17:36:23 Meeting: W3C Workshop: Do Not Track and Beyond
17:36:30 scribenick: wseltzer
chair: js, npdoty
17:36:50 rrsagent, make minutes
17:36:50 I have made the request to generate http://www.w3.org/2012/11/27-privacy-minutes.html wseltzer
17:39:39 npdoty has joined #privacy
17:39:39 dsinger has joined #privacy
Topic: User Studies and User Concerns
17:40:05 [agenda: http://www.w3.org/2012/dnt-ws/agenda.html]
17:40:29 Chris_Hoofnagle: paper, http://www.w3.org/2012/dnt-ws/position-papers/8.pdf
17:41:08 ... background and earlier work; Web privacy census, benchmark how much tracking is on the Internet
17:41:24 JoeHallCDT has joined #privacy
17:41:46 ... idea from Beth Givens, benchmark how much tracking is occurring to evaluate self-regulation
17:42:03 ... since we began 5 months ago, already seen a big uptake in 3d party tracking.
17:42:16 ... switch from LSOs to HTML5 local storage.
17:42:50 [Berkeley Web Privacy Census: http://www.law.berkeley.edu/privacycensus.htm ]
17:43:34 ... idea, as we move forward with self-reg or DNT, get a sense of impact
17:43:53 ... Other branch of work, user studies, asking consumers about privacy issues.
17:44:45 [Consumer privacy survey: http://www.law.berkeley.edu/13260.htm ]
17:46:26 jeff has joined #privacy
17:47:23 Frank has joined #privacy
17:47:59 consumers having a sense that companies have a fiduciary role with respect to their data
17:48:32 Joanne has joined #privacy
17:48:35 ... young adults care about privacy, do the worst in understanding it.
17:48:37 johnsimpson has joined #privacy
17:48:48 youngest users do the worst on privacy quizzes, interesting
17:50:36 ... OBA could be done differently, with more room for compromise between advertising and privacy
17:50:37 goldman, nissenbaum and bellovin have proposed client-side privacy preserving profiling
17:50:48 (would love cites to Goldman and Bellovin)
17:51:00 ... Fully half of users say they never click ads.
17:51:17 JoeHallCDT, the cites are in Chris's paper
17:51:21 ah
17:51:28 http://www.w3.org/2012/dnt-ws/position-papers/8.pdf
17:51:56 Chris_Hoofnagle: majority of users surveyed had not heard of Do Not Track
17:52:00 bellovin: Elli Androulaki and Steven M. Bellovin, A secure and privacy-preserving targeted ad-system, in Proceedings of the 1st Workshop on Real-Life Cryptographic Protocols and Standardization, Jan. 2010.
17:52:08 goldman: Eric Goldman, A Coasean Analysis of Marketing, 2006 WIS. L. REV. 1151 (2006).
17:52:11 Androulaki and Bellovin paper is from 2010, http://dl.acm.org/citation.cfm?id=1894875
17:52:31 ... when asked what they'd want it to do, most said "prevent websites from collecting information about you."
17:52:47 ... Changes in self-reg positions, rules have become weaker over time.
17:53:29 13% of the national population having heard of DNT seems like a large number
17:53:53 erikn has joined #privacy
17:54:33 Chris_Hoofnagle: NAI won't talk about their old rules. We don't think NAI is credible.
17:55:01 ... policy statements without purpose, no measurable standards, NAI is a project of a consulting group.
17:55:32 DavidWainberg: NAI is independently incorporated
17:56:03 Chris_Hoofnagle: There are alternatives. Find self-regulation with more credibility.
17:56:20 I've spoken with Anthony Prestia of NAI and they certainly do measurement against their guidelines
17:57:26 DavidWainberg: Ads work, companies continue to invest in advertising. Both brand and click-through.
17:57:52 Bernard_Urban: run a privacy company, formerly with SiriusXM.
17:58:22 ... I'd spend $1/4M on an initiative, I wouldn't spend that if they couldn't prove conversion.
17:58:53 ... 500k people have joined our current service to figure out how to protect themselves online.
17:59:17 rigo has joined #privacy
17:59:20 Chris_Mejia: IAB and DAA. We have an enforcement body, Council of Better Business Bureaus
17:59:47 ... where is your [Chris's] research coming from? I haven't gotten inquiries.
18:00:36 Chris_Hoofnagle: We discussed gulf in protection between 2000 NAI statement and more recent DAA
18:01:03 Arnaud has joined #privacy
18:01:07 Max: Curious about your age results. Experian's studies show younger you are, the less you care about privacy.
18:01:32 Chris_Hoofnagle: We've asked both attitudinally and willingness to share information.
18:02:35 DavidWainberg: You're not aware of NAI's dedicated compliance staff, do yearly reviews, worked with companies privately to improve their practices, publicly called out companies for non-compliance
18:02:53 ... Strongest compliance program of any in its space. Encourage you to talk with us.
18:03:29 Chris_Hoofnagle: World Privacy Forum 2007 study critiqued NAI
18:03:41 ... we updated that study on norms of self-reg
18:04:12 Frank_Dawson: Nokia-Siemens interested in trust perspective
18:04:14 I believe this is the WPF report on NAI that Chris mentions (I haven't read it): http://www.worldprivacyforum.org/pdf/WPF_NAI_report_Nov2_2007fs.pdf
18:05:00 ... studied emerging markets. NSN survey echoed Chris's remarks
18:05:33 ... 3 segments, "frightened family," no understanding, rational approach in the middle
18:06:01 echoed in the sense that not a big difference in views for younger users, right?
18:06:11 believe so
18:06:42 ... across all age groups, a proportionally high attitudinal concern re collection of personal data.
18:06:48 ... approx 3/4
18:07:34 Blase_Ur: here with Pedro Leon, CMU
18:07:45 ... User studies re behavioral advertising
18:07:49 tlr has joined #privacy
18:07:58 [CMU paper: http://www.w3.org/2012/dnt-ws/position-papers/6.pdf ]
18:08:33 Blase_Ur: Smart, Useful, Scary, Creepy: Perceptions of Behavioral Advertising
18:08:34 dsinger, I think Chris had referred to work from Joe Turow on trade-off studies, though I'm not familiar with them
18:08:54 ... 48 non-technical users interviewed in the lab
18:08:56 dsinger: in fact, it's weirder than that... Acquisti's recent work on "privacy paradoxes" shows that very subtle and specific ordering issues in the substance of a trade-off can make big differences
18:09:25 JoeHallCDT, dsinger so there might be differences between attitudinal and behavioral and even other dimensions (fear of loss, etc.)
18:10:44 speaking for CDT, we'd love to get some of these opposing interests into a room and hammer out a research design that everyone could agree would be relatively unassailable, then fund a good third-party to do it
18:10:55 ... Low awareness of tracking. Users don't know how it works, who's involved.
