for language clarity
08:38:09 [robsherman]
+1 tlr.
08:38:18 [Chris_DAA]
data minimization is out of scope
08:38:19 [bryan]
aleecia: we can flip it around
08:38:31 [npdoty]
08:38:31 [trackbot]
ACTION-293 -- Jonathan Mayer to draft non-normative examples illustrating graduated response -- due 2012-10-11 -- OPEN
08:38:31 [trackbot]
08:38:45 [bryan]
... justin take an action to flip this around
08:38:57 [bryan]
dsinger: please add "has expired"
08:38:59 [npdoty]
08:39:01 [npdoty]
ack fielding
08:39:02 [npdoty]
ack tlr
08:39:32 [ifette]
ScribeNick: ifette
08:39:43 [ifette]
Topic: Issue-64
08:39:45 [ifette]
08:39:45 [trackbot]
ISSUE-64 -- How do we describe non-identifiable data -- open
08:39:45 [trackbot]
08:39:46 [npdoty]
action: mayer to draft examples for data minimization
08:39:47 [trackbot]
Created ACTION-298 - Draft examples for data minimization [on Jonathan Mayer - due 2012-10-11].
08:39:57 [dwainberg]
suggestion on retention: "Data retained by a party for permitted uses MUST be limited to the data reasonably necessary for such permitted uses, and MUST be retained no longer than is reasonably necessary for such permitted uses."
08:40:00 [ifette]
Aleecia: don't believe anything has changed overnight, believe we leave it where we left it yesterday
08:40:02 [ifette]
… much to do
08:40:06 [ifette]
… move on to service providers
08:40:08 [npdoty]
08:40:08 [trackbot]
ISSUE-49 -- Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? -- open
08:40:08 [trackbot]
08:40:08 [ifette]
Topic: ISSUE-49
08:40:16 [ifette]
Aleecia: extensive drafts in here
08:40:21 [ifette]
… as section 3.4 and three options
08:40:23 [ifette]
… for definitions
08:40:26 [ifette]
… look at those
08:40:38 [ifette]
… first option, looking only at normative section, is <reads>
08:41:19 [ifette]
… reads This section applies to parties engaging in an outsourcing relationship, wherein one party "stands in the shoes" of another party to perform a specific task. Both parties have responsibilities, as detailed below.
08:41:20 [ifette]
A first party or a third party MAY outsource functionality to another party, in which case the third party may act as the original first party or third party under this standard, with the following additional restrictions:
08:41:21 [ifette]
Data collected by each outsourced company is separated for each party they collect data for by both technical means and organizational process, AND
08:41:23 [ifette]
The outsourced company has no independent rights to the collected information, AND
08:41:23 [rigo]
q+ to suggest option 3 stripped
08:41:24 [ifette]
A contractual relationship exists between the outsourced and the party they collect data for that outlines and mandates these requirements.
08:41:24 [ifette]
An outsourced company acting on the behalf of another party is subject to all of the same restrictions on that party (for First or Third party, as appropriate.)
08:41:26 [lmastria-DAA]
non-identifiable data is still very open issue
08:41:43 [ifette]
Aleecia: Moves to option 2
08:42:03 [jmayer]
08:42:04 [ifette]
… Outsourced service providers are considered to be the same party as their clients if the outsourced service providers only act as data processors on behalf of that party, silo the data so that it cannot be accessed by other parties, and have no control over the use or sharing of that data except as directed by that party.
08:42:18 [ifette]
Aleecia: option 3, Service Providers acting on the behalf of a First Party and with no independent rights to use the First Party’s data outside of the context of that First Party and Permitted Uses are also considered to be acting as the First Party.
08:42:34 [ifette]
Aleecia: this doesn't contemplate first/third parties but probably should
08:42:44 [Chris_DAA]
jmayer, per your argument above, can you please demonstrate concretely how data retention is in scope of the charter? btw- doesn't matter when parties object-- DAA just got into the group officially, so now we can formally object
08:42:54 [ifette]
Shane: "Service providers acting on behalf of a.. with no rights to use … outside of context … also considered to be acting as that party"
08:42:59 [ifette]
… shane entered this in IRC yesterday
08:43:16 [rigo]
08:43:19 [ifette]
Aleecia: Anything new, or are we just tightening these down
08:43:23 [ifette]
… think we understand differences between
08:43:28 [justin]
WileyS, I think hwest was charged with revising these two.
08:43:30 [robsherman]
Even where service providers are limited in their use of data, most contracts give them the right to access it for troubleshooting, etc. I think this should be noncontroversial, but does anybody agree that that kind of use doesn't cause a service provider to become a third party (under any of these 3 options)?
08:43:33 [ifette]
… are these final, to a point where we can move them closer together, or where we need a decision process
08:43:36 [npdoty]
08:43:37 [ifette]
… more to discuss about this
08:43:39 [npdoty]
ack jmayer
08:43:44 [robsherman]
s/does anybody agree/does anybody disagree
08:43:46 [rigo]
08:43:49 [Chris_DAA]
if data does not relate to tracking (per the Charter scope), then it's out of scope
08:43:55 [ifette]
jmayer: these options bundle together many different design choices
08:43:59 [rigo]
to ask whether we can merge option 2 and 3
08:44:07 [ifette]
… decisions about treatment of service provider as being synonymous with first party or not
08:44:11 [ifette]
… technical, business protections required
08:44:15 [ifette]
… issues about use direction
08:44:20 [ifette]
… what i am hoping
08:44:21 [ifette]
… process
08:44:28 [ifette]
… does it make sense to break out individual components
08:44:34 [ifette]
… or does it make sense to bundle them
08:44:40 [justin]
Per request, current compliance spec:
08:44:47 [ifette]
aleecia: choices between these were done deliberately
08:44:50 [ChrisPedigoOPA]
thanks Justin
08:44:55 [kimon]
kimon has joined #dnt
08:44:56 [ifette]
… you are right that the siloing can be separated out, endless conversation about that
08:45:06 [kimon]
08:45:07 [jmayer]
Chris, you're welcome to propose your novel charter interpretation on the mailing list. I'm trying to focus on the current conversation.
08:45:10 [Chris_DAA]
efelten, are you offering the FTC's position on the scope of this working group?
08:45:11 [ifette]
… but the idea a SP is considered the same party, or that it acts on behalf of the same party, is fundamentally different and is on purpose between these drafts
08:45:16 [ifette]
08:45:33 [ifette]
jmayer: wanted to add EFF/stanford/mozilla as another option
08:45:36 [ifette]
aleecia: isnt that option 1?
08:45:40 [ifette]
jmayer: slight differences
08:45:53 [ifette]
… one is the requirement that the technical/business precautions <hard to scribe, he's not speaking linearly>
08:45:58 [efelten]
Chris, all I did was quote from the charter.
08:45:59 [ifette]
… explicitly don't add consensus on this
08:46:08 [npdoty]
if the differences are slight, then can we condense them?
08:46:16 [ifette]
… collecting/retaining data that COULD be linked across multiple first parties
08:46:30 [ifette]
… vs under "this" (not defined) is about the use of data across multiple first parties, not collection
08:46:43 [npdoty]
08:46:46 [ifette]
… one of reasons i'm concerned about bundling, easy to lose that nuance
08:46:50 [rigo]
q- later
08:46:54 [Chris_DAA]
efelten, thanks for the clarification-- it appeared to me that you were trying to offer your analysis of the charter/scope.
08:46:56 [ifette]
aleecia: actionably out of that is a request to have that text added back to draft
08:47:04 [ifette]
… jonathan, if you can put in IRC, thanks
08:47:10 [ifette]
… perhaps hwest can take an action
08:47:16 [ifette]
… another option to 3.4 which jmayer will provide
08:47:26 [npdoty]
action: west to add a service provider option (or condense with option 1) from jmayer
08:47:26 [trackbot]
Created ACTION-300 - Add a service provider option (or condense with option 1) from jmayer [on Heather West - due 2012-10-11].
08:47:37 [ifette]
… many close options
08:47:39 [jmayer]
Here's the E/M/S language:
08:47:42 [npdoty]
08:47:42 [ifette]
… can we get down to 2 vs 4 options?
08:47:53 [dwainberg]
08:47:55 [ifette]
kimon: like the first definition
08:47:57 [npdoty]
ack kimon
08:47:58 [ifette]
… ok with some of them
08:48:10 [ifette]
… question is we have a lot of text on the first, not sure i like it entirely but don't have a problem with the definition
08:48:18 [ifette]
… do we choose between definition and long text or short definition?
08:48:18 [lmastria-DAA]
08:48:28 [fielding]
I am not sure how siloing can be separated out given that it distinguishes a service provider from a third party
08:48:29 [ifette]
aleecia: can we pull out definition, and then do responsibilities of a S.P. as a separate issue
08:48:32 [ifette]
… like that approach
08:48:35 [npdoty]
ack rigo
08:48:42 [ifette]
rigo: options 2,3 fundamentally the same
08:49:05 [ifette]
… 2 says "are considered same party IF outsourced service provider acts as a data processor"
08:49:14 [ifette]
… rob will confirm DP definition is when SP has no independent right to use
08:49:14 [efelten]
Chris, I just wanted to make sure you weren't trying to claim that defining the scope of the user preference and practices for compliance with it would be outside the charter.
08:49:17 [ifette]
… so they are the same
08:49:22 [ifette]
… merge and replace with shane's suggestion
08:49:29 [ifette]
… still believe shane's suggestion too long, burns down to independent use
08:49:38 [ifette]
… believe we already agreed
08:49:42 [npdoty]
08:49:54 [ifette]
aleecia: who wrote 2/3?
08:49:58 [Chris_DAA]
npdoty, is issue 5 on the agenda for Amsterdam (sorry if you already answered this before)
08:50:08 [ifette]
shane: rob and i did 2 together, i wrote option 3, also worked on option 1
08:50:18 [fielding]
should not be in the spec
08:50:20 [ifette]
WileyS: evolution of thought was again, much of this can be played into option 1
08:50:26 [ifette]
… very first AI that jmayer and I worked on
08:50:35 [ifette]
… proscriptive application vs less proscriptive
08:50:36 [npdoty]
Chris_DAA, you can see f2f agenda here: we don't have issue-5 on that agenda, it was on the agenda for the last two teleconferences
08:50:41 [Chris_DAA]
efelten, my objection was simple: general/global data minimization is out of scope
08:50:49 [ifette]
… evolution was when rob and i trying to show SP+DP were legitimately the same
08:50:56 [MikeZ]
robsherman, agree wth your assessment of service providers
08:50:57 [ifette]
… open discussion
08:51:06 [ifette]
… 3 was to reinforce permitted use for SPs
08:51:15 [rachel_n_thomas]
rachel_n_thomas has joined #dnt
08:51:25 [ifette]
… service providers have every need for permitted uses as well
08:51:35 [ifette]
… if we collapse the three, still same fundamental divide on specifics
08:51:36 [rigo]
q+ rvaneijk
08:51:38 [ifette]
… but definitionally, already there
08:51:42 [robsherman]
Thanks, MikeZ
08:51:43 [ifette]
… just need to collapse the definitions
08:51:46 [rigo]
ack rvaneijk
08:52:00 [ifette]
rvaneijk: to be clear, when it comes to independent use through permitted use, we have a difference of opinion
08:52:02 [fielding]
Rob's mic not working
08:52:12 [ifette]
he's just speaking softly / not close to mic
08:52:15 [johnsimpson]
microphone, please
08:52:35 [ifette]
rigo: not debating that third parties… misunderstanding shane was alluding to … even a third party of article 4 of 2000/58 obliged to make service secure
08:52:41 [ifette]
… security and fraud prevention
08:52:46 [ifette]
rvaneijk: within the purpose of the first party
08:52:48 [Chris_DAA]
thanks npdoty, is there any way to add this in somewhere? I think it's critical to all discussions here-- helps define the charter/scope in a meaningful way
08:52:53 [ifette]
rigo: no independent right means you can't change purpose as a party
08:52:55 [ifette]
… financial reporting
08:53:04 [ifette]
… no permitted use that would be outside of that purpose set by first party
08:53:14 [ifette]
rvaneijk: no independent product development or market research
08:53:27 [npdoty]
08:53:43 [ifette]
shane, rvaneijk was saying SP gets no permitted use around e.g product development
08:53:49 [npdoty]
ack lmastria-DAA
08:53:52 [ifette]
aleecia: hearing useful to get definition first, then pull apart other issues
08:54:00 [vinay]
08:54:05 [ifette]
lou: troubled by independent use, think legitimate uses flow from first party to SP or third party
08:54:08 [ifette]
… need to be contemplated
08:54:19 [ifette]
… rigo talked about this
08:54:40 [ifette]
lmastria-DAA: beyond this, need to be able to say FP has independent right to be able to say "it's OK to use in this way, I collected with permission to do X,Y,Z"
08:54:45 [ifette]
… way this is structured doesnt contemplate that
08:54:49 [WileyS]
Again - I believe the "product development" concept isn't well understood. If I learn through one of my clients that a server isn't performing well, then I can modify that system and all my clients benefit. This IS PERMITTED by EU law.
08:54:52 [ifette]
08:55:08 [ifette]
vinay: one example is industry reports. How many mobile users, highly aggregated that SPs provide
08:55:15 [ifette]
… same thing as a large first party doing it themselves
08:55:20 [ifette]
… example of a permitted use SP should be able to do
08:55:25 [fielding]
q+ to ask that be removed
08:55:30 [WileyS]
08:55:31 [ifette]
kimon: how would that work
08:55:41 [ifette]
… i drop out of first party become third party, covered by permitted uses?
08:55:48 [jmayer]
As I explained in Bellevue, the risk of independent use is a perverse incentive to collect and retain information that can be linked across first parties.
08:56:02 [ifette]
WileyS: first party uncovered, if third party, only permitted uses are permitted uses
08:56:04 [amyc]
another scenario is fraud detection, where service providers use data from many first parties to identify fraud (e.g., a suspicious IP address)
08:56:15 [ifette]
kimon: if i use part of the data independently i become a third party
08:56:19 [ifette]
WileyS: then have permitted uses
08:56:23 [ifette]
… thats why they're in option 3
08:56:33 [ifette]
… if you look at this as a hierarchy / threshold
08:56:37 [ifette]
… see FP/TP/SP
08:56:46 [ifette]
… nonsensical to in the middle say you have less access to the one at the bottom
08:57:00 [ifette]
rigo: i think for the moment if we blow the permitted uses this goes wrong
08:57:05 [vinay]
08:57:11 [ifette]
… i collect more than i would be able to collect in third party context
08:57:17 [ifette]
WileyS: what does blow mean?
08:57:24 [ifette]
rigo: security/financial reporting are reasonable
08:57:31 [ifette]
… then product development which are in this
08:57:34 [ifette]
WileyS: we dont have these
08:57:41 [ifette]
rigo: as long as those are not permitted uses this is not a problem
08:57:50 [justin]
+1 to rigo
08:57:53 [ifette]
… if permitted uses go beyond, you collect in a first-party trusted context, then re-purpose this later on
08:57:59 [ifette]
… for those that have a permitted use, no problem
08:58:06 [justin]
This is all contingent upon the scope of permitted uses (whether they are blown or not).
08:58:07 [ifette]
… but we could run into a problem later
08:58:11 [npdoty]
08:58:40 [ifette]
tl: if we are going to decide SPs can do a whole bunch of stuff with info throwing out the previous year of discussion re constraints of standing in shoes of FP, are there any other decisions you want us to take up?
08:58:41 [npdoty]
ack fielding
08:58:41 [Zakim]
fielding, you wanted to ask that be removed
08:59:00 [lmastria-DAA]
08:59:12 [ifette]
fielding: long part of the first definition be removed from be removed, dont reflect industry practice and dont add clarity
08:59:14 [npdoty]
I would support decreasing the length of this section; perhaps in a separate best practices document
08:59:15 [ifette]
… move this elsewhere
08:59:29 [hwest]
hwest has joined #dnt
08:59:33 [ifette]
aleecia: appendix of best practices sounds like a viable idea
08:59:33 [tlr]
08:59:37 [npdoty]
I do think we had agreement in Santa Clara last November that service providers would use technical means to silo data
08:59:39 [ifette]
… if we have enough to do an appendix, good concept
08:59:40 [rachel_n_thomas]
08:59:42 [tlr]
I think is long enough for an appendix of its own
08:59:42 [amyc]
08:59:45 [ifette]
ISSUE: have an appendix of best practices?
08:59:45 [trackbot]
Created ISSUE-175 - Have an appendix of best practices? ; please complete additional details at .
08:59:54 [ifette]
aleecia: let the editors deal with this
09:00:03 [ifette]
… as for this specific text, lets figure out normative side first
09:00:06 [ifette]
… then do non-normative
09:00:10 [justin]
Who is in charge of merging these three defs?
09:00:10 [BerinSzoka]
are we ever going to break? or shall we all just die of bladder-explosion?
09:00:23 [amyc]
are you defining blow?
09:00:26 [ifette]
… discuss more on next editors call
09:00:32 [justin]
We can add blow to the defs.
09:00:35 [npdoty]
09:00:40 [npdoty]
ack WileyS
09:00:41 [WileyS]
09:00:48 [npdoty]
ack lmastria-DAA
09:00:51 [johnsimpson]
Chris_DAA, There has been discussion about Issue-5 on the mailing list recently. Here was my attempt to define tracking: . Roy responded: It would be interesting if you offered a definition.
09:01:15 [Brooks]
Brooks has joined #dnt
09:01:16 [ifette]
lmastria-DAA: in response, all of these things are happening not in the wild west premise a number of folks seem to be suggesting re data sharing amongst companies. Not reality in the market
09:01:34 [ifette]
… reality is that if data is shared, there are contracts, compliance folks, there's an industry of privacy professionals who do nothing but manage this issue
09:01:42 [peter-4A]
09:01:46 [jchester2]
The reality of the market in the US is that the data is mixed and matched without regard to consumer privacy or consumer protection.
09:01:47 [rigo]
issue-175: Plan would be to have a very simple decision of Service Provider and have a best practice or guidance document non-normatively as an attachment to the Compliance Specification
09:01:47 [trackbot]
ISSUE-175 Have an appendix of best practices? notes added
09:02:03 [ifette]
… incumbent upon us to say you can comply with DNT or not, but not incumbent upon us to relitigate 15-20 years of internet evolution of how data flows among internet and service providers who provide a valuable function on the backend, create innovation, ...
09:02:08 [hwest]
Justin, I can take a first run at combining the three definition pieces
09:02:12 [npdoty]
Zakim, close the queue
09:02:12 [Zakim]
ok, npdoty, the speaker queue is closed
09:02:12 [ifette]
aleecia: closing the queue on this
09:02:15 [ifette]
… pen from alex
09:02:19 [tlr]
09:02:26 [ifette]
afowler: quick response to lou
09:02:31 [ifette]
… establishing expertise is important in comments
09:02:56 [ifette]
… as someone who spent 8 years auditing businesses including DAA members, can say with certainty that in engagements I was involved in, we found variance in business practices from what they were expecting in terms of data management
09:03:16 [ifette]
… not to say there were bad intentions / illegal / unethical conduct, just that practices were not up to snuff in terms of what they were expressing in privacy policies / general compliance
09:03:22 [fielding]
Note that DAA definition of "service provider" (an ISP advertiser) has nothing to do with our definitions, so please don't suggest the DAA applies to this definition.
09:03:48 [ifette]
… agree with premise that organizations largely legal/ethical/well intentioned, but as a privacy professional it's still an emerging field and this is complex, if we can help establish improvement through this standard we make the job of privacy officers stronger
09:03:49 [rigo]
09:03:50 [ifette]
09:03:54 [tlr]
ack next
09:04:01 [npdoty]
ack rachel_n_thomas
09:04:25 [ifette]
rachel_n_thomas: alex, in response as a former CPO and a PP myself, certain difficulties when you get into client environment, disagree that a standard would make this more likely to resolve those problems
09:04:33 [ifette]
… to point about a best practices document
09:04:53 [ifette]
… point to scope/charter of recommendation track specs, encourage us not to get into policy making outside of what is necessary for the technical standard
09:05:07 [ifette]
peter-4A: not to belabour point, but struggling with scoping issue
09:05:20 [ifette]
… going into what seems to lead towards an ambitious exercise to touch on intricacies of vendor relationships, etc
09:05:24 [ifette]
… when we are driving towards TPE
09:05:28 [rigo]
09:05:31 [ifette]
… as others explained, many statutory / regulatory issues
09:05:33 [npdoty]
ack peter-4A
09:05:34 [rigo]
ack peter-4A
09:05:34 [ifette]
… attempted to address
09:05:43 [ifette]
… suggest that other bodies address those and we stay on track
09:05:43 [Chris_DAA]
afowler, to your point, are you prepared to get specific about which companies for which you have audited, do not comply with their stated business practices? BTW- the DAA has a compliance mechanism and complaint mechanism, so perhaps you should bring your concerns with individual companies there. CBBB runs those mechanisms.
