IRC log of privacy on 2012-11-26

Timestamps are in UTC.

21:46:11 [RRSAgent]
RRSAgent has joined #privacy
21:46:11 [RRSAgent]
logging to
21:46:24 [npdoty]
Meeting: Workshop on Do Not Track and Beyond
21:46:31 [Zakim]
Zakim has joined #privacy
21:46:43 [npdoty]
Chair: js, npdoty
21:46:50 [npdoty]
rrsagent, make logs public
21:55:33 [presentation_screen]
presentation_screen has joined #privacy
22:07:09 [rigo]
rigo has joined #privacy
22:07:24 [rigo]
rrsagent, please set log public
22:07:32 [rigo]
scribenick: rigo
22:08:13 [Frank]
Frank has joined #privacy
22:12:52 [rigo]
Topic: Introduction
22:13:22 [rigo]
Introductions around the room: What is, can and should be the role of standards in policy?
22:13:47 [rigo]
Introduction by Nick Doty, Thanks and Administrativa and Logistics
22:14:29 [rigo]
Presentation: Frederik Borgesius, University of Amsterdam
22:14:31 [aleecia]
aleecia has joined #privacy
22:14:36 [BerinSzoka]
BerinSzoka has joined #Privacy
22:14:37 [Arnaud]
Arnaud has joined #privacy
22:14:49 [Js]
Js has joined #privacy
22:15:05 [Joanne]
Joanne has joined #privacy
22:15:05 [tara]
tara has joined #privacy
22:15:05 [aleecia]
Rigo is scribing?
22:15:09 [rigo]
22:15:15 [peter]
peter has joined #privacy
22:15:19 [johnsimpson]
johnsimpson has joined #privacy
22:15:35 [Andrew_Swerdlow]
Andrew_Swerdlow has joined #privacy
22:15:36 [rvaneijk]
rvaneijk has joined #privacy
22:15:50 [Mark_Lizar]
Mark_Lizar has joined #privacy
22:16:03 [meme]
meme has joined #privacy
22:16:04 [erikn]
erikn has joined #privacy
22:16:08 [Mark_Lizar]
Mark_Lizar has left #privacy
22:16:34 [JoeHallCDT]
JoeHallCDT has joined #privacy
22:16:35 [MarkL]
MarkL has joined #privacy
22:16:35 [nweaver]
nweaver has joined #privacy
22:16:45 [Reuben_Binns]
Reuben_Binns has joined #privacy
22:16:50 [rigo]
ND: Goal is for W3C to identify fields for future work, but also for you all to share experience. But it is also a place for the community to meet. Should mix industry and academics in the breaks, lots of breaks.
22:17:27 [jeff]
jeff has joined #privacy
22:17:30 [rigo]
npdoty: Introduction to DNT: mentions DNT Workshop in Princeton
22:18:22 [nweaver]
nweaver has joined #privacy
22:19:33 [rigo]
Presentation around the room
22:20:28 [rigo]
22:23:17 [wseltzer]
wseltzer has changed the topic to: W3C Workshop: Do Not Track and Beyond
22:26:38 [Frank]
Frank Wagner, Deutsche Telekom, Group Privacy
22:26:56 [rigo]
Jan Schallaböck, co-chair: and secretariat of ISO/IEC JTC 1 SC 27 WG 5
22:27:09 [nweaver]
ICSI. Our firefox extension is
22:27:18 [nweaver]
22:27:21 [rvaneijk]
Rob van Eijk, PhD Student Dual PhD Center The Hague, Leiden University
22:27:21 [JoeHallCDT]
Jan explains the post-it notes attached to paper agendas: write down interesting things you think of and give them to him
22:27:37 [wseltzer]
Wendy Seltzer, W3C Policy Counsel and in research work,
22:28:24 [rigo]
Please put your ideas on the post-its that are attached to the printed agendas
22:29:10 [rigo]
JS: first topic controversial, but here is Workshop, can agree to disagree, no need for fighting
22:29:25 [rigo]
... introducing Frederik Borgesius
22:29:51 [rigo]
... who has also consulted the EU Parliament on OBA
22:30:49 [rvaneijk]
rvaneijk has joined #privacy
22:32:13 [jeff]
jeff has joined #privacy
22:32:13 [BerinSzoka]
Thank you, Nick!