18:12:47 ... lots of misunderstanding of ad companies, business. e.g. thinking that Microsoft advertising = operating system software, not ads
18:12:54 example phrase from interviewing users: "I never really thought of Google as an advertising company"
18:13:25 ... no familiarity with opt-outs or DNT (a year ago)
18:13:37 ... expected options in Web browser and anti-virus
18:13:46 JoeHallCDT, I'm also interested in seeing what we would need in a research design in order for it to satisfy everyone's questions
18:14:24 +1 Joe
18:15:21 concern about surreptitiousness (when they've just found out about it)
18:15:43 "lack of knowledge led them to think the worst" (making assumptions about identity theft as a risk, for example)
18:16:31 Pedro_Leon: tested 9 tools for OBA control
18:16:55 ... opt-out such as DAA, blocking tools (Ghostery, Adblock plus), browser settings in IE, Firefox
18:17:47 ... 45 participants using the tools
18:18:06 ... generally, interfaces not very good, leading users to get results different from what they expected
18:18:36 ... e.g. problematic opt-out aboutads.info showed only those companies currently showing personalized ads
18:19:23 ... jargon-heavy pages confuse users, lead to misconfiguration
18:19:28 * has seen the problem that the DAA opt-out values may change over time, which makes the opt-outs less persistent as users may think they are
18:20:18 ... common usability problems include blocking-tool defaults that block nothing; jargony interfaces;
18:20:37 the jargon/usability issues might be good input for the technology sessions
18:20:44 ... lack of feedback, especially with browser settings and opt-out tools, where users expected to see something happen
18:20:45 * in addition to that observation, also the opt-out variable names are not consistent over time which contributes to less persistency
18:21:13 ... misconceptions, blocking tools break functionality
18:21:57 ... recommendations: understand what users care about, how they make decisions. Conduct iterative studies to understand mental models, skills and abilities of users.
18:22:56 ... work in progress. http://cups.cs.cmu.edu/
18:23:35 Jeff_Jaffe: are we at a point where there are best practices vendors can adopt, or is it too early?
18:24:15 rvaneijk has joined #privacy
18:24:35 Pedro_Leon: Some best practices can already be adopted. We should also iterate in testing.
18:24:40 rvaneijk, what does the opt-out variable names have to do with it?
18:25:11 Blase_Ur: design practices can help; build on what's already familiar to users
18:25:42 Max_Kilger: Experian, paper: http://www.w3.org/2012/dnt-ws/position-papers/28.pdf
18:25:50 @Joe, everything, because the opt-out will not be effective on the server if it is not matching.
18:26:48 ah, but don't the servers set those values... so that their server-side code would naturally match... let's talk offline.
18:27:29 Chris_Mejia: Be clearer on terminology
18:27:49 Blase_Ur: We didn't use "track" in our studies, but asked about data collection
18:28:12 ... or we asked users, what did you opt out of? most common response, "data collection"
18:29:52 Max_Kilger: how does privacy actually work, for people
18:30:20 ... Experian Simmons, consumer research organization, national probability sample of 25K + respondents
18:30:38 ... privacy-protected
18:31:07 ... privacy is complex and multi-dimensional; many perspectives.
18:31:34 [cites: Margulis 1977, Rosen 2000, Lie et al 2010, Norberg et al 2007, Smith et al 2011 lit review]
18:31:50 ... help companies manage privacy relations with their customers
18:31:57 npd has joined #privacy
18:33:06 ... US adults from 2012 study.
18:33:55 ... data: "I feel I understand the risks of providing personal info online" ~60% agree
18:34:11 ... "I use the internet less than before because of privacy concerns" ~25%
18:34:40 ... "I'm willing to provide some personal information to a company in order to get something that I want" ~45%
18:35:49 ShaneWiley has joined #privacy
18:37:30 the interesting quadrant are those who are proactive about privacy but also varyingly willing to trade information for a service
18:37:31 ... segments describing people's privacy attitudes
18:37:51 ... on-off is too primitive to describe attitudes
18:38:33 ... instead of giving on/off switch, suggest a series of questions to develop a strategy, tolerance
18:39:08 aleecia has joined #privacy
18:40:17 Rigo: I heard users expressing fear of decontextualization of data.
18:41:52 @@: Privacy Choice, gives people a choice to block all tracking, or block tracking by companies who haven't gotten compliance review.
18:42:11 ... @@ were comfortable releasing data to those who'd gotten compliance review.
18:42:29 On fine-grained controls: I look at the difference between Android (fine grained) and iOS (very simple) access controls and conclude that fine grained controls actually make things worse, as in practice, users can't make meaningful decisions
18:42:35 30% IIRC
18:42:39 was the percentage
18:42:45 s/@@/JimBrock/
18:43:36 DavidWainberg: Antitrust implications to refusals to deal with non-members
18:44:05 nweaver: Fine-grained controls are a failure because users don't understand what it means to grant or deny permissions.
18:44:31 Max_Kilger: Let's ask questions and use statistical models to understand the concerns.
18:44:41 idea is ask some simple questions and then help them decide the right settings based on that and some expertise/statistics
18:45:57 Reuben_Binns has joined #privacy
18:45:57 Berin_Szoka: start with a few questions
18:45:59 I refuse to answer Berin's "show of hands" questions
18:46:20 I do not want Berin to track me
18:46:50 [many Californians vote to bind themselves collectively to things they don't do individually]
18:47:57 important that we have people asking different types of questions
18:48:07 MarkL has joined #privacy
18:48:11 Berin_Szoka: surveys are a poor way of answering fundamental questions
18:48:43 ... answer in the marketplace is better than that given by surveys
18:49:45 ... paradox of "choice architecture" is that tools are not neutral
18:50:26 ... any time you're creating choices for users, you're influencing the choice
18:50:30 ShaneWiley has joined #privacy
18:52:03 I think the DNT architecture also works well for the type of solution Jim Brock had suggested (or for that matter the CMU guys pointed out in their paper)
18:52:39 ... you could configure your browser to send DNT signals based on some system or list, if that's what you want
18:52:40 npdoty, expand (offline if necessary)
18:52:44 ... Opt-in dystopias, Lunblad & Masiello
18:52:53 ah
18:53:09 [http://www.law.ed.ac.uk/ahrc/script-ed/vol7-1/lundblad.asp]
18:53:24 s/Lunblad/Lundblad/
18:54:51 rigo has joined #privacy
18:55:08 ... How would you design an experiment to figure out what users really want?
18:55:47 ... Coase, Demsetz
18:56:32 the libertarian paternalist point, we should initially allocate things efficiently -- am I getting that right?
