Tracking Protection Working Group teleconference -- 30 Jan 2013

<npdoty> when Dave Singer sends regrets, he's still more likely than most to be on the call

<schunter1> Do we have a scribe for today?

<peterswire> no scribe yet - the person who had said yes cancelled

<npdoty> Peter's slides: http://lists.w3.org/Archives/Public/public-tracking/2013Jan/att-0139/wednesday_call.013011b.pptx.pdf

<dwainberg> I think I did 1/2 the call last week.

<dwainberg> maybe someone else can take a turn.

<aleecia> Nope

<aleecia> Sorry

<Marc-GroupM> hello

<schunter1> is it better now?

<schunter1> Let me fetch another phone. Sorry for the 1min delay.

that's fine

<npdoty> scribenick: Yianni

Mathias: open action items, there is no overdue action
... this hasn't happened for a year, thanks for everyone who has done there action items on time
... Nick doing caller identification

Nick: if you are on IRC and 202 please let us know who you are

Mathias: please register for Face to Face, no questions

Peter: Go through file send by Peter earlier
... second slides have some disclaimers
... slides are one person's attempt to summarize different perspectives
... these are not the views of Peter, he is trying to accurately say others arguments
... Why Peter is giving context
... trying to connect DNT to other debates in US and Europe generally

<eberkower> eberkower is 646-654.aall

Peter: DNT does not take place in the working group, lots of other people care
... lots of interest in what can be done in multi-stakeholder, beyond technical
... support on both sides of Atlantic by leaders to create a standard
... five ways to describe what we are doing

<jchester2> Peter: can you repeat what you said about "top down" regulatory regime. Are you suggesting that this would be bad?

Peter: technical compliance DNT=1, W3C in multistakeholder, example of multi-stakeholder process relevant to US, relevant to global internet governance
... DNT success is more than a technical thing

<justin> I think "top down" is redundant in this context.

Peter: EU Data Protection proposed in January a year ago
... Commission issued Draft Regulation, called a regulation not a directive
... a regulation applies directly to states, does not have to go through national legislatures
... beyond data protection about unifying Europe

<scribe> ...New report issued for hundreds of amendments

UNKNOWN_SPEAKER: Commission, parliament, and council in Europe
... official negotations between 3 bodies
... Goal to get this done before Parliament ends
... June 2014 is next election
... Multi-stateholder processes work in European Union
... basic approach is that in EU you need law
... Lisbon treaty made it explicit that privacy is fundamental human right
... people in speeches said they had to pass draft regulation because of Lisbon Treaty
... Another approach: limiting data and harmonizing rules accross market that allows information to flow
... 95 directive: two discourses, limiting data and common market
... skeptism of self-regulation that industry has dominate role
... skeptism of multi-stakeholder process is there enough role for government to speak up
... there is a conflict brewing about the internet, if standard does not work with EU law
... regulation makes clear that US must comply with EU rule
... advertising served to EU will be governed by new EU rules
... DNT=0, March to have in Berlin a global consideration task force
... Peter giving personal sense, DNT=0 could be a choice mechanism in EU
... could be part of consent in EU privacy directive
... if DNT=0 was a step of showing consent, could be a one stop way for websites to handle
... debate in group, for including this in the process
... it is a world comliance organization, could enable global standard
... but do not need to define the rules accross the world
... meetings in Brussels
... meet wide range of advocate, governments, etc.
... W3C has previous met with DG Connect
... DG Connect would be very happy if we do make process
... DG Justice proposed the regulation with strong fundamental rights outlook

<npdoty> in case you missed the slides link from before... : http://lists.w3.org/Archives/Public/public-tracking/2013Jan/att-0139/wednesday_call.013011b.pptx.pdf

UNKNOWN_SPEAKER: Brussels, Albreicht - lead charge on writing amendments
... more focus on fundamental rights than with original regulation
... step towards more regulatory approaches
... Report mentions DNT in 2 places: one is amendment 105
... incentives to use pseudonymous data

<jchester2> NGOs do not consider the Albrecht amendments more rgeulatory--but better protecting privacy.