22:34:15 [rigo]
Presentation: Frederik Borgesius
22:35:11 [Js]
Js has joined #privacy
22:35:27 [jeff]
jeff has joined #privacy
22:38:28 [tlr]
tlr has joined #privacy
22:39:46 [jeff]
jeff has joined #privacy
22:40:40 [pleon]
pleon has joined #privacy
22:41:14 [jeff]
jeff has joined #privacy
22:44:45 [rigo]
JanS: Have a question, you're reluctant to have W3C supply technical specification for compliance
22:44:59 [tara]
tara has joined #privacy
22:45:04 [rigo]
FB: consent and contracts can be achieved anyway
22:46:05 [rigo]
... pop up box could do it. To my surprise Neelie Kroes suggested to use DNT. Which means do not collect. Could be seen as a technology that establishes consent
22:47:07 [rigo]
JanS: that would be a signal of DNT:0 saying consent and unset/DNT:1 would be do not collect
22:47:21 [rigo]
... but what about the defaults, is there an answer in law?
22:47:29 [JoeHallCDT]
is Jan saying the draft DPR has a "default unset" piece?
22:47:34 [JoeHallCDT]
I didn't know that
22:47:48 [rigo]
... wouldn't DNT:1 be more privacy client
22:47:51 [rigo]
22:48:13 [JoeHallCDT]
if anyone has a cite to that piece of the DPR or a discussion of the issue, I'd thank you
22:48:42 [rigo]
FB: both generic law and eprivacy directive expect consent. What the technical default looks like is not relevant because the legal default is not tracking without consent
22:49:27 [rigo]
NickWeaver: How does consent have to be. For wiretapping have to be real.
22:51:19 [AndroUser]
AndroUser has joined #privacy
22:51:28 [mikeperry]
mikeperry has joined #privacy
22:51:35 [wseltzer]
rigo: Whereas clause in the e-privacy directive, number 66 says browser configuration can count as a consent declaration for the purpose of storing information on terminal equipment
22:51:56 [rigo]
FB: have to be significant consent, in current discussion on Google privacy policy discussion, main problem was that the meaning was hidden. Meaningful open
22:52:09 [wseltzer]
... this only happens if there's meaningful information around the browser tool.
22:52:10 [JoeHallCDT]
ah, these are recitals
22:53:10 [JoeHallCDT]
RobVanEijk: consent must be "specific, free, and informed"
22:53:38 [Dwainberg]
Dwainberg has joined #privacy
22:54:33 [rigo]
RobvanEijk: Goal to have the user decide. If the browser can reflect consent or not. DNT work is to reflect consent, and there is a bridge to the legal building block, so there will be a quality assessment on the solution. Making sure that the default thing expresses what the user wants. So technical question is that whether you use DNT or not is also whether a user has already expressed a preference
22:56:13 [Dwainberg]
Does anyone have advice on how to connect my Mac to the wifi? I can connect but nothing is getting through.
22:56:21 [rigo]
ShaneWiley (SW): Starting the debate; Is the policy that the TPWG should create a document that details whether something is compliant with regional laws, or should be only a technical specification that allows expression of self regulatory regimes
22:57:07 [tlr]
dwainberg, network "AirBears"
22:57:09 [rigo]
... compliance document doesn't solve the EU problem, is W3C the right place to have the debate, or have W3C only make the tech spec
22:57:16 [tlr]
worked nicely for me
22:58:01 [rigo]
FB: if FIPs are in place, and 100 countries have. The policy has already been set. W3C only implements that
22:59:19 [rigo]
LieTien: Two things going on: Consent to storage information, and consent that is part of the FIPs, for me two distinct things. I can see the first thing is limited. In the US context, you could consent to a lot more..
