16:39:37 RRSAgent has joined #dnt
16:39:37 logging to http://www.w3.org/2013/01/23-dnt-irc
16:39:39 Zakim has joined #dnt
16:39:44 Zakim, this will be 87225
16:39:44 ok, npdoty; I see T&S_Track(dnt)12:00PM scheduled to start in 21 minutes
16:39:55 rrsagent, make logs public
16:53:21 dwainberg has joined #dnt
16:55:11 T&S_Track(dnt)12:00PM has now started
16:55:18 +npdoty
16:55:43 ninjamarnau has joined #dnt
16:55:57 fielding has joined #dnt
16:56:15 +efelten_
16:56:26 schunter has joined #dnt
16:57:05 agenda+ scribe, if not determined already
16:57:12 agenda+ action items
16:57:33 +??P7
16:57:54 Zakim, ??P7 is schunter
16:57:54 +schunter; got it
16:58:09 agenda+ issue 153
16:58:17 +yianni
16:58:17 agenda+ issue 144
16:58:22 Wileys has joined #dnt
16:58:23 agenda+ issue 137
16:58:27 agenda+ issue 111
16:58:30 +dwainberg
16:58:33 jeffwilson has joined #dnt
16:58:33 AnnaLong has joined #dnt
16:58:36 +Fielding
16:58:40 agenda+ issues marked pending review
16:58:43 Yianni has joined #DNT
16:58:53 agenda?
16:59:02 +JeffWilson
16:59:42 vincent has joined #dnt
16:59:51 +vincent
17:00:01 + +49.431.98.aaaa
17:00:10 vinay has joined #dnt
17:00:17 zakim, aaa is ninjamarnau
17:00:17 sorry, ninjamarnau, I do not recognize a party named 'aaa'
17:00:24 Zakim, aaaa is ninjamarnau
17:00:24 +ninjamarnau; got it
17:00:28 Did any volunteer to scribe?
17:00:32 rigo has joined #dnt
17:00:34 +Peder_Magee
17:00:41 not yet -- who would like to step up to help out today?
17:00:46 kulick has joined #dnt
17:00:49 hefferjr has joined #dnt
17:00:52 zakim, code?
17:00:52 the conference code is 87225 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), rigo
17:01:02 +DAvid
17:01:03 + +385345aabb
17:01:07 zakim, aabb is vinay
17:01:07 +vinay; got it
17:01:08 +kulick
17:01:09 +Keith_Scarborough
17:01:10 +hefferjr
17:01:31 Keith has joined #dnt
17:01:36 +Rigo
17:01:36 Zakim, who is making noise?
17:01:37 David_MacMillan has joined #dnt
17:01:41 zakim, mute me
17:01:42 Rigo should now be muted
17:01:47 npdoty, listening for 10 seconds I could not identify any sounds
17:01:50 +WileyS
17:01:52 JC has joined #DNT
17:01:53 pmagee_2023263538 has joined #dnt
17:01:57 Zakim, DAvid is really David_MacMillan
17:01:58 +David_MacMillan; got it
17:02:16 +Brooks
17:02:17 Brooks has joined #dnt
17:02:17 susanisrael has joined #dnt
17:02:20 +SusanIsrael
17:02:32 +Aleecia
17:02:33 npdoty, yes
17:02:36 aleecia has joined #dnt
17:02:36 +[Microsoft]
17:02:39 Zakim, choose a scribe
17:02:39 Not knowing who is chairing or who scribed recently, I propose Rigo (muted)
17:02:46 rigo, can you scribe?
17:02:53 zakim, please mute me
17:02:53 Aleecia should now be muted
17:02:55 +bryan
17:02:58 ack ri
17:03:00 zakim, who is making noise?
17:03:11 dwainberg, listening for 10 seconds I heard sound from the following: schunter (65%), Peder_Magee (29%), Rigo (31%)
17:03:17 Zakim, choose a scribe
17:03:17 Not knowing who is chairing or who scribed recently, I propose dwainberg
17:03:18 Zakim__aaa_is_isham has joined #dnt
17:03:25 zakim, mute me
17:03:25 Rigo should now be muted
17:03:40 scribenick: dwainberg
17:03:45 +[Microsoft.a]
17:03:48 zakim, pick a victim
17:03:48 Not knowing who is chairing or who scribed recently, I propose vincent
17:03:52 zakim, [Microsoft.a] is me
17:03:52 +adrianba; got it
17:03:57 ok for me
17:04:36 +hwest
17:04:38 zakim, mute me
17:04:39 Rigo was already muted, rigo
17:04:39 vincent can take over for dwainberg at what seems like a good turning point
17:04:42 hwest has joined #dnt
17:04:55 61#
17:04:56 dwainberg, let me know when you want to switch, ok?
17:05:00 schunter: pushed out all action items because it's not clear what's going to happen w/ the schedule
17:05:06 Ok. thanks vincent.
17:05:07 mute 61#
17:05:43 +Chris_Pedigo
17:05:51 schunter: action 61 for Mike O. Is he on the call?
17:05:55 ChrisPedigo_OPA has joined #dnt
17:06:06 Chris_IAB has joined #dnt
17:06:11 +1
17:06:14 Closed or Pending Review?
17:06:14 Zakim, who is making noise?
17:06:25 npdoty, listening for 10 seconds I heard sound from the following: schunter (95%)
17:06:30 Zakim, mute me
17:06:30 schunter should now be muted
17:06:32 I believe the hum is coming from Matthias's connection
17:06:37 yep
17:06:39 + +1.916.985.aacc
17:06:44 Hmm. Maybe I should stay on mute ;-)
17:06:48 +[IPcaller]
17:06:56 I will fetch another phone. Give me 2 mins.