18:56:52 npdoty, not inefficiently
18:57:01 [but then there are information-forcing rules, other values]
18:57:16 [and public goods problems]
18:57:31 I have a hard time considering any suffering in a voluntary standard
18:57:48 Berin_Szoka: Don't presume to know what users would actually choose
18:59:09 I'm trying to understand the point, is it that users wouldn't choose a market system that had a particular opt-out/opt-in system with outcomes they wouldn't like?
18:59:46 DavidWainberg: Is Blase's educational video available?
18:59:51 Blase_Ur: from the WSJ
19:00:35 npdoty, I think it's more about that the initial configuration of these kinds of tools will be what people use
19:00:35 DavidWainberg: How can we use this information to develop new and better ways to communicate with users?
19:00:48 http://cups.cs.cmu.edu/
19:00:50 Pedro_Leon: Our papers, http://cups.cs.cmu.edu/
19:01:08 ... work has identified gaps and misunderstandings, so look to fill those holes.
19:01:22 npdoty, I'd encourage you to ask Berin to restate that, maybe less in terms of Law and Econ
19:02:25 and I take it "frictionless" is more than just asymmetry of information
19:02:32 ... cognitive biases, challenges are even worse when users are poorly informed about the choices / practices
19:03:48 Berin is making a good case for regulation
19:03:58 Berin_Szoka: people are ignorant of the vast majority of things in life. Why should they know about privacy?
19:04:56 Pedro's point is that we would need more information if users are going to make good decisions
19:05:54 Blase_Ur: there are opportunities for companies to compete on privacy
19:06:08 from Blase (picking up on Berin), the expectation that someone is looking out for me
19:07:15 wseltzer: CMU says lack of understanding, have done little work on feedback loops to help people understand
19:08:06 Shane_Wiley: Do you also look at the concept of harm? What happens to users when they feel their privacy isn't being respected?
19:08:33 Interestingly, users talk about privacy rights rather than privacy harms.
19:08:33 ShaneWiley has joined #privacy
19:08:35 Chris_Mejia: How big are the chicken cages?
19:11:18 q?
19:11:33 Zakim has joined #privacy
19:11:47 Pedro_Leon: Feedback is important to show users the status of the system, the impact of their actions
19:11:51 Peter has joined #privacy
19:12:33 ... so one important element of feedback would be an indicator of status, ad-blockers showing the number of elements blocked
19:13:06 Max_Kilger: Context question, harm question
19:13:48 tl has joined #privacy
19:13:57 * does Zakim have a memory beyond the irc-logs?
19:14:05 ... harm is an educational experience, but doesn't seem to deter
19:14:32 Pedro_Leon: concerns about "being followed"
19:14:57 context? what context?
19:15:06 :-/
19:15:34 I thought maybe Shane's point was that we both see differences in choices/preferences and differences in potential implications/harms among the public
19:16:05 ... multiple users of the same computer
19:16:57 I've seen that in location privacy that there are strongly different preferences that are sometimes tied to past experiences (having had a stalker, for example)
19:17:04 Blase_Ur: We want to support users. If users want "privacy,"
19:17:18 aleecia_ has joined #privacy
19:17:25 ... Feedback: is it on or off; opportunity for dialog
19:18:03 Berin_Szoka: fear that advertising is bad; economic literature says advertising benefits consumers and new entry to markets
19:18:15 an interesting analogy from Blase, some preferences are innate, that I don't necessarily explain why I don't like chocolate
19:19:55 rrsagent, make minutes
19:19:55 I have made the request to generate http://www.w3.org/2012/11/27-privacy-minutes.html wseltzer
19:20:58 JoeHallCDT has joined #privacy
Topic: Tools for User Control
19:27:28 npdoty: Some of the papers presented technical measures as an alternative to Do-Not-Track signal
19:27:46 MikePerry: Tor Project is a 501(c)(3) non-profit
19:28:04 ... core purpose is to provide an anonymity and censorship-resistant network
19:28:21 ... core network and source code just celebrated 10 years
19:28:42 ... I started working on the project with a Firefox extension, TorButton
19:29:09 ... Tor's thinking has now shifted from a toggle to a dedicated browser
19:29:18 ... that changes what privacy properties we can provide.
19:29:49 ... Tor now provides its own downloadable browser bundle
19:30:12 [https://www.torproject.org/download/download-easy.html.en]
19:30:31 MikePerry: Three technical changes could provide DNT from the browser-side
19:30:44 ... First-party identifier unlinkability
19:30:56 johnsimpson has joined #privacy
19:31:03 ... first-party IP address unlinkability, 1st-pty fingerprinting unlinkability
19:31:57 ... Goal, simplify interfaces to let users contextualize relationships
19:32:40 ... mock UI: let all your identifier storage be represented by an icon per domain, show options below,
19:32:58 ... e.g. site permissions, data and history, tracking
19:33:12 ... silo all the data to its first party
19:34:01 Frank has joined #privacy
19:34:40 ... Identifier unlinkability. jail/silo identifier sources to 1st pty domain
19:34:59 Arnaud has joined #privacy
19:35:04 ... disable or limit features that aren't siloed
19:36:48 ... double-key cookies, to both 1st and 3d party where it appears
19:37:14 [Mike's Tor Project paper: http://www.w3.org/2012/dnt-ws/position-papers/21.pdf]
19:38:45 MikePerry: prompt before cross-domain redirects so change of first-party is transparent
19:39:35 ... IP address unlinkability, Tor can provide
19:40:20 ... use SOCKS username as first-party domain to isolate streams
19:40:27 Mark_Lizar has joined #privacy
19:41:05 ... modularize, so proxies can provide stream unlinkability
19:42:16 ... recognize we can't make browsers indistinguishable across different products, but could make indistinguishable sets among a given browser's users
19:42:49 I like the report OS as windows :-)
19:43:18 aleecia_ has joined #privacy
19:43:39 jeff has joined #privacy
19:43:50 ... fingerprinting defenses include disabling plugins, reporting a fixed set of window sizes, many more
19:44:21 ... new HTML5 features need evaluation
19:44:32 ... create a uniform font pack for browsers?
19:44:56 ... what about Like buttons?
19:45:06 tlr has joined #privacy
19:45:18 ... Google's web-send.org privacy-preserving link-sharing
19:45:54 ... W3C draft, but no longer exists in Chrome
19:48:36 ... browser-side tracking, open source, could provide targeting without server-side tracking
19:48:48 ... help the long-tail survive
19:49:06 Chris_Mejia: How would advertisers protect against fraud?
19:49:46 Blase has joined #privacy
19:51:14 DavidWainberg: Huge benefit of Internet advertising is measurability. How can you account for that?
19:52:05 MeMe_Rasmussen: How are you dealing with third-party service providers?