22:59:54 [Frank]
Frank has joined #privacy
22:59:55 [rigo]
... if no meaningful scope is given, and lots of EU things wouldn't apply. How much of the other things can you consent away
23:00:40 [rigo]
FB: good question, hasn't been tested in court: security, not waivable, access, not waivable, minimization, not really, but some
23:00:41 [aleecia]
actually FIPPs are from the US :-)
23:00:48 [wseltzer]
23:01:12 [rigo]
... right about double layer of consent, but non lawyers will fall asleep if I start to explain
23:01:39 [rigo]
... ePrivacy Directive is lex specialis and applies, but has to cover the generic requirements too
23:03:13 [dwainberg]
dwainberg has joined #privacy
23:03:36 [wseltzer]
rigo: W3C is not a regulator; it produces "Recommendations"
23:04:02 [JoeHallCDT]
The trick to me is that most of w3c's work is specific to things that would not necessarily change from jurisdiction to jurisdiction… DNT doesn't seem to be like that
23:04:28 [wseltzer]
... we may create documents that have influence in political discussion, but so could virtually anything
23:04:57 [wseltzer]
... there's always a second step, if those in the political process find Recs useful
23:05:05 [rigo]
BerinSzoka: coming to Shane's question. Can be used to implement policy or to create rules?
23:05:26 [wseltzer]
23:06:28 [rigo]
JanS: you get your policy space lined out and facilitate compliance with regulation. You have to agree on what regulatory environment you want to create interoperability to. This is always a heated discussion
23:06:56 [rigo]
... standards can have a de-facto regulatory effect. People should be aware of that.
23:08:09 [rigo]
... in this case SDOs become governance bodies, which is an interesting topic in itself (IGF, ICANN etc)
23:08:20 [dwainberg]
dwainberg has joined #privacy
23:09:32 [rigo]
... question SW is W3C a good place. My reaction: why not, and who else?
23:10:29 [nweaver]
Personally i believe in client-only implementations: I don't trust servers, voluntary or not.
23:10:39 [rigo]
SW: Why not: if resulting standard is voluntary, implementing a new compliance specification would not drive that voluntary implementation. Other regimes in regions would be better for adoption
23:11:19 [rigo]
ND: many people believe that you've to go to W3C to force browser to do X
23:11:57 [wseltzer]
23:12:10 [rigo]
SarahSchroeder: ?? report, standards setting, establishing criteria and supports the work in W3C. We appreciate the work
23:12:20 [JoeHallCDT]
Sarah is at FTC
23:12:23 [JoeHallCDT]
23:13:11 [wseltzer]
[Sarah is reading from p.53]
23:14:44 [rigo]
aleecia: Shane alluding, perhaps not making 39 implementations for over 50 countries. Now for my research I have to explore that, is a nightmare. It would be handy to have one mechanism for consent would save a lot of engineering time for lots of people.
23:15:37 [rigo]
SW: current discussion in TPWG, we already determined that current document does not solve the EU problem, TPE would work, but not need compliance spec
23:16:29 [rigo]
HarlanYu: realize whatever W3C publishes is recommendation. What is it to comply with the Standard? Only one or with both?
23:16:42 [AndroUser]
AndroUser has joined #privacy
23:18:57 [rigo]
... people are not compliant with all, could still use as technical basis for other stuff
23:19:12 [jeff]
jeff has joined #privacy
23:19:13 [nweaver]
If the default requires meaningful consent, the result will be NO if users actually understand what's going on. EG, explain how the like button tracks what people read (not just like) and it creeps people out, big time.
23:19:30 [nweaver]
Well, for a huge fraction of the users
23:19:35 [rigo]
JanS: hear from FTC and if those conditions would be fulfilled that would also make it for EU
23:20:46 [rigo]
... if falling back below regulation and then going into the regulated market is not possible.
23:21:25 [rigo]
... but on the other side, the de-facto regulatory effects should be taken into account.
23:22:07 [AndroUser]
Rigo, you've stated in the past that the current compliance & scope does not meet the ePrivacy Directive requirements but that the TPE provides the necessary framework to get there. Are you suggesting now that the C&S does meet ePrivacy?
23:22:10 [rigo]
ND: it is useful to have direction from regulatory bodies. W3C should go away from setting those regulations. W3C is rather in mechanisms, a tool for making choice
23:23:56 [rigo]
DavidWainberg (DW): Technical standards and compliance standards are different animals. National regulators weighing in is difficult. If W3C is making compliance specification, what would you change in Process?
23:25:00 [rigo]
FrankWagner: from implementers, W3C is making a switch, so we are guided. If a guide is there fine.
23:25:04 [JoeHallCDT]
David, like a treaty process?
23:26:01 [rigo]
AlexFowler: about WAI, are legal requirements that are taken into account while drafting the standards.