UNKNOWN_SPEAKER: section 15 german telemedia law

. . . Amendment says standard needs to be approved by Commission

scribe: Another amendment is limits on definition of profiling
... shows interest in technical measures with one stop compliance
... lots of amendment will be made to ALbreicht's proposal
... Meeting with EU Data Protection supervisor (50 full time employees)
... Hustinx? fundamental rights approach, and experience as Dutch leader
... One issue: whether users understand what they are agreeing to
... thinking about how a technical standard can sit into a legal structure
... shift to previous week in meetings in DC
... Meetings in White House, Cam Kerry in Commerce, and state department
... discussion with federal trade commission, spoke with Julie Brill
... Good set of contacts of US government people

<jchester2> Peter: Please explain what the conversation with the White House discussed.

scribe: multi-stakeholder processes: Obama has supported in domestic issues
... mobile privacy, big even at white house for DNT
... FTC has supported effective DNT, and will probably continue
... DNT=1 would be a highly visible success
... if it does not work, that would be highly visible as well
... EU privacy and data protection, US government has expressed a number of concerns
... EU has to much regulation here, US wants interoperability for global companies for global data flows
... DNT is an example of multi-stakeholder facilitating ineroperability
... If it fails, US has nothing to point to out of W3C process
... having success here could ease discussion on global data flows
... US and EU free trade agreement, trying to negotiate
... trying to remove barriers to free trade and service
... push to get regulatory interoperability and harmonization
... services and regulatory harmonization are at top of agenda for free trade negotiation
... Hard to get US and EU to pass a law
... multi-stakeholder could be a good model to buttress free trade approach
... Organization that want fewer regulatory models could get that through this process
... DNT is going to be viewed as part of broader debates
... what should the role be of ITU for Internet governance
... china, russia, iraq led the way to give the ITU more power, US rejected to top down approach
... EU members were alligned with US
... meetings in May, discussion of ITU and its role
... Position that US and EU have taken is that internet governance should emphasize bottom up multi-stakeholder processes
... they should not fall under top down process
... If there is a visible inability to use bottom up governance, what would that show?
... we need to show to success stories
... remind ourself of goals of this project
... its worth doing for its own sake, but also important for general internet governance

<peterswire> q

<jchester2> +q

scribe: Any questions or comments?

Jeff Chester: who did you talk to at the white house and what did those discussion entail?

Peter: David Edelman works for ecnomic council, also office of science and tech policy
... also spoke with Michael Froman
... brieder meeting with Gene Spurling and Jason?

<jchester2> what was the nature of the WH discussion. what was specificlaly said.

Peter: Cam Kerry in Commerce, Ambassador Verveer in state department
... tried to give themes of what was said

<jchester2> Amb Verveer

Peter: EU/US dialogue, how US domestic policy would be handled, tried to be pretty specific
... For Boston, focus on uses and delinking
... hoping we can get as far as we can on those issues

Boston meeting discussion

Peter: alerting that if you have issues on those things, please let us know
... this is what we are going to try to work on
... request to editors, Heather West, Justin Brookman
... Yianni will be assisting, and David Singer will do some help as well
... hope to prepare a shorter, perhaps cleaner portion of the text
... goal of editors is not to make substantive changes
... Peter's own view, text of requirements (normative)
... text can be relative brief, and then have explanatory material
... can focus on normative language for Boston
... for Boston, trying to get people who are knowledgable about certain things to help
... example, MRC for auditing
... people in marketing research to maybe present
... German telemedia law
... encrption that can address some attacks of hashes, may have briefing on that
... Khaled has a detailed set of checklists of risks and harms
... have been working with Khaled to make list available
... this will turn out as an exercise of risks of re-identification
... own hope that people from different perspectives could work on
... could perhaps use check list to clarify where views about the world are similar
... then narrow to small list of where people's views of the world differ
... could simplify the normative discussion of how to proceed

<fielding> peterswire, I would like to see a real session on the definition of tracking and agreement on a scope for this work, preferably near start of F2F meeting

Peter: responding to Roy, why uses are relevant
... any spec that emerges that allows security uses, but does not allow other uses
... any spec that emerges here that is so aggregate and so removed, it does not count as tracking
... no longer tracking because its aggregated, uses for security may not be tracking
... close overlap of what you get with uses and de-identification, you get close to the meaning of tracking
... tracking may be difficult to define, but could be able to with specific uses and de-identification
... Peter thinks that de-identification and uses is highly relevant to tracking

<fielding> we did that … it hasn't worked for the past year

Peter: can do so without argueing about what the word tracking means
... for compliance part of Boston meeting, we are likely early in compliance
... maybe in opening remark on Monday with discussion of process
... lots of comments of when you need to raise objections
... hard to know when question is being called

<adrianba> why is it taking a long time to create a mailing list? isn't it easy to do?