19:52:17 ... e.g. site optimization analytics
19:52:51 MikePerry: currently disabled. but dual-keyed cookies could allow them to work per-domain
19:53:38 Shane_Wiley: What do you do with user-agent string? Is it known that the user is using Tor?
19:54:04 MikePerry: The list of Tor exit nodes is public, easy to identify Tor users (and block, if you choose).
19:54:44 ... OS/UA question is harder. We report Windows, but trying to obscure from fingerprinting is a deep rabbithole.
19:55:13 Shane_Wiley: So if a content provider were to decide to block Tor, would you attempt to override that?
19:55:31 MikePerry: We make no attempt to circumvent providers' blocks.
19:55:55 Rigo: I'm a regular Tor user
19:56:27 Rigo: On measurement, have you worked with anonymous credentials to allow proof without identification?
19:56:58 MikePerry: We've been thinking of proof-of-work mechanisms, Nymble
19:58:11 ... invite help!
19:59:23 @@: GetCocoon is ad supported, give user tools to set privacy level
20:00:16 nweaver: ICSI presenting http://priv3.icsi.berkeley.edu/
20:00:48 ... work with Mohan Dhawan, Christian Kreibich
20:01:15 ... why should I have to rely on the trackers to stop being creepy, when we can build protections into the browser?
20:01:36 ... Safari, "allow on previous interaction" makes sense as a cookie policy
20:03:17 ... Challenge of multi-function trackers. trackers that also provide information on popularity, comments/feedback on products
20:03:32 ... simply blocking them disrupts user experience.
20:04:01 ... Google and Facebook are tracking; their business is collecting user data and selling ads.
20:04:45 ... shows a "Like" button on "Genital Herpes" page. I don't want FB to know if I'm reading it.
20:05:16 ... Priv3 tool designed to work with big 4: Google, Facebook, Twitter, LinkedIn. Goal to capture user intent.
20:05:37 ... show the elements as un-logged-in until the user clicks.
20:07:41 [demo]
20:09:17 ... I focus on self-help in the browser because I don't think I'll ever agree with NAI on whether it's OK to track me
20:09:48 ... what happens if trackers decide to sell data to credit bureaus, get subpoenaed
20:10:33 ... Story: I started to do some research on guns. Signed up for web forums
20:10:55 ... with email address. a few weeks later, I got physical mail at work inviting me to join the NRA.
20:12:25 npdoty: @@
20:13:16 MikePerry: With enough engineering effort, we can make these tools usable and functional
20:13:51 nweaver: we started with the Like button because we wanted to show that hard cases can be addressed with minimal disruption.
20:14:15 ... on a click of the like button, just refresh the widget
20:14:53 npdoty: self-help in the browser is distinct from the cooperative approach, doesn't require agreement of the server
20:15:11 s/@@/Can browser self-help match current functionality?/
20:15:54 Craig_Spiezle: Online Trust Alliance @@
20:18:01 Deirdre_Mulligan: Security was once not a part of IETF consideration, now it's fully integrated. We don't say "that's policy". Do you see that happening in privacy?
20:18:57 nweaver: As a field, we've horribly violated the do-no-harm principle. Since tech has created a problem, it should help solve it (though we also require policy elsewhere)
20:20:10 ... I like the Safari cookie policy, because it's tech backed by FTC enforcement
20:22:03 Frank has joined #privacy
20:22:15 Jan: Can DNT and browser-enforcement go together?
20:24:20 nweaver has joined #privacy
20:24:30 JoeHallCDT: At CDT, we thought about a few versions of "beyond"
20:24:40 is there any RESPONSE to DNT that says "yes I at least theoretically respect it?"
20:25:14 ... e.g. mobile apps, iOS 6.1 centralizes ad tracking preference
20:26:02 ... other platform-level tracking preference expression
20:26:51 ... Apple, documentation for limit ad-tracking preference has a number of exceptions, hard for me to understand how the exceptions are policed.
20:27:00 tl has left #privacy
20:27:17 To answer my own question, it's OPTIONAL.
20:27:33 So I can't rely on DNT even assuming an honest server
20:28:04 ... What happens when tracking gets even more complex? HTML5
20:28:37 Since I don't have a feedback mechanism that guarantees that the server accommodates it, thus self-help needs to be client-only even if DNT is widely but not universally accepted.
20:28:42 and clients are honest 20:29:08 ... Consider just-in-time notifications 20:30:14 ... Support PING's work to do cross-WG review of privacy implications 20:31:05 LUNCH BREAK 20:32:05 JoeHallCDT has joined #privacy 21:00:55 aleecia_ has joined #privacy 21:19:44 Zakim has left #privacy 21:26:41 zakim! come back! 21:32:03 johnsimpson has joined #privacy 21:32:13 test 21:33:17 nweaver has joined #privacy 21:33:55 npdoty has joined #privacy 21:34:01 jeff has joined #privacy 21:34:16 check 1-2 21:34:32 I'm doing it 21:34:41 rrsagent, pointer? 21:34:41 See http://www.w3.org/2012/11/27-privacy-irc#T21-34-41 21:34:55 Zakim has joined #privacy 21:35:10 scribenick: JoeHallCDT 21:35:25 Topic: Mechanisms for Transparency 21:35:42 JanS: moving to future oriented topics 21:35:46 ... this one is about transparency 21:36:08 some potential inputs into future development 21:36:09 ... we will start with the remainder of the preso. from Pedro (CMU) 21:36:29 ... will move on to Mark (Open Notice) 21:36:40 ... then another Mark (IBM) 21:37:01 Pedro_Leon: studies about OBA privacy disclosures 21:37:08 ... online study, N=1500 21:37:21 ... this is about the "AdChoices" disclosures in ads 21:37:28 ... and what they know from corresponding opt-out pages 21:37:38 ... did they notice the disclosure and what is the message being conveyed 21:37:48 rigo has joined #privacy 21:37:58 ... started by showing a simulated version of the NYT page 21:38:09 erikn has joined #privacy 21:38:24 ... tested "why did I get this ad" and "adchoices" 21:38:50 ... first tested to see if they noticed, then alerted them to the disclosures 21:39:00 ... asked some questions about what the user thinks it could do 21:39:10 ... two icons, and seven taglines 21:39:54 ... some taglines were blank or meaningless 21:40:04 ... results: OBA disclosures were not noticed 21:40:19 ... purpose was misunderstood 21:40:44 ... with "AdChoices" people thought it was to purchase ads on that site 21:40:56 ... 
