W3C

Workshop on Do Not Track and Beyond

26 Nov 2012

Attendees

Chair: js, npdoty
Scribe: rigo


Introductions around the room: What is, can and should be the role of standards in policy?

Introduction by Nick Doty, Thanks and Administrativa and Logistics

Presentation: Frederik Borgesius, University of Amsterdam

Introductions, and Policy

ND: Goal is for W3C to identify fields for future work, but also for you all to share experience. But it is also a place for the community to meet. Should mix industry and academics in the breaks, lots of breaks.

npdoty: Introduction to DNT: mentions DNT Workshop in Princeton

Presentation around the room

http://www.w3.org/2011/track-privacy/

<Frank> Frank Wagner, Deutsche Telekom, Group Privacy

Jan Schallaböck, co-chair: http://www.datenschutzzentrum.de/ and secretariat of ISO/IEC JTC 1 SC 27 WG 5

<nweaver> ICSI. Our firefox extension is priv3.icsi.berkeley.edu

<nweaver> http://priv3.icsi.berkeley.edu

<rvaneijk> Rob van Eijk, PhD Student Dual PhD Center The Hague, Leiden University

<JoeHallCDT> Jan explains the post-it notes attached to paper agendas: write down interesting things you think of and give them to him

<wseltzer> Wendy Seltzer, W3C Policy Counsel and in research work, http://wendy.seltzer.is/drafts/privacy-options-feedback.pdf

Please put your ideas on the post-its that are attached to the printed agendas

JS: first topic controversial, but here is Workshop, can agree to disagree, no need for fighting
... introducing Frederik Borgesius
... who has also consulted the EU Parliament on OBA

<BerinSzoka> Thank you, Nick!

Presentation: Frederik Borgesius http://www.w3.org/2012/dnt-ws/position-papers/24.pdf

JanS: Have a question, you're reluctant to have W3C supply technical specification for compliance

FB: consent and contracts can be achieved anyway
... pop up box could do it. To my surprise Neelie Kroes suggested to use DNT. Which means do not collect. Could be seen as a technology that establishes consent

JanS: that would be a signal of DNT:0 saying consent and unset/DNT:1 would be do not collect
... but what about the defaults, is there an answer in law?

<JoeHallCDT> is Jan saying the draft DPR has a "default unset" piece?

<JoeHallCDT> I didn't know that

JanS: wouldn't DNT:1 be more privacy client?

<JoeHallCDT> if anyone has a cite to that piece of the DPR or a discussion of the issue, I'd thank you

FB: both generic law and eprivacy directive expect consent. What the technical default looks like is not relevant because the legal default is not tracking without consent

NickWeaver: How does consent have to be. For wiretapping have to be real.

<wseltzer> rigo: Whereas clause in the e-privacy directive, number 66 says browser configuration can count as a consent declaration for the purpose of storing information on terminal equipment

FB: have to be significant consent, in current discussion on Google privacy policy discussion, main problem was that the meaning was hidden. Meaningful open

<wseltzer> ... this only happens if there's meaningful information around the browser tool.

<JoeHallCDT> ah, these are recitals

<JoeHallCDT> RobVanEijk: consent must be "specific, free, and informed"

RobvanEijk: Goal to have the user decide. If the browser can reflect consent or not. DNT work is to reflect consent, and there is a bridge to the legal building block, so there will be a quality assessment on the solution. Making sure that the default thing expresses what the user wants. So technical question is that whether you use DNT or not is also whether a user has already expressed a preference

<Dwainberg> Does anyone have advice on how to connect my Mac to the wifi? I can connect but nothing is getting through.

ShaneWiley (SW): Starting the debate; Is the policy that the TPWG should create a document that details whether something is compliant with regional laws, or should be only a technical specification that allows expression of self regulatory regimes

<tlr> dwainberg, network "AirBears"

scribe: compliance document doesn't solve the EU problem, is W3C the right place to have the debate, or have W3C only make the tech spec

<tlr> worked nicely for me

FB: if FIPs are in place, and 100 countries have. The policy has already been set. W3C only implements that

LeeTien: Two things going on: Consent to storage information, and consent that is part of the FIPs, for me two distinct things. I can see the first thing is limited. In the US context, you could consent to a lot more..
... if no meaningful scope is given, and lots of EU things wouldn't apply. How much of the other things can you consent away

