W3C

- DRAFT -

Tracking Protection WG F2F, Cambridge, MA

12 Feb 2013

See also: IRC log

Attendees

Present
BrianHuseman, tlr, kulick, MIT-Star, johnsimpson, vincent, yianni, Aleecia, vinay, +1.202.656.aaaa, Jonathan_Mayer, Joanne, BerinSzoka, Dan_Auerbach, walter, +1.202.639.aabb, hefferjr, +1.206.658.aacc, +1.646.654.aadd, MIT346, +1.202.656.aaee, Fielding, Mark_Vickers, +1.415.920.aaff, Alan
Regrets
Chair
peterswire
Scribe
Yianni

<npdoty> microphones should be working to people on the phone, but we can't hear you yet, til I fix our speakers

<vincent> yes, can hear you

<johnsimpson> nick I can hear you

<BerinSzoka> code for the phone is 87225# right? anyone else having a problem signing onto the conference bridge?

<BrianHuseman> i'm on phone

<vincent> yes that's the code BerinSzoka

<vincent> it worked for me

<BerinSzoka> weird--I tried a few times...

<BrianHuseman> +1.617.761.6200, conference code TRACK (87225)

<Chris_IAB> Chris Mejia of IAB joining in person

<johnsimpson> we hear you

<aleecia> Are mics in good use?

<johnsimpson> Is some on the telephone not muted?

<aleecia> Sigh.

<johnsimpson> hearing terrible background noise is there an open mic and someone typing?

<aleecia> And cannot hear Ed if he's speaking

<johnsimpson> horrible line

<justin> Ed's slides: https://www.dropbox.com/s/klyhmpc91bxbv84/Unlinkability%20Boston.pdf

<justin> Ed is not speaking yet.

<aleecia> Just went dead?

<johnsimpson> now hearing nothing

<aleecia> Zakim thinks the line is up

<aleecia> Ah. And unmuted.

<aleecia> Then this is a good time to debug...

<johnsimpson> terrible connection

<vincent> sounds like someone is using his phone like a hammer

<aleecia> Thank you, Nick

<johnsimpson> hear peter

<Joanne> having trouble getting on the line

<BerinSzoka> Me too, Joanne

<johnsimpson> I can hear better

<aleecia> Keep trying; I needed a few rounds but it worked

<BerinSzoka> couldn't do it. been on hold for an operator for 10 minutes

<aleecia> Call back in?

<BerinSzoka> I tried 5 times

<johnsimpson> sound seems to be working

<aleecia> Oooof

<aleecia> hearing

<aleecia> scribe?

<peterswire> folks on the phone, we are working on the tech problems

<aleecia> (not in - don't hear that well)

<peterswire> question to those on the phone -- volume ok from thomas now

<peterswire> that was a question

<vinay> yep

<aleecia> fine, thanks

<aleecia> Peter, do we have a scribe?

<johnsimpson> yes

<peterswire> yianni is preparing to scribe

<johnsimpson> that was yes on sound

<scribe> scribe: Yianni

<aleecia> thank you

<npdoty> scribenick: Yianni

Thomas: You should all know that this is all an ongoing process
... the concept of pseudonymous data
... In Germany, we have 2 types of data

<justin> Thomas's slides: https://www.dropbox.com/s/klyhmpc91bxbv84/Unlinkability%20Boston.pdf

Thomas: anonymous data and personal data

<justin> He's on 2 now.

<vincent> thanks, justin

Thomas: pseudonymous data is still personal data but it is treated in a different manner

<vincent> these are Ed Felten slides no?

Thomas: anonymous data is not unique or tied to a specific person

<npdoty> slides are here: http://www.w3.org/2011/tracking-protection/mit/bvdw_w3c_pseud-data_20130211.pptx.pdf

Thomas: reading from the quote

<npdoty> (linked from the agenda and the group home page)

Thomas: if you not able to link to a person or indirectly link, you are out of scope
... if you are able to link, you are in scope

<vincent> thanks nick

Thomas: personal data is information associated with an actual person
... reading the definition from slides of personal data
... the German government years ago recognized a grey zone, something in the middle
... that is the concept of pseudonymous data
... a cookie can be identified with a device
... but not tied to a known individual
... different between US and German data
... this data cannot be treated as anonymous

<johnsimpson> what slide are we on?

<vincent> slide 8

<moneill2> German Telemedia Law http://www.cgerli.org/fileadmin/user_upload/interne_Dokumente/Legislation/Telemedia_Act__TMA_.pdf

Thomas: replace subject's name with other identifying feature to make it impossible or extremely difficult to re-identify
... are processes by digital advertising business making it impossible
... huge debate around IP address, whether they are personal or not
... there are processes rendering IP address anonymous

<vincent> slide 9 now I guess

Thomas: German telemedia act, reading from slide
... yes slide 9
... Data is not allowed to be linked back then it does not make sense
... regarding DNT and the definition of tracking, this definition covers advertising, market research, and tele media
... it is a very broad approach that we can offer services without explicit consent
... if I feel harmed by the tracking, I can push back
... anonymous data is not personal data, it is out of scope
... pseudonymous data are personal data for the business holding the key
... third party, such as a researcher, without access to the key, that is lawful processing of the data

<vincent> slide 12

Thomas: pseudonymous service, normally 3rd parties, change IP address or cookie with random numbers
... last stage, offering users the right to object
... this is the process to change personal data to pseudonymous data, slide 13
... in German law it is a risk based approach
... German law with attention to market research and marketing, not practical to treat session data like health data
... it is difficult for companies to get huge number of consent for advertising

<susanisrael> slide 14

Thomas: there is lawful data processing without explicit consent
... we try to convince German government, that there is a huge opt out regime, and based on German law
... Slide 15 - DNT unset reading from slide

<peterswire> just to be sure -- any sound problem on the phone?