23:26:21 [dwainberg]
Joe, what do you mean about a treaty process? As model for doing this type of compliance standard?
23:27:25 [dwainberg]
I don't think most of us would like that.
23:28:12 [JoeHallCDT]
I'm just trying to think of other cross-jurisdictional policy processes and that came to mind… and, I agree, no. Let's talk more offline.
23:28:25 [dwainberg]
Look at some of the treaties we've seen over the last few decades.
23:28:33 [JoeHallCDT]
23:28:40 [rigo]
TLR: think the discussion having here, is a scale. David's question about process is the right question to ask. To WAI, in that area there are regulatory requirement that drive that work and influence. The line depends on that particular content. The lesson from there, there is a policy component to every standards work, sometimes more sometimes less. There are areas where the policy should happen close to the technical work. It is a useful conversation to see
23:28:41 [rigo]
where the policy aspect is to technical relation, where are the lines?
23:28:44 [dwainberg]
Ah.. so, yes, I see the analogy.
23:31:12 [rigo]
Jeff: WAI is a success, touches on regulatory aspects. W3C does a job of doing the pieces that makes sense for the Web, but we do not do laws. Remind everyone to what we do TPE and TCS. What does that signal mean can be used by regulator. One regulator could say, we use W3C meaning, other regulators can define their own meaning
23:31:26 [rigo]
ND: explaining more on what the WAI work is
23:32:25 [rigo]
... instead of defining our own or refer to WAI. Some devs get frustrated if legislator defines their own
23:35:31 [rigo]
Berin: Double minded here. See Shane to stop policy, but also see what W3C tries to achieve. But stopping here would be too short. There will be regulatory effects. Companies come to table because they were bullied to the table. Want a clear framework on what to think about is. On the one hand weighing tradeoffs is policy and shouldn't be done here. But on the other hand defining meaning is part of that work. Effect will because companies will be held to their
23:35:33 [rigo]
23:36:15 [rigo]
... the more there is pressure, the more we are stuck in a policy situation that doesn't work well for W3C process
23:37:35 [rigo]
Jeff: could be law coming out of this, this is not our objective. WAI is interesting. Very few countries that have law saying, you should follow W3C standards.
23:37:46 [rigo]
... web standards will do whatever they will do
23:38:54 [rigo]
JoeHall: if DNT would stop, what would happen? => arms race? Thought it would be lost for consumers, but think that anymore. So we look for a compromise
23:39:24 [rigo]
... beyond the context.
23:40:18 [rigo]
Deirdre: Goal is to augment the web platform with building blocks. We believe that technical tools can help integrate ...
23:40:50 [rigo]
... PICS, P3P, DNT have all that they have policy implications and have to discuss that, not limit discussion
23:41:19 [rigo]
... nobody will integrate that into interface decision
23:42:24 [rigo]
... talks about cases of ?? where interface was unclear. Those bodies will ask how are the defaults, how are you implementing it
23:43:18 [rigo]
... if you compare process of P3P and TPWG, you see evolution. Reach out to regulators, NGOs. But the last thing I would say is that we don't have a role
23:44:51 [rigo]
SW: in general we are in agreement. If we look at policy we wouldn't have spec that wouldn't have impact. But prob is level of details in TPWG, has moved into the broader debate, meaning of consent, meaning of data minimization
23:45:35 [rigo]
... if you look beyond TPE, the struggle begins. Helpful to provide viewpoints. But not the appropriate for final say
23:45:45 [JoeHallCDT]
JoeHallCDT has joined #privacy
23:45:59 [rigo]
Deirdre: you support that or you don't support that? Defaults?
23:46:21 [rigo]
SW: if silent ok, if not silent on defaults
23:46:36 [rigo]
... if you go back in data handling, then it goes to policy side
23:47:08 [ShaneWiley]
ShaneWiley has joined #privacy
23:47:44 [rigo]
AlexFowler: goal of W3C to privacy. W3C be great if this expertise is taken from here and apply it in other contexts of other SDOs. Cookie Specification would have benefited from such expertise
23:47:54 [Arnaud]
23:47:59 [rigo]
JanS: reminds people to fill in post its
23:48:22 [rigo]
23:57:25 [Zakim]
Zakim has left #privacy