09:05:45 [ifette]
aleecia: break now
09:05:48 [tlr]
09:05:49 [ifette]
… switch scribes
09:05:57 [ifette]
aleecia: we didn't make it all the way through, missing ISSUE-156
09:06:00 [ifette]
09:06:03 [ifette]
… back in 30m
09:06:05 [npdoty]
half hour break. adjourned.
09:06:16 [Zakim]
09:06:31 [Zakim]
09:06:33 [Zakim]
09:06:33 [bilcorry]
group is taking half-hour break
09:06:35 [ifette]
I apologize for the typos though
09:06:38 [ifette]
mac keyboard :(
09:06:51 [johnsimpson]
Nick, what is call code again, please
09:06:56 [npdoty]
Zakim, code?
09:06:56 [Zakim]
the conference code is 26631 (tel:+1.617.761.6200, npdoty
09:07:20 [johnsimpson]
09:07:44 [npdoty]
rrsagent, pointer?
09:07:44 [RRSAgent]
09:17:38 [aleecia]
aleecia has joined #dnt
09:17:49 [rigo]
rigo has joined #dnt
09:17:55 [efelten]
efelten has joined #dnt
09:31:14 [Zakim]
09:31:27 [BrendanIAB]
Zakim, IPcaller is probably me
09:31:27 [Zakim]
+BrendanIAB?; got it
09:34:17 [justin]
09:34:20 [justin]
09:36:00 [Zakim]
09:36:12 [Zakim]
09:37:15 [johnsimpson]
are we back?
09:38:08 [johnsimpson]
09:38:54 [johnsimpson]
thanks, hearing nothing
09:39:59 [robsherman]
scribenick: robsherman
09:40:04 [npdoty]
npdoty has joined #dnt
09:40:23 [npdoty]
Zakim, who is on the phone?
09:40:23 [Zakim]
On the phone I see Telegraaf, Jonathan_Mayer, BrendanIAB?, fielding, johnsimpson
09:40:27 [npdoty]
starting up again.
09:40:34 [johnsimpson]
09:40:37 [robsherman]
aleecia: (Summarizing issues for this session.)
09:40:52 [Zakim]
09:40:54 [robsherman]
09:40:54 [trackbot]
ISSUE-132 -- Should the spec speak to intermediaries or hosting providers to modify any responses/statements about DNT compliance? -- open
09:40:54 [trackbot]
09:40:58 [vinay]
Nothing is being presented via AdobeConnect. Aleecia's computer for some reason can't share on it. Sorry!
09:41:06 [tl]
09:41:07 [fielding]
just text in TPE
09:41:18 [johnsimpson]
thanks, Vinay
09:41:20 [robsherman]
aleecia: We've addressed this substantively, but have no text. Maybe doesn't belong in defs & compliance.
09:41:25 [dwainberg]
09:41:28 [Simon]
Simon has joined #dnt
09:41:30 [npdoty]
Zakim, open the queue
09:41:30 [Zakim]
ok, npdoty, the speaker queue is open
09:41:33 [tl]
09:41:35 [justin]
zakim, open the queue
09:41:35 [Zakim]
ok, justin, the speaker queue is open
09:41:35 [dwainberg]
09:41:39 [robsherman]
… Potentially create a new section. Should someone work on text?
09:41:44 [npdoty]
ack tl
09:41:47 [johnsimpson]
i thought there was text in TPE
09:41:48 [fielding]
or do you mean retention of information from DNT:1 requests?
09:41:56 [jchester2]
jchester2 has joined #dnt
09:41:58 [robsherman]
tl: Have TPE section on this that pretty much covers this.
09:41:59 [dsinger]
end of section 3 of the TPE, includes "Implementations of HTTP that are not under control of the user must not generate or modify a tracking preference."
09:42:12 [npdoty]
I agree, TPE section seems sufficient
09:42:14 [jmayer]
09:42:31 [robsherman]
… In Santa Clara, we discussed examples of this — including a proxy to ensure that each HTTP request has a specified header.
09:42:49 [robsherman]
… No need for more text if we comply with other requirements, but maybe add a pointer.
09:43:07 [jeffwilson]
09:43:10 [npdoty]
ack dwainberg
09:43:23 [robsherman]
dwainberg: Agree w/ tl.
09:43:42 [npdoty]
ack jmayer
09:43:42 [robsherman]
… Leaves open questions of who is responsible for ensuring that it's a deliberate choice and what we do if it's not.
09:44:07 [ifette]
09:44:10 [robsherman]
jmayer: Agreement on "not meddling." Maybe pressure on definition of an intermediary.
09:44:19 [Desmond]
Desmond has joined #dnt
09:44:39 [robsherman]
… Ex: would a server-side proxy count as an intermediary? Does it matter if it's within server's control?
09:45:03 [ionel]
ionel has joined #dnt
09:45:09 [robsherman]
tl: Don't need a definition of intermediary if we say that the rules are the same.
09:45:35 [robsherman]
… Whether you're a UA or intermediary or martian, we don't need to define those categories if we know the substantive obligations.
09:46:05 [robsherman]
jmayer: If web server removed DNT header for certain browsers, how do we think about that?
09:46:23 [WileyS]
09:46:24 [fielding]
09:46:27 [robsherman]
… No problems coming from user perspective, but maybe from server perspective.
09:46:31 [BrendanIAB]
Is the "intermediary" required just to meet the "user intent" or also the rest of the features?
09:46:37 [robsherman]
tl: Can't we subject that scenario to the same test we've already described?
09:46:52 [npdoty]
I assume that a server's compliance is considered on the whole, rather than defined as different sets of intermediaries.
09:47:01 [robsherman]
jmayer: One possibility is that the server is within the control of the party running the website, so we wouldn't consider it an intermediary.
09:47:18 [npdoty]
09:47:36 [MikeZ]
09:47:45 [tl]
09:47:48 [robsherman]
aleecia: Question is what if we add no text, and don't use the word "intermediary"? Would we be okay with the text as it stands?
09:47:50 [npdoty]
ack jeffwilson
09:47:53 [robsherman]
ifette: No.
09:48:13 [robsherman]
jeffwilson: Do we have an open issue on where intermediary is required to sync status with JS API?
09:48:43 [robsherman]
aleecia: Let's discuss tomorrow.
09:48:55 [fielding]
note that the inbound connection of an intermediary isn't even necessarily HTTP, so it is hard to require non-meddling in general
09:49:03 [amyc]
amyc has joined #dnt
09:49:11 [robsherman]
dsinger: We expect sync, but if that's not clear we should make it clear.
09:49:21 [tl]
+q to try and express the difference between the server (which I think is the responsibility of the person running it) and an "intermediary" as we've generally been talking about it which -- unless specifically instructed by the user shouldn't edit it.
09:49:24 [jmayer]
s/Let's discuss tomorrow./Let's discuss tomorrow. That's a matter for the TPE document./
09:49:35 [npdoty]
ack ifette
09:50:06 [robsherman]
ifette: Procedural concern about people raising pens to respond to something that's been said rather than for clarifying question. Rely on queue.
09:50:08 [Chapell]
Chapell has joined #DNT
09:50:10 [robsherman]
aleecia: +1
09:50:19 [Simon]
Simon has joined #dnt
09:50:40 [dsinger]
09:51:08 [robsherman]
ifette: ISSUE-132 is important specifically because of this issue. Need intermediary requirement to ensure they aren't creating an inconsistent situation. If proxy is changing header and server is ignorant of this, the intermediary creates a problem for both server and user. Not sure how to avoid this problem, but important to say that we shouldn't create these problems.
09:51:17 [npdoty]
ack WileyS
09:51:19 [BrendanIAB]
+1 to not creating problems with JS and HTTP out of sync
09:51:23 [robsherman]
aleecia: Leave this issue open but shift from Compliance to TPE?
09:51:38 [bhuseman]
bhuseman has joined #dnt
09:52:07 [robsherman]
WileyS: Seems related to requirement to honor non-compliant DNT signals. If there's an intermediary that modified DNT setting on behalf of a user, would that be compliant? May want to solve that issue before coming back to this.
09:52:18 [robsherman]
aleecia: I'd like to solve this issue as it is.
09:52:29 [npdoty]
ack MikeZ
09:52:43 [fielding]
better link for intermediary definition:
09:52:59 [robsherman]
MikeZ: Agree with ifette that we need one signal. Challenge with this issue relates to discussion about the "tri-part state" and how option is presented to users. Intermediaries aren't user-facing and may not be able to present options and tradeoffs.
09:53:13 [robsherman]
… Agree that if we get the spec right then this goes away, but I'm worried we haven't gotten it right.
09:53:35 [jmayer]
We could use a networking definition of intermediary. We could use an HTTP definition. We could craft our own definition influenced by both.
09:54:08 [robsherman]
tl: Parts of network infrastructure that are under control of party receiving the signal — the party has an obligation to comply, and we don't need to impose that liability on intermediaries directly.
09:54:13 [npdoty]
WileyS, is your concern about "intermediaries" on the server-side? or about a user-controlled intermediary setting a DNT value?
09:54:26 [WileyS]
Both sides
09:54:31 [WileyS]
Nick, both sides
09:54:39 [npdoty]
ack tl
09:54:39 [Zakim]
tl, you wanted to try and express the difference between the server (which I think is the responsibility of the person running it) and an "intermediary" as we've generally been
09:54:41 [npdoty]
ack dsinger
09:54:42 [rvaneijk]
09:54:42 [Zakim]
... talking about it which -- unless specifically instructed by the user shouldn't edit it.
09:54:48 [robsherman]
… Difficult to design a proxy that implements DNT correctly, but we shouldn't say that's impossible. We can have a standard that offers this and says that, if you can't do this right you shouldn't do it.
09:55:23 [npdoty]
dsinger, I thought we had dropped the "echo" requirement as not commonly important
09:55:26 [robsherman]
dsinger: How does the UA know what the server thinks it's responding to? Ex: there are old proxies that strip HTTP headers they're not familiar with, so you may think you're sending DNT:1 but not having it get through.
09:55:27 [dsinger]
this is closely related to the user/user-agent being able to check what the server actually got. that's an open question against "what are the response and well-known resource for"?
09:55:39 [npdoty]
ack rvaneijk
09:55:44 [BrendanIAB]
dsinger - you require that the JS and the HTTP header be in sync, so that you can doublecheck
09:55:47 [WileyS]
dsinger, you'd get that in the Server response
09:56:04 [kj]
kj has joined #dnt
09:56:13 [WileyS]
dsinger, UA should be able to see the disconnect between signal sent and response received
09:56:18 [robsherman]
rvaneijk: Sometimes ISPs add subscriber IDs to headers. When speaking about intermediaries, is that something we should address?
09:56:49 [robsherman]
… If DNT is valid, this kind of injection of headers with IDs conflicts with the idea of DNT. Not sure how to address this specifically, but I am concerned about it.
09:56:49 [dsinger]
to WileyS: I think if someone changed your DNT:1 to DNT:0 you'd see the "I got consent" response. But if it got deleted, you only know "I behave according to 3rd party rules" and you don't know if your DNT:1 made it or not. At least, it's worth checking that we cover this.
09:57:15 [robsherman]
aleecia: Add another compliance section for ISPs. Don't know if we want to go down that path, but not sure there's another option.
09:57:23 [WileyS]
dsinger, I'm fairly certain we do but easy enough to run this use case against the TPE
09:57:25 [npdoty]
09:57:26 [fielding]
It is easier just to say that an intermediary must relay any received user preference if the information received in the request is forwarded.
09:57:36 [robsherman]
… Any thoughts on how to address this?
09:57:52 [BrendanIAB]
To rvaneijk point - I think this is out of scope of the DNT group, and really is part of HTTP 1.2?
09:58:23 [BrendanIAB]
Given that Tracking Protection work is for expression of a preference, rather than eliminating data on the HTTP request.
09:58:32 [robsherman]
rvaneijk: Separate issue about ISPs injecting HTTP headers.
09:59:42 [robsherman]
npdoty: Understand the privacy concern. Not sure if we want to address it here. I think the expectation of many in the TPWG is that we're dealing with endpoints and are technology-agnostic. So rather than focusing on specific methods of tracking, the requirements on the recipient are the same. (That is, it doesn't matter whether party gets an identifier through a cookie or through an HTTP header.)
10:00:01 [robsherman]
rvaneijk: Treat this as data?
10:00:06 [npdoty]
10:00:09 [robsherman]
aleecia: Or treat the ISP as a third party?
10:00:09 [npdoty]
ack npdoty
10:00:15 [npdoty]
10:00:29 [Marije]
Marije has joined #dnt
10:00:41 [robsherman]
bryan: This is separate from what we're focusing on here.
10:00:42 [fielding]
q+ to suggest It is easier just to say that an intermediary must relay any received user preference if the information received in the request is forwarded.
10:00:48 [fielding]
10:00:56 [tl]
10:01:05 [rigo]
ack fielding
10:01:05 [Zakim]
fielding, you wanted to suggest It is easier just to say that an intermediary must relay any received user preference if the information received in the request is forwarded.
10:01:18 [robsherman]
fielding: ^^^
10:01:27 [robsherman]
aleecia: Sounds like this is more TPE than compliance.
10:01:35 [npdoty]
issue: requirements on intermediaries/isps and header insertion that might affect tracking
10:01:35 [trackbot]
Created ISSUE-176 - Requirements on intermediaries/isps and header insertion that might affect tracking ; please complete additional details at .
10:01:39 [robsherman]
fielding: Don't know.
10:01:56 [rvaneijk]
s/Treat this as data?/Treat this as data append?
10:02:08 [robsherman]
aleecia: Straw poll: problems with fielding's proposal?
10:02:10 [npdoty]
action: vaneijk to draft explanation on intermediaries and inserted headers
10:02:10 [trackbot]
Sorry, couldn't find vaneijk. You can review and register nicknames at <>.
10:02:17 [npdoty]
action: van eijk to draft explanation on intermediaries and inserted headers
10:02:17 [trackbot]
Created ACTION-301 - Eijk to draft explanation on intermediaries and inserted headers [on Rob van Eijk - due 2012-10-11].
10:02:27 [npdoty]
action-301: see issue-176
10:02:27 [trackbot]
ACTION-301 Eijk to draft explanation on intermediaries and inserted headers notes added
10:02:31 [tl]
10:02:52 [dwainberg]
10:03:25 [robsherman]
efelten: tl talked about the possibility that an intermediary could satisfy the requirements of the spec (ex., gets informed consent from user to become first party).
10:03:35 [ifette]
10:03:37 [robsherman]
… If intermediary figured out how to do that, could it inject a DNT on behalf of the user?
10:04:35 [robsherman]
fielding: My proposed text would require proxy to forward DNT:0 that came from the browser rather than being able to replace it with DNT:1.
10:05:23 [fielding]
I agree with ifette, but he can have the action
10:05:25 [robsherman]
ifette: Disagree with Roy's text. Not strong enough to simply relay a preference received from browser. "Relay" should be changed to "be consistent with" because we have the issue of header vs JS API. If browser is in an inconsistent state, that creates a problem.
10:05:35 [robsherman]
aleecia: Can fielding/ifette work on this in IRC?
10:05:39 [robsherman]
ack tl
10:05:39 [jmayer]
10:05:39 [jeffwilson]
10:05:42 [npdoty]
Zakim, close the queue
10:05:42 [Zakim]
ok, npdoty, the speaker queue is closed
10:06:22 [ifette]
I would suggest that "an intermediary must not add or change any signal that will result in a server receiving an inconsistent DNT state when looking at the DNT value expressed in the header vs the DNT value expressed via the JavaScript API"
10:06:24 [robsherman]
tl: I am concerned that fielding's proposal would remove the possibility of several sophisticated implementations, and I don't think we need it because there's already an obligation to represent the will of the user.
10:06:47 [jeffwilson]
ksmith +1
10:06:54 [robsherman]
ksmith: If you're going to have a JS API, you can't allow intermediary to change header.
10:06:55 [bryan]
I also agree that specifically forbidding technical solutions that are aligned with DNT's intent (preference of the user) is a bad thing
10:07:15 [bryan]
10:07:38 [npdoty]
10:07:42 [WileyS]
Use case population: 1
10:07:45 [robsherman]
tl: Disagree. I have multiple browsers. I also have a proxy that adds DNT header. And I have a database that decides which sites get DNT:1 vs DNT:0. Finally, I use browser plugins. This whole thing is compliant.
10:07:47 [dsinger]
suggest we set functional rules,
10:08:04 [npdoty]
10:08:08 [fielding]
not following how tl's case is prevented by intermediary being consistent
10:08:10 [dsinger]
10:08:13 [robsherman]
bryan: We shouldn't overstate this problem. tl's example is a factor of the scalability of DNT.
10:08:34 [robsherman]
… We should be careful about overly restricting the possibility of new solutions to this problem.
10:08:59 [robsherman]
fielding: I didn't see anything in tl's description that would suggest an intermediary that would override DNT value.
10:09:00 [dsinger]
you should be able to have your preference in the cloud and have a JS API and a proxy both of which use the cloud setting, in all your devices
10:09:12 [robsherman]
tl: My proxy on my gateway is the only thing that sets DNT header.
10:09:19 [robsherman]
fielding: So then there's no DNT header to change.
10:09:22 [npdoty]
ack dwainberg
10:09:25 [BerinSzoka]
like most typical users, Tom runs a proxy server on his gateway... presumably, cURL is involved, too
10:09:45 [robsherman]
dwainberg: This depends on requirement that DNT signal reflect user's explicit, deliberate choice.
10:10:02 [robsherman]
… If we're going to go down the road of imposing obligations on intermediaries then we need to define what an intermediary is.
10:10:07 [robsherman]
aleecia: We'll need to do that.
10:10:14 [fielding]
and specifically, this would be for intermediaries that forward any information in the received request
10:10:17 [robsherman]
dwainberg: If we're going to discuss it, then we need to do so as a threshold matter.
10:10:25 [robsherman]
tl: I can live with a rule that prohibits modifying or removing a DNT signal.
10:10:29 [npdoty]
10:10:45 [rachel_n_thomas]
rachel_n_thomas has joined #dnt
10:10:48 [Chapell]
10:10:58 [Chapell]
10:11:10 [robsherman]
ifette: "an intermediary must not add or change any signal that will result in a server receiving an inconsistent DNT state when looking at the DNT value expressed in the header vs the DNT value expressed via the JavaScript API"
10:11:17 [BrendanIAB]
I don't think that a rule "you cannot modify a sent DNT header" is reasonable, because it precludes the possibility of an ISP level consent management system.
10:11:17 [Chapell]
chapell is tempted to raise his voice to zakim
10:11:31 [npdoty]
10:11:32 [robsherman]
tl: I can think of different text with fewer words.
10:11:45 [BrendanIAB]
Since the queue is closed, sign me up to help wordsmith
10:11:54 [robsherman]
aleecia: Let's leave the issue open, and tl will come up with competing text that we can discuss via the mailing list.
10:12:14 [robsherman]
10:12:19 [npdoty]
ack ifette
10:12:23 [bryan]
10:12:25 [tl]
Suggestion: "If an HTTP request includes a DNT header, do not modify or remove it."
10:12:38 [jeffwilson]
10:12:43 [npdoty]
ack jmayer
10:12:45 [tl]
10:12:46 [robsherman]
ifette: Possible to create an intermediary that's compliant. I just think that it's difficult, and any text that we come up with needs to maintain that consistency.
10:12:47 [robsherman]
tl: +1
10:13:06 [Chapell]
TL: how does your rule apply to non-compliant DNT headers?
10:13:34 [npdoty]
action: lowenthal to draft intermediary requirements, without implementation details (with Brendan)
10:13:34 [trackbot]
Created ACTION-302 - Draft intermediary requirements, without implementation details (with Brendan) [on Thomas Lowenthal - due 2012-10-11].
10:13:35 [bryan]
one of the main weaknesses of such a blanket restriction is that the "user" in DNT is not always the owner of the device e.g. for kiosk browsers
10:13:40 [Chapell]
TL: not trying to beat the drum of the apache announcement, but your rule seems at odds with Apache's treatment of IE
10:13:43 [fielding]
tl, text doesn't work because it may not be HTTP on both sides of intermediary
10:13:45 [tl]
Chapell: Thou shalt not modify or remove DNT headers. Don't second-guess them.
10:13:57 [Chapell]
TL: not really answering my question
10:14:03 [tl]
fielding: Patch, plz.
10:14:18 [fielding]
my original wording ;-)
10:14:21 [npdoty]
ack jmayer
10:14:24 [robsherman]
jmayer: Two buckets to think through: (1) intermediaries shouldn't modify or delete DNT headers if the user is actually controlling/setting it. (2) intermediary that is used for a purpose other than UA (ex., web server software) and wants to make a claim about DNT compliance.
10:14:25 [lmastria-DAA]
lmastria-DAA has joined #dnt
10:14:28 [tl]
Chapell: Yes. It does. Do not modify or remove a DNT header, even if you think it's wrong.
10:14:43 [Chapell]
TL: in your opinion, doesn't the Apache announcement re: violate your proposed rule?