two taglines they made up were better at communicating OBA disclosure 21:41:17 ... users were wary or afraid to click on these icons, regarless of icon/taglines 21:42:09 ... 63% thought that "Stop advertising companies form collecting information about your browsing activities." was true 21:42:25 ... recommendations [too fast to scribe] 21:42:44 npdoty has joined #privacy 21:43:02 http://www.cylab.cmu.edu/research/techreports/2012/tr_cylab12008.html 21:43:15 Shane_Wiley: does it seem that this has changed in the past year? 21:43:25 ... where should it be today, 2 years from now, 5 years? 21:43:40 Pedro_Leon: don't think the icons themselves are enough for education 21:43:47 ... maybe enough to exercise their choices 21:44:03 ... am aware that the DAA campaign launched recently will aim to educate users 21:44:11 ... that is a good thing to do 21:44:21 ... whatever the tagline is, it is hard to communicate a clear message 21:44:46 ... not surprised our two made-up taglines performed better. 21:44:52 ... than "AdChoices" 21:45:09 Chris_Mejia: we have served billions of those impressions 21:45:20 ... impressions of the educational campaign 21:45:27 ... full-display ads 21:45:51 ... you may have not seen it because we're targeting people that don't know what it is 21:46:07 ... don't create a brand overnight... difficult endeavor... long arc 21:46:21 ... easy in the early days of brand establishment for people to say, "It's not working" 21:46:51 ... it's sort of the tortoise and the hare analogy... the brand eventually wins because it is seen over and over and over again 21:46:58 ... and people eventually will see that 21:47:15 ... we're just rolling out the brand campaign... at trillions of impressions for the icon 21:47:24 ... would appreciate any help in educating users 21:47:35 Frank has joined #privacy 21:47:45 Pedro_Leon: we want to repeat these experiments to measure effectiveness of the campaign 21:47:58 ... 
following a more systematic approach with users is probably more helpful 21:48:10 ... doing research like they do at CMU could help 21:48:21 Chris_Mejia: the design was very thorough 21:48:34 ... we'll have to give this a chance to see if it sticks with users 21:48:49 ... better to stick with this than changing the icon/tagline at this early stage 21:49:34 JanS: next session will be videotaped... any objections 21:50:06 Arnaud has joined #privacy 21:50:06 Thomas_R: fine with video of the talk, cut off discussion 21:50:27 agree to video record this talk, but not the group discussion. 21:50:28 shit 21:50:32 I have made the request to generate http://www.w3.org/2012/11/27-privacy-minutes.html wseltzer 21:50:34 s/shit// 21:50:35 Blase has joined #privacy 21:50:39 I have made the request to generate http://www.w3.org/2012/11/27-privacy-minutes.html wseltzer 21:50:48 16:42 < wseltzer> Suggestions for the wrap-up: 21:50:57 s/16:42 < wseltzer> Suggestions for the wrap-up:// 21:51:03 Mark_Lizar: Presenting on Open Notice 21:51:23 ... currently notices are not open... no backise structure, written ad hoc, not localized 21:51:37 ... what does this have to do with DNT... users need to understand what DNT means 21:51:55 ... because notice is not standardized, this limits choices people have 21:52:04 ... open and notice are specifically selected... 21:52:09 ... open refers to transparency 21:52:10 lack of interoperability limits all of these efforts 21:52:22 ... notice is common term in regulation 21:52:28 ... consent is not possible w/o notice 21:52:38 ... together they enable transparency and better choices 21:53:08 ... the biggest lie on the web: "I Agree", "opt-in"... despite not having read the terms 21:53:15 ... today I bought Nick a present 21:53:29 ... because I'm from Canada, had to read the 1974 Prviacy Act 21:53:38 ... and a ton of other privacy policies 21:53:50 ... I needed to figure out if they conflict... would need to call my lawyer 21:53:57 ... 
can't use these in e-commerce 21:54:10 ... closed notice prevents new markets in choice 21:54:30 ... open notice is collaborative approach to align social, legal and technical elements 21:55:04 s/cant'/can't/ 21:55:27 ... not only is openness a privacy principle, but guides the groups creating these elements 21:55:48 ... wants Jim from Privacy Choice to share their API 21:55:59 ... next: want to help more projects find and talk to each other 21:56:03 ... facilitate collaboration 21:56:13 ... enumerate challenges 21:56:24 [not sure what this actually is] 21:57:04 JanS: can we see more about a few of the projects involved in the effort? 21:57:24 ... how can w3c support the interoperability of these kinds of groups and if w3c is a place to do that. 21:57:41 ... initial charter of TPWG included another element, maybe this could fit there? 21:58:04 Mark_Lizar: shows tos-dr.info 21:58:17 ... for "terms of service; didn't read" 21:58:21 ... recently funded 21:58:33 ... uses collaborative approach to simplifying TOS 21:58:45 ... icons are aribtrary, don't know what they mean out of context 21:58:57 s/aribtrary/arbitrary/ 21:59:33 erikn: is the goal to replace TOS with schematized terms? or a synposis that is standardized? 22:00:03 Mark_Lizar: there's usually a checkbox... people don't tend to read them... the idea here is to put an icon beside that for informing users. 22:00:17 ... don't want to replace the TOS, but make it more richer 22:00:48 npdoty: most of the icon projects are not trying to replace privacy policies, but make them more like summaries 22:01:04 JanS: Ashkan's preso. can inform 22:01:34 Nokia_Guy: We checked tos;dr against Nokia's policy and found that it was largely incorrect 22:02:07 Ashkan: Wants to echo this stuff and summarize the work to date on this 22:02:14 ... great opportunity for potential standardization. 22:02:20 s/Nokia_Guy/Frank Dawson 22:02:32 ... 
We're talking about taking notice that people don't read, and turn them into short notice
22:02:57 ... take a practice and convert it to notice and short notice and make it understandable by consumers
22:03:14 ... capture > encode > display > enforce
22:03:35 ... capture by locating policy, archiving it, and tracking changes
22:03:48 ... encode it by determining facets, verify results
22:04:09 ... display by providing an api, create icons, present to user
22:04:20 ... enforce, regulate (or not) as necessary
22:04:42 ... when privacy policies don't match short notice, regulators have been reluctant to enforce short notice as binding obligation
22:05:05 ... in 2009, we did work at the I school at Berkeley and cataloged consumer complaints... with Travis Pinnike
22:05:13 s/Pinnike/Pinnick/
22:05:31 ... took a snapshot of privacy policies in time and encoded the policies based on these facets
22:05:42 ... sent our analysis to companies and got good corrections back
22:05:51 Pleon has joined #privacy
22:05:59 ... things change over time, lots of devils in the details... very hard for a manual process
22:06:17 ... P3P was an early version of trying to determine what facets people care about and providing machine-readability
22:06:31 ... [shows big screen of similar efforts]
22:06:42 ... in 2012, we've seen about 10 or so different organizations try to do this
22:07:17 ... these are short lived efforts for a variety of reasons
22:07:25 ... this is an opportunity to standardize these efforts
22:07:45 ... bring together people with interests here and start a standardized language for these facets
22:08:28 JanS: looking at the timeline graph... when I started a recent job, I was worried more about enforcement
22:08:52 ... there could be technical enforcement; practices differ so much that this is very hard
22:09:21 Ashkan: with p3p, we've had cases where people would circumvent these kinds of mechanisms
22:09:43 ... we've not yet seen a regulator go after that...
because these are not statements made to consumers, but their UA.