17:07:14 just joined the call via Skype
17:07:16 +RichardWeaver
17:07:19 ack ri
17:07:36 -schunter
17:07:38 npdoty: Rigo has action 258
17:07:38 zakim, unmute rigo
17:07:38 Rigo should no longer be muted
17:07:51 Zakim, [IPCaller] is Chris_IAB
17:07:51 +Chris_IAB; got it
17:07:53 tedleung has joined #dnt
17:07:55 +??P7
17:07:58 jmayer has joined #dnt
17:08:05 Zakim, ??P7 is schunter
17:08:06 +schunter; got it
17:08:24 rigo: action 258 was initially for Tom L, in a discussion about who is on a site composed of multiple parties.
17:08:24 +Jonathan_Mayer
17:08:47 ... It would be unclear who is a 1st party, service provider, or 3rd party.
17:08:51 +Ted_Leung
17:09:20 ... the spec currently says a browser may consider an actor on the page and not declared in the same party as malicious.
17:09:23 Malicious or just DNT=0
17:09:25 ?
17:09:46 ... Tom argued that in the spec it should say that a 1st party site SHOULD name all 1st party entities.
17:10:31 if you've joined us from area code 916 (Sacramento or Northern Northern California), can you identify yourself on IRC?
17:10:40 ... then I found an email from Roy, with a decision tree. Very important that the 1st party can somewhat control what others do.
17:10:56 ... and one way is that 1st party is the only one to control the same party field.
17:11:32 ... the SHOULD makes sure people put sufficient attention to this fact.
17:11:38 eberkower has joined #dnt
17:11:56 ... has many advantages beyond what a statement about malicious would do.
17:12:05 ... so provided language.
17:12:36 q+
17:12:38 + +1.646.654.aadd
17:12:48 q?
17:12:48 ... (see http://lists.w3.org/Archives/Public/public-tracking/2013Jan/0093.html)
17:13:01 zakim, mute me
17:13:01 Rigo should now be muted
17:13:03 q-
17:13:04 Zakim, aadd is e berkower
17:13:04 I don't understand 'aadd is e berkower', eberkower
17:13:09 much better. thanks, Matthias.
17:13:17 :-)
17:13:21 Zakim, aadd is eberkower
17:13:21 +eberkower; got it
17:13:24 Zakim, who is on the phone?
17:13:25 On the phone I see npdoty, efelten_, yianni, dwainberg, Fielding, JeffWilson, vincent, ninjamarnau, Peder_Magee, David_MacMillan, vinay, kulick, Keith_Scarborough, hefferjr, Rigo
17:13:25 ... (muted), WileyS, Brooks, SusanIsrael, Aleecia (muted), [Microsoft], bryan, adrianba, hwest, Chris_Pedigo, +1.916.985.aacc, Chris_IAB, RichardWeaver, schunter, Jonathan_Mayer,
17:13:25 ... Ted_Leung, eberkower
17:13:30 + +1.646.825.aaee
17:13:32 + +1.919.349.aaff
17:13:50 schunter: Sent a batch closing email.
17:13:59 ... discussion can continue on the mailing list.
17:14:22 ISSUE-153
17:14:22 ISSUE-153 -- What are the implications on software that changes requests but does not necessarily initiate them? -- pending review
17:14:22 http://www.w3.org/2011/tracking-protection/track/issues/153
17:14:39 AN has joined #dnt
17:14:52 Zakim, aaee is probably AnnaLong
17:14:52 +AnnaLong?; got it
17:14:59 Original language vs. Matthias' new language proposal
17:15:52 q+
17:16:20 johnsimpson has joined #dnt
17:16:22 q+
17:16:27 Current language allows for that outcome
17:16:52 brian: believe in the current draft it does say that the setting must reflect user preference
17:17:08 s/brian/bryan/
17:17:14 Zakim, who is making noise?
17:17:16 +johnsimpson
17:17:25 npdoty, listening for 10 seconds I heard sound from the following: schunter (8%)
17:17:29 +JC
17:17:33 +q
17:17:33 +q
17:17:52 q+
17:17:57 issue-176?
17:17:57 ISSUE-176 -- Requirements on intermediaries/isps and header insertion that might affect tracking -- open
17:17:57 http://www.w3.org/2011/tracking-protection/track/issues/176
17:18:12 dwainberg: are we mixing up combining two issues, intermediaries vs software that are changing the setting
17:18:30 ... in one case we might be talking about browser plugins vs isp and proxies
17:18:36 brian: to the extent that a modification of a header reflects user preference, it is allowed regardless
17:19:00 dwainberg, would you suggest that we have different text for those two different cases (intermediaries vs. plugins)?
17:19:02 q+ to suggest that if they interfere, they have to be able to do exceptions
17:20:07 Rigo - agreed - if an intermediary wants to modify the DNT signal they must support all the same elements a UA must
17:20:10 ack dwainberg
17:20:33 fielding: not sure I get that. you can have a distributed user agent.
17:20:37 zakim, unmute
17:20:37 I don't understand 'unmute', rigo
17:20:40 zakim, unmute me
17:20:40 Rigo should no longer be muted
17:20:42 ... proxies, for example, are never user agents.
17:21:00 ... no as long as we stick with the terminology, we should be ok.