10:14:58 [fielding]
Chapell, of course it does.
10:15:02 [robsherman]
… Resolution would be to split into (1) intermediaries that touch packets in flight, and (2) software and hardware vendors that provide non-UA and want to make claims about DNT compliance.
10:15:08 [Walter]
For what reason would you alter a DNT header?
10:15:18 [Chapell]
Fielding: then I absolutely object to TL's language
10:15:38 [tl]
Chapell, fielding: I think that anyone who used Apache would have to change the default config to comply with DNT.
10:15:38 [robsherman]
rvaneijk: This is in the context of non-repudiation.
10:15:42 [robsherman]
ifette: Integrity.
10:15:47 [Chapell]
TL: unlike certain religious leaders, browsers are not infallible
10:15:50 [Chapell]
10:16:04 [fielding]
It is impossible to comply with DNT right now.
10:16:11 [tl]
Chapell: Intermediates should not second-guess clients.
10:16:19 [bryan]
the notion that a UA (of which there may be many that a user uses) is always and distinctly managed by the specific user making a request (when that user may have logged into a service without modifying the UA settings), is a key weakness
10:16:27 [robsherman]
ifette: Non-repudiation is when someone can prove that you said something at a later point in time. Integrity is proving that what you said remains intact.
10:16:37 [robsherman]
aleecia: Appreciates ifette's pen-raising.
10:16:48 [justin]
10:16:49 [Chapell]
TL: again, the browsers are not infallible...
10:17:09 [fielding]
10:17:19 [robsherman]
tl: Roy and Alan both object to a rule prohibiting modifying/removing DNT signals.
10:17:20 [Zakim]
10:17:24 [fielding]
tl, I was proposing such a rule
10:17:29 [Walter]
rigo: I think that actually is sensible for the multi-domain issue
10:17:38 [bryan]
+1 to the objection on an explicit rule
10:17:44 [robsherman]
dwainberg: Why is a server an intermediary if a browser is not?
10:17:48 [tl]
fielding: I thought you said that my rule nixed Apache?
10:17:48 [dsriedel]
@TL: is apache an intermediary and not the "end-point" in the conversation between the browser and the server (apache)?
10:17:55 [npdoty]
(for the notes, some non-scribes are using : to direct comments to others, not scribing what the recipient is saying)
10:18:21 [fielding]
Apache httpd has origin server, proxy, and reverse proxy functionality
10:18:23 [robsherman]
jmayer: Agree w/ aleecia that these are distinct issues. But they tend to get lumped into "intermediary compliance" and we should better distinguish them.
10:18:54 [tl]
Revised suggestion: "If a communication includes a DNT signal, do not modify or remove it."
10:19:13 [robsherman]
aleecia: jmayer to create an issue.
10:19:17 [efelten]
scribenick: efelten
10:19:19 [tl]
Chapell, fielding &^
10:19:19 [dsinger]
10:19:21 [npdoty]
how does this differ from issue-132?
10:19:43 [Chapell]
10:19:47 [efelten]
aleecia: Will finish the queue
10:19:51 [dsinger]
from the point of view of HTTP, the server and the user-agent are the end-points; from the point of view of compliance, the user and the service are.
10:20:01 [efelten]
npdoty: Queue was closed, people using fingers to speak.
10:20:04 [Chapell]
Zakim, you're making it difficult to have decorum in this room when you keep closing the queue
10:20:04 [Zakim]
I don't understand you, Chapell
10:20:09 [Chapell]
10:20:13 [dsinger]
so, "intermediary" is ambiguous until you talk about the context
10:20:41 [efelten]
tl: Modified language to try to address concerns from Chapell, fielding etc. What do they think of the new language?
10:20:44 [fielding]
that is another issue
10:20:49 [efelten]
aleecia: Won't solve in this session.
10:21:00 [Walter]
would "intentionally" be helpful in this context?
10:21:05 [fielding]
origin server
10:21:09 [tl]
Walter: no
10:21:10 [BrendanIAB]
There's a difference between "second guessing" and "having user configuration"
10:21:20 [efelten]
dsinger: "intermediary" ambiguous. Talking about HTTP protocol, or DNT compliance? It matters which context we're talking in.
10:21:43 [BrendanIAB]
If the intermediary was configured by the user, then the intermediary isn't second guessing the browser signal, and should be able to modify.
10:21:47 [efelten]
… modifying user expression between user and UA is an intermediary for DNT purposes, but not an HTTP intermediary.
10:21:51 [jmayer]
ISSUE: Should we specify compliance requirements for software and hardware other than user agents? For example, is a web server package compliant if it tweaks DNT headers?
10:21:52 [trackbot]
Created ISSUE-177 - Should we specify compliance requirements for software and hardware other than user agents? For example, is a web server package compliant if it tweaks DNT headers? ; please complete additional details at .
10:21:58 [efelten]
xxx: Let's use the queue.
10:22:06 [dwainberg]
dsinger, yes, but I think it's between the user and the recipient party
10:22:09 [npdoty]
10:22:14 [vinay]
10:22:19 [justin]
Difference between stripping and ignoring.
10:22:33 [efelten]
… Does the Apache decision violate tl's rule. Don't think that's fair.
10:22:39 [efelten]
… [questions legitimacy of process]
10:22:42 [WileyS]
+1 to Alan
10:22:42 [dwainberg]
outside of that HTTP protocol context, then, browsers, servers, etc. are all intermediaries -- in your formulation
10:23:16 [tl]
Scribe note: at no point have I stated that Apache would break my rule. Roy said that. I'm not sure I agree.
10:23:17 [efelten]
aleecia: We have text from Ian, text from Roy, text from tl. Let's capture those, an action for each against ISSUE-132.
10:23:19 [fielding]
An intermediary must relay any received user preference if the information received in the request is forwarded.
10:23:23 [WileyS]
Actually the UA is an intermediary as well. This is between a user and a Server.
10:23:26 [ifette]
ISSUE-132: I would suggest that "an intermediary must not add or change any signal that will result in a server receiving an inconsistent DNT state when looking at the DNT value expressed in the header vs the DNT value expressed via the JavaScript API"
10:23:27 [trackbot]
ISSUE-132 Should the spec speak to intermediaries or hosting providers to modify any responses/statements about DNT compliance? notes added
10:23:27 [justin]
There should be transparency regardless. Intermediaries should not strip, we can have the discussion later about whether end parties can dispute/ignore/etc and whether/how that should be conveyed back.
10:23:33 [efelten]
aleecia: move on to new topic
10:23:38 [npdoty]
Zakim, open the queue
10:23:38 [Zakim]
ok, npdoty, the speaker queue is open
10:23:40 [ifette]
10:23:40 [trackbot]
ISSUE-32 -- Sharing of data between entities via cookie syncing / identity brokering -- open
10:23:40 [trackbot]
10:23:45 [efelten]
… ISSUE-32 now
10:23:52 [efelten]
… queue should be open now
10:23:57 [ifette]
10:24:02 [efelten]
… ACTION-106 against ISSUE-32
10:24:26 [efelten]
… Have text from mailing list from Vincent. Spent time on this. No complaints on mailing list.
10:24:35 [efelten]
… [reads text]
10:24:36 [bryan]
(what I wanted to say) re what Tom noted, if an intermediary does have evidence that a DNT signal does not reflect the intent of the user then it should have latitude to modify the signal
10:24:54 [npdoty]
Chapell, I think that tl's rule is suggesting that intermediaries should not remove an existing header, and does not speak to the question of how servers must respond to headers they believe do not respect the user's preference
10:25:00 [WileyS]
Justin, if UAs (as an intermediary to the user) can alter a user's express choice, then other intermediaries should be able to correct this.
10:25:37 [efelten]
… text has been revised several times. Are we ready to adopt it?
10:25:43 [tl]
I think that server is the responsibility of the recipient controlling it.
10:26:02 [efelten]
hwest: May be simple definitional thing: ID brokering means something different to me. Need to avoid terminology conflict.
10:26:10 [tl]
npdoty: I'm having difficulty loading the tracker. Is it just me?
10:26:19 [npdoty]
ack hwest
10:26:20 [justin]
WileyS, bryan, Why not leave to end server? Why are intermediaries policing?
10:26:21 [npdoty]
ack vincent
10:26:36 [efelten]
vincent: Text meant to be about cookie synching. But cookie synching is just one way to implement this, mean to be more general.
10:26:48 [efelten]
aleecia: More generally, synchronization between parties?
10:26:50 [npdoty]
ack ifette
10:26:51 [efelten]
vincent: yes
10:27:00 [Chapell]
dpdoty: i'll take a look at the text when TL revises. as written, I believe that it says something else
10:27:06 [efelten]
ifette: Don't see normative text here. No MUST, SHOULD etc. Need to fix
10:27:12 [tl]
npdoty: Just came back for me.
10:27:12 [Chapell]
Sorry NPDoty
10:27:16 [efelten]
aleecia: [points to normative text at end]
10:27:20 [tl]
npdoty: Still very slow for me though.
10:27:30 [npdoty]
ack dwainberg
10:27:40 [efelten]
dwainberg: Not sure I understand what this does that's not already in the spec elsewhere.
10:27:44 [tl]
ISSUE-132 My text suggestion: "If a communication includes a DNT signal, do not modify or remove it."
10:27:45 [ifette]
q+ to ask how this specific text would affect redirects
10:28:04 [efelten]
aleecia: Asked and answered in email. Points to email from Vincent on March 21
10:28:14 [BrendanIAB]
dwainberg - what it does is prevent the inclusion of HTML elements by a 3rd party to another 3rd party.
10:28:52 [efelten]
amyc: +1 dwainberg, don't understand what this changes.
10:29:06 [efelten]
… what does this limit that is not already limited?
10:29:32 [efelten]
vincent: Depends whether exceptions are transitive for third parties. If not transitive, this might change what's allowed.
10:29:54 [efelten]
rigo: This is the auction case we wanted to cover, in the transitive permissions discussion with Brooks.
10:29:56 [vinay]
Fielding - correct. For some reason, Aleecia couldn't share her screen.
10:30:11 [efelten]
… Transitivity covers part of what you want. This is limitation on transitivity.
10:30:11 [npdoty]
ack jmayer
10:30:12 [BerinSzoka]
once again, I'm disturbed that we're tossing around terms that aren't defined. How many lawyers are there in the room, anyway?
10:30:22 [vinay]
Here is the page she is looking at --
10:30:28 [fielding]
tl, my language is better
10:30:48 [efelten]
jmayer: Suggest we not have language on cookie synching. Should have general discussion of unique IDs and sharing thereof. That should be sufficient.
10:30:59 [efelten]
… Don't need to address this specific present business practice.
10:30:59 [npdoty]
ack ifette
10:30:59 [Zakim]
ifette, you wanted to ask how this specific text would affect redirects
10:31:13 [efelten]
ifette: Looking at text, know we have open issue on redirects.
10:31:18 [tl]
fielding: Can you re-paste?
10:31:24 [robsherman]
+q to raise a drafting point
10:31:27 [efelten]
… Not clear what "must not transmit" means for redirects.
10:31:38 [fielding]
An intermediary must relay any received user preference if the information received in the request is forwarded.
10:31:46 [efelten]
… If want to restrict back-end cookie synching, that's fine. But worry about possible complications with redirects.
10:31:57 [dhaan]
dhaan has joined #dnt
10:32:11 [efelten]
… Not comfortable with this text until more clarity on some use cases.
10:32:22 [BerinSzoka]
to put this in engineer-friendly terms: building a spec without clear definitions is a bit like building a house without a foundation: the taupe shutters might be very pretty, but when the first wind of criticism blows in the real world...
10:32:31 [tl]
fielding: I want to be explicit that the two things you shouldn't do are: (1) remove or (2) modify a DNT signal.
10:32:38 [efelten]
… Would be more comfortable if it were more specific about identifier synching, but think this may already be covered by third-party sharing language.
10:32:39 [Walter]
BerinSzoka: +1
10:32:39 [npdoty]
ack Brooks
10:32:46 [efelten]
… Might be agreeing with Jonathan.
10:32:49 [Chris_DAA]
fyi, "identity brokering" is not a term of art in the ad industry
10:33:06 [efelten]
Brooks: Text uses terms of art like SSP, DSP, which should be defined if used.
10:33:15 [Marc]
+1 to Brooks
10:33:21 [efelten]
… Language needs to be more careful.
10:33:32 [efelten]
aleecia: Is this a drafting issue, or do you have a problem with the substance?
10:33:44 [vinay]
+1 to Brooks
10:33:47 [efelten]
Brooks: Would have to see redrafted language to know.
10:34:15 [fielding]
tl, which isn't relevant because the forwarded request is a different message, and thus neither removed nor modified
10:34:24 [BerinSzoka]
is anyone keeping a list of key undefined terms? That might be helpful if this bird is actually supposed to fly anytime soon...
10:34:35 [npdoty]
good volunteering, BerinSzoka
10:34:37 [efelten]
aleecia: Queue is empty. Vincent, please give a quick summary. Do we still need this, and why?
10:34:47 [tl]
fielding: What?
10:35:05 [efelten]
Vincent: Depends on transitivity of exceptions. If not transitive, this isn't needed. If transitive, need something along these lines.
10:35:24 [efelten]
… If you're transmitting IDs, probably need some language.
10:35:39 [efelten]
aleecia: Postpone this issue, come back after we have worked out transitivity.
10:35:43 [npdoty]
ack WileyS
10:36:15 [efelten]
WileyS: Is there still a question about transitivity of permitted uses? Thought it was already decided as transitive.
10:36:17 [fielding]
tl, A ---> intermediary ---> B , there is no implication that the A side is even using the same protocol as B, let alone the same message
10:36:39 [jmayer]
We do not have consensus on transitivity of permitted uses or user-granted exceptions.
10:36:40 [efelten]
rigo: [comic relief]
10:37:11 [BerinSzoka]
looks like schunter couldn't handle the "vibrate" mental image
10:37:12 [efelten]
… Vincent is trying to determine what the transitivity of permission for user-granted exception means.
10:37:30 [tl]
fielding: When you're relaying or forwarding a message, it's the same message.
10:37:39 [npdoty]
jmayer, if you have an alternative to the text that rigo has proposed on transitivity of exceptions (which I believe is now in the TPE, via dsinger), it would be good to document that
10:37:42 [efelten]
… Already discussed at some point, even in a transitive situation, might hit somebody who user explicitly says not to allow.
10:38:00 [fielding]
read the text you proposed
10:38:10 [efelten]
… Suggest Vincent's concern is already covered by current text on transitivity.
10:38:41 [efelten]
WileyS: If you agree in EU with financial fulfillment requirements, then this is still a non-issue.
10:38:45 [tl]
fielding: If I whisper my communique in the ear of a messenger who writes it down to communicate it to a deaf messenger who sends it via morse over a telegraph, it's still the same message.
10:38:59 [efelten]
… Can expand this issue to user-granted exceptions, but it's a null issue for permitted uses.
10:39:25 [schunter]
schunter has joined #dnt
10:39:40 [efelten]
aleecia: What I'm hearing: I have a chain from A to B to C, even though user has said no specifically to B, data would be able to go through B to C for permitted uses?
10:39:45 [efelten]
… Right?
10:39:47 [efelten]
WileyS: yes
10:40:09 [efelten]
rigo: WileyS, do you think the financial permitted use cover the whole ad exchange scenario?
10:40:24 [efelten]
wileys: Yes, that's a requirement of logging.
10:40:40 [efelten]
aleecia: Then what does it mean to send DNT:0 to party B?
10:40:41 [jmayer]
To be clear: this is Shane's interpretation of EU law. Many would disagree with that interpretation.
10:41:04 [efelten]
WileyS: [scribe missed the response. WileyS, help please.]
10:41:54 [efelten]
rigo: If permitted use given to first party site-wide, what you're suggesting seems very broad.
10:42:05 [jchester2]
Can Shane place in IRC some use cases of how even with DNT 1 sent, ad entities will be able to process the data under the proposed permitted uses?
10:42:12 [efelten]
WileyS: Disagree with premise that permitted uses equal everything.
10:42:30 [efelten]
… Important to understand how ad exchanges and cookie synching work.
10:43:05 [efelten]
Walter: Introduces self. Works for Open Rights group.
10:43:39 [efelten]
… Don't follow the argument for why accounting requirements would allow party B to do tracking.
10:43:44 [fielding]
tl, I think we have to agree to disagree -- message is a defined term in HTTP, so trying to "improve" the text by assuming some other ambiguous use of the same English term is not productive.
10:43:50 [efelten]
aleecia: Rigo and WileyS should discuss.
10:44:05 [Marije]
Marije has joined #dnt
10:44:08 [Chapell]
I'm sorry - but can someone let me know who our new guest is?
10:44:15 [Chapell]
I didn't pick up on the intro
10:44:16 [tl]
fielding: Good thing I didn't use the word "message" then, isn't it?
10:44:18 [efelten]
… Defer issue. Larger issue has surfaced for discussion.
10:44:25 [Chapell]
a quick note in IRC would be helpful
10:44:27 [tlr]
s/Open Rights group/Vrijschrift/
10:44:36 [Chapell]
Invited expert? W3C Staff?
10:44:37 [efelten]
… Move on to URL redirection, ISSUE-97
10:44:38 [Walter]
Ok, I'll reintroduce myself
10:44:43 [Chapell]
Thanks Walter
10:44:56 [Walter]
I'm a stand-in for Jim Killock of Open Rights Group
10:45:02 [tlr]
Walter is an Invited Expert. He is with Vrijschrift.
10:45:19 [npdoty]
npdoty has left #dnt
10:45:21 [WileyS]
Another consumer advocate/regulator invited expert?
10:45:25 [npdoty]
npdoty has joined #dnt
10:45:38 [Chapell]
I'm confused - sorry - Vrijschrift is the same as Open Rights Group
10:45:42 [fielding]
tl, good point, but you didn't use forward either
10:45:44 [Walter]
no, it is not
10:45:50 [efelten]
rigo: WileyS and I have to discuss this. Seems to be a misunderstanding about the transitive permissions issue.
10:45:55 [Walter]
Vrijschrift is kind of a 'sister' to ORG
10:46:26 [efelten]
… Will discuss what the status of ad exchanges is under permitted uses.
10:46:29 [Walter]
Vrijschrift is a Dutch civil society group
10:46:54 [Walter]
tlr: BTW: what are the wifi details? I'm on a laggy GPRS-connection now
10:46:55 [efelten]
Marc: Thanks.
10:47:02 [WileyS]
civil society group = consumer advocate in our terms :-)
10:47:04 [trackbot]
ISSUE-97 -- Re-direction, shortened URLs, click analytics -- what kind of tracking is this? -- open
10:47:16 [efelten]
aleecia: Redirection might depend on how we address first parties.
10:47:22 [tl]
fielding: I think I'm not following you again.
10:47:27 [ifette]
wifi password is cookiemonster
10:47:42 [kimon]
kimon has joined #dnt
10:47:44 [fielding]
tl, it's 3:47am here -- I am not following me
10:47:47 [Chapell]
Walter: Thanks
10:47:48 [efelten]
… have some proposed language. Reads use case from Justin.
10:47:56 [Chapell]
.... when were you guys added to the group?
10:47:58 [WileyS]
Ian - wouldn't you have to be on the WiFi for the password to be useful? :-)
10:48:02 [susanisrael]
walter: wifi id and password behind you on whiteboard
10:48:12 [efelten]
ifette: If you click on something and that results in a redirect chain, think everyone who gets redirected through is part of the chain.
10:48:18 [efelten]
… all should be considered first parties.
10:48:22 [Chapell]
Ahhh... never mind. I see Killock
10:48:27 [npdoty]
ack ifette
10:48:28 [Walter]
susanisrael: thanks
10:48:30 [npdoty]
ack tl
10:48:43 [efelten]
tl: Disagree with ifette. Have previously submitted text on this.
10:49:08 [justin]
My language is based substantially on earlier text from tl
10:49:10 [dsinger]
I cannot see how the user thought they were interacting with service in the middle of getting to the site they thought they were visiting is a 1st party
10:49:12 [bryan]
q+ to assert that if the intermediate locations are part of the first party, they should not be considered a 3rd party
10:49:13 [efelten]
… parties in redirect chain might or might not be first parties, depending on whether user would expect the party to be involved. See previous text for details.
10:49:43 [efelten]
ifette: User expectation is dangerous to rely on. Many users don't understand who might be involved.
10:49:56 [Chris_DAA]
+1 to Ian- call for definition of the term "user exception" as it relates to this doc
10:50:02 [efelten]
… Hard to define in an arbitrary interaction how integral a party is to the interaction.
10:50:14 [efelten]
… If you click on an ad, whoever is hosting the ad is a first party.
10:50:26 [efelten]
… If redirected to another site, you're viewing that site so it's a first party.
10:50:27 [jmayer]
We already have consensus on the user expectations test for whether a party is a first party or third party.
10:50:28 [dtauerbach]
are we talking only about clicks?
10:50:43 [jmayer]
I'm surprised that Ian finds that unsettled.
