See also: IRC log
<scribe> scribenick: rigo
Introductions around the room: What is, can and should be the role of standards in policy?
Introduction by Nick Doty, Thanks and Administrativa and Logistics
Presentation: Frederik Borgesius, University of Amsterdam
ND: Goal is for W3C to identify fields for future work, but also for you all to share experience. But it is also a place for the community to meet. Should mix industry and academics in the breaks, lots of breaks.
npdoty: Introduction into to DNT: mentions DNT Workshop in Princeton
Presentation around the room
<Frank> Frank Wagner, Deutsche Telekom, Group Privacy
Jan Schallaböck, co-chair: http://www.datenschutzzentrum.de/ and secretariat of ISO/IEC JTC 1 SC 27 WG 5
<nweaver> ICSI. Our firefox extension is priv3.icsi.berkeley.edu
<rvaneijk> Rob van Eijk, PhD Student Dual PhD Center The Hague, Leiden University
<JoeHallCDT> Jan explains the post-it notes attached to paper agendas: write down interesting things you think of and give them to him
<wseltzer> Wendy Seltzer, W3C Policy Counsel and in research work, http://wendy.seltzer.is/drafts/privacy-options-feedback.pdf
Please put your ideas on the post-its that are attached to the printed agendas
JS: first topic controversial, but here is Workshop, can agree to disagree, no need for fighting
... introducing Frederik Borgesius
... who has also consulted the EU Parliament on OBA
<BerinSzoka> Thank you, Nick!
Presentation: Frederick Borgesius http://www.w3.org/2012/dnt-ws/position-papers/24.pdf
JanS: Have a question, you're reluctant to have W3C supply technical specification for compliance
FB: consent and contracts can be achieved anyway
... pop up box could do it. To my surprise Neelie Kroes suggested to use DNT. Which means do not collect. Could be seen as a technology that establishes consent
JanS: that would be a signal of DNT:0 saying consent and unset/DNT:1 would be do not collect
... but what about the defaults, is there an answer in law?
<JoeHallCDT> is Jan saying the draft DPR has a "default unset" piece?
<JoeHallCDT> I didn't know that
JanS: wouldn't DNT:1 be more privacy client
<JoeHallCDT> if anyone has a cite to that piece of the DPR or a discussion of the issue, I'd thank you
FB: both generic law and eprivacy directive expect consent. What the technical default looks like is not relevant because the legal default is not tracking without consent
NickWeaver: How does consent have to be. For wiretapping have to be real.
<wseltzer> rigo: Whereas clause in the e-privacy directive, number 66 says browser configuration can count as a consent declaration for the purpose of storing information on terminal equipment
<wseltzer> ... this only happens if there's meaningful information around the browser tool.
<JoeHallCDT> ah, these are recitals
<JoeHallCDT> RobVanEijk: consent must be "specific, free, and informed"
RobvanEijk: Goal to have the user decide. If the browser can reflect consent or not. DNT work is to reflect consent, and there is a bridge to the legal building block, so there will be a quality assessment on the solution. Making sure that the default thing expresses what the user wants. So technical question is that whether you use DNT or not is also whether a user has already expressed a preference
<Dwainberg> Does anyone have advice on how to connect my Mac to the wifi? I can connect but nothing is getting through.
ShaneWiley (SW): Starting the debate; Is the policy that the TPWG should create a document that details whether something is compliant with regional laws, or should be only a technical specification that allows expression of self regulatory regimes
<tlr> dwainberg, network "AirBears"
... compliance document doesn't solve the EU problem, is W3C the right place to have the debate, or have W3C only make the tech spec
<tlr> worked nicely for me
FB: if FIPs are in place, and 100 countries have. The policy has already been set. W3C only implements that
LeeTien: Two things going on: Consent to storage information, and consent that is part of the FIPs, for me two distinct things. I can see the first thing is limited. In the US context, you could consent to a lot more..