17:21:19 bryan: given the complexity of Web architecture, and the number of different pieces, not worth distinguishing [sorry, didn't capture in real time]
17:21:20 schunter: so a proxy because it's not initiating it's not a UA
17:21:34 fielding: it's the UA that's responsible for sending the request.
17:21:40 q?
17:21:56 bryan: I believe the question is at what layer is that header set
17:22:16 ... at what point does the user agent end.
17:23:08 schunter: so one proposal was basically it has to comply with UA requirements
17:23:31 ... wouldn't this be a solution?
17:23:32 no matter where in the chain, it has to comply with the requirements in the spec -- that would approximate the proposal from dsinger and myself
17:23:36 q?
17:23:39 what is wrong with the current text in the spec?
17:23:51 q?
17:23:54 Roy - I'm with you - current text already covers the issue
17:23:59 ack efelten
17:24:23 Thanks for reminding me that there exists a queue ;-)
17:24:43 efelten: it makes sense to avoid trying to classify all the different types of software. If you are setting or modifying the header, you have a responsibility to meet the requirements.
17:24:59 fielding, Wileys, I think issue-153 was asking for additional requirements to make it clear that any software (even if not an http intermediary) has to capture the user intent
17:24:59 ack JC
17:25:00 ... we can get to that goal more quickly by backing off the architectural taxonomy.
17:25:18 JC: how are we addressing IT departments that deploy the UA for employees?
17:25:40 rigo: it's a matter of where the declaration of the will comes from?
17:26:04 bryan: the IT department use case the same as the home router case.
17:26:06 JC, I don't think the current spec speaks to what an IT department does
17:26:20 now we are rehashing a closed issue
17:26:25 I agree.
17:26:27 (I'm not sure there's anything our spec could do to insist who sets the preferences on a machine)
17:26:28 ... if I exercise control over the domain, I should be able to set the policy.
17:26:33 Is this consensus?
17:26:44 -vinay
17:27:03 I just want to make sure these scenarios are covered in spec.
17:27:07 q?
17:27:11 ack jmayer
17:27:32 ack ri
17:27:32 rigo, you wanted to suggest that if they interfere, they have to be able to do exceptions
17:27:44 See last para of http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining
17:27:51 jmayer: tendency to focus on specific fact patterns, but the considerations are more cross-cutting. If the question is what can/can't enterprise IT do?
17:27:58 ... we can answer that.
17:28:10 ... we can also answer what if settings conflict.
17:28:10 Rigo - we shot that idea down already
17:28:24 Nick, agreed on Issue-153 - I believe we're all saying the same thing: Any party that sends/modifies a DNT signal should be required to provide all the same functionality as the UA (explicit consent, further information, controls, exceptions, etc.)
17:28:35 ... I suggest we describe these things to make it clear we're thinking about them, but knock down issues one by one.
17:28:46 q?
17:28:51 ack npdoty
17:29:04 npdoty: Do we need text on this at all?
17:29:40 ... if there's some other piece of software that's not an HTTP intermediary, it has to follow the same requirements (proposed text)
17:29:50 > Software outside of the user agent that causes a DNT header to be sent (or modifies existing headers) MUST NOT do so without following the requirements of this section; such software is responsible for assuring the expressed preference reflects the user's intent.
17:29:58 http://lists.w3.org/Archives/Public/public-tracking/2012Aug/0001.html
17:30:01 ... it would be adding one requirement, just to be clear there is no software not subject to the requirement.
17:30:11 q+
17:30:28 I think the exception mechanism is key
17:30:31 Wileys, oh, that wasn't what I heard. http proxies will not implement JavaScript APIs, for example
17:31:18 Nick, then they shouldn't be able to modify the DNT signal
17:31:35 "Software outside of the user agent that inserts, modifies, or removes DNT information MUST NOT do so without following the requirements on UAs of this section including that such software is responsible for assuring the expressed preference reflects the user's intent."
17:31:42 Rigo - the problem was some user agents (already implemented) will not even have a UI. If you want to go with SHOULD do exceptions, that sounds sane, but MUST didn't work out. We've talked about this.
17:31:42 We shouldn't create different rules based on position in the communication chain
17:32:11 dwainberg: some pieces of software that have direct interaction with the user should be responsible to make sure that the signal reflect the user preference
17:32:36 +q
17:32:44 q?
17:32:51 Wileys, I don't think that's our previous agreement regarding intermediaries
17:32:55 ack dwainberg
17:32:58 ack jmayer
17:33:06 The language we use is "Implementations of HTTP that are not under control of the user must not generate or modify a tracking preference."
17:33:10 Aleecia, wouldn't you agree that UA's that have already implemented a DNT signal ahead of a final standard are not compliant with whatever that final standard is?
17:33:26 +1 to wording of fielding
17:33:28 jmayer: I agree, with one clarification -- the agreement is that the same requirements apply. That doesn't mean we have agreement on the requirements.
17:33:31 -bryan
17:33:36 Nick, I thought it was and should be. Happy to have the conversation again.
17:33:47 Oh sure, Shane. But we have a question of implementations illustrating how people want to use DNT.
17:33:55 Zakim, mute me
17:33:55 schunter should now be muted
17:33:56 -David_MacMillan
17:33:57 +bryan
17:34:07 s/requirements/, such as how defaults can be set./
17:34:13 schunter: ok, so let's look at fine tuning the language
17:34:14 Zakim, unmute me
17:34:14 schunter should no longer be muted
17:34:19 We're in no way obligated to follow what's happened, but when we already have implementations, we should pay attention to that as a valuable input
17:34:40 just imagine opera mini as a UA and you'll see what we mean. This goes over a proxy and sends compressed images. It still can respect UA requirements
17:34:47 Wileys, okay, well, that's not what current text says, and we hadn't discussed HTTP intermediary spoofing of JavaScript when we agreed on that text
17:35:11 schunter: think it's not necessary that it's under the control of the user, but that it reflects the preference.