10:50:45 [efelten]
… If intermediate redirect through an ad verification service, that's a first party too.
10:50:52 [WileyS]
Jonathan, you have that in your draft text but there is an option that specifically doesn't rely on that
10:50:52 [efelten]
tl: User would understand that?
10:50:58 [npdoty]
ack ifette
10:51:05 [efelten]
ifette: That should be basis for definition.
10:51:06 [ifette]
ack npdoty
10:51:15 [jmayer]
WileyS, not party size, first party vs. third party.
10:51:45 [efelten]
npdoty: All of the first-party definitions we have now involve user expectations.
10:51:51 [rigo]
issue-32: This has a relation to the transitive permissions coming out of the first party getting permissions for its third parties. Shane offered the interpretation that permitted uses of financial and audit recording would allow all data exchanges needed to use an ad auction system. The participants of the auction would use all the data coming from the first party under financial and audit. Rigo expressed the opinion that this is stretching the semantic content
10:51:51 [trackbot]
ISSUE-32 Sharing of data between entities via cookie syncing / identity brokering notes added
10:51:52 [rigo]
of financial and audit into meaning every commercial interaction as every commercial interaction involves by definition a financial transaction.
10:51:55 [npdoty]
ack bryan
10:51:55 [Zakim]
bryan, you wanted to assert that if the intermediate locations are part of the first party, they should not be considered a 3rd party
10:51:58 [fielding]
are we talking about this now?
10:52:01 [efelten]
… If communicating with a party makes it a first party, then everybody is a first party.
10:52:03 [WileyS]
Jonathan, our proposal does NOT sit on user expectation: requires corp affiliation and easy discoverability
10:52:19 [WileyS]
Jonathan, for first party.
10:52:32 [jmayer]
WileyS, you're again talking about party size.
10:52:35 [dsinger]
OK, if the re-directs are through sites in the same party, that we can handle
10:52:37 [vinay]
Roy - no, this:
10:52:38 [susanisrael]
nick i think that the use of "user expectation" in those definitions should be reconsidered
10:52:47 [efelten]
bryan: As long as all intermediaries are part of the first party, consider them as first parties.
10:52:58 [dsinger]
'sites that are not the same party as a first party'
10:53:02 [npdoty]
ack tl
10:53:12 [WileyS]
Jonathan, okay, let me go check the definition of 1st party again.
10:53:13 [efelten]
aleecia: I'm hearing that redirects within a party don't take you outside first party status. Don't think there's disagreement about that.
10:53:17 [BerinSzoka]
maybe we should actually define terms, just a little, before using them?
10:53:28 [dsinger]
to Berin :-)
10:53:32 [Chris_DAA]
too complex, I agree -- Complexity is specifically out of scope per our charter: "While guidelines that define the user experience or user interface may be useful (and within scope), the Working Group will not specify the exact presentation to the user."
10:53:36 [fielding]
heh, thanks vinay, but I was just pointing out my message on first party definition
10:53:44 [efelten]
tl: Let's look at definitions of first and third parties. Let's stick with the definitions we have for first and third parties.
10:53:54 [npdoty]
susanisrael, WileyS, I think the concept of "interaction" (sometimes "meaningful interaction") is affected by user's expectation
10:53:59 [npdoty]
ack justin
10:54:00 [Chris_DAA]
sorry, wrong one "The Working Group will not design mechanisms for the expression of complex or general-purpose policy statements."
10:54:02 [efelten]
… Let's not make exceptions for specific use cases. Suggest no text on redirection.
10:54:02 [vinay]
fielding - oh, got it!
10:54:06 [npdoty]
ack jmayer
10:54:08 [efelten]
justin: +1
10:54:17 [efelten]
jmayer: +1 to tl.
10:54:28 [WileyS]
Nick, need more objective measures - "user expectation" is not easily measured
10:54:30 [tlr]
Chris, that language was also known as the "do not reinvent P3P" clause in the charter.
10:54:49 [tl]
fielding: Let's put our proposals in the issue (132), and come back to it later =]
10:55:08 [efelten]
… Once we have agreement that user expectations should generally guide first/third parties, no need to reopen for specific use cases.
10:55:10 [npdoty]
WileyS, but you agree that meaningful interaction with a widget makes it a first party?
10:55:15 [hwest]
Jonathan, there have been a number of us that have been continually concerned by this idea and asking the question across the board, including myself.
10:55:21 [npdoty]
ack aleecia
10:55:35 [ninjamarnau]
I'm concerned that labelling redirect chains as all first parties would lead to blowing these chains up to gain first party rights for more involved services.
10:55:43 [WileyS]
Nick, yes - and we've even defined what meaningful interaction does and does not mean.
10:55:47 [bryan]
if a 1st party site is architected with distributed resources which are integrated using redirect, they represent a single meaningful interaction of the user when a click results in a chain of redirection through them
10:56:00 [efelten]
aleecia: [not as chair] If we adopt ifette's proposal, couldn't a first party make anybody else a first party by redirecting through a long chain of others?
10:56:04 [BerinSzoka]
Unfrozen Caveman Lawyer is very confused by all these undefined terms being thrown around. he has used this magical real-time collaboration tool that he does not understand to create a list of undefined terms. he invites you all to add to the bottom, and insert comments (ctrl-alt-M), but not to delete or edit the work done by others
10:56:19 [efelten]
ifette: Yes, my definition would imply the whole redirect chain are first parties.
10:56:23 [Chris_DAA]
tlr, agree that we should not contemplate something so complex as P3P here. Goal should be simplicity. This is nothing but complex.
10:56:54 [npdoty]
ack ifette
10:56:55 [efelten]
aleecia: Hard for users to know/expect what is going on.
10:57:01 [jmayer]
Ian earlier: users don't get what's going on in their browser. Ian now: if it's in the address bar, that's cool.
10:57:18 [efelten]
ifette: Perhaps, but that's what my definition implies.
10:57:53 [efelten]
ksmith: Agree with ifette, at least to the extent that others are integral to providing the primary content.
10:58:15 [efelten]
aleecia: Can this be handled via the service provider language?
10:58:19 [tl]
+q to say omgserviceproviders!
10:58:19 [npdoty]
WileyS, hwest, justin - the current draft doesn't have additional text on meaningful interaction, does someone have that?
10:58:34 [jmayer]
npdoty, meaningful interaction == user expectations.
10:58:35 [efelten]
ifette: Redirect might or might not be integral to serving content, depending on use case.
10:59:05 [efelten]
… How do I know what the user expects if I user a standard URL shortener that collects analytics?
10:59:17 [efelten]
s/I user/I use/
10:59:27 [justin]
npdoty, --- User Interaction With Third Party Content
10:59:27 [efelten]
… Would be disappointed if I don't get the data.
10:59:32 [npdoty]
ack jmayer
10:59:47 [rachel_n_thomas]
clearly we need a definition of "user expectation" for this conversation to be fruitful.
10:59:56 [fielding]
I personally think that defining user expectations by the URI or domain is ridiculous -- what a user sees is hypertext or an image and they are selecting the semantics portrayed by that link, not a URI owner
11:00:01 [efelten]
jmayer: Response to ifette: service provider language lets you use a service provider for link statistics.
11:00:11 [efelten]
… Does that satisfy your use case?
11:00:21 [npdoty]
hwest, WileyS, are you comfortable with the text on interaction? (yes, it does rely on user expectations as well)
11:00:39 [efelten]
ifette: No. Not clear who it's a service provider to. The user who is using the URL shortener?
11:01:08 [efelten]
aleecia: Might not be a contractual relationship in that use case.
11:01:08 [WileyS]
Nick, can you paste a link to the version you're looking at?
11:01:29 [npdoty]
(apologies, a link is obviously more useful than the TOC numbers)
11:01:42 [efelten]
jmayer: Seems like a substantive disagreement. If user on forum posts link using link shortener, I don't think link shortener should be tracking users who click.
11:01:49 [efelten]
… Doesn't seem consistent with user expectation.
11:01:55 [npdoty]
Zakim, close the queue
11:01:56 [Zakim]
ok, npdoty, the speaker queue is closed
11:02:00 [efelten]
aleecia: Close queue, toward lunch.
11:02:02 [ninjamarnau]
+1 jmayer
11:02:06 [npdoty]
ack justin
11:02:20 [rachel_n_thomas]
there is absolutely a contractual relationship involved in the case of a URL shortener, contrary to aleecia's assertion. the contractual relationship is between the user (consumer) and the URL shortener website itself.
that would make it a first party.
during lunch, I invite you all to add to this list of key undefined terms
11:02:34 [efelten]
justin: There are two definitions of first/third parties in the draft. Link shorteners aren't first parties under either definition.
11:02:42 [npdoty]
ack tl
tl, you wanted to say omgserviceproviders!
Nick, the "average" modifier in the definition was added outside of the standard process. I'd like to request that be removed as I believe that's the linking element you're seeing as "user expectation".
11:02:47 [efelten]
tl: Clarifications...
11:03:02 [efelten]
… Which user's expectations? Should be the user who is clicking a link.
11:03:11 [jmayer]
justin, I thought we'd decided to go with user expectations over pure ownership.
11:03:34 [efelten]
… Service provider to whom? Whoever makes an agreement with the provider. Probably the person using the shortener service in ifette's use case.
11:03:40 [jmayer]
In part because we never could button down what the ownership would be of.
11:03:50 [npdoty]
WileyS, is your concern just with the word "average"? and you're okay with the user's knowing and intentional expectation
11:04:19 [efelten]
… If the shortener is not evident to the user, and user sends DNT:1, shortener service should comply with third party rules.
11:04:23 [WileyS]
Nick, "intentionally communicated" - no "expectations" in the text.
11:04:35 [efelten]
… can still gather unlinkable stats, and permitted uses as third party
11:04:54 [efelten]
… Not everybody who receives an HTTP request is a first party.
11:05:33 [justin]
jmayer, I think user expectations are implicit in the second definition as well --- I'm just noting that under the second option that came from the industry proposal, url shorteners are third parties.
11:05:37 [efelten]
rigo: Don't want to barrage users with consent dialogs.
11:05:51 [npdoty]
WileyS, sorry, I'm not referring to "user expectations" literally in text, but versions of definitions that refer to user knowledge or user intention
11:05:59 [jmayer]
justin, if the ownership test applies to the domain name in the URL bar, then shorteners are first parties.
11:06:10 [tl]
Whenever Ed is scribing, I feel incredibly long-winded. Ed's amazingly good at distilling the gist of folks' sentiments.
11:06:22 [efelten]
aleecia: quick straw poll. Who else in room agrees with Ian's position.
11:06:28 [efelten]
… some tepid support.
11:06:37 [efelten]
s/some/a little/
11:06:51 [rachel_n_thomas]
strong "tepid" support for ian's position.
11:06:55 [WileyS]
Nick, intent does not mean expectation - but in both cases a definition should be provided with examples. We give examples of what would NOT meet an intentional action by a user. Doesn't rely on their "expectations" which can't be measured.
11:06:56 [MikeZ]
strong tepid support for Ian's position. Would like to see the actual language.
11:07:10 [justin]
The ownership test applies to the site the user "visits" . . .
11:07:16 [MikeZ]
Do we now need to define "strong tepid support"?
11:07:21 [BerinSzoka]
Caveman lawyer has added "visit" to his list of key undefined terms
11:07:29 [BrendanIAB]
Visit? Is it "click on a URL" or "have a URL displayed in my URL bar"?
11:07:34 [npdoty]
action: fette to draft definition of "visit"
Created ACTION-303 - Draft definition of "visit" [on Ian Fette - due 2012-10-11].
11:07:37 [ksmith]
Would the 3rd party promotion idea promote a url shortener to 1st party?
11:07:39 [efelten]
… Asks ifette to propose specific language on redirects.
11:07:54 [fielding]
the current text is not consensus
11:07:55 [rvaneijk]
@BrendanIAB: what about QR code?
11:08:00 [johnsimpson]
current text does it
11:08:12 [BrendanIAB]
QR codes are a massive security vuln!
11:08:14 [npdoty]
action: fette to draft proposal on url re-direction
Created ACTION-304 - Draft proposal on url re-direction [on Ian Fette - due 2012-10-11].
11:08:46 [efelten]
matthias: [arrangements for dinner at downtown Dutch/Indonesian restaurant]
11:08:52 [BrendanIAB]
But that's an implementation case - the QR provider translates the code into a URL.
11:08:55 [rvaneijk]
@BrendanIAB: so we have agreement that redirects through QR codes are not ok?
11:09:00 [BerinSzoka]
- what about cURL? countless users want to know!
11:09:14 [Walter]
Kantjil is fine
11:09:22 [npdoty]
break for lunch. back in an hour.
11:09:27 [BrendanIAB]
Not at all - QR is a different protocol - a method of taking an image and turning it into a URL
11:59:20 [BrendanIAB]
I don't understand your question, BrendanIAB.
12:00:40 [Zakim]
12:01:07 [fielding]
I don't understand your question, fielding.
12:01:34 [BrendanIAB]
+BrendanIAB?; got it
12:01:35 [fielding]
the conference code is 26631 (tel:+1.617.761.6200, fielding
12:12:55 [dsinger]
scribenick: dsinger
12:13:20 [BerinSzoka]
hoorah for well-timed breaks!
12:13:28 [trackbot]
ISSUE-122 -- Should we have use limitations on referrer data? -- open
12:13:28 [dsinger]
aleecia: break now between 2 sessions and we'll end early
12:13:35 [npdoty]
On the phone I see Telegraaf, BrendanIAB?, fielding, johnsimpson, Jonathan_Mayer
12:13:49 [dsinger]
aleecia: for those on phone, screen sharing broken
12:14:05 [dsinger]
…we ended up talking this over, and agreed to come back, and never did. Now we do
12:14:27 [dsinger]
…there might not be a good technical way to limit xmitting referrers; well, some browsers can, some not
12:14:42 [fielding]
er, only the header fields -- they are not the only way to refer
12:14:49 [dsinger]
… we can't prohibit it, but we could suggest it as a good practice
12:15:01 [npdoty]
Zakim, open the queue
12:15:01 [Zakim]
ok, npdoty, the speaker queue is open
12:15:02 [dsinger]
… no text, no action items, only discussion
12:15:13 [npdoty]
ack tl
12:15:23 [trackbot]
ISSUE-122 -- Should we have use limitations on referrer data? -- open
12:15:28 [fielding]
Why would we want to limit referrals?
12:15:52 [npdoty]
I think the question is whether there would be additional limitations beyond existing third-party requirements
12:15:58 [dsinger]
tl: are we talking about collection, retention, or use? maybe whether the browser sends it or not helps, but is almost orthogonal?
12:16:08 [WileyS]
+1 to Tom
12:16:26 [BrendanIAB]
+1 to "why should we limit the *sending* of HTTP REFERER when DNT:1 is set?"
12:16:30 [dsinger]
tl: would prefer that this is covered by the principles, rather than write explicit text
12:16:40 [dsinger]
aleecia: does anyone want text?
12:16:42 [npdoty]
no interest in the room on writing text.
12:16:46 [npdoty]
close issue-122
12:16:46 [trackbot]
ISSUE-122 Should we have use limitations on referrer data? closed
12:16:47 [dsinger]
….hearing no, issue-122 is CLOSED
12:16:55 [trackbot]
ISSUE-69 -- Should the spec say anything about minimal notice? (ie. don't bury in a privacy policy) -- open
12:17:16 [johnsimpson]
Did we address Issue 16 what is collection in the morning?
12:17:19 [MikeZ]
MikeZ has joined #dnt
12:17:39 [npdoty]
jmayer, WileyS, are you in the q for issue 69?
12:17:39 [dsinger]
aleecia: introduces issue. now, we have an optional set of flags. could it be more readily found than in a privacy policy
12:17:40 [tl]
+q to say that this have been overtaken by events. Close?
12:17:55 [dsinger]
…anyone to describe min. notice?
12:18:04 [npdoty]
q- WileyS
12:18:08 [npdoty]
ack tl
12:18:08 [Zakim]
tl, you wanted to say that this have been overtaken by events. Close?
12:18:14 [dsinger]
tl: overtaken by events?
12:18:26 [dsinger]
aleecia: looks like issue-69 is CLOSED!
12:18:31 [npdoty]
q+ to clarify
12:19:23 [npdoty]
close issue-69
12:19:23 [trackbot]
ISSUE-69 Should the spec say anything about minimal notice? (ie. don't bury in a privacy policy) closed
12:19:26 [npdoty]
12:19:26 [trackbot]
ISSUE-65 -- How does logged in and logged out state work -- open
12:19:26 [trackbot]
12:19:38 [peter]
12:19:50 [dsinger]
aleecia: we were supposed to have 2 competing proposals and a decision process; and they thought and didn't write
12:19:59 [justin]
To be clear, ISSUE-69 is addressed through the explicit and informed consent requirement, the contours of which are still being debated.
12:20:00 [jmayer]
12:20:01 [dsinger]
… we now feel we don't need text on logged in and logged out
12:20:03 [dsinger]
12:20:35 [npdoty]
ack jmayer
12:20:59 [Simon]
12:21:09 [dsinger]
jmayer: confirming: this has become a specific instance of a general issue of when a user grants an exception. The general contours may well subsume this.
12:21:21 [jmayer]
s/may well/do/
12:21:22 [npdoty]
I think we're dropping this section:
12:21:38 [dsinger]
WileyS: when we talk about user consent for an exception, that would overtake this
12:21:38 [rachel_n_thomas]
12:21:55 [justin]
Yes, what WileyS has said.
12:21:58 [Chris_DAA]
12:22:00 [dsinger]
aleecia: close 65?
12:22:03 [npdoty]
ack dsinger
12:22:16 [kj]
12:22:22 [fielding]
they are out-of-band
12:22:31 [npdoty]
does the TPE not point to the out-of-band section in Compliance?
12:22:54 [npdoty]
ack rachel_n_thomas
12:22:55 [fielding]
npdoty, seriously?
12:22:55 [dsinger]
dsinger: we might need to discuss this in OOB exceptions tomorrow
12:23:24 [dsinger]
rachel: are we thereby deleting 6.3.2?? usually closing issues would mean no change.
12:23:29 [Chris_DAA]
12:23:43 [dsinger]
aleecia: yes, we delete the section, and logged-in/out are not otherwise mentioned
12:23:52 [npdoty]
action: brookman to remove 6.3.2 on logged in transactions
12:23:52 [trackbot]
Created ACTION-305 - Remove 6.3.2 on logged in transactions [on Justin Brookman - due 2012-10-11].
12:23:56 [dsinger]
justin: deleting as we speak!
12:23:57 [BrendanIAB]
OK - what happened over lunch?
12:24:06 [dsinger]
12:24:13 [BrendanIAB]
I'm not listening in to the same call as I was an hour ago!
12:24:15 [npdoty]
close issue-65
12:24:15 [trackbot]
ISSUE-65 How does logged in and logged out state work closed
12:24:18 [dsinger]
aleecia: we can close issue 65!!
12:24:23 [dsinger]
….3 down!
12:24:28 [dsinger]
12:24:28 [trackbot]
ISSUE-54 -- Can first party provide targeting based on registration information even while sending DNT -- open
12:24:28 [trackbot]
12:24:45 [justin]
tl is this true?
12:24:47 [npdoty]
12:24:49 [npdoty]
12:24:50 [dsinger]
aleecia: this is an old issue; it's a first party.
12:24:56 [dsinger]
… anyone disagree?
12:25:14 [WileyS]
12:25:15 [tl]
justin: Is what?
12:25:18 [dsinger]
npdoty: to clarify: I understand I got some 1st party data, and now I am a 3rd party I can use that data?
12:25:22 [susanisrael]
12:25:26 [dsinger]
aleecia: no, that's not what I thought
12:25:30 [Marije]
12:25:35 [jmayer]
12:25:39 [npdoty]
ack npdoty
12:25:46 [dsinger]
WileyS: this is a similar discussion to logged-in/out, as to what the scope of the consent is
12:25:50 [npdoty]
ack WileyS
12:25:52 [justin]
12:25:59 [robsherman]
12:26:04 [justin]
This is the language currently in the text to address this issue.
12:26:19 [npdoty]
it might be behavioral from your behavior on the first-party site, right?
12:26:25 [dsinger]
JC: reminds that this is not 'tracking' data, but data voluntarily given by the user
12:26:35 [tl]
12:26:37 [amyc]
nick, this is about registration info
12:26:39 [dsinger]
Chris: if not related to targeting, then out of scope
12:26:44 [rigo]
12:26:47 [justin]
It's clearly targeting.
12:26:48 [dsinger]
12:26:51 [npdoty]
ack jmayer
12:27:03 [vinay]
it's personalization, not targeting (in my opinion)
12:27:03 [amyc]
it is registration info that the user has explicitly provided
12:27:23 [Chris_DAA]
point of order: if it's not based on targeting or tracking, it's out of scope for this working group
12:27:30 [amyc]
12:27:32 [BerinSzoka]
I, for one, would find it amazingly useful to clarify, at some point, what is, and what is not, in scope, by defining tracking
12:27:41 [dsinger]
jmayer: phrase differently. We got consensus to close issues. Is this true: "in the absence of consensus, you cannot use info a 1st party gets to target on another website"
12:27:54 [dsinger]
JC: what do you mean by 'gets'
12:28:01 [Chapell]
12:28:06 [dsinger]
aleecia: info provided as part of reg. info
12:28:15 [npdoty]
do we expect a different outcome if the data was provided explicitly to the first party or was just collected while I was browsing a first party site?