22:10:21 Frederik_Borgesius: I've been skeptical, as I have no idea sometimes what the heck is in a privacy policy.
22:10:51 ... is there a way to make categories and ask companies to write policies that address those?
22:10:59 Deirdre: that's what p3p did!
22:11:25 Ashkan: there's simply no incentive for companies to do this... when we did KnowPrivacy, it was the threat of publicity
22:11:54 Shane_Wiley: I was a reviewer of one of these as part of the program committee.
22:12:05 ... agree with p3p comment, disagree that there are no incentives.
22:12:14 ... there was some value in IE with the privacy slider
22:12:31 ... about visualization: p3p was a great way of doing it in a slider
22:12:42 ... your goal is trying to get closer to user understanding, right?
22:12:54 Ashkan: I thought p3p was attempting to do that...
22:13:12 ... use as a configurer of a UA, could tell it to follow a set of rules based on what you want
22:13:23 ... there was some work, in privacy bird
22:13:24 ?
22:13:36 ... APEL (?) was the preference language
22:14:04 Rigo: p3p was 2003, not 2006... but only 2003 was a w3c Rec
22:14:09 ... p3p remains misunderstood
22:14:30 ... the browsers killed p3p as they never did anything useful with it
22:14:43 ... many sites had policies but browsers didn't use it
22:15:05 ... browsers were on their road for blocking tools... p3p is just a teethless tiger
22:15:09 s/2003/2002/
22:15:43 ... if you look at Rigo's paper, you'll see that out of the primelife research, researchers never came out with a compliment
22:15:49 ... to the p3p statement vocabulary
22:16:08 ... there is a lot of hidden information exchange... uncertainty
22:16:19 ... there is some way to tell people what you're actually doing
22:16:41 ...
the fresh take on p3p means we throw away the data description but keep the categories
22:16:41 s/APEL/APPEL, a P3P preference exchange language/
22:17:08 Mark_Lizar: There is a lot of room for the p3p work to evolve
22:17:09 tlr has joined #privacy
22:17:19 ... with the lack of accountability, there are issues
22:17:31 ... in EU, new Regulation will drive a lot of this
22:17:41 ... in the US, NSTIC is requiring govt. to have good notice
22:17:54 ... emerging efforts will provide ...
22:18:06 Alex_Fowler: we're thinking a lot about mobile
22:18:37 ... our approach to privacy policies is to "we're not going to make major investments to re-writing our PP for desktop, let's start with mobile and go back"
22:18:49 ... the opportunity for innovation is in these new areas
22:18:59 ... Mozilla Marketplace for HTML5 apps
22:19:10 ... require a PP, just like many app platforms
22:19:22 ... building in a series of icons to differentiate search results in the store
22:19:34 ... these apps have e2e security, these are ad-supported
22:19:56 ... we really haven't talked about mobile at all [I did!]
22:20:16 Ashkan: I agree... ACT is going to have a set of icons... lots of work in mobile
22:20:32 ... Mozilla has icons, Android has permissions manifest
22:20:47 ... Apple had location but has additional axes, photos, contacts
22:20:55 ... every organization is rolling their own
22:21:06 ... in first rev. they didn't have contacts... but revised that
22:21:14 ... now they include contacts access
22:21:30 ... without a standard, there will be tons of conflicting efforts
22:21:59 Mark_Lizar: it's a standard that there is an opt-in/opt-out button to get consent
22:22:09 ... to evolve that global infrastructure is important
22:22:58 nweaver has joined #privacy
22:23:02 why i'm skeptical of icons in a single image: http://farm3.static.flickr.com/2209/2233856221_99cf6cdf8b.jpg
22:23:20 Berin_Szoka: I'm one of the bigger naysayers and I love this, you're doing something right!
22:23:42 ...
comment: on enforcement, as to why FTC hasn't taken action
22:23:56 ... whatever the reason for that, that will become moot if you get wide adoption
22:24:23 ... [berin recites the last element of FTC deception authority about harming users]
22:24:49 ... as long as you have some group of users for which a deception is material, that is the hook
22:25:04 ... How would you relate your concept to Cass Sunstein's idea of smart disclosure?
22:25:29 ... how do you see structured disclosure used for forms that allow for innovation in disclosures formats
22:25:51 ... and what about choice by proxies for users?
22:26:04 rigo has joined #privacy
22:26:29 Ashkan: p3p was designed as a slider for a browser...
22:26:39 Deirdre: and you could import preferences established by another org
22:26:54 Ashkan: you need incentives and enforcement.
22:27:04 ... you need the entire ecosystem for it to function
22:27:17 ... browsers may not be capturing user sentiment
22:27:50 ... with an interoperable, standardized [thing] you could get this ecosystem to a point where notice is meaningful and widely adopted
22:28:09 Mark_Lizar: you can create much more rich notices... right now they are flat, non-interactive
22:28:22 ... a lot of these things can evolve if the ecosystem existed
22:28:35 Deirdre_Mulligan: This is DNT and Behind
22:28:47 ... I did the first FTC preso on p3p with TBL many years ago
22:28:59 ... prescriptive rather than descriptive vocab.
22:29:32 ... it also was going to have an automated mech. for populating fields so that those respective privacy beliefs
22:29:41 ... stripped out by other privacy advos
22:30:00 ... workshop at AOL in 2002 with regulators, EU, inside/outside councils..
22:30:14 ... went over all of this stuff... please go read those remarks
22:30:35 ... when p3p has been trashed as a failure... p3p was one of the first metadata standards
22:30:45 ... w3c should go look at p3p
22:30:54 ... think about security breach notification laws
22:31:06 ...
no one wanted to do those things (encryption, notice on breach)
22:31:24 ... w3c should seize the fact that it was way beyond its time
22:31:39 ... for those that think DNT is too binary... "Duh! no joke"
22:31:44 ... go look at p3p, yp
22:31:46 yrlesru has joined #privacy
22:31:49 s/yp/yo.
22:32:10 Alex: "Come back to us, Deirdre"
22:32:10 Frank_Dawson: any idea of how many of these support layered notice?
22:32:14 +1 to Alex!