17:35:19 fielding, does a plugin or software that modifies outgoing http requests count as "implementations of http"?
17:35:27 q+
17:35:28 Setting the preference is control
17:35:34 ... for example, an ISP that offers parental control. It's not under control, but does reflect the user's preference.
17:35:39 Nick, fair - I'm more focused on the philosophy of intermediaries
17:35:49 :)
17:36:36 Di+q
17:36:37 +q
17:36:38 +q
17:36:45 ack rigo
17:36:47 ack ri
17:36:48 bryan: let's be explicit wrt reflecting user preference. we're not saying the requirement must be fulfilled by every element..
17:36:56 +David_MacMillan
17:36:57 That sounds right - some notion of "if you represent a user's choice, you better be sure it's the *user's* choice"
17:36:58 our proposed text was referring to requirements in Section 3 on "Determining User Preference" (to respond to bryan)
17:37:19 Disagree with Bryan - anyone setting a preference that doesn't allow of exceptions is not compliant with the standard
17:37:27 s/of/for
17:37:35 rigo: good example, matthias, because if I set a preference that only sends a fixed header, this is not a communication mechanism anymore, so I would argue for a more narrow interpretation of control.
17:37:51 bryan: we're not saying the requirement that an intermediary implement every element in the spec, the JS API for example
17:38:18 DNT is not a negotiation. DNT is not contracts-lite. DNT is a user preference.
17:38:21 q?
17:38:28 ack jmayer
17:38:46 zakim, mute me
17:38:46 Rigo should now be muted
17:38:54 to be clear, an intermediary could allow exceptions in the sense that it could have a UI where it allowed you to choose to send DNT:0 in some cases
17:39:23 jmayer: to respond to bryan. we may say in the spec you don't need the JS api if it's not practical. we might come up with cases, and some may be network level, but not necessarily because it's network level.
17:39:29 but http intermediaries are extremely unlikely to implement a JavaScript API; they won't commonly read those sections of the spec, even
17:39:34 Nick - disagree as this disintermediates the owner of the site (publisher) and creates unnecessary implementation overhead
17:39:57 ... and about what degree of preference is required ... is how we deal w/ conflicts that
17:39:59 q?
17:40:06 ack Wileys
17:40:20 bryan: yes, if we have requirements where technically applicable or feasible that's fine.
17:40:45 WileyS, you disagree that HTTP intermediaries could allow sending DNT:0 in individual cases? or just that they shouldn't?
17:41:01 Wileys, would an intermediary that always deny (or accept) exception be ok?
17:41:06 Wileys: I'm still on the hard line side, that intermediaries must be fully able to support other elements of the standard, especially exceptions. Disintermediating API calls breaks the balance we're trying to build.
17:41:32 The idea that all UAs must be browsers (which is where this ends) seems wrong to me
17:42:04 ... as long as we're saying that intermediaries fully support the rest of the standard that's fine, but we should create carve-outs, because we create imbalance, or greater burden on pubs and 3rd parties.
17:42:14 If a party asks for an exception and a user is not able to see the ask, why not just turn the user away?
17:42:37 in the earlier agreed upon text we say: "An HTTP intermediary must not add, delete, or modify the DNT header field in requests forwarded through that intermediary unless that intermediary has been specifically installed or configured to do so by the user making the requests."
17:42:44 Aleecia - we're trying to build user friendly experiences - that doesn't meet the goal
17:42:55 that is, they must not modify it, *unless* it was user-configured to do so
17:43:02 I agree, Shane. Neither option does, is the problem.
17:43:09 schunter: we should take your proposal as a working assumption, and require all elements on whatever thing is doing the modification, and then look at the other UA requirements that are impossible or hard to satisfy at the network level.
17:43:36 q+
17:43:46 Aleecia, removing intermediaries that are unable to fully support the standard is the cleanest path forward
17:44:29 The cleanest path forward is to shoot DNT in the head. Doesn't mean it's the best...
17:44:44 brian: starting w/ that analysis is a good thing to do. we should avoid defining everything in terms of UA technology, because that is overly limiting.
17:44:51 s/brian/bryan/
17:44:52 Wileys, if the intermediary inform the user that it'll always grant (or deny) exception request, why it is not ok?
17:45:04 It's entirely reasonable that someone be able to deliberately choose to turn on DNT but do so through a light-weight way that does not even have a UI in some cases
17:45:07 schunter: let's not decide at this point, but let's follow Shane's approach and do the analysis.
17:45:10 q?
17:45:14 ... anyone disagree?
17:45:32 What's not reasonable is for a UA to decide for users what DNT should be
17:45:51 (where "reasonable" encompasses some pragmatic issues)
17:46:11 Aleecia, why is that reasonable? Supporting a standard means just that - supporting ALL of that standard. I don't believe just being able to turn on DNT=1 means you're standard compliant.
17:46:14 npdoty: the text dsinger and I proposed would apply to any software. I don't think it makes much sense to require all the other elements of the spec. It makes to apply all sections on determining user preference...
17:46:41 s/any software/any software for all the requirements in the section on Determining User Preference/
17:46:45 q?