12:28:20 [fielding]
12:28:25 [ifette]
12:28:25 [ChrisPedigoOPA]
12:28:26 [fielding]
it is allowed by DNT
12:28:26 [dsinger]
jmayer: is it: no you can't, unless the user gave consent
12:28:32 [Chris_DAA]
tlr, can you please weigh in about the scope question that we keep raising, but Aleecia keeps shutting down categorically?
12:28:47 [dsinger]
JC: disagree. DNT does not apply, when the user freely gave info, and it's not tracking. out of scope and close?
12:28:51 [Chris_DAA]
+1 to JC
12:28:54 [fielding]
DNT does not impact first party personalization, period.
12:29:16 [dsinger]
jmayer: is this a special instance of a more general question? can 3rd parties use information they got as a 1st party?
12:29:22 [dsinger]
aleecia: beginning to get the issue
12:29:26 [Chris_DAA]
"what we allow 3rd parties to do" is not in scope here
12:29:50 [eberkower]
But this doesn't say anything about the involvement of third parties
12:29:50 [dsinger]
justin: the issue, as given yesterday: go to a sales site, look at something, visit a new site, see an ad from the sales site that's related to my looking
12:29:52 [Chris_DAA]
what is in scope is tracking (though that term is not defined by consensus)
12:29:54 [BrendanIAB]
12:29:57 [dwainberg]
12:30:09 [npdoty]
12:30:13 [dsinger]
justin: there is text,
12:30:43 [dsinger]
ifette: can we re-title or get a new issue?
12:31:02 [dsinger]
ifette: use of 1st party data in a 3rd party context?
12:31:03 [ifette]
"Use of data obtained as a first party in a third party context"
12:31:22 [Chris_DAA]
jmayer and all, I don't see in the Charter anywhere, "what we allow or disallow 3rd parties to do" (if it is in the charter, please point it out for all of us)
12:31:27 [dsinger]
JC: tracking data collected in a 1st party context is not usable; registration information is not tracking info, and is
12:31:30 [justin]
I don't think we've talked through the distinction between registration info and passively observed first-party data.
12:32:21 [dsinger]
sherman: you cannot collect new data, but if the user gave it to you, such that the user clearly intended you to have it, can you use it?
12:33:05 [BerinSzoka]
Could someone please clarify to me how this relates to our scope limitation (tracking)?
12:33:12 [dsinger]
sherman: when in a 3rd party context, no, you cannot collect new data. but, when you were GIVEN data in a 1st party context, can you use that?
12:33:18 [dsinger]
aleecia: does this clarify?
12:33:21 [johnsimpson]
can you please restate?
12:33:21 [fielding]
how does the third party know who the user is?
12:33:39 [justin]
fielding, by reading a previously placed first party cookie, most likely.
12:33:44 [npdoty]
I think Rob's explanation fits with Ian's re-titling of the issue
12:33:52 [dsinger]
wainberg: not sure we are agreed. is this ANY data provided by the user, or just 'registration data'?
12:34:02 [dtauerbach]
12:34:10 [justin]
There is no text ATM distinguishing between observed and declared data.
12:34:26 [efelten]
12:34:30 [dsinger]
WileyS: terms we use are 'observed data' and 'declared data', think that's the distinction, and we agree on observed and are discussing declared
12:34:31 [npdoty]
do we believe that we will come to different conclusions for data declared to a first party than data observed in a first party context?
12:34:38 [fielding]
and there is a cookie and it corresponds to a registered user and there is no consent?
12:34:48 [dsinger]
notes we have no definition of 'registration data'
12:34:52 [npdoty]
12:34:53 [dsinger]
12:34:53 [dtauerbach]
12:34:54 [ChrisPedigoOPA]
12:34:57 [npdoty]
ack robsherman
12:34:58 [npdoty]
ack tl
12:34:59 [ifette]
ack robsherman
12:35:08 [ifette]
gah irc lag
12:35:11 [Walter]
Zakim: I've been waving my hand a few times
12:35:31 [Walter]
ack Walter
12:35:31 [ifette]
So do we have two issues, "observed" and "declared" data?
12:35:32 [rigo]
12:35:40 [ifette]
walter, you're looking for "q+"
12:35:41 [dsinger]
tl: clarify: a 1st party, when 1st, collected some info (observation or declaration), applies to a number of situations
12:35:48 [Walter]
ifette: thanks
12:35:50 [Walter]
12:36:02 [dsinger]
…issue is, when as a 3rd party, use the data it legit. gathered as a 1st party?
12:36:21 [fielding]
tl, *and* there is no specific consent for that purpose?
12:36:37 [ninjamarnau]
12:36:46 [dsinger]
dsinger: think this is only for the subset that is declared data
12:36:46 [justin]
In the current text, usage is not limited to declared data. I would be happy to revise, however.
12:36:51 [aleecia]
Giving this a try: can first parties use declared data while in a 3rd party context?
12:37:42 [JBWeiss]
12:37:43 [ifette]
aleecia, is the "observed" data still an open separate issue then?
12:38:00 [dsinger]
tl: previously we took the example of facebook, it might *worry* users that they are being tracked, so be imprudent, but we wouldn't say. so, is it OK to use declared data, yes, you can (unless you said you wouldn't of course)
12:38:16 [jmayer]
If this is about information given to a first party with consent to reuse it in a third-party setting, then it seems just a special case of user-granted exceptions. If this is about information given to a first party without consent to reuse it in a third-party setting, then it seems to be a proposed new permitted use.
12:38:16 [dtauerbach]
12:38:19 [dsinger]
WileyS: rejoices at the agreement, but takes an action to define declared data
12:38:27 [Chris_DAA]
I maintain that first party data is out of scope here
12:38:30 [dsinger]
justin: see
12:38:53 [justin]
Ack, sorry, working off the newer version.
12:39:02 [dsinger]
tl: before we write a defn of declared data, do we want a difference between declared and observed data?
12:39:14 [dsinger]
WileyS: we previously agreed that observed data was not usable
12:39:18 [ninjamarnau]
q- wanted to remind about notice and choice for the data when giving this data to the first party (but that is a local law issue)
12:39:18 [rachel_n_thomas]
12:39:22 [dsinger]
[disagreement from the room]
12:39:26 [ChrisPedigoOPA]
12:39:32 [dsinger]
tl: does not agree we agreed that
12:39:32 [WileyS]
My bad - apologies everyone
12:39:33 [justin]
Sorry, in the third public working draft.
12:39:33 [aleecia]
which section are we in?
12:39:58 [npdoty]
action: wiley to define "declared" data (which might be relevant to issue-54)
12:39:58 [trackbot]
Created ACTION-306 - Define "declared" data (which might be relevant to issue-54) [on Shane Wiley - due 2012-10-11].
12:40:00 [dsinger]
tl: do we have a different rule for USING observed vs. declared data?
12:40:00 [BrendanIAB]
12:40:10 [BrendanIAB]
My points are being covered by the current discussion.
12:40:16 [dsinger]
… can we avoid defining the distinction?
12:40:19 [dsinger]
12:40:48 [BrendanIAB]
Given that, from a technical POV, I could convert my "observed" data into "declared" by changing everything to POSTs
12:41:06 [dsinger]
WileyS: so, this means ALL data (declared or observed) in a 1st party context is OK to use?
12:41:23 [justin]
That is what the draft currently says, tl
12:41:24 [aleecia]
seeing jmayer in a moment
12:41:24 [dsinger]
tl: ALL data you legitimately have is OK to use. Not share, but you can use it. That's the idea.
12:41:37 [dsinger]
[it may be imprudent]
12:41:45 [aleecia]
12:42:31 [dsinger]
jmayer: tl clarify? I signed up for a sweepstakes and gave some info, and they got my explicit consent. Can that site use that in a 3rd party context?
12:43:03 [dsinger]
tl: don't get the question: the user DELIBERATELY gave info (e.g. form submit), and then ...
12:43:17 [dsinger]
jmayer: can they use it? we say fair enough, go ahead.
12:43:35 [dsinger]
sherman: lots of back-n-forth. checking existing text
12:43:45 [npdoty]
12:43:47 [dsinger]
12:43:56 [dsinger]
12:44:33 [npdoty]
one of the suggestions for that section is that it might be unnecessary, because of that agreement
12:44:36 [npdoty]
ack amyc
12:44:47 [dsinger]
tl: notes that nowhere is there a prohibition on this, so maybe this is a note rather than suggesting it's an exception to a prohibit
12:45:29 [johnsimpson]
12:45:41 [dsinger]
amyC: want to check where we are going. does DNT even govern declared data at all, as opposed to observed? it might lead to bizarre scenarios ('do you really want to fill in this survey? you have DNT on!')
12:46:01 [npdoty]
ack Chapell
12:46:11 [dsinger]
aleecia: the text currently covers both declared and observed and allows use (it may be imprudent)
12:46:13 [johnsimpson]
12:46:22 [amyc]
we used to have "transactional data" defined
12:46:38 [vinay]
+1 to Alan.
12:46:38 [BerinSzoka]
again, folks, I have a running list of undefined terms. feel free to add to it
12:46:41 [justin]
Yes, Chapell, that could happen.
12:46:44 [BerinSzoka]
+2 to Alan
12:46:46 [vinay]
This is a large expansion of scope
12:47:10 [npdoty]
Chapell, I understand that you are objecting to that outcome, is that right?
12:47:30 [justin]
Isn't that iAds?
12:47:33 [dsinger]
achapell: take a hypothetical: can Apple take an iTunes playlist and set up an ad network and use that data for targeting?
12:47:51 [eberkower]
That's what I thought he was describing - iAds
12:47:58 [ifette]
Aleecia, Can we have some queue management? Certain people seem to get to reply to every single statement being made..
12:48:05 [dsinger]
tl: maybe the rules for 1st parties are not sufficiently restrictive. unless we choose to restrict 1st parties, this is a natural outcome
12:48:16 [WileyS]
All of this conversation centers around 1st party consent structures
12:48:35 [dsinger]
achapell: I think I see where this is going. what harms are we getting at?
12:48:45 [dsinger]
aleecia: is surprised at Tom's position.
12:48:46 [dsinger]
12:48:48 [BerinSzoka]
In the immortal words of Admiral Stockdale: Who am I? Why am I here?
12:49:20 [ifette]
12:49:21 [justin]
The implication of this language is obvious. Tracking is doing what is prohibited in the spec. The spec is designed to prevent cross-site collection and usage. First party data usage gets around this problem.
12:49:22 [vinay]
Would be able to run a site retargeting campaign on (unrelated site) if the only data they are using is data collected on
12:49:28 [dsinger]
chrisPedigo: ebay's privacy policy would probably say that they won't do that; it might be imprudent
12:49:29 [BrendanIAB]
Using data collected in a 1st party context in a 3rd party context is not tracking - the initial 1st party would not be able to add any new data from the 3rd party context.
12:49:31 [vinay]
Tom is saying that this use case is allowable; regardless of dnt signal
12:49:32 [ifette]
roy, if only you were here ;-)
12:49:35 [justin]
Please let's return to the queue.
12:49:38 [susanisrael]
they might have to use a new privacy policy only prospectively
12:49:41 [aleecia]
12:49:44 [ninjamarnau]
12:49:48 [dsinger]
achapell: they were in the data business before. they might be encouraged back in
12:49:58 [vinay]
12:50:06 [npdoty]
ack ifette
12:50:11 [dsinger]
q+ to say that he firmly believes declared data is not tracking
12:50:28 [dtauerbach]
12:50:29 [dsinger]
ifette: please only q-jump to clarify
12:50:54 [dsinger]
ifette: does DNT have anything to say about data users explicitly provide? we should open that issue.
12:50:58 [dsinger]
aleecia: agreed, open issue
12:51:03 [npdoty]
ack dwainberg
12:51:10 [WileyS]
Ian - we already have that draft text in the CS doc
12:51:15 [dsinger]
dwainberg: echo Alan's concerns. also some questions
12:51:23 [johnsimpson]
12:51:28 [WileyS]
Ian - this was the language Justin B. and I were working on (user consent)
12:51:41 [dsinger]
… what is the scope of the use? probably 'used by or on behalf of other parties?'
12:51:57 [ifette]
ISSUE: Make sure in the spec that we clarify information provided explicitly by a user (e.g. data typed into a form on a site with a clear privacy policy) is not subject to DNT.
12:51:57 [trackbot]
Created ISSUE-179 - Make sure in the spec that we clarify information provided explicitly by a user (e.g. data typed into a form on a site with a clear privacy policy) is not subject to DNT. ; please complete additional details at .
12:51:57 [npdoty]
I think first parties giving observed data to third parties for some other use is one of the few things prohibited in first-party compliance
12:52:02 [dsinger]
… what about observed data collected when using the declared data? can that be joined back?
12:52:03 [robsherman]
12:52:19 [npdoty]
implied consent? or just not explicitly prohibiting?
12:52:19 [dtauerbach]
12:52:29 [npdoty]
ack Walter
12:52:30 [dsinger]
… does this create an implied consent for 1st parties to 'track' despite what their policy or other docs say
12:52:32 [BrendanIAB]
It sounds like there's confusion between "track" and "target"
12:53:05 [dsinger]
Walter: why are we here? DNT is about the context in which data is collected and used.
12:53:06 [efelten]
Neither "track" nor "target" appears in this text.
12:53:16 [rigo]
This is all a problem of a missing purpose binding
12:53:44 [aleecia]
Proposal: we scope this to declared data, not all data, and can everyone live with that?
12:53:45 [dsinger]
… if you have a personal interest in say butchering, and professionally you visit an animal rights group, there might be … problems
12:53:45 [susanisrael]
i don't think we are here to permit users to control "context" but maybe we are using language differently
12:53:53 [BrendanIAB]
efelten - but the dialogue is referencing both regularly.
12:53:57 [eberkower]
or the more philosophical, "when is a first party a third party"
12:53:58 [dtauerbach]
12:53:58 [dsinger]
… privacy policies tend to be vague
12:54:12 [ifette]
12:54:18 [rigo]
so "for the purpose it was collected for" would resolve all, but also may create the obstacles to creative re-use. Obstacles we wanted to avoid. bummer
12:54:19 [dsinger]
… notes also that sensitive data (e.g. health) even if declared, cannot be used in a 3rd party context
12:54:22 [amyc]
declared data should be out of scope period
12:54:23 [justin]
I can live with declared data or all data. Scoping to declared adds a layer of complexity, but I could live with it.
12:54:37 [npdoty]
ack ninjamarnau
12:54:37 [dsinger]
… suggest we are silent on the subject
12:54:38 [jmayer]
12:55:20 [dsinger]
Ninja: 2nding Walter. Also do we have consensus: if former-1st now-3rd party sends ads based on declared data, can they append new data from the 3rd party context?
12:55:31 [justin]
I think existing text covers this.
12:55:35 [dsinger]
room: agreed, that no they cannot, it's not permitted by today's rules.
12:55:39 [npdoty]
ack rachel_n_thomas
12:56:04 [Chapell]
npdoty: yes, that would seem like a problematic outcome
12:56:27 [dsinger]
Rachel: amazing how many questions about what it means 'do not track', and would like to see an issue on 'what does it mean to track?' (and hence what is DNT?)
12:56:35 [justin]
Tracking is doing what is prohibited in the document.
12:56:35 [dsinger]
12:56:35 [trackbot]
ISSUE-5 -- What is the definition of tracking? -- raised
12:56:35 [trackbot]
12:56:43 [npdoty]
Chapell, I think you'd like to talk with robsherman
12:56:51 [dsinger]
issue 5 is raised but not opened, but
12:57:01 [dsinger]
Rachel: how do we get from Raised to Opened?
12:57:12 [dsinger]
aleecia: the chair is not choosing to open it at this time.
12:57:15 [efelten]
We had that conversation a year ago.
12:57:18 [dsinger]
Rachel: so, when?
12:57:22 [ifette]
What is the difference between "raised" and "open"?
12:57:37 [justin]
ninjamarnau, The non-normative examples make clear that the former first party is not adding the third party data to the user profile.
12:57:39 [fielding]
It has been at the end of the agenda for several months
12:57:44 [dsinger]
aleecia: has been on the agenda
12:57:53 [BerinSzoka]
If Aleecia is saying it's on the agenda, why can't it be opened?
12:57:55 [dsinger]
aleecia: has been going on for a while
12:58:03 [dsinger]
Rachel: disappointed
12:58:03 [Chapell]
npdoty; i'm not sure what you mean by talk to robsherman
12:58:04 [justin]
12:58:04 [fielding]
And every week new items are added in front of it on the agenda.
12:58:05 [WileyS]
Can we get a commitment to move it to the front of an agenda?
12:58:09 [BerinSzoka]
I'm confused. what does it mean for a topic not to be opened?
12:58:10 [Chris_DAA]
I also would like to see it OPEN
12:58:20 [dsinger]
ifette: please clarify raised vs. opened
12:58:29 [dtauerbach]
12:58:35 [ionel1]
12:58:42 [Chris_DAA]
Can w3c staff please define the process for opening an item
12:59:12 [npdoty]
we usually have assigned action items when we open an issue, though people have offered text for issues that are just raised
12:59:16 [ninjamarnau]
justin, thank you. Following this discussion I just wanted to make sure, that this is still the consensus of the group. This is not always the case with former decisions we made :)
12:59:32 [justin]
12:59:33 [dsinger]
aleecia: raised may be parked because of dependency, opened means we are working on it
12:59:36 [WileyS]
Nick, so are you suggesting procedurally this should be moved to open?
12:59:47 [dsinger]
ChrisIAB: would like to see it opened before LC
13:00:04 [dsinger]
jmayer: are we now on issue-5? 'what is tracking?'
13:00:07 [justin]
Link above defines RAISED and OPEN
13:00:08 [aleecia]
13:00:12 [susanisrael]
13:00:14 [MikeZ]
We cannot move to Last Call until we Open issue #5: define "tracking"
13:00:19 [WileyS]
Nick, we can then add an action to capture the text that David W. provided attached to Issue #5?
13:00:21 [npdoty]
ack ChrisPedigoOPA
13:00:35 [aleecia]
MikeZ: I hear that you would like that.
13:00:38 [WileyS]
13:00:53 [dsinger]
ChrisPedigo: can a 1st party share that data with a 3rd? and the document currently prohibits 1st party sharing
13:00:56 [BerinSzoka]
13:01:07 [Chris_DAA]
dsinger, yes, that's correct, I'd like to see Issue 5 OPENED and discussed (and real consensus reached) before last call. Logically.
13:01:10 [dsinger]
wainberg: what about use on behalf of another party (but not share the data)?
13:01:13 [aleecia]
13:01:18 [dsinger]
chrisP: yes, they could
13:01:20 [aleecia]
close queue
13:01:27 [aleecia]
zakim, close queue
13:01:27 [Zakim]
13:01:35 [dsinger]
dwainberg: does that create an incentive to create owned ad networks?
13:01:43 [rachel_n_thomas]
i would again ask that someone point me to the distinction - in the W3C process doc or elsewhere - where the terms "raised issue" and "open issue" are defined. and the process by which a raised issue is moved to an open issue such that formal debate (and not just "throwing it around") can occur on Issue 5 "what is tracking"
13:01:57 [dsinger]
ChrisP: but the users know the 1st party, and have a relationship that they can use to complain etc.
13:02:18 [dsinger]
dwainberg: but do they understand the 3rd party context?
13:02:23 [Chapell]
If first parties are allowed to create their own ad networks under the DNT track standard, I'm struggling to see how that is a good outcome for privacy.
13:02:32 [WileyS]
13:02:34 [npdoty]
Chapell, I'm suggesting that it would be productive for you to have a discussion at some point with robsherman about this issue
13:02:35 [vinay]
+1 to chapell
13:02:48 [dsinger]
dwainberg: not sure that users will get the explanation from e.g. a ToS
13:02:53 [tl]
13:02:53 [susanisrael]
Shane: re definition raised on mailing list, i think it may be worth discussing the limits of this channel ( vs. calls) for determining whether people object.