22:32:19 Ashkan: definitely glossed over this
22:33:21 Joanne_Birch: comment and a response to Frank
22:33:33 ... we've been actively working with layered notice on desktop and mobile
22:33:53 ... we have examples of these on our website
22:34:08 s/Birch/Furtsch/
22:34:10 David_Wainberg: there is tremendous pressure to be really comprehensive in their privacy disclosure
22:34:33 ... it's extremely difficult to boil these down to short, concise statements
22:34:46 ... that's what I've heard about p3p... can't fit it into these tokens
22:34:55 Deirdre: it's because they want to say, "Maybe"
22:35:00 Deirdre++
22:35:09 David_Wainberg: there's not a lot of support documentation
22:35:16 [there's an O'Reilly book!]
22:35:25 ... people have struggled to do this
22:35:29 I believe the Privacy Choice project is attempting to tie the short notices back to the relevant text in the existing long form policy
22:35:43 ... to make something like this work, it's going to have to make sense to attys. working in companies.
22:36:09 ... and the thing needs to be fashioned in a way that lawyers can feel comfortable that this won't [bite them in the ass]
22:37:12 Mark_Frigon: Want to talk about standardization around data analytics
22:37:27 ... software deployment increasingly depends on analytics
22:37:39 ... concerns that "people are tracking everything"
22:37:52 ... a lot of that is true, some of that is sw deployment changes
22:38:40 ...
more parties providing direct services to your customers and require direct tracking
22:38:53 BerinSzoka has joined #privacy
22:39:25 ... each vendor is going to transcribe different data into different "domains" (data vocabs)
22:39:32 ... not currently structured
22:39:40 ... lots of tag-management solutions
22:39:51 ... do mapping of ontologies from customers vendors, etc.
22:40:05 ... ESPN's home page alone has 35 different parties tracking
22:40:16 ... WSJ says avg. website has 64 trackers
22:40:34 ... many website operators don't even know all the tracking tech. that powers their stuff
22:40:40 ... have to do audits with companies like Evidon
22:40:55 http://www.w3.org/Submission/2012/04/
22:41:01 ... what IBM has drafted and submitted to w3c is a standard data model for customer experience
22:41:10 ... think of this as a JSON or JS object
22:41:16 or rather, http://www.w3.org/Submission/2012/SUBM-cedda1-20120917/
22:42:04 ... this can open up a new standard from which to manage and think about privacy
22:42:31 ... now we have a client transcribing its own data objects into the standard
22:42:44 ... now it is a common object that can be read/write to
22:42:53 ... some open questions:
22:43:02 ... if you have PII in a "visitor" object.. where to store that?
22:43:15 ... cookie, DOM, etc.
22:43:40 nweaver_ has joined #privacy
22:43:44 ... how can this type of model work with existing technologies?
22:43:53 ... if you have DNT, maybe a vendor can't pull from a DNT object
22:44:08 [didn't get that last bit right]
22:44:39 ... this will provide at least a framework that when you have a common data model, it can be pro-privacy
22:44:47 ... [shows example objects]
22:46:03 ... Customer Experience Digital Data Community Group
22:46:14 ... four standards listed
22:46:37 [are these all part of the w3c submish?]
22:46:48 http://www.w3.org/community/custexpdata/
22:46:59 ... intended benefits
22:47:08 ... simplifies site management
22:47:16 ...
simplify switching costs
22:47:25 ... simplifies new deployments
22:47:34 ... provides a foundation for better data governance
22:48:05 ... community group is launched... 8 partners that have supported it
22:48:20 ... discussions with Google, hoping Adobe is on board
22:48:40 ... please join the community group
22:49:04 ... mark.frigon@us.ibm.com if you want to get in touch
22:49:11 pre-pre-kickoff meeting :)
22:49:15 ... call on Thu. pre-pre-pre-kickoff meeting
22:49:33 JanS: have you decided where to put the data?
22:50:00 Mark_Frigon: that is all open. working for a common data model. those questions need to be answered.
22:50:11 JanS: draft spec. addresses data model?
22:50:16 Mark_Frigon: yes.
22:51:25 Ashkan: observation: there are a couple companies that do tag management... an issue I've seen in the past
22:51:41 ... the currency of this ecosystem is impressions and click data...
22:52:00 ... also an industry that no one trusts anyone else... want to make sure that accounting matches
22:52:31 ... to ask people to use a different vocabulary when a check is on the line will be tough.
22:52:34 [?]
22:53:14 Mark_Frigon: the analogy I would make is that if the browsers would support it... certain attributes in HTML5 aren't supported and so they just ignore it
22:53:22 [please correct me as you understand it]
22:53:45 ... that is the type of feedback that would be helpful for buy-in and progress
22:54:01 JanS: can we contextualize this with the session from this morning about browser-based defense?
22:54:06 ... could this help there?
22:54:27 Mark_Frigon: I use that as a hypothetical or a potential implementation
22:54:28 MarkL has joined #privacy
22:56:27 npdoty, curious if this seems of interest to potential implementors
22:56:37 ... some similarities to p3p data control
22:56:58 ... could configure a browser to do this... is this of interest to implementors, advocates?
22:57:35 Deirdre: if one could imagine the GeoPriv and GeoLocation standard where rules are attached to data... it could be an extraordinary development.
22:58:18 Mark_Frigon: [didn't get this]
22:58:51 ... a website that doesn't have a strict privacy policy can have things very exposed... one with a strict policy may want to use a vendor based test on vendor GUIDs
22:59:08 ... we have a data model, nothing more specified
22:59:29 s/npdoty,/npdoty:/
22:59:59 Rigo: do you integrate the privacy into your data model or external to the model
23:00:44 Peter has joined #privacy
23:01:20 ... we need ways of linking statements to objects... Rigo's paper suggests using the context as the link to the object
23:01:38 ... solves problem of lawyers not wanting to make certain kinds of statements
23:01:55 ... when you have a fixed context, the [something and something does something[
23:02:06 s/something[/something]/
23:02:32 JanS: can include a policy element for data
23:02:56 ... having the policy included from the beginning conceptually could solve a lot of problems
23:03:12 ... in this case would pass it on as an object concealed in some other wrapper of policy
23:03:52 Mark_Frigon: ah, in how I was thinking, the website controls the data, whereas in your model it just gives it away with the criteria for policy/sharing
23:04:03 JanS: never give away the data without the policy that governs the data
23:04:23 ... could be the browser doing the logic/evaluation of policy
23:04:47 ... in some cases it may be traveling to a vendor depending on policy allowing sharing with vendor
23:05:00 I believe we're now using "policy" in the sense of user-configured preferences, not "public policy"
23:05:01 Rigo: this is steering data flows with metadata
23:05:22 Shane_Wiley: structured data is always good...
23:05:40 ... in some sense the variation in the market makes user objects look very different
23:06:00 ... what are your thoughts on incentives for using structured data?
23:06:18 ...
what's the primary motivator, and how would you deal with the multi-persona problem?
23:06:55 Mark_Frigon: the spec. today includes a lot of flexibility... you should be able to stuff a lot of things into that person object.