FB: good question, hasn't been tested in court: security, not waivable, access, not waivable, minimization, not really, but some

<aleecia> actually FIPPs are from the US :-)

FB: right about double layer of consent, but non lawyers will fall asleep if I start to explain
... ePrivacy Directive is lex specialis and applies, but has to cover the generic requirements too

<wseltzer> rigo: W3C is not a regulator; it produces "Recommendations"

<JoeHallCDT> The trick to me is that most of w3c's work is specific to things that would not necessarily change from jurisdiction to jurisdiction… DNT doesn't seem to be like that

<wseltzer> ... we may create documents that have influence in political discussion, but so could virtually anything

<wseltzer> ... there's always a second step, if those in the political process find Recs useful

BerinSzoka: coming to Shane's question. Can be used to implement policy or to create rules?

JanS: you get your policy space lined out and facilitate compliance with regulation. You have to agree on what regulatory environment you want to create interoperability to. This is always a heated discussion

scribe: standards can have a de-facto regulatory effect. People should be aware of that.
... in this case SDOs become governance bodies, which is an interesting topic in itself (IGF, ICANN etc)
... question SW is W3C a good place. My reaction: why not, and who else?

<nweaver> Personally i believe in client-only implementations: I don't trust servers, voluntary or not.

SW: Why not: if resulting standard is voluntary, implementing a new compliance specification would not drive that voluntary implementation. Other regimes in regions would be better for adoption

ND: many people believe that you've to go to W3C to force browser to do X

<wseltzer> [FTC: http://www.ftc.gov/opa/2012/03/privacyframework.shtm]

SarahSchroeder: ?? report, standards setting, establishing criteria and supports the work in W3C. We appreciate the work

<JoeHallCDT> Sarah is at FTC

<JoeHallCDT> atty

<wseltzer> [Sarah is reading from http://www.ftc.gov/os/2012/03/120326privacyreport.pdf p.53]

aleecia: Shane alluding, perhaps not making 39 implementations for over 50 countries. Now for my research I have to explore that, is a nightmare. It would be handy to have one mechanism for consent would save a lot of engineering time for lots of people.

SW: current discussion in TPWG, we already determined that current document does not solve the EU problem, TPE would work, but not need compliance spec

HarlanYu: realize whatever W3C publishes is recommendation. What is it to comply with the Standard? Only one or with both?
... people are not compliant with all, could still use as technical basis for other stuff

<nweaver> If the default requires meaningful consent, the result will be NO if users actually understand what's going on. EG, explain how the like button tracks what people read (not just like) and it creeps people out, big time.

<nweaver> Well, for a huge fraction of the users

JanS: hear from FTC and if those conditions would be fulfilled that would also make it for EU

scribe: if falling back below regulation and then going into the regulated market is not possible.
... but on the other side, the de-facto regulatory effects should be taken into account.

<AndroUser> Rigo, you've stated in the past that the current compliance & scope does not meet the ePrivacy Directive requirements but that the TPE provides the necessary framework to get there. Are you suggesting now that the C&S does meet ePrivacy?

ND: it is useful to have direction from regulatory bodies. W3C should go away from setting those regulations. W3C is rather in mechanisms, a tool for making choice

DavidWainberg: Technical standards and compliance standards are different animals. National regulators weighing in is difficult. If W3C is making compliance specification, what would you change in Process?

FrankWagner: from implementers, W3C is making a switch, so we are guided. If a guide is there fine.

<JoeHallCDT> David, like a treaty process?

AlexFowler: about WAI, are legal requirements that are taken into account while drafting the standards.

<dwainberg> Joe, what do you mean about a treaty process? As model for doing this type of compliance standard?

<dwainberg> I don't think most of would like that.

<JoeHallCDT> I'm just trying to think of other cross-jurisdictional policy processes and that came to mind… and, I agree, no. Let's talk more offline.

<dwainberg> Look at some of the treaties we've seen over the last few decades.

<JoeHallCDT> word

TLR: think the discussion having here, is a scale. David's question about process is the right question to ask. To WAI, in that area there are regulatory requirement that drive that work and influence. The line depends on that particular content. The lesson from there, there is a policy component to every standards work, sometimes more sometimes less. There are areas where the policy should happen close to the technical work. It is a useful conversation to see where the policy aspect is to technical relation, where are the lines?