13:02:53 [ifette]
13:02:54 [ninjamarnau]
+1 chapell
13:02:54 [Chapell]
DNT = anti-competitive
13:02:59 [dsinger]
ChrisP: but it cannot be contrary to the ToS
13:03:05 [vinay]
+1 to chapell again
13:03:05 [dsinger]
aleecia: back to q
13:03:07 [dtauerbach]
13:03:11 [npdoty]
ack johnsimpson
13:03:43 [WileyS]
Susan, fair - but typically often react more violently on the email list so it's at least a good litmus test
13:03:43 [Chapell]
Thanks to the advocates for their 'compromise' -- giving the first parties a blank check
13:03:44 [dsinger]
johnsimpson: is fine with using data you willingly provided. less sure about observed data
13:04:11 [dsinger]
… is dubious about declared, but more so about observed data
13:04:32 [npdoty]
ack vinay
13:04:34 [npdoty]
ack dsinger
13:04:34 [Zakim]
dsinger, you wanted to say that he firmly believes declared data is not tracking
13:04:35 [Marc]
13:04:37 [aleecia]
ack vinay
13:04:59 [Chapell]
13:05:00 [aleecia]
Declared data becomes scope for, which requires a defn
13:05:01 [JC]
+1 to dsinger
13:05:21 [Chapell]
DSinger - ok ,but can we define what we mean by declared data
13:05:21 [adrianba]
dsinger: hearing a consensus on declared data - this group is Do Not Track about tracking and i think we should agree that declared data is out of scope
13:05:25 [Brooks]
Of course it isn't tracking - because tracking isn't defined
13:05:29 [efelten]
Is there any alternative text proposed for
13:05:31 [dtauerbach]
13:05:38 [npdoty]
ack robsherman
13:06:01 [justin]
Chapell, Can first parties use declared and observed data in third party context under DAA principles? I would presume so based on the definition of Multi-Site data.
13:06:08 [dsinger]
robsherman: maybe in a lot of rat-holes. when you are a 3rd party, user has control. when 1st, there are less restrictions
13:06:17 [rigo]
I still think that the change of context will blow into our face
13:06:21 [MikeZ]
DAA agrees that first party data, declared and observed, should be out of scope of this spec. That's part of the DAA code.
13:06:23 [Chapell]
Justin - there are three representatives from the DAA here, I suggest you ask them (:
13:06:26 [aleecia]
13:06:30 [ifette]
13:06:32 [npdoty]
ack dtauerbach
13:06:33 [dsinger]
robsherman: tl gave an example of facebook personalization (50 friends liked this page) and that should not be controversial
13:06:38 [rigo]
13:06:56 [justin]
Chapell, ha fair point.
13:06:57 [MikeZ]
That being said, this discussion may be out of scope of the charter, so reserving that right to object.
13:07:08 [vinay]
MikeZ - does the DAA spec allow a first party to use observed data to target an ad on an unrelated site? I thought that required the AdChoices icon
13:07:15 [vinay]
it's as simple as a site retargeting campaign
13:07:20 [dsinger]
danauerbach: clarifying that in the FB case we know who you are from your logged in cookie, we know how many friends liked it, we tell you and collect nothing
13:07:23 [vinay]
does that require AdChoices?
13:07:31 [Chapell]
MikeZ we have driven the bus so far past the charter that I suggest we keep driving because we're almost to the other side of the globe
13:07:40 [dsinger]
aleecia: clarify, who you are, that you are logged in, and your friends are all declared data
13:07:53 [aleecia]
13:07:54 [npdoty]
13:08:02 [aleecia]
ack ifette
13:08:02 [npdoty]
ack ifette
13:08:05 [dsinger]
danA: feels that 'these tracking cookies' should not be used
13:08:06 [Chapell]
13:08:13 [jchester2]
13:08:31 [dsinger]
ifette: we have opened 179 on declared data. hope we have consensus on that.
13:08:51 [dsinger]
… if we do reach consensus on splitting, maybe we are further apart on observed data
13:08:57 [Randall]
13:09:03 [npdoty]
ack jmayer
13:09:33 [dsinger]
jmayer: agree with Dan A, has been sig. debate for some time. proposal I worked on with Tom and Peter did have text on this issue
13:10:11 [dsinger]
… would like to be concrete. "If the info you gave to the 1st party is used in a 3rd party context in a way that the data can be linked to the 3rd party context, not OK"
13:10:20 [dsinger]
… but if privacy preserving, you could do that
13:10:47 [dsinger]
… so instead of drawing lines around former/current, one line about unlinkability defines everything
13:10:53 [dsinger]
[room] different issue?
13:11:04 [Brooks]
Having trouble following a conversation which relies on undefined terms
13:11:17 [dsinger]
aleecia: split into two issues, or connect to linkability?
13:11:40 [rigo]
Brooks, do you mean the definition of tracking?
13:11:46 [dsinger]
WileyS: surely unlinkable data is out of scope.
13:11:50 [justin]
I think the cookie/unique ID issue is a separate point.
13:11:56 [dsinger]
jmayer: doesn't work the way you might think
13:12:22 [dsinger]
… our decision could be 'you get to use unlinkable data, but not linkable data'
13:12:24 [justin]
It's related, and this issue is dependent, but the language does not need to address this language.
13:12:38 [dsinger]
[scribe confesses he doesn't understand jmayer and may have scribed badly]
13:12:56 [susanisrael]
sympathy for scribe
13:12:59 [rigo]
justin, the problem is the context shift. And context is important to users. All the blow-ups (like the teacher-with-a-beer-case) where an information being accepted in one context brought into another context and blowing there
13:13:29 [npdoty]
I think WileyS is pointing out that unlinkable-data-only wouldn't require additional text because we already rule that out of scope; jmayer just wants to note that the silence is still a valid option to handle this question
13:13:35 [dsinger]
aleecia: shane has action to explain what declared data means. we could (a) make 6.1.13 specific to declared (b) leave as-is, apply to declared and observed (c) delete section, and do it in terms of unlinkable
13:13:38 [ifette]
q+ to ask for a quick straw poll on support for observed, declared, vs "no use"?
13:13:50 [npdoty]
three options:
13:13:51 [ifette]
can we get a quick straw poll?
13:13:53 [adrianba]
13:13:57 [Chapell]
TLR: this is coming apart at the seams. Is the goal of this WG to put third parties out of business and allow first parties to do whatever in the hell they want?
13:14:03 [npdoty]
1) action against Shane and declared data only
13:14:06 [Chris_DAA]
Ian's calling for a straw poll
13:14:06 [jmayer]
My point, in short: We could draw the line at linkability. That's independent of whether you think unlinkable data is in scope. (I think it is, Shane thinks it isn't.)
13:14:10 [dsinger]
aleecia: for editors, please capture those 3, and the actions
13:14:37 [Chapell]
TLR: if that's the goal, then let's just be up front and put that in our charter
13:14:38 [justin]
rigo, But no new sharing occurs here. The context is still cabined to the individual user.
13:14:41 [johnsimpson]
cannot hear use mike
13:14:42 [npdoty]
2) current text (you can use 1st-party observed or declared data)
13:15:03 [dsinger]
aleecia: if you have unlinkable data, how can you be linking it to a person?
13:15:04 [npdoty]
3) you can't do this at all (except when it's unlinkable somehow)
13:15:14 [justin]
Option 3 is contingent upon whether the EFF/Stanford/Mozilla proposed limiting the use of unique IDs is accepted. It does not need to be addressed here.
13:15:18 [ifette]
could we get a straw poll on "People should be able to use 1st-party declared data in a third party context yes/no", "People should be able to use 1st-party observed data in a third party context yes/no"
13:15:26 [amyc]
+1 justin
13:15:32 [tlr]
chapell, if you think this discussion is going in the wrong direction, I suggest you get in the queue.
13:15:40 [npdoty]
+1 to ifette's version of the poll questions
13:15:43 [dsinger]
jmayer: there are a bunch of ways. work to date has focused on 3rd parties. could apply to 1st-become-3rd
13:15:44 [Chapell]
I am in the queue, at least I think I am
13:15:47 [Chapell]
13:15:48 [dsinger]
[scribe is still confused]
13:15:50 [Brooks]
13:15:52 [Brooks]
13:15:55 [Brooks]
13:15:58 [Chapell]
But Zakim constantly tells me I'm out
13:16:02 [ifette]
could we get a straw poll on "People should be able to use 1st-party declared data in a third party context yes/no", "People should be able to use 1st-party observed data in a third party context yes/no"
13:16:05 [MikeZ]
Vinay, you are generally correct that retargeting requires AdChoices icon. The current discussion and use cases don't jibe one for one with the DAA principles so let me retract that "official" statement on behalf of DAA.
13:16:09 [dsinger]
aleecia: Ian asked for straw poll. Ian will suggest text
13:16:24 [ifette]
could we get a straw poll on "People should be able to use 1st-party declared data in a third party context yes/no", "People should be able to use 1st-party observed data in a third party context yes/no"
13:16:30 [npdoty]
"People should be able to use 1st-party declared data in a third party context yes/no"
13:16:32 [dsinger]
"People should be able to use 1st-party declared data in a third party context yes/no"
13:16:43 [jmayer]
Is the question ALL first-party declared data?
13:16:53 [dtauerbach]
i think yes
13:16:57 [jmayer]
Or SOME first-party declared data?
13:17:21 [rigo]
amy, justin, context switch and its disastrous effects are not dependent on sharing
13:17:25 [ifette]
could we get a straw poll on "People should be able to use 1st-party declared data in a third party context yes/no", "People should be able to use 1st-party observed data in a third party context yes/no"
13:17:26 [Chapell]
Chapell raises his pen
13:17:45 [dsinger]
mixed results on poll 1, but clearly favoring yes
13:17:52 [ifette]
it was like 80 yes / 20 no
13:17:56 [johnsimpson]
please use the mike
13:17:59 [ifette]
on the first question
13:17:59 [WileyS]
Not mixed - more like 80
13:18:10 [BerinSzoka]
so 50-3 is "mixed results"? wow
13:18:10 [rigo]
ifette, it was 60/40
13:18:13 [npdoty]
on the first question: lots of people favoring yes / some people favoring no
13:18:13 [WileyS]
Not mixed - more like 85% yes, 15% no
13:18:20 [dsinger]
People should be able to use 1st-party observed data in a third party context yes/no
13:18:20 [ChrisPedigoOPA]
+1 Wiley
13:18:25 [rigo]
WileyS, ifette, no way!
13:18:29 [johnsimpson]
No on observed data
13:18:33 [Chris_DAA]
rigo, it was 80/20
13:18:48 [Chapell]
We continue to vote on things without defining them
13:18:52 [dtauerbach]
for me, this depends a lot on how the linking from 1st party to 3rd party context happens
13:18:54 [johnsimpson]
No on observed data
13:18:59 [jmayer]
Again, ALL observed data? Or SOME observed data?
13:19:01 [Chapell]
What is "Observed" What is "Declared"
13:19:14 [WileyS]
Mixed on #2 - 50/50 split with about half the room not voting
13:19:15 [Chris_DAA]
80/20 is actually fair
13:19:15 [BerinSzoka]
how hard would it be to have an actual voting mechanism here rather than just eyeballing these votes?
13:19:22 [rigo]
should we have a vote on whether it was 80/20 or 60/40?
13:19:23 [ChrisPedigoOPA]
not mixed more like 60-40 yes
13:19:29 [dsinger]
preponderance for yes, but not so large (and fewer indicating)
13:19:36 [rachel_n_thomas]
"closer to" is not a valid polling strategy, straw or otherwise.
13:19:37 [Chris_DAA]
rigo, would love to have an actual vote
13:19:43 [johnsimpson]
yes to unlinkability
13:19:52 [Chapell]
+1 to brooks
13:19:54 [dsinger]
finally jmayer's concept of unlinkability?
13:20:17 [rigo]
I still believe that people would rather accept sharing than change of context
13:20:24 [johnsimpson]
Yes on linkability
13:20:44 [dsinger]
aleecia: the question is deleting this section
13:21:00 [dsinger]
dwainberg: should the text be silent, or contain affirmative text
13:21:24 [susanisrael]
i thought we were having a poll on what should be permitted as opposed to what should be included in doc
13:21:24 [fielding]
for those who don't understand, straw polls are not decisions
13:21:57 [dsinger]
if you collect data as a 1st party, you may not use it as 3rd party unless it is unlinkable. yes/no?
13:22:13 [johnsimpson]
Yes support that
13:22:27 [lmastria-DAA]
lmastria-DAA has joined #dnt
13:22:37 [dsinger]
very little support, and a lot of opposition
13:23:00 [ChrisPedigoOPA]
fwiw, the straw poll was 80-20 against Jonathan's proposal
13:23:13 [dsinger]
achapell: back to clarifying questions. some orgs have multiple people
13:23:21 [BerinSzoka]
I think we need a better TPWG Expression Mechanism
13:23:39 [dsinger]
answer - this is a sense of the room, do we have rough consensus?
13:23:42 [WileyS]
Chris - it was closer to 95% against, 5% for Jonathan's option
13:24:02 [dsinger]
rigo: would like to offer a 4th option. we have fun discussing a vertical issue square.
13:24:25 [ifette]
Amy, I suggest going through -- it will make you feel better
13:24:38 [dsinger]
… people feel bad, because it might favor large central entities. users should be able to opt out.
13:24:45 [Chris_DAA]
WileyS, I think you are right (but it's just a feeling)
13:24:46 [Chapell]
This process has become a sham - if the idea was to give the user control, we are not providing that control
13:25:03 [dsinger]
… if you legit. acquire data in one context, and use it in another, people may freak
13:25:14 [dsinger]
(so it may be imprudent)
13:25:20 [BerinSzoka]
Rigo: Did you call that the "Bus Problem?" I missed something...
13:25:34 [vincent]
BerinSzoka, buzz not bus
13:25:34 [aleecia]
It's context collapse as Walter raised
13:26:02 [BerinSzoka]
oh.... fair
13:26:12 [fielding]
generally speaking, we don't need to tell sites that they shouldn't freak out users, unless of course it is a freaking site
13:26:18 [dsinger]
… option 4: is to limit the 1st party to using the data in the context for which it was collected.
13:26:22 [dsinger]
[room] define context?
13:26:25 [BerinSzoka]
wait, that was a "fun" proposal?
13:26:47 [hwest]
hwest has joined #dnt
13:26:48 [amyc]
@ifette, I feel much better now
13:26:49 [ChrisPedigoOPA]
Roy, exactly
13:26:53 [dsinger]
… context could be … thinks … the overall relationship to that 1st party site.
13:27:01 [ChrisPedigoOPA]
first parties aren't going to freak out their users
13:27:07 [ChrisPedigoOPA]
they want them to come back
13:27:09 [susanisrael]
I appreciate Rigo's effort to explain the basis for objections. It seems though that this is really about whether people understand the scope of the consent they give to first parties-not our work here.
13:27:28 [dsinger]
… so, 1st party data is restricted to 1st party contexts. 3rd party data is restricted to 3rd party context.
13:27:33 [Chris_DAA]
first party data use is out of scope per the charter (charter based objection to this dialog)
13:27:40 [dsinger]
aleecia: different between context and 'as a party'?
13:28:00 [ChrisPedigoOPA]
Chris_DAA, agreed
13:28:23 [dsinger]
rigo: … thinks… can't answer off the top of his head. could explore 1st party defn so that if data is collected as a 1st party
13:28:26 [Chris_DAA]
ChrisPedigoOPA, get it on the record
13:28:41 [dsinger]
rigo: context would mean my relation to the 1st party as a 1st party.
13:29:01 [Chapell]
PR Wire: October 4, 2012 --- applauds the great work by the W3C (and on a TOTALLY unrelated note, announces the Zappos ad network)
13:29:03 [susanisrael]
i think Rigo is accurately describing the basis of the objections to these scenarios we voted on as I understand them, which was helpful. But I don't think those objections make sense in this spec.
13:29:05 [ChrisPedigoOPA]
first party data use is out of scope for this group
13:29:56 [tlr]
strong +1 to David
13:30:01 [ifette]
Zakim, open the queue
13:30:01 [Zakim]
ok, ifette, the speaker queue is open
13:30:05 [tlr]
*brief* text proposals would be great
13:30:12 [jmayer]
What's there to write up? It's been written for half a year.
13:30:14 [dsinger]
dsinger: suggests that people write text so people can understand what is suggested
13:30:43 [justin]
Yes, we do not need text here.
13:31:07 [justin]
We have to turn this into two options, and the cookie issue will be decided at a different time.
13:31:11 [Chris_DAA]
longevity doesn't = "rightness" (ref gender rights violations)
13:31:26 [dsinger]
aleecia: maybe we are running out of options. we are supposed to be q-closed, and moving on. we will continue to explore the 3 options
13:31:49 [vinay]
+1 for Marc
13:32:00 [vinay]
Well said!
13:32:05 [dsinger]
Marc: finds this astounding. this changes who is collecting.
13:32:22 [justin]
rachel_n_thomas, Can first parties use their own data to serve ads offsite under DAA rules?
13:32:47 [Walter]
Anyway, if the spec moves this way it will run counter to EU data protection principles
13:32:54 [justin]
Since Google, Facebook, and Amazon are DAA members, I suspect so!
13:32:58 [Walter]
and not an easy sell to regulators
13:33:05 [dsinger]
troessler: friendly amendment. we thought we knew what it was. we rapidly found options. there may be more. we'll have a call and an agenda, where we'll take specific proposals to change the text
13:33:08 [adrianba]
ScribeNick: adrianba
13:33:11 [trackbot]
ISSUE-119 -- Specify "absolutely not tracking" -- open
13:33:22 [Chapell]
Regulators in the U.S. have been very active on DNT to date -- presumably to address privacy issues
13:33:28 [adrianba]
aleecia: poorly named absolutely not tracking
13:33:38 [mischat]
mischat has joined #dnt
13:33:39 [adrianba]
... we have text which was ninja's proposal
13:33:39 [susanisrael]
I agree with Thomas that people did not understand the straw poll and the basis for the discussion. Sometimes explanatory comments without the goal of closing an issue -like Rigo's and David's comments- are useful.
13:33:54 [Chapell]
I would encourage those same regulators - to the extent that they are also tasked with anti-competitive issues - to step in and participate with the same level of enthusiasm
13:33:55 [adrianba]
... one of the things we talked about on the phone was non-normative text saying expect this not be widely used
13:34:05 [adrianba]
... that might be a good addition
13:34:25 [adrianba]
... we also talked many times that this is the wrong name - perhaps not retaining, roy had suggested anonymous
13:34:33 [ifette]
is this a TPE or compliance issue?
13:34:42 [ninjamarnau]
ninjamarnau has joined #dnt
13:34:46 [susanisrael]
rigo asks to be added to the q
13:34:48 [rigo]
rigo has joined #dnt
13:34:52 [adrianba]
aleecia: this crosses between docs but we're talking about compliance doc
13:34:52 [tlr]
q+ rigo
13:34:52 [Chapell]
npdoty: I would appreciate it if my comments here are not sanitized off of the minutes from this discussion
13:34:54 [susanisrael]
q+ rigo
13:35:04 [trackbot]
ACTION-110 -- Ninja Marnau to write proposal text for what it means to "not track" -- due 2012-02-10 -- PENDINGREVIEW
13:35:06 [aleecia]
ack Marc
13:35:11 [aleecia]
ack dsinger
13:35:37 [vinay]
What are they not interested in? (We don't know what 'not interested in tracking' is)
13:35:42 [adrianba]
dsinger: you said this is for few sites - i think quite a few web sites not interested in tracking you and one of motivations is to say i'm not interested and not tracking you
13:35:49 [adrianba]
... not sure it's a small number of sites
13:35:52 [vinay]
Is it -- they do not retain any data beyond completing the service they provide?
13:36:08 [vinay]
Or something else?
13:36:15 [adrianba]
aleecia: [reads text from ACTION-110]
13:36:33 [jchester2]
Plus we need to give sites--and I think there will be many who wish to act responsibly in a DNT world, will want to signal they do no tracking.
13:36:47 [Chris_DAA]
CHAIRS- Please open ISSUE-5 first, before ISSUE-10 is discussed
13:37:04 [ninjamarnau]
we need to remember that we are talking about third party context. The original idea came from a time where first parties were still in scope.
13:37:07 [ifette]
Can we please enforce the queue? This is really not a "quick clarification question"
13:37:29 [adrianba]
lmastria-DAA: want to be crystal clear - no one in ad industry interested in me specifically - they care about audience segments
13:37:49 [aleecia]
ack ifette
13:38:28 [adrianba]
ifette: i heard aleecia say this is on compliance and also a tpe part - we'll leave the tpe part for that discussion
13:38:40 [schunter]
To Chris_DAA: Why do you believe that we need to discuss our definition of "tracking" before defining a "party"?
13:38:45 [adrianba]
... i don't understand why this needs to be in compliance doc - if this is all you do then you're already in compliance
13:38:59 [adrianba]
... 6 week retention period is even more liberal than this
13:39:12 [adrianba]
... question about expressing this in tpe doc but for compliance we need say nothing
13:39:26 [adrianba]
aleecia: i hear this may be a definition of the flag that may belong in tpe
13:39:28 [npdoty]
+1 to ifette, I don't think this is needed in the compliance document
13:39:34 [adrianba]
ifette: fine way to characterise it, yes
13:39:39 [npdoty]
ack WileyS
13:39:40 [adrianba]
aleecia: that's what this may end up being
13:39:45 [Chris_DAA]
schunter, issue 119 is about "not track" (what is track then?)