Peter: Process, in first meeting, decorum is very important and has been pleasantly optimistic and hope to continue that in Boston

<npdoty> adrianba, apologies, that's a delay on my end

Peter: it is easy to do, we just have not figured how the annoucement would happen

<npdoty> ... but yes, I wanted to make sure the division of mailing lists would work correctly for clients

Matthias: my piece is very easy, since we are making progress on open issues
... want to create more work
... want to look at raised issues
... pick some issues that we want to tackle them, or this is clearly out of scope

<fielding> http://www.w3.org/2011/tracking-protection/track/products/2

Matthias: main question, which of these 10-15 we want to discuss in Boston and coming weeks
... others we can make candidates for closing

<schunter1> http://www.w3.org/2011/tracking-protection/track/products/2

<npdoty> or the bottom half of this list: http://www.w3.org/2011/tracking-protection/track/issues/raised?sort=product

<aleecia> (can sort)

Matthias: this is a list of all TPE related issues, browse down half a page

<aleecia> Issue-161?

<trackbot> ISSUE-161 -- Do we need a tracking status value for partial compliance or rejecting DNT? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/161

Raised Issues on TPE

Matthias: first 151:user agent requirement handle exception request

<npdoty> issue-151?

<trackbot> ISSUE-151 -- User Agent Requirement: Be able to handle an exception request -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/151
...means: do we want to mandate that user agents that can store exeptions
... are there oppinions on issue 151?

<schunter1> http://www.w3.org/2011/tracking-protection/track/issues/151

<fielding> we need the new text in TPE first … is that done now?

<aleecia> Required is too strong

<BrendanIAB> http://www.w3.org/2011/tracking-protection/track/issues/raised <- just the raised issues

<Wileys> Required is appropriate

<dsinger> are you asking for opinions on the issue, or opinions on whether we should take it up?

<aleecia> But having a standard mechanism is reasonable
...means: Nick, question of whether to open this issue

<Wileys> It should be open already - or is this a duplicate of an already open issue?

<aleecia> What's the alternative to opening it?

<aleecia> Closing it?
...Matthias: don't want to go into full blown discussion, but no unanimous agreement

<npdoty> fielding, David added updated exceptions at least a couple weeks ago

<Wileys> I object to closing this issue

<aleecia> If we're talking required, let's just close it
...Matthias: leaving it in the raised state, we could open it, or we could close it
... different oppinions and probably worth discussing in face to face
... will later open 151

<dsinger> on the issue itself, I think we have divergence of opinion, yes

<aleecia> Not low hanging fruit :-)

<aleecia> Issue-152?

<trackbot> ISSUE-152 -- User Agent Compliance: feedback for out-of-band consent -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/152
...Matthias: Issue 152
... Is on when you are interacting with website that tracks you to remind you of out of band consent

<dsinger> I don't think I understand the issue.

<Wileys> As a reminder - this is a "MAY" if I remember correctly - as well as allowing Servers with communicating OOB exceptions to the UA

Nick: requirement of user agent to do something with information that it receives

<aleecia> Shane -- I can live with should, if a UA can implement (and not all can) then they should do so (for last issue) But I'm going to fight limiting what a UA can be back door this way :-)

<npdoty> personally, I don't think we need a UA requirement here

<dsinger> I don't think a UA requirement is needed

Matthias: how to notify use this website is claiming out of bound consent

<justin> agreed, npdoty

Matthias: currently no user agent requirement

<aleecia> Again I'm fine with this as optional but not required

Matthias: website tells user agent, I believe I have out of bound consent

<justin> does anyone want to argue for a UA requirement?

<dsinger> UAs should be *able* to check/inform etc., but we'll go crazy trying to work out what they must/should/may/should-not/must-not show :-(

Matthias: now require user agent to notify the users regularly

<Wileys> Aleecia, understood - as per our conversation last week I believe balance is important here. If UAs are permitted with only supporting DNT:1 and not DNT:0, then they are not W3C DNT compliant (in my opinion).

<aleecia> And coming up with a common approach for those who do would be handy

Matthias: question from Justin and Nick is if anyone is pushing this at all

<Wileys> Not pushing as a requirement - only as a "may"

<npdoty> I'm willing to draft an explanation of no-requirement, and see on the mailing list if anyone disagrees

Matthias: that user agent has to give feedback with out of bound consent
... currently user agent can do whatever they like with the signals

<dsinger> as a piece of info, some folks are trying to inspire creation of a 'debugging UA' which exposes and checks all it can

<justin> Is a MAY even necessary?

Matthias: Nick's approach is right, I would like to open it

<justin> Or useful?