<dwainberg> Ah.. so, yes, I see the analogy.

Jeff: WAI is a success, touches on regulatory aspects. W3C does a job of doing the pieces that makes sense for the Web, but we do not do laws. Remind everyone to what we do TPE and TCS. What does that signal mean can be used by regulator. One regulator could say, we use W3C meaning, other regulators can define their own meaning

ND: explaining more on what the WAI work is
... instead of defining our own or refer to WAI. Some devs get frustrated if legislator defines their own

Berin: Double minded here. See Shane to stop policy, but also see what W3C tries to achieve. But stopping here would be too short. There will be regulatory effects. Companies come to table because they were bullied to the table. Want a clear framework on what to think about is. On the one hand weighing tradeoffs is policy and shouldn't be done here. But on the other hand defining meaning is part of that work. Effect will because companies will be held to their promises.

scribe: the more there is pressure, the more we are stuck in a policy situation that doesn't work well for W3C process

Jeff: could be law coming out of this, this is not our objective. WAI is interesting. Very few countries that have law saying, you should follow W3C standards.
... web standards will do whatever they will do

JoeHall: if DNT would stop, what would happen? => arms race? Thought it would be lost for consumers, but think that anymore. So we look for a compromise
... beyond the context.

Deirdre: Goal is to augment the web platform with building blocks. We believe that technical tools can help integrate ...
... PICS, P3P, DNT have all that they have policy implications and have to discuss that, not limit discussion
... nobody will integrate that into interface decision
... talks about cases of ?? where interface was unclear. Those bodies will ask how are the defaults, how are you implementing it
... if you compare process of P3P and TPWG, you see evolution. Reach out to regulators, NGOs. But the last thing I would say is that we don't have a role

SW: in general we are in agreement. If we look at policy we wouldn't have spec that wouldn't have impact. But prob is level of details in TPWG, has moved into the broader debate, meaning of consent, meaning of data minimization
... if you look beyond TPE , the struggle begins. Helpful to provide viewpoints. But not the appropriate for final say

Deirdre: you support that or you don't support that? Defaults?

SW: if silent ok, if not silent on defaults
... if you go back in data handling, then it goes to policy side

AlexFowler: goal of W3C to privacy. W3C be great if this expertise is taken from here and apply it in other contexts of other SDOs. Cookie Specification would have benefited from such expertise

<Arnaud> +1

JanS: reminds people to fill in post its

Coffee break

Impacts

<aleecia> do we have a scribe?

<aleecia> (because I didn't quite follow what just went by)

<aleecia> perhaps Frederik could summarize the outcome on that little back & forth on current consent for OBA -- I think I missed at least one of the twists & turns there.

JoeHall: beyond, is the single point not only for expressing preference, but also a single point of information, but heavy lifting for an os?

FW: necessary to guide the user. I have to write down in an app where my data is going. Hard to find?

<aleecia> (of note for Joe, Mozilla put DNT into the OS for phones; others have not yet. OS seems to make sense for phones)

SW: ad choices, does that change the discoverability.

<JoeHallCDT> (of note to Aleecia, I'd argue that iOS' LAT setting is also close, but a bit different. ;)

FW: how the icon is served, if it is guided out of portal, users tend to be confused. Is not the same design

ChrisMejia: Simpler opt-out mechanism, do not track is not well defined, what do you mean?

FW: coming from a legal framework that defines what it means, hopefully DNT will match that

ND: do people want to opt out of three different things, or is one single click better?

FW: have no experience there

<ShaneWiley> Aleecia, have you checked out iOS6's Advertising Identifier option?

DavidWainberg (DW): Work for NAI, presentation of NAI, and what brought us here

<JoeHallCDT> I think what Chris was saying there is that the more onerous opt-out mechanisms provide rich definitions about what each flavor of tracking is… DNT as it exists now in the browser does not do that.

<aleecia> Shane, I haven't yet -- thanks for the pointer.

scribe: also tell you what 3rd party are and why they are important to the eco system
... NAI codes of conduct, last update 2008, limitation on use of PII and sensitive data, enforceable rules

paper http://www.w3.org/2012/dnt-ws/position-papers/10.pdf

scribe: most difficult thing was that sometimes information is sensitive in a certain context. Is our solution the best? Don't know, but have advanced the practice. Read every privacy policy and have improved them. Now disclosure of retention practices.