17:46:47 q-
17:46:47 Shane we are so far down the road that supporting DNT will not mean supporting all of DNT. You can predict everything I'd say in response here :-)
17:46:56 ack npdoty
17:47:12 dwainberg, switch?
17:47:14 schunter: volunteer to go through the spec and analyze which requirements would be a problem for an intermediary?
17:47:23 yes, thanks, vincent
17:47:24 If you *really* want that approach, cool, but then you need to live with it everywhere ;-)
17:47:25 :)
17:47:26 scribenick: vincent
17:47:34 bryan has joined #dnt
17:47:39 action: schunter to review which requirements in the spec would be problematic for an intermediary
17:47:40 Created ACTION-356 - Review which requirements in the spec would be problematic for an intermediary [on Matthias Schunter - due 2013-01-30].
17:47:40 q+
17:47:46 schunter: next issue is 144
17:47:50 issue-144
17:47:50 ISSUE-144 -- User-granted Exceptions: Constraints on user agent behavior while granting and for future requests? -- open
17:47:50 http://www.w3.org/2011/tracking-protection/track/issues/144
17:48:20 -q
17:48:28 schunter: currently with the new exception approach it means that the UA saw and retransmit the exception information and are allowed to modify as long as it reflects user preference
17:48:45 q+
17:48:47 ... david's point was that we can just close issue 144
17:49:28 npdoty: just to clarify, we have two different question on issue 144, one about the UI and one about the future requirement
17:49:43 q?
17:49:43 q-
17:49:43 Aleecia - I already thought I did. If I say my company is W3C DNT compliant, then I would expect that to mean we agree with the full standard.
17:50:01 schunter: collect opinion, anyone want to keep 144 open?
17:50:03 q?
17:50:06 question 1: do we have any UI requirements? our answer: no.
17:50:26 question 2: once an exception granted, what is future behavior? our answer: send dnt:0 when an exception persists.
17:50:36 q?
17:50:40 npdoty: I'm not aware of objections to those
17:50:40 schunter: I suggest to move 144 to pending review and will be in the next batch for closing
17:50:50 q?
17:50:55 ... no discussion, it seems that we have a consensus
17:51:08 +q
17:51:08 schunter: move to issue 137
17:51:12 issue-137?
17:51:12 ISSUE-137 -- Does hybrid tracking status need to distinguish between first party (1) and outsourcing service provider acting as a first party (s) -- open
17:51:12 http://www.w3.org/2011/tracking-protection/track/issues/137
17:51:12 issue-137
17:51:13 ISSUE-137 -- Does hybrid tracking status need to distinguish between first party (1) and outsourcing service provider acting as a first party (s) -- open
17:51:13 http://www.w3.org/2011/tracking-protection/track/issues/137
17:51:42 q?
17:51:47 ack jmayer
17:52:34 jmayer: I can't speak if the new technical design allow to know if the sp is a 1st party/3rd party
17:52:57 q?
17:53:33 ... roy opposed to flag for the sp flag (if I understand correctly?)
17:53:50 q+
17:54:14 roy: couple of different things, in some cases the SP can't reveal that the 1st party is not sending the response (for contractual reason)
17:54:32 ... even if the sp had to do this, it would not do it
17:54:35 I do not understand why those contracts would exist, at all. That seems broken and astonishingly wrong. What am I missing?
17:54:41 ... the 1st party could do that
17:55:03 ... the other issue is "what does sending a S in the response tell the user"
17:55:04 aleecia, I also would like to hear more about these claimed contractual obligations.
17:55:25 is the ability of the first-party to list its service providers likely to resolve jonathan's requirement?
17:55:35 if not, I think we should ask for an alternative proposal
17:55:43 q?
17:55:46 ack ri
17:55:47 If 1st parties are required to list SPs that works for me
17:56:00 If 1st parties may optionally list SPs, no
17:56:02 zakim, unmute me
17:56:02 Rigo should no longer be muted
17:56:05 (or maybe we had a previous 's' proposal text that would count as the alternative)
17:56:10 npdoty, I want to make sure a service provider can always be identified. I don't care so much about the technical mechanism.
17:56:25 Since I do not understand why there is this contractual obligation, I don't know if that's likely
17:56:27 But first parties aren't required to list SPs because that is undue burden for a feature that nobody has implemented
17:56:29 Not that this means a MUST, not a MAY for identifying service providers.
17:56:38 s/Not/Note/
17:56:53 q+
17:56:53 rigo: I would support Roy, because the SP does not have control over the data, it would only bring only statistical data about who is SP on what but no privacy material
17:57:00 Roy, to flog this again: add-ons are very likely to use this data
17:57:09 In the US, SPs are *not* part of 1st parties
17:57:09 If there eventually becomes benefit to list all same parties, then that benefit will lead to implementation (far more effectively than a SHOULD).
17:57:10 jmayer, aleecia, so do we have an alternative to Roy's most recent text that we should compare to?
17:57:13 ... the definition of SP is such that they are part of the 1st party
17:57:31 ... nice for those who want to make statistics only
17:57:45 presumably the text prior to Roy's mods, but I'd have to look to confirm
17:57:54 schunter: SP follow the same privacy practices in the EU language of the data processor
17:58:24 we need to build something that works in areas other than the EU...
17:58:24 npdoty, yes, mandatory service provider flag language has floated about for a year
17:58:47 ... if the SP has not the same privacy principle, that it is considered as a 3rd party
17:58:47 because in the EU, there are legal liability issues, and we cannot visit those upon DNT implementors
17:58:49 q?