13:39:51 [adrianba]
WileyS: i request that we remove this text completely
13:39:59 [adrianba]
... sites can implement or not implement DNT
13:40:01 [vinay]
+1 to Shane
13:40:08 [tl]
+q to say DDG
13:40:10 [adrianba]
... creating a "i implement better than you" is not necessary
13:40:28 [Chris_DAA]
schunter, sorry, I meant issue 110
13:40:30 [schunter]
The proposal is to send "3"
13:40:31 [npdoty]
is WileyS agreeing with ifette that we don't need this text in the compliance doc?
13:40:32 [adrianba]
aleecia: contrast that to ifette's view yesterday to make it easy for small sites to show compliance easily?
13:40:32 [Chris_DAA]
not 10 :)
13:40:56 [adrianba]
WileyS: you implement DNT and send back the appropriate response or in the well known resource
13:40:56 [susanisrael]
npdoty, i think yes, shane is agreeing with ian
13:40:57 [schunter]
answer "Tk:3" or a "3" in the tracking status resource
13:41:09 [dsinger]
it may be that you can say "I respect 3rd party rules with no exceptions", and that is enough
13:41:40 [schunter]
Yes. This makes life easier for small parties since they have 1 section less to read (at the same implementation complexity)
13:41:43 [npdoty]
fielding, are you still happy with:
13:41:49 [tl]
dsinger: Even that is weaker than some of the organizations we're talking about, like DDG.
13:41:57 [adrianba]
WileyS: trying to set a graduated scale of implementations of DNT is not helpful for the outcome and no business case that requires this outcome
13:42:07 [adrianba]
... why would anyone need to do something else
13:42:16 [BerinSzoka]
Caveman Lawyer is confused again. Defining "not tracking" (110) before defining "tracking" (5) makes about as much sense as hunting mammoth before making spears
13:42:25 [adrianba]
aleecia: because some people think implementing DNT implies that they do tracking if they don't
13:42:39 [adrianba]
WileyS: but they can have clarifying text to say this - they don't need the flag
13:42:41 [ifette]
q+ to say we're really talking about TPE issues now
13:42:42 [Chris_DAA]
schunter, I meant we should not be discussing ISSUE-110 before opening ISSUE-5 (and defining tracking before we define "not track")
13:42:45 [npdoty]
ack rigo
13:42:55 [ifette]
This whole discussion is now TPE focused not compliance focused
13:42:56 [adrianba]
rigo: we had discussion on the mailing list
13:42:57 [schunter]
to Chris_DAA: Thanks!
13:43:07 [adrianba]
... when ninja wrote this we had hope of alignment with EU stuff
13:43:16 [ksmith]
I almost hate to ask - but how can we define "not tracking" when we don't define "tracking"?
13:43:20 [adrianba]
... want to come back to ian who said want to have a simple thing
13:43:32 [adrianba]
... don't necessarily need different signal
13:43:37 [vinay]
not to seem pedantic, but if we are creating a super-DNT, why should we stop there? Why not a DNT-light for companies that won't implement DNT (like Duck Duck Go) but want to do something?
13:43:45 [adrianba]
... but have to go through all the specs to verify doesn't apply to me
It seems silly to create use cases for small majority of sites
13:43:57 [adrianba]
... then can safely send DNT 1 back
13:44:12 [fielding]
npdoty, yes, assuming we define tracking
13:44:13 [npdoty]
ack schunter
13:44:15 [BerinSzoka]
vinay: I'm concerned about cURL and the tens of hundreds of users affected by the interaction of DNT with cURL
13:44:15 [aleecia]
ack schunter
13:44:16 [adrianba]
... just want to provide a shortcut in spec and this doesn't discriminate
13:44:16 [ifette]
Rigo, I agree with you, but I think we will have that when we say "If you dump all the data in 6 weeks and don't do X" we will have that
13:44:33 [adrianba]
schunter: agree with Shane and Rigo
13:44:44 [adrianba]
... no need for flag saying nicer than the nice guys
13:44:57 [adrianba]
... i comply with strictest set of requirements
13:45:23 [adrianba]
... what rigo says is have rules of thumb for sites - if you only configure this way then it is safe to send this header back
13:45:29 [adrianba]
... not normative - just guidance
13:45:45 [adrianba]
... simple guidance for simple sites without reading 100 pages
13:45:55 [ifette]
Rigo, I agree with you, but I think we will have that when we say "If you dump all the data in 6 weeks and don't do X" we will have that
13:46:00 [WileyS]
Non-normative - not a new value in the TPE or a definition. that works for me
13:46:01 [ifette]
i think i have an action to draft that text
13:46:02 [adrianba]
... suggest drop this definition and i'm wondering also i don't do any tracking at all flag
13:46:14 [BerinSzoka]
Caveman Lawyer is getting angry. He doesn't function well without clear defined terms. Brings out his inner Saber-tooth Tiger
13:46:20 [aleecia]
ack dwainberg
13:46:22 [adrianba]
aleecia: hearing proposal from shane and matthias to not have normative text and maybe have guidance
13:46:36 [adrianba]
dwainberg: i agree and had proposed on mailing list that we drop this
13:46:45 [rigo]
ifette, I nearly think so, but I learned you could full targeted advertisement within the timeframe of 6 weeks of data retention, so beware of chilling effects ...
13:46:51 [adrianba]
... i don't think it is in scope to promote practices of particular groups
13:46:51 [schunter]
message: we have two sets of compliance regimes: one for 1st parties and one for 3rd parties. I believe this is complicated enough and does not adding a third regime called "no tracking at all".
13:46:55 [aleecia]
why is there marketing here?
13:47:03 [adrianba]
... the marketing efforts of one particular company
13:47:10 [aleecia]
It's a use case, not a marketing issue. It's an actual barrier to implementation
13:47:16 [jmayer]
I don't see any marketing. Aleecia proposed a reasonable use case.
13:47:27 [vinay]
Aleecia - Duck Duck Go wants to distinguish itself from other companies that implement just DNT
13:47:27 [adrianba]
... if we do create this and i don't want to it should use consistent language
13:47:35 [aleecia]
ack bryan
13:47:37 [adrianba]
bryan: i think this will be not that helpful
13:47:44 [adrianba]
... always people who think we could have done better
13:47:50 [npdoty]
my proposal would not define a new term, provides TPE mechanism to identify permitted uses claimed:
13:48:00 [adrianba]
... they can build an industry in verifying that people went above and beyond
13:48:04 [aleecia]
ack jchester
13:48:08 [adrianba]
... we don't need something like that in the spec
13:48:24 [adrianba]
jchester2: i think this is important to provide to sites
13:48:24 [bryan]
some group will think always DNT is not strong enough, and they can augment the status resource with certifications that are industry-driven and define how the site goes "beyond the call of DNT"
13:48:36 [adrianba]
... probably mostly not commercial sites but i don't rule that out
13:48:43 [aleecia]
zakim, close queue
13:48:43 [Zakim]
ok, aleecia, the speaker queue is closed
13:48:47 [adrianba]
... i think this is incredibly helpful
13:49:25 [aleecia]
ack dsinger
13:49:31 [schunter]
note: We could rename "3" to "no tracking"
13:49:40 [bryan]
my point was new input, i.e. that we already have a means to address this without any new standardized indication
13:49:49 [adrianba]
dsinger: i should have been clearer - i think there is a problem for sites in a 3rd party context that will be viewed with suspicion if they don't do anything
13:49:55 [WileyS]
Matthias, this would require defining "tracking" :-)
13:50:05 [adrianba]
... we need some guidance - i don't mind if it is a specific flag or just guidance about what to set
13:50:16 [adrianba]
... we don't want to make life difficult for small sites on the internet
13:50:32 [adrianba]
... or even large sites that have some resources like this that just don't do tracking
13:50:43 [adrianba]
... otherwise i think it will be apparently hostile
13:50:52 [npdoty]
dwainberg, it sounds like you'd also be okay with permitted use indicators (including no permitted uses), as I'd proposed?
13:50:59 [adrianba]
aleecia: was that volunteering to write non-normative text
13:51:00 [schunter]
WileyS: I disagree: The semantics of this "no tracking" are the permitted behavior for 3rd parties (longer text: no tracking except to the limited extent permitted to third parties)
13:51:05 [adrianba]
dsinger: yes, i'll work with matthias
13:51:26 [aleecia]
ack tl
13:51:26 [Zakim]
tl, you wanted to say DDG
13:51:35 [susanisrael]
if the queue were open, I would have said that david's comment just now suggests to me that what he is really asking for is not a "super dnt" but a "non-commercial site" designation.
13:51:58 [keith]
Critical to remember that we already have an effective self-reg program that protects consumers and preserves critical role that advertising plays for the Internet.
13:52:03 [adrianba]
tl: the reason that we get sites like DDG is because they see what we're working on and they think this is do not track, it's how much tracking is allowed and we want a way to say we really don't track
13:52:08 [efelten]
Matthias, couldn't a first party send "3" under the current proposal, to say that it is abiding voluntarily by the 3rd party provisions? Think the existing spec allows this.
13:52:16 [rachel_n_thomas]
* rachel_n_thomas raises her pen
13:52:39 [rigo]
efelten, it would also mean that it considers itself a 3rd party
13:52:48 [jmayer]
This is an optional flag. What's the big deal?
13:53:13 [adrianba]
rachel_n_thomas: defining tracking or do not track would be helpful in having this discussion
13:53:24 [adrianba]
... without the definitions the folks not in the room won't feel represented
13:53:26 [npdoty]
ack ifette
13:53:26 [Zakim]
ifette, you wanted to say we're really talking about TPE issues now
13:53:35 [susanisrael]
jmayer: i think commercial companies are concerned that they will be asked to meet any higher standard that is introduced, but I could be wrong.
13:53:39 [justin]
The point is assumed for the record that DAA wants us to define tracking. Noted for posterity. Consider it a standing objection.
13:53:42 [aleecia]
ack ifette
13:53:59 [adrianba]
ifette: i think there's some overlap for the new action and what i was trying to get to earlier which is simple compliance
13:54:06 [adrianba]
... i think this falls under simple compliance
13:54:15 [adrianba]
... if my text doesn't cover this use case then i've failed
13:54:34 [adrianba]
... there's a question about going above and beyond which i think is a tpe question
13:54:55 [adrianba]
... is this something we should expect in the compliance doc or is it for tpe about if i can express this
13:54:55 [npdoty]
I think there might be agreement that we don't need this in the Compliance doc?
13:55:10 [adrianba]
... majority of what i heard were tpe but the actions are on compliance
13:55:19 [WileyS]
Tom, how would replying to DNT and not providing a single permitted use not meet the same outcome?
13:55:23 [adrianba]
aleecia: maybe can merge the actions - you guys can figure that out
13:55:32 [adrianba]
... will it end up in compliance or tpe - it depends on the text
13:55:45 [npdoty]
ifette, do you have a separate action for this?
13:55:47 [adrianba]
... for now we'll discuss in compliance but may land in tpe
13:55:54 [npdoty]
ack BerinSzoka
13:55:56 [ifette]
npdoty i had an action to define a six week grace period
13:56:01 [aleecia]
ack BerinSzoka
13:56:04 [ifette]
which i believe would cover this
13:56:08 [adrianba]
BerinSzoka: would be nice to have lots of terms defined
13:56:19 [npdoty]
ifette, got it, I wasn't sure which would cover
13:56:24 [adrianba]
... i'm a little surprised that you've been at this for a while without defining all the terms
13:56:24 [rachel_n_thomas]
berin's list:
13:56:33 [ifette]
npdoty, i do seem to have amassed a few actions today :)
13:56:39 [adrianba]
... glad we're defining not tracking but think some are more important
13:56:52 [adrianba]
... wondering if we're going to have these opened - don't understand difference between OPEN and RAISED
13:57:02 [adrianba]
... we don't understand the terms of the deal - contracts 101
13:57:11 [vincent]
how is that new? we got the same question 5 min ago?
13:57:20 [adrianba]
... shared the document with questions
13:57:26 [adrianba]
aleecia: thank you for doing that work
13:57:40 [adrianba]
... first part of first day we went into definitions early on purpose
13:57:44 [BerinSzoka]
For the fifth time, here's my list of terms that seem to be undefined
13:58:04 [adrianba]
... secondly, we've agreed this won't be not tracking - the action has a title that we're not actually doing
13:58:09 [aleecia]
ack MikeZ
13:58:09 [npdoty]
ack MikeZ
13:58:17 [WileyS]
tl, question again, if a site provides a response and then doesn't list a single permitted use as being held out in their response, how is this different than your intended outcome? Doesn't this meet the same outcome?
13:58:22 [adrianba]
MikeZ: what we're doing is defining a spec for users to express their preferences
13:58:27 [adrianba]
... this doesn't have anything to do with that
13:58:38 [BerinSzoka]
my point was more general than this particular issue: let's define what, in general, we're talking about
13:58:44 [adrianba]
... putting this into the spec implies that if you don't respond in this way then you must be tracking
13:58:55 [ChrisPedigoOPA]
Good Point Zaneis
13:58:57 [aleecia]
ack Chapell
13:59:01 [adrianba]
... we shouldn't create a presumption that people who don't do DNT are tracking
13:59:07 [jmayer]
Zakim, agenda?
13:59:07 [Zakim]
I see nothing on the agenda
13:59:16 [adrianba]
Chapell: thinking about a small web site - i don't understand many of these definitions so how will a small web site
13:59:28 [adrianba]
... what happens when a regulator comes calling for a deceptive statement
13:59:37 [adrianba]
aleecia: spec needs to be better written before we're done
13:59:38 [BerinSzoka]
BINGO: Folks, if you want this spec to be enforceable by regulators, it has to be very, very clear
13:59:42 [npdoty]
WileyS, I largely agree, though I think we need to define the fields so that there is a way to say that no permitted uses are claimed
14:00:00 [adrianba]
dwainberg: is there a possibility that there is a third party that this applies to?
14:00:13 [adrianba]
... could this ever possibly apply in a 3rd party case?
14:00:14 [WileyS]
Nick, those codes are mostly in the TPE now, right?
14:00:23 [adrianba]
aleecia: you could imagine it in first or third party
14:00:37 [adrianba]
... the question is if a first party would like to communicate this
14:00:38 [npdoty]
WileyS, yes, I definitely think this is a TPE question; I have a proposal to update the TPE to clarify that
14:00:45 [Chris_DAA]
BerinSzoka, to that point, FTC is in the room, so perhaps efelten could help us understand how the FTC might enforce all of this in the US?
14:00:48 [WileyS]
Nick, agree that the "draft" definitions of the permitted uses are still unsettled but assuming that was the case then this is solved, correct?
14:00:53 [adrianba]
dwainberg: spec doesn't apply in general to first parties
14:01:08 [WileyS]
Nick, okay - sounds like we're on the same page on this one.
14:01:12 [adrianba]
aleecia: it's not that spec doesn't apply to first parties - it does, they have few limitations - they do need to ack
14:01:18 [npdoty]
WileyS, I believe my text (a small change on the qualifier flag, probably) would resolve this entirely, without defining new terms
14:01:33 [WileyS]
Nick, like it - look forward to seeing it.
14:01:49 [npdoty]
action: singer to propose non-normative text on 119 (with schunter)
14:01:49 [trackbot]
Created ACTION-307 - Propose non-normative text on 119 (with schunter) [on David Singer - due 2012-10-11].
14:01:50 [adrianba]
aleecia: going take a break - back in half an hour, get as much done as we can, then leave early for dinner
14:01:59 [JBWeiss]
JBWeiss has left #DNT
14:02:15 [H9eiek]
H9eiek has joined #dnt
14:02:32 [npdoty]
WileyS, (from a few weeks back)
14:03:11 [adrianba]
rrsagent, draft minutes
14:03:11 [RRSAgent]
I have made the request to generate adrianba
14:03:18 [npdoty]
cheers to adrianba and dsinger for keeping up with scribing!
14:06:59 [dsinger]
dinner location: Kantjil En De Tijger, Spuistraat, Amsterdam, The Netherlands
14:26:33 [jmayer]
Zakim, code?
14:26:33 [Zakim]
the conference code is 26631 (tel:+1.617.761.6200, jmayer
14:32:02 [johnsimpson]
we back?
14:34:28 [BrendanIAB]
Zakim, IPCaller is probably me
14:34:28 [Zakim]
+BrendanIAB?; got it
14:35:16 [BrendanIAB]
Hmm, seems like I could have napped for another few minutes.
14:36:14 [aleecia]
getting back to it
14:37:25 [vinay]
Matthias has put info for dinner on board
14:37:33 [vinay]
name, address will be added to board shortly
14:37:57 [vinay]
Aleecia: just one behind on various issues. Will drop last section to end early and make it early for dinner
14:38:04 [npdoty]
scribenick: vinay
14:38:13 [vinay]
Aleecia: Tomorrow is primarily Matthias
14:38:16 [vinay]
Host will give us take-away lunch tomorrow <clap>
14:38:24 [BerinSzoka]
can we get buttermilk to go?
14:38:33 [npdoty]
"have really taken amazingly good care of us" -- +1
14:38:36 [npdoty]
14:38:36 [trackbot]
ISSUE-144 -- User-granted Exceptions: Constraints on user agent behavior while granting and for future requests? -- open
14:38:36 [trackbot]
14:38:42 [vinay]
Issue 144 - User granted Exceptions
14:38:45 [ChrisPedigoOPA]
Berin, not until you define buttermilk
14:38:57 [vinay]
Raised against compliance, but Matthias has been handling it in TPE
14:39:06 [jmayer]
14:39:07 [vinay]
Aleecia Suggestion: Change 144 from compliance to TPE (where it belongs)
14:39:10 [justin]
Can we turn the screens back on?
14:39:11 [npdoty]
Zakim, open the queue
14:39:11 [Zakim]
ok, npdoty, the speaker queue is open
JBWeiss has joined #DNT
14:39:22 [jmayer]
14:39:32 [vinay]
tl: can we get what we're discussing on the screens
14:39:43 [vinay]
aleecia: i'm plugged in. We'll look into it
14:40:06 [npdoty]
14:40:14 [npdoty]
ack jmayer
14:40:22 [BerinSzoka]
Caveman Lawyer welcomes further input as to key undefined terms
14:40:23 [johnsimpson]
vinay can you share?
14:40:24 [vinay]
... going to move it to TPE where it belongs
14:40:27 [vinay]
jmayer confused in moving it over to TPE
14:40:46 [npdoty]
s/jmayer confused/jmayer: confused/
14:40:49 [vinay]
Aleecia - if you join the AdobeConnect, we can try sharing again for remote users
14:41:06 [dsinger]
even if it stays in compliance, I think it'll be much easier to discuss after tomorrow's issues are considered
14:41:09 [dsinger]
14:41:20 [vinay]
jmayer: This issue seems to have the same flavor of compounding the error of putting more stuff in TPE that didn't belong there to begin with
14:41:41 [vinay]
... perhaps it makes sense to move stuff that may not fit well in TPE into Compliance
14:41:45 [adrianba]
14:42:12 [npdoty]
ack dsinger
14:42:14 [vinay]
aleecia: suggest as an action item editors to look it over and then come up with a proposal
14:42:21 [Chapell]
14:42:24 [vinay]
dsinger: it would be easier to discuss this after tomorrow
14:42:32 [vinay]
... we will be discussing exception mechanisms tomorrow
14:42:39 [WileyS]
+1 to DSinger
14:42:44 [vinay]
... keep this as an open item for now
14:43:08 [jmayer]
Fine by me.
14:43:21 [npdoty]
action: singer (with justin) to coordinate which document contains exceptions
14:43:21 [trackbot]
Created ACTION-308 - (with justin) to coordinate which document contains exceptions [on David Singer - due 2012-10-11].
14:43:23 [vinay]
Aleecia: keep this open for now. And, Justin and David to have a discussion on where Issue 144 should live
14:43:33 [ionel]
ionel has joined #dnt
14:43:37 [vinay]
Next issue - issue 60
14:43:37 [trackbot]
ISSUE-60 -- Will a recipient know if it itself is a 1st or 3rd party? -- open
14:43:37 [trackbot]
14:43:57 [vinay]
Aleecia: Question -- will a recipient know itself whether it is a first party or a third party
14:43:58 [tl]
14:44:13 [fielding]
that sense would be wrong
14:44:23 [npdoty]
q+ fielding
14:44:24 [vinay]
Aleecia: A -- not always, but most of the time will. Heard sense that there may be some use cases where the party may not know (operating in an iframe)
14:44:28 [vinay]
... may not have anything in particular to do right now
14:44:40 [vinay]
... may be an example of moving something from open to raised
14:44:41 [tl]
14:44:48 [fielding]
14:44:52 [vinay]
... we are on track to handle this already from handling the first and third party definitions
14:44:56 [vinay]
... anyone object to parking this for now?
14:44:59 [dtauerbach]
14:45:02 [rachel_n_thomas]
14:45:13 [justin]
fielding has been clear that he has issues on the distinction between first and third parties
14:45:22 [vinay]
npdoty: Roy - can you elaborate on why you think Aleecia may not have current state right?