... if no meaningful scope is given, and lots of EU things wouldn't apply. How much of the other things can you consent away
FB: good question, hasn't been tested in court: security , not waivable, access, not waivable, minimization, not really, but some
<aleecia> actually FIPPs are from the US :-)
FB: right about double layer of consent, but non lawyers will fall asleep if I start to explain
... ePrivacy Directive is lex specialis and applies, but has to cover the generic requirements too
<wseltzer> rigo: W3C is not a regulator; it produces "Recommendations"
<JoeHallCDT> The trick to me is that most of w3c's work is specific to things that would not necessarily change from jurisdiction to jurisdiction… DNT doesn't seem to be like that
<wseltzer> ... we may create documents that have influence in political discussion, but so could virtually anything
<wseltzer> ... there's always a second step, if those in the political process find Recs useful
BerinSzoka: coming to Shane's question. Can be used to implement policy or to create rules?
JanS: you get your policy space lined out and facilitate compliance with regulation. You have to agree on what regulatory environment you want to create interoperability to. This is always a heated discussion
... standards can have a de-facto regulatory effect. People should be aware of that.
... in this case SDOs become governance bodies, which is an interesting topic in itself (IGF, ICANN etc)
... question SW is W3C a good place. My reaction: why not, and who else?
<nweaver> Personally i believe in client-only implementations: I don't trust servers, voluntary or not.
SW: Why not: if resulting standard is voluntary, implementing a new compliance specification would not drive that voluntary implementation. Other regimes in regions would be better for adoption
ND: many people believe that you have to go to W3C to force browser to do X
<wseltzer> [FTC: http://www.ftc.gov/opa/2012/03/privacyframework.shtm]
SarahSchroeder: ?? report, standards setting, establishing criteria and supports the work in W3C. We appreciate the work
<JoeHallCDT> Sarah is at FTC
<wseltzer> [Sarah is reading from http://www.ftc.gov/os/2012/03/120326privacyreport.pdf p.53]
aleecia: Shane alluding, perhaps not making 39 implementations for over 50 countries. Now for my research I have to explore that, is a nightmare. It would be handy to have one mechanism for consent would save a lot of engineering time for lots of people.
SW: current discussion in TPWG, we already determined that current document does not solve the EU problem, TPE would work, but not need compliance spec
HarlanYu: realize whatever W3C publishes is recommendation. What is it to comply with the Standard? Only one or with both?
... people are not compliant with all, could still use as technical basis for other stuff
<nweaver> If the default requires meaningful consent, the result will be NO if users actually understand what's going on. EG, explain how the like button tracks what people read (not just like) and it creeps people out, big time.
<nweaver> Well, for a huge fraction of the users
JanS: hear from FTC and if those conditions would be fulfilled that would also make it for EU
... if falling back below regulation and then going into the regulated market is not possible.
... but on the other side, the de-facto regulatory effects should be taken into account.
<AndroUser> Rigo, you've stated in the past that the current compliance & scope does not meet the ePrivacy Directive requirements but that the TPE provides the necessary framework to get there. Are you suggesting now that the C&S does meet ePrivacy?
ND: it is useful to have direction from regulatory bodies. W3C should go away from setting those regulations. W3C is rather in mechanisms, a tool for making choice
DavidWainberg: Technical standards and compliance standards are different animals. National regulators weighing in is difficult. If W3C is making compliance specification, what would you change in Process?
FrankWagner: from implementers, W3C is making a switch, so we are guided. If a guide is there fine.
<JoeHallCDT> David, like a treaty process?
AlexFowler: about WAI, are legal requirements that are taken into account while drafting the standards.
<dwainberg> Joe, what do you mean about a treaty process? As model for doing this type of compliance standard?
<dwainberg> I don't think most of would like that.
<JoeHallCDT> I'm just trying to think of other cross-jurisdictional policy processes and that came to mind… and, I agree, no. Let's talk more offline.
<dwainberg> Look at some of the treaties we've seen over the last few decades.
TLR: think the discussion having here, is a scale. David's question about process is the right question to ask. To WAI, in that area there are regulatory requirement that drive that work and influence. The line depends on that particular content. The lesson from there, there is a policy component to every standards work, sometimes more sometimes less. There are areas where the policy should happen close to the technical work. It is a useful conversation to see where the policy aspect is to technical relation, where are the lines?