17:58:58 ack efelten
17:59:19 Zakim, mute me
17:59:19 schunter should now be muted
17:59:21 The text I have does require identification of the data controller (first party), so that is a means to detect a service provider when it is using its own domain.
17:59:31 jmayer, great, I think it might be good to clarify what the exact text is (even if we're just pointing to a previous email/proposal)
17:59:35 efelten: there is a case where users have a reason to know the difference, imagine that there is a primary site that include content from SP.com
17:59:52 .. SP.com indicate that it is a 1st party
18:00:14 which is a good step. but we know service providers don't always use their own domains.
18:00:36 Off to class. I sure hope we don't batch close this issue...
18:00:37 in case firstparty.com has not indicated fp.com "same party" I wouldn't believe any "1" from fp.com
18:00:40 ... it could mean that SP is a first party and can use the data for itself, if it s a pure service provider SP can not use the data for itself
18:00:43 -Jonathan_Mayer
18:00:48 Zakim, unmute me
18:00:48 schunter should no longer be muted
18:00:50 q?
18:00:53 ... it's a case where the difference matters
18:00:59 q+
18:01:09 q-
18:01:20 My guess is if we go down that path, we'll see more SPs not using their own domains.
18:01:24 aleecia, the only reason that 1st party does not include its service providers is because we defined it that way. It is not a US thing. In EU, they have data controller and data processor.
18:01:39 schunter: this issue will take longer than the last one, would like to have several proposal for the next face to face and try to find common ground
18:01:58 schunter: postponed the issue until f2f
18:02:12 q+
18:02:16 yes - in the EU, to use the terms we have here, the 1st party is responsible for the SP. not so in the US
18:02:18 q?
18:02:24 ... propose alternative text into the spec
18:02:33 ... for the next f2f
18:03:12 roy: the 1st party member is not really an alternative to the S flag, it's a solution to indicate multiple 1st parties
18:03:26 zakim, unmute rigo
18:03:26 Rigo was not muted, rigo
18:03:29 ... would not be a complete alternative
18:04:04 rigo: if somebody is sending back S instead of 1, it'll be fine too?
18:04:30 so that's where i'm having trouble: the idea that there's no way to visualize the difference between a service provider and a 1st party
18:04:36 roy: yes, but we would have to change the meaning of 1
18:04:42 users should be able to have visibility into where their data flows
18:04:54 schunter: but it would not give much information
18:05:07 rigo: legally there is no protection between 1 and S
18:05:10 q+ to ask about volunteers for text
18:05:11 this is basically FIPPS -- it's "no secret databases" into current times
18:05:17 S does not have the same meaning as 1. S means data can be used on behalf of a (separate) first party. 1 means you can use the data yourself.
18:05:19 aleecia, there is no way to visualize the difference between contractors and employees. It is NOT a privacy problem and has nothing to do with DNT.
18:05:39 schunter: proposal is to add 2 lines to the spec to have a concrete proposal to discuss during the f2f
18:05:40 ed, I haven't really understood your use case. Can you put that in email?
18:05:57 npdoty: make sense, do we have an action item?
18:06:03 of course we can visualize the difference between 1st parties and SPs.
18:06:26 this is not contract employees working for a first party. this is an entirely different company
18:06:29 schunter: roy can you write this text and then send it to jmay or the complete list?
18:06:32 with different data practices
18:06:32 fielding, would you be willing to take that action?
18:06:46 fielding: lack of time
18:07:12 schunter: will see with dsinger
18:07:16 q?
18:07:22 ack npdoty
18:07:22 npdoty, you wanted to ask about volunteers for text
18:07:22 it doesn't have to be a privacy *problem* at all, just a way for users to see where their data goes.
18:07:26 ... anything else on issue 137?
18:07:29 aleecia, not according to our definitions.
18:07:35 issue-111
18:07:35 ISSUE-111 -- Signaling state/existence of site-specific exceptions -- open
18:07:35 http://www.w3.org/2011/tracking-protection/track/issues/111
18:07:57 action: singer to add service provider option text (with jmayer) as an issue in the draft with an option box
18:07:57 Created ACTION-357 - Add service provider option text (with jmayer) as an issue in the draft with an option box [on David Singer - due 2013-01-30].
18:08:01 and the letter "s" does not inform the user of where their data goes.
18:08:03 not according to what you've proposed for definitions :-)
18:08:13 schunter: we had this postponed, the point is that if you get DNT:0 you don't know if it's a general preference or an exception
18:08:32 All of the UAs in the room said they will support site-specific exceptions - if we remove them from the specification then we can equate an exception to site-wide exception (as the publisher)
18:08:36 +q
18:08:44 I did not propose those definitions.
18:08:44 either we let users block data collection, which we aren't, or at least we have to offer users a way to see what's going on. if we cannot even do that -- this is untenably broken.
18:08:45 q?
18:08:53 ... do we need some extra signal to tell if the 0 is an exception or a general preference
18:08:54 action-357: the goal is to have a concise alternative/additional text for the "s flag" or otherwise an alternative to roy's most recent proposal
18:08:54 Notes added to ACTION-357 Add service provider option text (with jmayer) as an issue in the draft with an option box.
18:08:54 ack Wileys
18:09:18 if you want to back away from giving users the ability to have transparency, then we need to let them just block collection. full stop.
18:09:38 q+
18:09:43 aleecia, that simply isn't relevant. Go ahead and block the entire Web.