Matthias: if no one purshes, we can then close it

<npdoty> open issue-152

Matthias: openning 152, with hope it will be a quick one

<Wileys> Justin, I'm with you - not necessary - was okay with MAY if others were pushing for it

Matthias: 168 is a complex one

<schunter1> http://www.w3.org/2011/tracking-protection/track/issues/168

<npdoty> ACTION: doty to draft proposal that we close 152 with no UA requirements [recorded in http://www.w3.org/2013/01/30-dnt-minutes.html#action01]

<trackbot> Created ACTION-358 - Draft proposal that we close 152 with no UA requirements [on Nick Doty - due 2013-02-06].

Matthias: Is David on the call?

<justin> UAs MAY do lots of things, not sure we want to spell out all possibilities :)

<aleecia> Well, Shane, we'll see what happens with the formal objection. But for now, as things stand, your opinion is not the standard. I look forward to the final round off appeals

<npdoty> issue-168?

<trackbot> ISSUE-168 -- What is the correct way for sub-services to signal that they are taking advantage of a transferred exception? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/168

Matthias: signal they are taking advantage of transfer exception

David Singer: origninal website had orignal consent, how does the transfer of than consent gets relayed back that there is a service agreement here on the third party side

scribe: it was a resulf tof Rigo's text, section 6.7 of TPE

Nick: do we agree with that text or new issue?

Singer: not sure how to show user or user agent how to relay transfer in consent
... its a design issue, seperate from service provider flag

Matthias: wants to open this

Singer: I would like to work with Roy

<npdoty> dsinger, fielding, that sounds like an action item :)

Matthias: we need a proposal on the table, do in a small group

<fielding> I raised it.

Matthias: Issue 162 is also an interesting one, doesn't say who raised it
... if user comes to DNT=1, and only part is compliance that is easy

<dsinger> I think this is the 'under construction' issue

<npdoty> is there a difference between 162 and 161?

Matthias: you comply, you don't comply: do we want anything more detailed

<aleecia> Should we add beta as an issue?

<moneill2> can we get a link

Matthias: will take it to hunt it down

<npdoty> http://www.w3.org/2011/tracking-protection/track/issues/161

Singer: this was the under contruction issue that we did not understand

<fielding> er, no, I did 161

<npdoty> aleecia, I think "under construction" and "beta" are both covered in issue 161

Singer: not yet done, so cannot claim complaince

<aleecia> Excellent

Singer: compliance is not yet claimed by this site

<fielding> dsinger, it needs to be the TSV -- not a qualifier

<moneill2> link to 162?

<npdoty> http://www.w3.org/2011/tracking-protection/track/issues/162

Matthias: more detailed, writing down and taking a look at with whole group

<dsinger> I think it's worth having it as a qualifier so it doesn't obscure 1st/3rd claims

<npdoty> http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0148.html

<dsinger> to Roy: but let's discuss

<fielding> http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0148.html

<aleecia> Action for david?

<trackbot> Error finding 'for'. You can review and register nicknames at <http://www.w3.org/2011/tracking-protection/track/users>.

<aleecia> :-)

Nick: 161 seems related to 162
... maybe we have a proposal from Roy
... do we need some additiona text before we can clearly discuss

Roy: just made a link, efficient to discuss but is not exact text
... only difference is that David wanted to put more things in the qualifier category
... do not want to make this status equivalent to the server being compliant with DNT, they are not

<npdoty> maybe we need to find someone who objects to Roy's approach, and ask them to write up their concerns

<npdoty> could "P1" indicate non-compliant but working on 1st-party compliance?

Singer: problem is indication of working on being a first party site and third party site

<johnsimpson> seems to me that you're either compliant or you're not.

<aleecia> I can live with losing 1/3

Nick: Jonathan had some concerns that we need to work out

<dsinger> to John: you use this status, you are not (yet) compliant, clearly

<dsinger> I can live with losing 1/3 too, it's sad but maybe it makes the important clear

<npdoty> so the concern on 161 may just be confusion or misunderstanding

objection of Jonathan, way to implement protocal without complying, but message is saying it is not compliant

<dsinger> means "Construction in process; response headers, the well-known-resource, and compliance may be correct, or may not be; compliance is not (yet)

<aleecia> Adding a single line of this must only be used for testing might resolve Jonathan's concern

<dsinger> claimed for this site" or something like

<vincent> I think this is a different issue

Wainberg: we should hold off dealing with tech spec for claims of compliance

<justin> Or maybe just the word "only"

<dsinger> Jonathan confused this with a different issue, I fear

<aleecia> Sure

Wainberg: what's the different between I have not fully implemented but I intend to as opposed to I do not plan to implement

<npdoty> I don't think the proposed flag indicated a commitment to do something in the future, just that it was in progress

<dsinger> I think this is HUGELY important as it encourages people to work on bring-up, and not fear that they'll be criticized for mistakes while they are working on it

Roy: no matter what compliance doc says, you don't want the first response to DNT to be legally binding

<aleecia> This is a way for companies to disclaim not complying. It's a fine thing to do.