<nweaver> A quick summary to save others looking up. For iOS6, the basic idea is a persistent per-advertiser cookie, that gets reset if the device is blanked. So it's persistent like the UUID (device ID) while a device is owned, but is flushed on change. It can be disabled as well, General:About:Advertising. in the settings.

scribe: DNT and privacy debate has been over politicised and think we should get back into productive mode.
... want a free democratic internet. (lists other agreements)

<JoeHallCDT> quick corrections: UUID is not UDID as UUID() function in iOS includes timestamp (so unique, but includes time of creation, for storing). Also, the next iOS (6.1?) will allow resetting the identifier without a reset.

<nweaver> OOPs, yeah. UDID...

scribe: will create incentives for good actors.

<nweaver> thanks. (I use UUIDs so much that I simply brain-typo UDID as UUID)

scribe: Limitations can come from W3C or elsewhere, but have to be fair and reasonable.
... Believe that the current DNT is creating perverse incentives.

<nweaver> We already HAVE huge PII data collection. Google, Facebook are exhibit 1 and 2

scribe: first party will collect, can do even collect PII.

<nweaver> Both collecting massive PII for advertising

scribe: while third parties are punished but only collect one id point
... => makes a point of advertisement as part of ecosystem
... need to have an impact assessment and consequences of how things are designed
... third parties support publishers

<erikn> The iOS identifier for advertising is a single identifier. It is not per-advertiser. It can be changed (without buying a new phone), unlike the UDID — that part is accurate. It cannot be disabled, but its use can be limited, as explained in a link within the Settings app.

scribe: why behavioral is so important and contextual doesn't really help
... some are too small for contextual, some with niche content, but not interesting to advertiser
... because it's behavioral, it also works on niche content. Also helps SMEs as they can improve their impact per dollar

<nweaver> Anyone try legally subpoenaing or search warrants submitted to advertising networks to recover user history?

scribe: NAI committed to continue working on this, respect user's choices. And provide democratic internet

<aleecia> @Shane, oh the UDID replacement. I drop nouns, yes: this.

Jeff: overly politicised: applaud you for that comment, applaud for going back in productive mode
... noted with interest the high complexity of getting the stakeholders so balanced. Not all of that can be done in TPWG due to charter limitation, looking forward to continue for the "beyond" part

FrankDawson: Perspective on future beyond DNT, advertisement and apps. In-App advertisement as the major increase. DNT may or may not solve that. For NAI, what are you doing for mobile apps? Code of conduct? What else?

DW: mobile is difficult, something we are working on. WGs are working on, currently not decided what directions

Deirdre: what the real problems are we are not focusing on? Can you elaborate?

DW: reluctance to enumerate the problems we are trying to solve? People have ideas, but difficult to really identify users concerns, real concerns like identity theft, what are risks of online advertisement. Like to do more work on NAI with users to address their concern

FW: practical: discovered privacy policies. What kind of privacy policy you mean. Policy of advertisers? Or the responsible for the portal?
... in EU portal also responsible for 3rd parties they chose

DW: we watch the first parties of our member companies
... back to Deirdre's question. Personalization is creepy. Irony is that is only one single datapoint. Other things are more difficult have more data points and people do not realize.

Deirdre: Why should that happen here?. First vs Third parties is creating distortion, but in light of last discussion, what is the goal, this is data backend stuff

DW: anybody who is talking about it should think about the bigger picture

Christine: things you want to improve is that user should be better improved.

?? from??: like your idea. I want thoughts on opt out of companies as opposed to DNT as browsing context

scribe: people were not aware of all those tracking companies

DW: dunno about solution, DNT may be an improvement.
... can offer pick and choose, but users have to understand

<tlr> rigo: David, I hear two things

<tlr> ... better information of the user - transparency

<tlr> ... in the discussion tomorrow on technical merits

<tlr> ... have submitted position paper that also goes toward the mobile stuff

<tlr> ... the other one is the "switch" thing

<tlr> ... next-generation information tools?