18:09:45 Wileys: somewhat tied to what we decide on site-specific exception, the publisher receiving DNT:0 could know if the 3rd parties are covered
18:09:55 having DNT mean "your data flings around and you have no control over it, and no idea what's even happened" is not a reasonable outcome.
18:09:59 q+
18:10:21 schunter: we agreed that we have explicit-explicit api, so there can be a case where you have explicit list
18:10:36 Okay - if explicit lists exist, then the publisher will need a way to determine which of their 3rd parties are not covered.
18:10:57 schunter: there can be arbitrary weird user preferences supported by weird user agent
18:11:40 Wileys: then the publisher need to know which 3rd party are not covered either to ask new exceptions, modify user experience or block third party
18:11:55 q?
18:12:11 ack npdoty
18:12:14 schunter: this would have to be handled on the server side cause user could modify the browser
18:13:12 npdoty: two points: 1) whether we provide the explicit list, the exception does not inform the publisher that there is an all--target exception
18:13:33 Even if we have DNT0e (for: you have a site-wide exception), my self-compiled user agent can still continue sending DNT1 to all third parties.
18:13:51 q?
18:13:55 ack adrianba
18:13:59 -johnsimpson
18:14:00 johnsimpson has left #dnt
18:14:13 npdoty: there is a JS API now to know if there is an exception for this list (I missed some of it)
18:14:21 SPs have to be knowable. it's just that simple. i'm not asking for users to be able to block SPs, which would be an entirely sensible thing, but if users cannot even know who the SPs are, this is a bankrupt exercise.
18:14:38 I was trying to clarify that we need to solve this whether or not explicit lists are supported in our JS API
18:14:49 q+ to say that it doesn't exclude a summary treatment, this is not a feature to me
18:15:03 -vincent
18:15:20 I'm not on the call anymore
18:15:27 scribenick: npdoty
18:15:30 -AnnaLong?
18:15:48 adrianba: propose that we remove the array of domains
18:15:49 q+
18:16:30 schunter: be optimistic, leave things as they are; if we find that there are mixed signals, we can come back to it then
18:16:48 adrianba: I expect us to request that this feature be marked "at risk"
18:16:56 q?
18:17:01 ... will send a mail with problems, shouldn't spend time solving them
18:17:02 ack rigo
18:17:02 rigo, you wanted to say that it doesn't exclude a summary treatment, this is not a feature to me
18:17:29 aleecia, SPs have requirements on data is siloing, non-disclosure, and no independent use -- all to ensure privacy; the corresponding benefit they get is that they are not treated as a third party.
18:17:52 q+
18:17:53 rigo: explicit/explicit domains can be complex, if you allow for *.* and the UA is clear, the specification would not force you to implement it, just doesn't exclude others from doing it
18:17:57 ... what is the hindrance?
18:18:00 i'm not suggesting treating SPs as third parties.
18:18:08 ack npdoty
18:18:10 but i am saying no secret data stores.
18:18:11 ... can't be forced to implement it, don't see why exclude it
18:18:15 pretty basic.
18:18:49 -Peder_Magee
18:19:28 The question is "Can we really believe that?" If not, publishers need a way to poll.
18:19:36 aleecia, and I am saying that if a first party can keep a secret data store, then a service provider can too -- there is no difference to the user's privacy risk.
18:20:08 huh? no. the identity of the SPs is the issue here. users should know who they're dealing with, that's all.
18:20:22 npdoty: we don't currently require the UA to send DNT:0 to the first party if there is an all-trackers, site-wide exception
18:20:23 npdoty, I'm having phone problems, can't join
18:21:02 ... because the user is still indicating to the first party that they want the first party compliance
18:21:11 aleecia, the service provider has no own rights. So if the service provider lacks secure storage, it is the fault of the first party not ordering the sp to have secure storage
18:21:19 if that means the 1st parties list the SPs rather than the SPs list themselves, that's fine
18:21:22 ack adrianba
18:21:50 Rigo - that's not the point at all. (and isn't quite true in the US i expect...)
18:21:54 schunter: so you might send DNT: 1e or DNT: 0e, to indicate the difference between the first party and the third party
18:22:07 adrianba: in response to nick's question, depends on the wildcard
18:22:09 -ninjamarnau
18:22:14 ... a query method with the same signature as the set method
18:22:20 +1 to adrianba on the relation to the domain wildcards
18:22:26 which is precisely my point
18:22:27 aleecia, they should know who is the data controller. The notion that the user ever knows "who they are dealing with" on the Internet is not realistic.
18:22:38 ... if you call the query method with the same parameters, then it will tell you whether that set method has been called in the past
18:22:43 + +33.6.50.34.aagg
18:22:51 ... changes it from being a simple property to a method
18:22:55 ephemeral data and packet forwarding are an entirely different issue, Roy
18:22:56 zakim, aagg is vincent
18:22:56 +vincent; got it
18:23:02 ... call the query method with the same arguments
18:23:14 ... tell the site whether it previously recorded that exception
18:23:25 +1 to adrianba
18:23:27 q+
18:23:41 schunter: from your point of view the query api is enough to inform the site?
18:24:04 adrianba: I think the API needs to be able to know if it's a web wide or site wide exception
18:24:34 the primary purpose of this is to not bother the user but know when the site gets the exception
18:24:35 this is just so basic. it's pretty much Shane's "discoverable" approach, in a different context.
18:25:00 q?
18:25:12 +1
18:25:14 ack npdoty
18:25:16 +1
18:25:29 schunter: what I'll do is leave this open and wait until we have the wild-card api
18:25:45 blocking users' ability to find out what's happened with their data, even after the fact, is a broken approach
18:25:46 Aleecia, the difference here is the legal concept of "agency" and/or "service provider" - depending on which side of the pond we're on. In both cases, a company is not compelled to disclose those that work on its behalf as legally they are the same party in that context.