23:07:14 ... as for incentives, if a company requires you to adhere to a standard, the market will suppor it
23:07:19 s/suppor/support/
23:07:57 and we break until 3:30 PST sharp.
23:07:59 RRSAgent, make minutes
23:07:59 I have made the request to generate http://www.w3.org/2012/11/27-privacy-minutes.html wseltzer
23:08:10 [thanks JoeHallCDT!]
23:27:37 Peter has joined #privacy
23:33:37 johnsimpson has joined #privacy
23:33:38 erikn has joined #privacy
23:36:02 dwainberg has joined #privacy
23:36:23 JoeHallCDT++
Topic: Future Directions
23:36:30 Tara_Whalen and Christine_Runnegar on PING efforts
23:37:20 ... trying to jumpstart what web standards privacy work needs to be done
23:37:32 ... will first focus on privacy review of proposed standards
23:37:54 Christine: two key work items
23:38:00 1) privacy considerations document
23:38:02 nweaver has joined #privacy
23:38:08 2) best practices for implementors and deployers
23:38:17 Frank_Dawson has volunteered for everything
23:38:26 This is a call to action to get people involved
23:38:50 PING wants to identify a privacy reviewer for standards early on
23:38:58 Christine: how can we best do that?
23:39:11 ... have been doing ad-hoc reviews, when a WG notices it needs expertise
23:39:24 ... recently at the TPAC we had an informal meeting with Dev API WG
23:39:27 Frank has joined #privacy
23:39:29 [PING: http://www.w3.org/Privacy/ ]
23:39:58 ... in our paper we've identified concrete action items
23:40:03 ... also have a series of questions
23:40:15 Tara_Whalen: two of the items have been mentioned for areas of work
23:40:21 ... if there are others, let us know
23:40:26 ... fingerprinting is one...
23:40:38 ... what is fingerprinting? challenges for mitigating fingerprinting.
23:40:51 ...
appropriate uses of fingerprinting
23:41:00 ... some discussion of this at the TPAC
23:41:10 http://www.w3.org/2012/10/31-fingerprint-minutes.html
23:41:20 Foo has joined #privacy
23:41:24 Tara_Whalen: 2nd, privacy indicators for privacy in browsers
23:41:39 tlr has joined #privacy
23:41:41 ... this is a good time to identify places for ongoing work
23:41:45 ... set of questions:
23:41:59 ... will skip interaction between policy and standards... did that yesterday!
23:42:17 ... what are known privacy and risks of web standards? what should we do about them?
23:42:29 ... what privacy design principles make sense for the web?
23:42:43 ... how do we make sure privacy concerns are raised at an early stage?
23:42:51 [how is it done with security? usability?]
23:42:53 jeff has joined #privacy
23:43:02 ... how should privacy reviews be conducted?
23:43:15 ... who gets to contribute? how?
23:43:26 ... trade-offs: privacy, usability, security, reliability.
23:43:36 ... have a lot of work cut out for us
23:43:41 ... these are big challenges...
23:43:51 ... we encourage you to participate as much as possible
23:44:05 ... we'd like to hear what we can do and what we can do for you
23:44:21 Christine: let's go back to the potential areas for work
23:44:29 ... what were the concrete things that were suggested?
23:45:00 ... on fingerprinting: perhaps PING could produce a document about fingerprinting, what are the challenges, how can we design in mitigations?
23:45:12 ... also the suggestion for others to develop a standard anonymous fingerprint
23:45:31 ... is there a way to develop a means to expose fingerprinting... make it easy to detect when a browser is being fingerprinted
23:45:43 ... To wrap up: privacy considerations document for web standards devs.
23:45:49 ... best pracs. for implementors and devs
23:45:55 ... privacy reviews for web standards
23:46:01 ... suggestions for potential areas of new work.
23:46:07 ... questions that Tara raised above
23:46:31 ...
Frank_Dawson may propose one approach one way to standardize privacy reviews
23:47:26 npdoty: questions for PING peeps?
23:47:41 Karen_Myers: I didn't see web performance WG.
23:48:09 ... subject of fingerprinting came up at recent meeting... they can very precisely fingerprint
23:48:19 Christine: can you put us in touch with that WG?
23:48:31 ... next call is 12/6 UTC 17
23:48:40 ... would be great to have someone from that group speak.
23:49:14 Berin: FTC workshop on 12/6 on big platforms
23:49:23 ... Q: where do you think w3c's competence lies?
23:49:52 ... at the end of the day, because it's a public venue, there are some issues that will not be resolved constructively in a public forum.
23:50:12 ... much progress can happen in private settings.
23:50:39 ... my concern is that if you succeed too well, it may make it too difficult to make a center of gravity for the private conversations that need to happen.
23:51:01 ... what we really need in the private space, is something like what we have for net neutrality, the BITAG
23:51:15 ... create a forum for discourse that is private.
23:51:50 public processes work for the Web because there is not a small set of private stakeholders
23:52:03 Christine: we might be focused on a different problem...
23:52:18 ... it's not about publicness but lack of attention to privacy and lack of expertise
23:52:36 ... we don't want to deflate energy from the WG work, but complement with a parallel process
23:53:09 ... part of solving some of the problems is making sure the right people are doing the work and not wasting the time of people that are not interested, resourced, experienced
23:53:16 ... want to fit the process to the problem
23:54:09 Rigo: Berin referred to a situation of arbitrage... where mediation between entrenched positions...
23:54:23 ... we do that in private conversations, but then come back to the public place to show results...
23:54:28 ... one does not exclude the other.
23:54:55 Frank_Dawson: Have been looking at PbD's unmeasurable 7 tenets...
23:55:13 ... was also dragged in to being a privacy guy at Nokia via CTO's office
23:55:25 ... have run impact assessments in various projects
23:55:35 npdoty has joined #privacy
23:55:45 ... have actually closed down projects... very interesting stage, when you're already operational on a project
23:56:06 ... want to make an abridged version of privacy impact assessments that can have a time of 2 weeks
23:56:24 ... doubt we generate specs at w3c that fast
23:56:34 ... but we should be able to fit the process to the group.
23:56:47 ... will present how to mold process to group
23:57:05 ... first piece is bringing civility to the group [?]
23:57:16 ... first started to think about the word "trust"
23:57:28 ... we probably have different "trust philosophies"
23:57:40 ... citing David Hoffman at Intel
23:57:51 ... Intel talks about the "triangle of trust"
23:58:21 ... "Technology industry" competes with "consumer/advocacy" competes with "policy/regulatory"
23:58:29 ... [something about a force field]
23:59:39 ...
23:59:55 [not as good at transcribing stories, apparently!]
Topic: Wrap-Ups
wrap-up thoughts unminuted, included summary from Thomas Roessler, Jan S. and Nick D. and final words around the room. Thanks all for coming!