14:45:36 [vinay]
fielding: the notion that a party knows what party it is is wrong
14:45:52 [tl]
14:45:55 [vinay]
Aleecia: Correction -- started the conversation that a first party won't know
14:46:23 [Chris_DAA_]
14:46:35 [npdoty]
most of the time parties will be correct in their expectation of their party status
14:46:36 [vinay]
Correction: Most of the time, parties will be accurate in knowing whether it is a first or a third party
14:46:44 [vinay]
... suggestion -- leave it as raised rather than closed
14:46:47 [aleecia]
14:46:52 [npdoty]
ack rachel_n_thomas
14:47:07 [vinay]
... deal with defining first/third parties before doing this
14:47:19 [vinay]
rachel: clarifying question -- are we downgrading it since it's open now?
14:47:31 [justin]
This language is also relevant:
14:47:39 [fielding]
most of the time, parties do not know when they are a first party because being a first party implies knowing why the user made a request; a site certainly knows when it is obeying first party or third party requirements
14:47:47 [vinay]
Aleecia: after we have the definitions for 1st/3rd party done, we should then come back to this. but, shouldn't actively discuss it now. Just don't want to lose it for the future
14:48:06 [fielding]
tl, no
14:48:11 [vinay]
tl: don't parties have all of the info they need to always know?
14:48:14 [ifette]
14:48:17 [npdoty]
14:48:18 [npdoty]
ack tl
14:48:19 [ifette]
ack tl
14:48:19 [aleecia]
ack tl
14:48:22 [justin]
fielding does not care for the high confidence test
14:48:28 [npdoty]
ack ifette
14:48:35 [vinay]
ifette: i don't think it's that simple
14:48:44 [vinay]
... i like the idea of circulating back at the end after knowing the definitions
14:48:47 [Chris_DAA_]
+1 to Ian and Aleecia
14:48:50 [vinay]
tl: no objections to circulating back at the end
14:48:54 [vinay]
aleecia: okay, done!
14:49:02 [Chris_DAA_]
we should do the same for ALL definitions, including "track" and "tracking"
14:49:05 [tl]
fielding, please explain.
14:49:12 [vinay]
... now looking on to issue 73
14:49:13 [vinay]
... analytics silos
14:49:21 [ifette]
14:49:21 [trackbot]
ISSUE-73 -- In order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract -- open
14:49:21 [trackbot]
14:49:35 [ifette]
14:49:35 [trackbot]
ISSUE-89 -- Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about data moving between sites. -- open
14:49:35 [trackbot]
14:49:59 [vinay]
Aleecia -- didn't have actions on this
14:50:02 [vinay]
... had two positions taken
14:50:12 [justin]
This is addressed elsewhere.
14:50:21 [vinay]
... Tom thought tracking should come down to the former; roy thought it was the latter
14:50:28 [JBWeiss]
JBWeiss has joined #DNT
14:50:30 [vinay]
... think it's been handled (implicitly) by decisions already made
14:50:34 [justin]
14:50:35 [dtauerbach]
14:50:37 [fielding]
the definition is written like the LGPL license -- it uses nonsense phrases to be a first party (sufficient to be sued but not to defend) and says that otherwise you are a third party
14:50:38 [vinay]
... do we need to take this on?
14:50:45 [aleecia]
14:50:59 [dwainberg]
14:51:00 [vinay]
... suggestion - not close 89, but also not actively work on it
14:51:03 [Chris_DAA_]
14:51:06 [vinay]
... move it as well to pending
14:51:19 [vinay]
wileys: issue 89 duplicative of Issue 5?
14:51:21 [vinay]
Aleecia: remind me of issue 5
14:51:30 [vinay]
Shane: it's the definition of tracking
14:51:42 [vinay]
... if we had that definition, this may be done
14:52:00 [vinay]
Aleecia: Issue 5 is a separate task
14:52:04 [Walter]
14:52:18 [justin]
+1 to WileyS
14:52:19 [vinay]
Shane: The way I hear you -- Issue 89's response is close with a 'see specification'
14:52:29 [vinay]
... doesn't see much sense to keep it open
14:52:31 [BerinSzoka]
Caveman Lawyer insists Issue 5 (defining tracking) is the most important issue--but laments that it isn't even "open"
14:52:37 [vinay]
dsinger: close without prejudice
14:52:39 [npdoty]
maybe WileyS's point is that it's too broad to have a distinct issue
14:52:41 [justin]
14:52:44 [vinay]
Aleecia: anyone want to keep it open?
14:53:06 [npdoty]
ack dwainberg
14:53:07 [aleecia]
ack dwainberg
14:53:08 [vinay]
Chris_daa - but will speak when turn on queue
14:53:30 [vinay]
14:53:43 [vinay]
... would like to keep it open to allow for this
14:53:51 [vinay]
Aleecia: i think you've suggested a new issue
14:54:08 [vinay]
... and backed an idea from Nick on creating an appendix to promote best practices on privacy friendly solutions
14:54:20 [vinay]
npdoty: not sure what title for issue would be
14:54:33 [vinay]
Aleecia: Appendix for pointers for privacy enhancing ways to perform business practices
14:54:35 [vinay]
something like that
14:54:36 [aleecia]
14:54:42 [justin]
Shouldn't necessarily be limited to appendix.
14:54:42 [aleecia]
ack Chris_DAA
14:54:54 [npdoty]
14:54:54 [trackbot]
ISSUE-175 -- Have an appendix of best practices? -- raised
14:54:54 [trackbot]
14:55:00 [vinay]
Chris_Daa: can't see fit to close issue 89 until have group consensus on definition of tracking
14:55:09 [aleecia]
14:55:14 [aleecia]
ack Walter
14:55:16 [vinay]
... request this stay open, and then revisit it until after 5 is resolved
14:55:20 [vinay]
Walter: Wondering where it was being fixed elsewhere?
14:55:33 [vinay]
Aleecia was fine with Chris' comment (not going to fight it)
14:55:34 [afowler]
afowler has joined #dnt
14:55:46 [npdoty]
dwainberg, do you think issue 175 works for what you were raising? "Have an appendix of best practices?"
14:56:15 [vinay]
Aleecia: to walter -- 'see the spec'. Mostly what we focused on was cross-site issues, but not exclusively. Should it be a or b? Mostly a, with a little b. Rather than explaining all of that, instead just say see the spec
14:56:17 [npdoty]
do we want to postpone 89 then?
14:56:22 [justin]
This concern is addressed specifically by the debate around use of first party data that we spent the previous hour discussing.
14:56:30 [vinay]
... hearing 'add a note to 89 that we will close this after Issue 5 is closed'
14:56:32 [vinay]
move it to raise
14:56:32 [npdoty]
14:56:35 [vinay]
and add a dependency so we don't drop it on the floor
14:56:44 [vinay]
Nick: Can we use postpone?
14:56:46 [vinay]
Aleecia: yes
14:56:46 [aleecia]
14:56:52 [justin]
14:57:18 [dwainberg]
npdoty, not entirely.
14:57:19 [vinay]
Issue 73
14:57:24 [vinay]
Analytics Siloing
14:57:28 [Chris_DAA_]
vinay, did you log my objection to closing Issue 89 until we open and close Issue-5 (with a group consensus)?
14:57:31 [dwainberg]
but, it can wait for issue 5, as has been proposed
14:57:39 [vinay]
Aleecia: had an action for jonathan
14:57:47 [vinay]
Chris_DAA - I believe so.
14:58:08 [Chris_DAA_]
vinay, yes, i see it now- IRC seems to be case sensitive, so it didn't show up red on my side
14:58:12 [vinay]
Aleecia: Thread tapered off
14:58:37 [vinay]
... What is the state of this now, and where would you like to go to move this forward?
14:58:38 [npdoty]
14:58:39 [trackbot]
ISSUE-73 -- In order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract -- open
14:58:39 [trackbot]
14:58:44 [ifette]
14:58:49 [npdoty]
14:58:52 [vinay]
... will put in to IRC
14:59:00 [aleecia]
14:59:06 [mikeo]
14:59:06 [vinay]
... first link was original text
14:59:07 [vinay]
... second link is the response
14:59:11 [npdoty]
ack ifette
14:59:35 [vinay]
ifette: is this subsumed by the text we provide about service providers?
14:59:42 [vinay]
aleecia: it might be. Just wanted to make sure we're on the same page.
14:59:50 [vinay]
... starting to see a theme
15:00:12 [vinay]
... anyone pushing back? not closing this, just past this text since we moved on to other items
15:00:13 [vinay]
... anyone disagree?
15:00:34 [npdoty]
should we be marking in the editors' draft that issue-73 is relevant to that section?
15:00:35 [vinay]
... not ready to close it yet
15:00:43 [vinay]
ifette: can we note in the issue that this is subsumed?
15:00:48 [vinay]
Aleecia: Can you do that?
15:00:55 [vinay]
ifette: sure (in a depressed voice)
15:01:15 [vinay]
Issue 99 now
15:01:25 [vinay]
Aleecia: thread went off the rails
15:01:29 [ifette]
ISSUE-73: This is largely subsumed by new text on service providers, so people should look at that text and raise any issues they have with _that_ text, not the old text in this issue/action
15:01:29 [trackbot]
ISSUE-73 In order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract notes added
15:01:39 [vinay]
... let's see if we can focus it again. very long thread. picked out three bits of text that seem most relevant
15:01:42 [aleecia]
15:01:46 [fielding]
15:01:46 [trackbot]
ISSUE-99 -- How does DNT work with identity providers? -- open
15:01:46 [trackbot]
15:01:48 [vinay]
... lot of grumpiness that may not be as relevant
15:01:56 [aleecia]
15:01:59 [vinay]
... first is Ian's in response to Action 187
15:02:00 [vinay]
... second is Rob's response
15:02:05 [aleecia]
15:02:12 [vinay]
... time in between, with some other discussions
15:02:13 [vinay]
... third is comments from Rigo
15:02:29 [vinay]
... for Ian's -- "Reading Text"
15:02:55 [vinay]
... when the user is interacting with the identity provider, it is clearly a first party
15:02:58 [rachel_n_thomas]
15:03:01 [vinay]
... but what happens afterwards?
15:03:14 [npdoty]
15:03:16 [vinay]
... rob's proposal - can't use the data beyond authentication unless needed for business needs
15:03:19 [jmayer]
15:03:21 [robsherman]
15:03:22 [vinay]
... can we replace that with 'other permitted uses'?
15:03:24 [dwainberg]
15:03:28 [vinay]
... rob may not accept it
15:03:35 [justin]
Or consent/UGE
15:03:53 [vinay]
... finally - from rigo -- different suggestion that OOB always trumps
15:04:02 [vinay]
... not proposed text, but an idea on how this might work
15:04:08 [vinay]
... don't have proposed text along these lines yet
15:04:10 [lmastria-DAA]
15:04:22 [vinay]
... two texts, with possibility that a 3rd person might
15:04:22 [ifette]
15:04:26 [npdoty]
ack rachel_n_thomas
15:04:29 [aleecia]
ack rachel_n_thomas
15:04:38 [Chris_DAA_]
Rigo, what is an "identity provider"?
15:04:47 [vinay]
Rachel: Helpful to walk through proposals. In one of them, there was a use of 'first party'.
15:04:55 [Chris_DAA_]
rigo, that's not an industry term I'm familiar with?
15:04:58 [vinay]
... will be hard to close this until we clarify what first party is
15:05:11 [vinay]
Aleecia: won't close this today, but can discuss it
15:05:13 [npdoty]
ack jmayer
15:05:15 [aleecia]
ack jmayer
15:05:22 [vinay]
Rachel: Would be tough to discuss without knowing what 1st party is
15:05:25 [vinay]
jmayer: suggest we don't have text on it
15:05:42 [vinay]
... interaction with widgets and interaction with websites should be accurate to cover this use case
15:05:54 [rachel_n_thomas]
noting that discussion based definitions that do not yet exist is fine as a hypothetical exercise, but not to inform formal decisionmaking related to the standard.
15:06:05 [vinay]
... suppose SSO on website, the widget use case is a nice example, but it doesn't seem to me that we don't need a separate section to address it
15:06:07 [justin]
I disagree jmayer, I don't know how the ID provider fares after authentication.
15:06:24 [aleecia]
15:06:27 [vinay]
jmayer's response to Justin's question: login process is well defined
15:06:34 [vinay]
... he's right that post-log in, it will vary
15:06:50 [susanisrael]
vinay i thought jonathan was saying login process NOT well defined
... some situations it will follow to be a first party; other situations will not be followed as a first party
15:07:09 [Chris_DAA_]
rigo is no longer in IRC? does he know that? This is his issue, and I have questions
15:07:21 [justin]
15:07:33 [aleecia]
15:07:37 [susanisrael]
rigo is trying to get back on irc
15:07:39 [npdoty]
susanisrael, I think jmayer is saying that it is clear/well-defined that an identity provider would be a 1st party during the authentication process
15:07:47 [vinay]
jmayer: can you let the minutes know whether you said 'login process was well defined' or 'login process was not well defined'?
15:07:53 [rigo]
15:08:05 [robsherman]
15:08:06 [rigo]
Chris_DAA_, what is your question?
15:08:06 [Chris_DAA_]
see you now rigo
15:08:09 [vinay]
jmayer: place where he thinks justin and he have a bit of back and forth is what happens after you sign in
15:08:15 [ksmith]
15:08:19 [ksmith]
15:08:21 [Chris_DAA_]
Rigo, what is an "identity provider"?
15:08:24 [susanisrael]
ok i am sorry if i misunderstood jmayer
15:08:25 [rigo]
can someone re-paste the message from me that Aleecia mentioned?
15:08:36 [vinay]
... in the majority of cases, he doesn't see the ID provider as a first party because the ID provider fades into the background
15:08:40 [aleecia]
15:08:42 [Chris_DAA_]
rigo, that's not an industry term I'm familiar with?
15:08:50 [npd_test]
15:08:51 [justin]
I think I agree with that result, but I'm not sure it's clear from the text. The widget example doesn't get that deep.
15:08:53 [vinay]
... but in cases that the ID provider stays involved (like a FB example), then they are remaining a first party
15:09:02 [vinay]
... it depends on website design
15:09:10 [rigo]
Chris_DAA_, this is a well defined term from single sign on scenarios
15:09:25 [npdoty]
I believe the definition of corporate-affiliates/easy-discoverable is the breadth of a party
15:09:27 [vinay]
Chrispedigo: What definition of first party is he using? His or the one we're discussing with affiliates?
15:09:47 [vinay]
jmayer: might be conflating two issues: 1) extent of a party; 2) 1st vs 3rd party
15:09:50 [Chris_DAA_]
15:09:58 [ifette]
And there can be more than one first party on a given page
15:10:05 [ifette]
e.g. after you interact with a widget
15:10:20 [aleecia]
Train for dinner leaves in 20 minutes
15:10:25 [aleecia]
And this is our last issue
15:10:26 [npdoty]
15:10:30 [ifette]
so brief answers please :)
15:10:42 [aleecia]
zakim, close queue
15:10:42 [Zakim]
ok, aleecia, the speaker queue is closed
15:10:44 [vinay]
chrispedigo: trying to get a sense on which definition of 1st party he's using
15:10:46 [justin]
ChrisPedigoOPA I don't think it matters.
15:11:03 [aleecia]
15:11:06 [vinay]
aleecia: if you disagree, let us know
15:11:09 [npdoty]
ChrisPedigoOPA, I think he's referring to meaningful interaction; and that both optional definitions refer to interaction
15:11:16 [rigo]
Chris_DAA_, look at which points you to the SAML Specification
15:11:20 [vinay]
jmayer: if you went with ownership approach, it makes it a much harder case for the ID provider to continue to be a first party after login-flow
15:11:23 [tlr]
chris_DAA, look at any of the common identity systems. OpenID, SAML, ... all use the term consistently.
15:11:30 [ifette]
Can we please stick to the queue? Jonathan seems to be answering every single question
15:11:30 [justin]
The widget exception is in the second definition as well . . .
15:11:33 [ifette]
but many of us had proposed text
15:11:42 [rigo]
SAML is an OASIS Specification
15:11:43 [ifette]
and are not answering every question in real time
15:11:45 [npdoty]
+1 justin, both options refer to interactions
15:11:47 [justin]
15:11:56 [Chris_DAA_]
ok rigo, has the wikipedia definition been entered into the record here in this forum?
15:12:02 [aleecia]
to add to issue-99: action-187,, silence
15:12:05 [vinay]
aleecia: add to issue 99
15:12:06 [aleecia]
15:12:11 [aleecia]
ack dwainberg
15:12:12 [npdoty]
ack dwainberg
15:12:22 [ksmith]
I think it matters in that JMayer proposed we remove this issue based on the fact that it is covered in the text. However, it is only covered in text that is in his definition for 1st party, which is still up for debate
15:12:37 [vinay]
dwainberg: question -- given Rob's language, what is the difference between this and calling an ID provider a 3rd party and giving it a permitted use?
15:12:58 [WileyS]
15:12:59 [vinay]
... and is there anything in the permitted use section that needs to change?
15:13:11 [ifette]
we do need to say something, as we want to allow customization by that login provider on the page
15:13:16 [vinay]
... is something missing from there?
15:13:19 [npdoty]
I think dwainberg is going further to say that identity providers is always a third party, and we have permitted uses
15:13:30 [vinay]
rob: in the time of progress from june and now, things have changed
15:13:46 [jmayer]
ksmith, that's right. One of the reasons domain ownership is so problematic is we have to start making one-off exceptions for particular business practices.
15:13:54 [vinay]
... some example about castles and bridges
15:14:03 [vinay]
... made progress on permitted uses
15:14:04 [justin]
ifette, is that sufficient for you?
15:14:25 [vinay]
Aleecia: action is for Rob to edit last line that removes everything after so that things are covered by permitted uses/first party
15:14:31 [aleecia]
Identity providers must not use user data beyond the purpose of
15:14:31 [aleecia]
identification and authentication
15:14:38 [justin]
15:14:38 [robsherman]
15:14:42 [vinay]
... that is the full proposal from rob
15:14:42 [ifette]
15:14:42 [trackbot]
ISSUE-99 -- How does DNT work with identity providers? -- open
15:14:42 [trackbot]
15:14:50 [npdoty]
ack lmastria-DAA
15:14:51 [vinay]
... three proposals that are flushed out better. trying to fly thru this to get to dinner
15:15:09 [vinay]
Lou: still struggle with this as to what's a first party. a bit of a challenge
15:15:46 [vinay]
... going back to Chapell's point from before, it seems that what we're doing is looking for edge cases that suggest that we don't really know what tracking is to then assume that everything's underneath it
15:15:48 [rigo]
15:15:49 [vinay]
... there are frameworks in place that deal with this
15:16:00 [vinay]
... government bodies that haven't gotten around this issue
15:16:10 [aleecia]
ack ifette
15:16:12 [robsherman]
rvaneilk, I need to think more about your language, but are you okay modifying to say "Identity providers that do not otherwise qualify as first parties" or similar? I'm thinking about Jonathan's Facebook example — on many websites, we are an identity provider but also provide other social services that people engage with, and I don't want this to be read that we cannot use data as a first party simply because we're ALSO an identity provider.
15:16:14 [vinay]
... until we get those definitions settled, we're spending many cycles talking past each other
15:16:25 [ksmith]
15:16:30 [robsherman]
15:16:53 [vinay]
ifette: one of the important things we're trying to capture is that you want continued experiences from the ID provider (after logging in via facebook, can still see enhanced experiences by them)
15:17:10 [vinay]
... rob's proposal is really a 1-time use; just outsourcing the account. Ian's proposal allows for personalization after login
15:17:15 [aleecia]
15:17:16 [vinay]
Aleecia: we still have both texts
15:17:25 [npdoty]
is personalization after the login flow a case of multiple first parties?
15:17:26 [vinay]
... thanks kevin for dropping out of queue
15:17:29 [vinay]
... move forward with there
15:17:32 [vinay]
three proposals
15:17:37 [vinay]
one from rob, one from ian, and silence
15:17:40 [vinay]
move on to dinner
jmayer has left #dnt
15:17:42 [BrendanIAB]
enjoy your foods!
15:17:44 [vinay]
move on to TPE from there
15:17:52 [npdoty]
adjourned for dinner.
15:17:53 [johnsimpson]
When will you discuss getting to last call?
15:17:54 [ifette]
Also, the fact that we have options and confusion here points to having text to make sure this is clear...
15:18:00 [Zakim]
15:18:05 [ksmith]
15:18:27 [fielding]
zakim, list attendees
15:18:27 [Zakim]
As of this point the attendees have been BrendanIAB?, Telegraaf, fielding, johnsimpson, Jonathan_Mayer
15:18:58 [npdoty]
rrsagent, draft minutes
15:18:58 [RRSAgent]
I have made the request to generate npdoty
15:21:58 [johnsimpson]
johnsimpson has left #dnt
Attendees were BrendanIAB?, Telegraaf, fielding, johnsimpson, Jonathan_Mayer
ionel has joined #dnt