18:25:50 adrianba, can you read over the confirmSiteSpecificTrackingException code and see if that's all you need?
18:25:53 q?
18:25:53 npdoty, did not capture that
18:26:09 schunter: anything else on issue 111?
18:26:11 npdoty, yes, hadn't seen that was added
18:26:24 Aleecia, from a domain listing perspective though I don't see how we'll be able to avoid listing the domains for our service providers/agents so they get the appropriate DNT signal.
18:26:25 If a SP screws up and accidentally publishes all the data they hold, we sue the SP, right?
18:26:29 npdoty: dsinger already wrote up a confirmSiteSpecificException, which does have the same parameters, as adrianba indicated, so that might be sufficient
18:26:31 npdoty, don't think it was in when i reviewed for this on monday
18:26:50 schunter: that's all from my point of view, reminder: registration for the f2f
18:27:03 thursday 31st?
18:27:05 ... please register before the end of the month
18:27:07 If we are unable to attend the f2f, will there be a dial-in line that can be used?
18:27:14 Aleecia - it depends, if an SP/vendor is hosting an element of my business and that is breached - then I'm sued and I in turn sue my SP/vendor.
18:27:17 https://www.w3.org/2002/09/wbs/49311/tpwgmit2013/
18:27:42 schunter: any question about the f2f, how do we register people that would attend but are not part of the group?
18:27:55 q
18:27:59 q?
18:28:02 xxx: how do we register people that would attend but are not part of the group?
18:28:09 s/xxx/bryan/
18:28:10 If we are unable to attend the f2f, will there be a dial-in line that can be used?
18:28:10 -Chris_Pedigo
18:28:13 - +1.916.985.aacc
18:28:14 Aleecia, good example was a recent breach by Epsilon of email addresses for some of its largest clients - their clients are being sued by their customers and they are in turn suing Epsilon
18:28:15 npdoty: send an email to the chair
18:28:20 - +1.919.349.aaff
18:28:21 kulick, I think so
18:28:21 -hwest
18:28:22 -RichardWeaver
18:28:22 -hefferjr
18:28:23 -bryan
18:28:24 -SusanIsrael
18:28:25 -efelten_
18:28:25 -adrianba
18:28:25 -Ted_Leung
18:28:26 -yianni
18:28:26 -Chris_IAB
18:28:27 -Rigo
18:28:28 -JeffWilson
18:28:28 But they're not the same entity...
18:28:29 -Keith_Scarborough
18:28:29 -schunter
18:28:30 -dwainberg
18:28:31 -kulick
18:28:33 -[Microsoft]
18:28:33 -vincent
18:28:34 -Fielding
18:28:35 adrianba, it's possible that dsinger has been adding that recently, I haven't kept up with his schedule ;)
18:28:36 …as that example demonstrates.
18:28:39 npdoty, when did you send the f2f registration email?
18:28:42 Zakim, list attendees
18:28:42 As of this point the attendees have been npdoty, efelten_, schunter, yianni, dwainberg, Fielding, JeffWilson, vincent, +49.431.98.aaaa, ninjamarnau, Peder_Magee, +385345aabb,
18:28:45 ... vinay, kulick, Keith_Scarborough, hefferjr, Rigo, WileyS, David_MacMillan, Brooks, SusanIsrael, Aleecia, [Microsoft], bryan, adrianba, hwest, Chris_Pedigo, +1.916.985.aacc,
18:28:45 ... RichardWeaver, Chris_IAB, Jonathan_Mayer, Ted_Leung, +1.646.654.aadd, eberkower, +1.646.825.aaee, +1.919.349.aaff, AnnaLong?, johnsimpson, +33.6.50.34.aagg
18:28:49 -eberkower
18:28:57 rrsagent, draft minutes
18:28:57 I have made the request to generate http://www.w3.org/2013/01/23-dnt-minutes.html npdoty
18:29:13 -Aleecia
18:29:31 Zakim, bye
18:29:31 rrsagent, bye
18:29:31 I see 2 open action items saved in http://www.w3.org/2013/01/23-dnt-actions.rdf :
18:29:31 ACTION: schunter to review which requirements in the spec would be problematic for an intermediary [1]
18:29:31 recorded in http://www.w3.org/2013/01/23-dnt-irc#T17-47-39
18:29:31 ACTION: singer to add service provider option text (with jmayer) as an issue in the draft with an option box [2]
18:29:31 recorded in http://www.w3.org/2013/01/23-dnt-irc#T18-07-57
18:29:31 leaving. As of this point the attendees were npdoty, efelten_, schunter, yianni, dwainberg, Fielding, JeffWilson, vincent, +49.431.98.aaaa, ninjamarnau, Peder_Magee, +385345aabb,
18:29:31 Zakim has left #dnt
18:29:34 ... vinay, kulick, Keith_Scarborough, hefferjr, Rigo, WileyS, David_MacMillan, Brooks, SusanIsrael, Aleecia, [Microsoft], bryan, adrianba, hwest, Chris_Pedigo, +1.916.985.aacc,
18:29:34 ... RichardWeaver, Chris_IAB, Jonathan_Mayer, Ted_Leung, +1.646.654.aadd, eberkower, +1.646.825.aaee, +1.919.349.aaff, AnnaLong?, johnsimpson, +33.6.50.34.aagg