Matthias: It does not have any meaning at this point, may just be a fixed header

<justin> Of course, there is always the fear that parties will just stay in perpetual BETA to avoid responsibility.

Matthias: use as beta testing with example users, when you are comfortable, you will put the site in projection mode

<aleecia> I can live with either David or Roy's approach with small preference for Roy's

Wainberg: I would like to see text, this is on but it does not mean anything, so ignore it

Matthias: It is okay if Roy puts proposal in text in option block as issue 161

<dsinger> I'll concede to Roy, but I'd like to find some way to know which way the flag will be after it's turn off (1 or 3), if we can

<aleecia> Roy, could you also add a quick "this is for testing" line to address Jonathan's concern?

<justin> I think dwainberg just articulated jmayer's point for him, in absentia :)

<fielding> ACTION: fielding to make text proposal on ISSUE-161 in draft with option block [recorded in http://www.w3.org/2013/01/30-dnt-minutes.html#action02]

<trackbot> Created ACTION-359 - Make text proposal on ISSUE-161 in draft with option block [on Roy Fielding - due 2013-02-06].

Matthias: that's all from my point of view

<aleecia> It will help others understand what we're doing anyway

Matthias: is there any other topic that we have not discussed that people want to start discussing in Boston?

<fielding> aleecia, yes

Matthias: If Yes, you can contact Matthias

<aleecia> Thank you!

Matthias: issue 183: header status for Europe

<npdoty> issue-183?

<trackbot> ISSUE-183 -- Additional Tk header status value for EU -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/183

Matthias: proposal from Mike Oneil
... you raised an issue that servers would want to indicate they are in the EU

Mike: In the EU, not having a DNT set would be equivalent to DNT=1

<aleecia> May I, quickly?

Matthias: want to push for global consideration piece
... I would like to discuss first in European context
... if certain part of protocal need extension, then can come back to TPE for European improvements
... Is that okay with you? (Mike - Yes)

<schunter1> 1?

Singer: I think it will be worth while (112, 167) - design issues

<npdoty> issue-112?

<trackbot> ISSUE-112 -- How are sub-domains handled for site-specific exceptions? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/112

<npdoty> issue-167?

<trackbot> ISSUE-167 -- Multiple site exceptions -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/167

Singer: working with Nick to work on design issues for Boston

Matthias: 168 is also another side group, does it make sense to keep 3 seperate

<Zakim> dsinger, you wanted to say we should have a design meeting on sub-domains (flag needed?) and also-applies-to lists, in Boston

<schunter1> q

<fielding> no, please no more parallel sessions

Aleecia: I'm fine with moving Mike's to global, not where server is located, what matters is where the person is located

<fielding> ditto what aleecia said, though that only applies for those of us who do business in EU

Aleecia: it only matters where the user is located

<npdoty> aleecia, moneill2, was the proposal that the flag indicated server location? or to indicate a level of compliance that would satisfy a certain EU regulation?

Aleecia: suggesting we do not add anything because user already knows where they are located

Matthias: we can close the meeting a bit earlier

<dsinger> we have the user's nationality and location, the party's nationality, service location, and probably a few more to thgro into the mix...

Matthias: I will work on a more detailed agenda with Peter
... Monday and Tuesday for compliance, TPE for Wednesday

<Wileys> Matthias, can you send that out in email?

<npdoty> https://www.w3.org/2002/09/wbs/49311/tpwgmit2013/

<Wileys> Agenda, yes

Matthias: any final remarks, questions?

<Wileys> ETA?

Matthias: will send out a detailed agenda when Matthias has it

<Wileys> Thank you!

<fielding> note there is a process requirement on agenda

Matthias: hopefully we will have agenda by the end of the week

Peter: it depends, we can provide some more detailed things sooner, understanding that it may shift

<Wileys> Shifting is okay - document requirements are critical to know ASAP

<fielding> umm, agenda must be published before meeting … see process

<phildpearce> Thanks

Matthias: thanks and see you next week, if not in Boston

<johnsimpson> Will there be call-in arrangements?

<aleecia> Two weeks in advance for in person as I recall

Nick: will follow up with registration emails either today or tomorrow

<Wileys> Aleecia - that was my understanding as well - meaning this past Monday

- DRAFT -

Tracking Protection Working Group teleconference

30 Jan 2013

Attendees

Contents

Boston meeting discussion

Raised Issues on TPE

Summary of Action Items

Scribe.perl diagnostic output