<dwainberg> Ah.. so, yes, I see the analogy.
Jeff: WAI is a success, touches on regulatory aspects. W3C does a job of doing the pieces that makes sense for the Web, but we do not do laws. Remind everyone to what we do TPE and TCS. What does that signal mean can be used by regulator. One regulator could say, we use W3C meaning, other regulators can define their own meaning
ND: explaining more on what the WAI work is
... instead of defining our own or refer to WAI. Some devs get frustrated if legislator defines their own
Berin: Double minded here. See Shane to stop policy, but also see what W3C tries to achieve. But stopping here would be too short. There will be regulatory effects. Companies come to table because they were bullied to the table. Want a clear framework on what to think about is. On the one hand weighing tradeoffs is policy and shouldn't be done here. But on the other hand defining meaning is part of that work. Effect will because companies will be held to their
... the more there is pressure, the more we are stuck in a policy situation that doesn't work well for W3C process
Jeff: could be law coming out of this, this is not our objective. WAI is interesting. Very few countries that have law saying, you should follow W3C standards.
... web standards will do whatever they will do
JoeHall: if DNT would stop, what would happen? => arms race? Thought it would be lost for consumers, but don't think that anymore. So we look for a compromise
... beyond the context.
Deirdre: Goal is to augment the web platform with building blocks. We believe that technical tools can help integrate ...
... PICS, P3P, DNT have all that they have policy implications and have to discuss that, not limit discussion
... nobody will integrate that into interface decision
... talks about cases of ?? where interface was unclear. Those bodies will ask how are the defaults, how are you implementing it
... if you compare process of P3P and TPWG, you see evolution. Reach out to regulators, NGOs. But the last thing I would say is that we don't have a role
SW: in general we are in agreement. If we look at policy we wouldn't have spec that wouldn't have impact. But prob is level of details in TPWG, has moved into the broader debate, meaning of consent, meaning of data minimization
... if you look beyond TPE , the struggle begins. Helpful to provide viewpoints. But not the appropriate for final say
Deirdre: you support that or you don't support that? Defaults?
SW: if silent ok, if not silent on defaults
... if you go back in data handling, than it goes to policy side
AlexFowler: goal of W3C to privacy. W3C be great if this expertise is taken from here and apply it in other contexts of other SDOs. Cookie Specification would have benefited from such expertise
JanS: reminds people to fill in post its
<aleecia> do we have a scribe?
<aleecia> (because I didn't quite follow what just went by)
<aleecia> perhaps Frederick could summarize the outcome on that little back & forth on current consent for OBA -- I think I missed at least one of the twists & turns there.
JoeHall: beyond, is the single point not only for expressing preference, but also a single point of information, but heavy lifting for an os?
FW: necessary to guide the user. I have to write down in an app where my data is going. Hard to find?
<aleecia> (of note for Joe, Mozilla put DNT into the OS for phones; others have not yet. OS seems to make sense for phones)
SW: ad choices, does that change the discoverability.
<JoeHallCDT> (of note to Aleecia, I'd argue that iOS' LAT setting is also close, but a bit different. ;)
FW: how the icon is served, if it is guided out of portal, users tend to be confused. Is not the same design
ChrisMejia: Simpler opt-out mechanism, do not track is not well defined, what do you mean?
FW: coming from a legal framework that defines what it means, hopefully DNT will match that
ND: do people want to opt out of three different things, or is one single click better?
FW: have no experience there
<ShaneWiley> Aleecia, have you checked out iOS6's Advertising Identifier option?
DavidWainberg (DW): Work for NAI, presentation of NAI, and what brought us here
<JoeHallCDT> I think what Chris was saying there is that the more onerous opt-out mechanisms provide rich definitions about what each flavor of tracking is… DNT as it exists now in the browser do not do that.
<aleecia> Shane, I haven't yet -- thanks for the pointer.
... also tell you what 3rd party are and why they are important to the eco system
... NAI codes of conduct, last update 2008, limitation on use of PII and sensitive data, enforceable rules
<nweaver> A quick summary to save others looking up. For iOS6, the basic idea is a persistent per-advertiser cookie, that gets reset if the device is blanked. So it's persistent like the UUID (device ID) while a device is owned, but is flushed on change. It can be disabled as well, General:About:Advertising in the settings.