Thomas: the concept of pseudonymous data, tracking in Germany is lawful
... for us DNT unset leads to more flexibility

<vincent> no peter, sound is fine for me

Thomas: in the advertising market

<aleecia> It's ok

<aleecia> Must be Rob speaking?

Rob: this fits in well with the exercise we did yesterday
... the directive is very clear and is usually left out of discussion

<peterswire> rob van eijk

Rob: it is not just limited to data controller, it is limited to any other person
... if police can use pseudonymous identifier because they are a subject, and they can identify then it is still personal data
... pseudonymous data is not anonymous data, so data protection laws still apply
... do not agree that pseudonymous data is a subset of personal data
... it is a third subset of data

<Marc_> q

Rob: if you go through the effort of de-identifying the data, you are not done
... you still need to manage the risk of re-identification
... due to changes of technology, you need to organize your business process to continuously measure risk
... if you are using pseudonymous data for OBA, explicit consent is still needed
... notice and choice principle
... we are making the concept of consent even stronger

<peterswire> in Q, chris mejia is first, marc groman is second; I will ask Thomas to respond to Rob before those

Rob: leaves the task that maybe in some cases there is the ability to have anonymous data and still use the data
... yesterday we used different words, red is highly detailed and identified
... in orange you take steps to de-identify
... in green, you ensure that data cannot be linked, throw away the key
... at that moment it become anonymized
... the definition of identifiability, the burden is not on the controller
... if anyone else can identify, it is personal data

Thomas: Yes it is a process of pseudonymization
... at the end you have pseudonymous data
... DPA opinions, the federal data protection authority that you need to implement in German tele media act
... in Regulation that this proposal might have a good chance in regulation
... it is ongoing discussion, 3 out of 4 reports contain the idea of pseudonymous data
... we are trying to strengthen concept of consent

Peter: part of why this is relevant is not because Europe is a big market
... it is also important that when regulation goes forward is that 3rd parties gathering data would be expected to follow the rules of the regulation
... if you are a 3rd party on a site serving Europeans, you would have to follow regulation
... no distinction between 1st party and 3rd party
... this is a reality that may be coming

Chris: how do you view DNT signal when it is set on by default, IE 10

Thomas: for user choice, default settings are not appropriate
... default settings are not the way to go
... we must offer a proper choice for consumers
... we must be able to recognize the non-choice
... the unset status is pretty important

<BerinSzoka> a bit hard to hear

Thomas: we are talking about global standardization
... default settings in spec are not the way to go
... it is not directly a market issue

<rvaneijk> for OBA explicit consent is needed for a lawful processing, even in Germany.

Marc: interplay between this law and EU data directive and e-privacy directive

Thomas: EU law is complex, EU directive is a guideline

<peterswire> kimono is in Q as well

Thomas: governments must transpose guidelines into national law
... we have Germany who have pretty much done nothing
... at the end a directive may lead to 27 different laws, more or less a guidance
... the second kind of law is a regulation
... a regulation is direct to all members in EU
... if you want lawful processing you need to look into national laws
... if you have a sentence in directive or local law, you need to look at local law

<susanisrael> * john simpson, I think they are not seeing you bc you have to say q+ not q?

Thomas: if national governments decide not to implement, then it could become law (complex)
... German has implemented e-privacy law
... German government that explicit consent is required by personal data, already covered
... the pseudonymous data is going beyond minimum set, so more than required

<johnsimpson> thanks susan, I am saying q? because I want to see who is in the q. I'm not seeking to speak

Thomas: so already under directive, German government decided not to change German tele media act

Rob: it has become clear that Germany is very specific at the moment
... still need to revise e-privacy directive
... risk in following the situation in Germany as a general consensus

<Walter> This reading of the privacy directive doesn't mesh well with current thinking among the DPAs on pseudonymous data

Thomas: pseudonymous risk of uncertainty, but also a chance to show how flexible data protection law can be

Frank: point on from practical side, users can opt out of OBA
... this is being done by different organizations, look at slides from Berkeley workshop

<rvaneijk> german pseudonymous view presented by mr Schauf leads to legal uncertainty, you cannot generalize this situation. DPAs position explicit consent is needed, as indicated in the revised e-priv directive that has not been transposed yet in Germany.