DW: Don't know. Too blunt of an instrument and too much of a choice so users do not understand. We don't understand and make choice. There is a balance somewhere, but dunno where it is. Google and Yahoo have interest manager, users were given
... then found out that people were editing the categories, not only removing

AndrewSwerdlow: yes, people added categories, removed others. But a very low rate of opt-in

============

Reed Freeman, ESPC http://www.w3.org/2012/dnt-ws/position-papers/13.pdf

Reed: a lot of concern on ability to be tracked, put into narrow categories
... look at my google thing and both categories were wrong
... this will not be our last discussion
... company send email on behalf of other companies, fight spam, and enhance reach of the legitimate email
... => explains company

<npdoty> http://www.espcoalition.org/

Reed: we've been watching the W3C dialog. We appreciate the diligence and were uneasy about the lack of civility. Are happy that W3C is a good place for the exchange of information. Sometimes we have prejudices into all directions that are wrong and are here to revert them.

<nweaver> I wonder if the NAI opt-out is actually effective/reliable. E.g. I tried it on a clean firefox run, which had somehow gotten a Yahoo advertising cookie. I ran their opt-out tool and although the opt-out cookie is set, the yahoo "B" cookie, with value aaji3qd8b8489&b=4&d=4auM3vprYH0wsQ--&s=0r is still set, and that certainly looks like a tracking cookie to me. An opt-out to tracking should clear tracking cookies.

Reed: this is good forum to discuss. Must happen is civility must reign.

<aleecia> Reed just became my hero

RF: the beyond is premature. What data should be collected in DNT:1 has become thorny issues. Let the standard be finalized, let it work, let see if it is adopted, how governments react. Before W3C drags resources of industry into new work.

JoeHall: How DNT will affect email?

RF: we don't know. We don't know what DNT is. Therefore we are jumping off the cliff on how to back that
... in context of sending email. Selling stuff, but not good in sending email. Is targeted or re-targeted? Who is the first party? Who is the third party? In the context of delivery of email, we are a service provider. We are transmitting, not for other purposes. That's what I want to find out

ND: thanks for coming
... emails can have images, some clients will refuse to load the content, others will perhaps send DNT

FrankDawson: are you fixed on email or other formats? SMS? MMS?

RF: great question, let's pause before going email only. Our members are primarily in email, but will expand and consolidate

aleecia: suggest to approach email, instead in terms of consent. As long as you have consent, no matter for party you are. Can factor that in.

RF: consent often very unspecific
... in marketing law there is big difference between EU and US, very complex

Jeff: David says we have lots of things to consider, you say do not do anything new until it is done
... how to figure out, scoping next thing is a large undertaking. Scope is 3/4 of the battle
... like to suggest, continue 95% of effort into DNT, but background thinking should continue to think about what could be the scope for next thing to do

RF: don't think we disagree. Any organization has long range strategic planning, or medium range planning. But prudent not finish scope what to do outside the current scope

<jeff> +1 to Reed - yes we agree.

Berin: want to get remarks: Current model is not huge success, non technical work, designed by committee,

RF: we should see how this works out before making more
... be careful about the unintended consequences of what you do

Berin: measure of success?

RF: in order for ESPC to agree that DNT for email is a good idea, we need: DNT is finished, deployed, consumers like it, standard is working, then we can imagine to apply it to email

ND: success criteria in W3C normally for interoperability
... serving the purpose for consumers, satisfying?

DW: what was the idea couple of deliverables, the problem was never really scoped. Persistent problem of the TPWG

Jeff: metrics for success: One would be adoption, interoperability, consensus, being well balanced in the market place
... those are great metrics.
... what we would do differently, some may laugh but I think we are on a path to a standard, but it took much effort since, think there was sufficient misunderstanding, process etc.
... we would have told stakeholders what we are doing and what we are not doing, we would have had less fire works

LeeTien: widespread adoption was a secondary concern for us. Ability to express user preference was more important than how many companies will adopt the system. Are aware of the cost.
... dev simple mechanism that is feasible is still a valuable thing to have and would push for it

Deirdre: on success criteria. Metrics... Perceivable success in Congress. Sometimes you lose fairly, you come back play again. But if metrics, it must be substantially legitimate, not only about industry adoption, but not only about interoperability only either. Gives some concreteness to what Reed is saying

JanS: Criteria??? What those criteria are? And to Jeff: 95%: Having impression that scoping was done carefully. In a process if people will lose things, is not going to work in a consensus process. Nobody will say "I will lose something, but I'm fine with it".
... This is what we need to achieve and those will lose and we will implement it.

ND: revenue impact

Berkeley Thai House

[End of minutes]