... DNT and privacy debate has been over politicised and think we should get back into productive mode.
... want a free democratic internet. (lists other agreements)
<JoeHallCDT> quick corrections: UUID is not UDID as UUID() function in iOS includes timestamp (so unique, but includes time of creation, for storing). Also, the next iOS (6.1?) will allow resetting the identifier without a reset.
<nweaver> OOPs, yeah. UDID...
... will create incentives for good actors.
<nweaver> thanks. (I use UUIDs so much that I simply brain-typo UDID as UUID)
... Limitations can come from W3C or elsewhere, but have to be fair and reasonable.
... Believe that the current DNT is creating perverse incentives.
<nweaver> We already HAVE huge PII data collection. Google, Facebook are exhibit 1 and 2
... first party will collect, can do even collect PII.
<nweaver> Both collecting massive PII for advertising
... while third parties are punished but only collect one id point
... => makes a point of advertisement as part of ecosystem
... need to have an impact assessment and consequences of how things are designed
... third parties support publishers
<erikn> The iOS identifier for advertising is a single identifier. It is not per-advertiser. It can be changed (without buying a new phone), unlike the UDID — that part is accurate. It cannot be disabled, but its use can be limited, as explained in a link within the Settings app.
... why behavioral is so important and contextual doesn't really help
... some are too small for contextual, some with niche content, but not interesting to advertiser
... because its behavioral, it also works on niche content. Also helps SMEs as they can improve their impact per dollar
<nweaver> Anyone try legally subpoenaing or search warrants submitted to advertising networks to recover user history?
... NAI committed to continue working on this, respect user's choices. And provide democratic internet
<aleecia> @Shane, oh the UDID replacement. I drop nouns, yes: this.
Jeff: overly politicised: applaud your for that comment, applaud for going back in productive mode
... noted with interest the high complexity of getting the stakeholders so balanced. Not all of that can be done in TPWG due to charter limitation, looking forward to continue for the "beyond" part
FrankDawson: Perspective on future beyond DNT, advertisement and apps. In-App advertisement as the major increase. DNT may or may not solve that. For NAI, what are you doing for mobile apps? Code of conduct? What else?
DW: mobile is difficult, something we are working on. WGs are working on, currently not decided what directions
Deirdre: what the real problems are we are not focusing on? Can you elaborate?
DW: reluctance to enumerate the problems we are trying to solve? People have ideas, but difficult to really identify users concerns, real concerns like identity theft, what are risks of online advertisement. Like to do more work on NAI with users to address their concern
... in EU portal also responsible for 3rd parties they chose
DW: we watch the first parties of our member companies
... back to Deirdre's question. Personalization is creepy. Irony is that is only one single datapoint. Other things are more difficult have more data points and people do not realize.
Deirdre: Why should that happen here?. First vs Third parties is creating distortion, but in light of last discussion, what is the goal, this is data backend stuff
DW: anybody who is talking about it should think about the bigger picture
Christine: things you want to improve is that user should be better improved.
?? from??: like your idea. I want thoughts on opt out of companies as opposed to DNT as browsing context
... people were not aware of all those tracking companies
DW: dunno about solution, DNT may be an improvement.
... can offer pick and chose, but users have to understand
<tlr> rigo: David, I hear two things
<tlr> ... better information of the user - transparency
<tlr> ... in the discussion tomorrow on technical merits
<tlr> ... have submitted position paper that also goes toward the mobile stuff
<tlr> ... the other one is the "switch" thing
<tlr> ... next-generation information tools?
DW: Don't know. Too blunt of an instrument and too much of a choice so users do not understand. We don't understand and make choice. There is a balance somewhere, but dunno where it is. Google and Yahoo have interest manager, users were given
... then found out that people were editing the categories, not only removing
AndrewSwerdlow: yes, people added categories, removed others. But a very low rate of opt-in
Reed Freeman, ESPC http://www.w3.org/2012/dnt-ws/position-papers/13.pdf
Reed: a lot of concern on ability to be tracked, put into narrow categories
... look at my google thing and both categories were wrong
... this will not be our last discussion
... company sends email on behalf of other companies, fight spam, and enhance reach of the legitimate email
... => explains company
Reed: we've been watching the W3C dialog. We appreciate the diligence and were uneasy about the lack of civility. Are happy that W3C is a good place for the exchange of information. Sometimes we have prejudices into all directions that are wrong and are here to revert them.
<nweaver> I wonder if the NAI opt-out is actually effective/reliable. E.g. I tried it on a clean firefox run, which had somehow gotten a Yahoo advertising cookie. I ran their opt-out tool and although the opt-out cookie is set, the yahoo "B" cookie, with value aaji3qd8b8489&b=4&d=4auM3vprYH0wsQ--&s=0r is still set, and that certainly looks like a tracking cookie to me. An opt-out to tracking should clear tracking cookies.
Reed: this is good forum to discuss. Must happen is civility must reign.
<aleecia> Reed just became my hero
RF: the beyond is premature. What data should be collected in DNT:1 has become thorny issues. Let the standard be finalized, let it work, let see if it is adopted, how governments react. Before W3C drags resources of industry into new work.
JoeHall: How DNT will affect email?
RF: we don't know. We don't know what DNT is. Therefore we are jumping off the cliff on how to back that
... in context of sending email. Selling stuff, but not good in sending email. Is targeted or re-targeted? Who is the first party? Who is the third party? In the context of deliver of email, we are a service provider. We are transmitting, not for other purposes. That's what I want to find out
ND: thanks for coming
... emails can have images, some clients will refuse to load the content, others will perhaps send DNT
FrankDawson: are you fixed on email or other formats? SMS? MMS?
RF: great question, let's pause before going email only. Our members are primarily in email, but will expand and consolidate
aleecia: suggest to approach email, instead in terms of consent. As long as you have consent, no matter for party you are. Can factor that in.
RF: consent often very unspecific
... in marketing law there is big difference between EU and US, very complex
Jeff: David says we have lots of things to consider, you say do not do anything new until it is done
... how to figure out, scoping next thing is a large undertaking. Scope is 3/4 of the battle
... like to suggest, continue 95% of effort into DNT, but background thinking should continue to think about what could be the scope for next thing to do
RF: don't think we disagree. Any organization has long range strategic planning, or medium range planning. But prudent not finish scope what to do outside the current scope
<jeff> +1 to Reed - yes we agree.
Berin: want to get remarks: Current model is not huge success, non technical work, designed by committee,
RF: we should see how this works out before making more
... be careful about the unintended consequences of what you do
Berin: measure of success?
RF: in order for ESPC to agree that DNT for email is a good idea, we need: DNT is finished, deployed, consumers like it, standard is working, then we can imagine to apply it to email
ND: success criteria in W3C normally for interoperability
... serving the purpose for consumers, satisfying?
DW: what was the idea couple of deliverables, the problem was never really scoped. Persistent problem of the TPWG
Jeff: metrics for success: One would be adoption, interoperability, consensus, being well balanced in the market place
... those are great metrics.
... what we would do differently, some may laugh but I think we are on a path to a standard, but it took much effort since, think there was sufficient misunderstanding, process etc.
... we would have told stakeholders what we are doing and what we are not doing, we would have had less fire works
LeeTien: widespread adoption was a secondary concern for us. Ability to express user preference was more important than how many companies will adopt the system. Are aware of the cost.
... dev simple mechanism that is feasible is still a valuable thing to have and would push for it
Deirdre: on success criteria. Metrics... Perceivable success in Congress. Sometimes you lose fairly, you come back play again. But if metrics, it must be substantially legitimate, not only about industry adoption, but not only about interoperability only either. Gives some concreteness to what Reed is saying
JanS: Criteria??? What those criteria are? And to Jeff: 95%: Having impression that scoping was done carefully. In a process if people will lose things, is not going to work in a consensus process. Nobody will say "I will lose something, but I'm fine with it".
... This is what we need to achieve and those will lose and we will implement it.
ND: revenue impact
Berkeley Thai House