Frank: in addition to opt out, do not track is in place, we need to expose DNT 1 and DNT 0
... in addition we have opt out and DNT, from my practical view this will not work

Thomas: cookie opt out and cookie opt in, consent and not consent, it is a general question
... this is not only a question with pseudonymous data
... in the UK, the e-privacy directive word by word
... UK data protection authorities used implied consent
... similar to give user notice with more information then user can decide what to do
... need to be open about what spec document we send in the world
... make sure the interest of natural person is not harmed
... 95% of users who do not know what work is being done
... need to inform them when data is stored, give them the information then they can safeguard their rights
... consent is not the only way to go

<BerinSzoka> folks the german speakers have been hard to follow on the phone

<jeffwilson> wileys: data protection regulation formally introduces pseud ids

<scribe> scribenick: jeffwilson

concept will likely survive

we'll be discussing going forward, what value it provides consumers and businesses

<aleecia> scribenick: jeffwilson

<moneill2> q

kimon: there are a few things to keep in mind: eprivacy directive says you need consent to store data

it is not tech neutral

<fwagner> from a practical view out of the german law environment an approach which means that dnt is used in addition to the oba opt-out mechanism will increase complexity users have to deal with. From our perspective dnt should be used instead of the actual opt-out approach.

<rvaneijk> art 5.3 in the e-Priv directive is technology neutral.

it is a neutral assessment, we need to recognize that some countries see the req. as so strict that it would not fulfill the requirements of pseud data

<Wileys> Frank, why not use both? DNT for de-identification of data records and opt-out for cessation of profiling

rob: one of the slides shows that the situation that the processing of profiles without consent is permitted

this falls into the category of personal data

text of telemedia act says this is not allowed

thomas: thats wrong - profiles can be created based on pseud data

rob: usage profile is different, I don't think the two concepts are the same

thomas: if tracking personal data, need explicit consent, if pseud tracking, offer right to refuse but no explicit consent is needed

mike oneill: "to the extent that the recipient of the service does not object" is the key text

<Marc_> q

<peterswire> walter will be next; on phone, correct?

they still require consent, pseud data is personal data

<Walter> peterswire: yes, correct

thomas: text- "service provider must offer the right of refusal"

<rvaneijk> this is not the current status quo, the e-priv directive (revised version), states: after having been provided with clear and comprehensive information.

<rvaneijk> This is not an opinion, but a baseline for lawful processing

definition of pseud data - opinions of differ between the committees

marc groman: thanks for the pres, very interesting, I don't think anyone is saying there's a reduction in privacy, only the recognition of three types of data

and the appropriate risks each bucket has

peter: wrapping us session, thanks thomas

tim berners lee is in the room!

tim berners lee: thanks for coming, braving the snow, (lost mic)

this is hard work, creating designs, etc is not where the glory is

listening to opinions that are not consistent with yours is hard, requires mental effort, but is very important

this is how we reach consensus, however

one of the reasons w3c working groups work is there is a backdrop of assumptions that the participants have - world will be better for the work

people using the web to inform themselves, learn, buy things, - the web will be better than it was before, w3c has never been a place for people that hold on to their own opinions

we're here to work together and make progress, sacrifice is expected but appreciated.

so thanks very much

and thanks to peter

massive thank you to all

peter: question to tim - for people who havent been part of w3c before, how do participants overcome objections from companies

tim: its a bit general, but every working group is different

look at things like the history of CSS, HTML, SVG, etc - these things took a lot of time

there is a common thread, that you are the interface between the group and your company

ways of getting people up to speed, ways of sharing techniques, and experiences - going back to your company

and opening up the windows a bit to see what else is out there, where things are headed

marc: regarding participation, we see huge companies - but what about the very small companies - small sites, publishers, companies who don't have the same voice or influence

tim: very good question - we must ask ourselves this constantly

the longtail is important

yes, we have a duty to put ourselves in the shoes of small companies, communities, ind. developers

it is important to support the people who are developing the open web, much of this you dont see

we must make an effort to understand the needs and positions of all

<Walter> sound is really poor now :-(

lou: we represent companies that make content possible - how does w3c measure success?

tim: certainly - does it get used? does it solve the problems?

<Wileys> Deployment equals success - you heard it here.

are the consumers much happier, and does it unleash the potential, etc.

peter: thanks so very much, tim!

we'll break for 5 minutes

<aleecia> Peter's mic is live

<Walter> not anymore, I think

<aleecia> not so muted

peter: hello on the phone - about to start. we'll do 15-20 mins with ed then breakout to groups

after q&a with ed

ed felten: peter asked me to talk about unlinkability, what we've learned over the last decade with data science

<peterswire> sound check -- ok on the phone?

need some definition of de-identified that is precise enough that it can be applied in practice

the rationale for creating unlinkable data was to be able to override the users DNT choice

it is a mistake to think of a one dimensional privacy space - need to consider both privacy and utility

<jmayer> I believe Ed's point was that this is an area justified by very limited privacy risk. It isn't an area where we're balancing privacy and business.

if we're not careful we can design a solution that offers neither privacy or utility

so where should the trade off be?

it turns out to be easier to quantify utility, hard to quantify privacy

<aleecia> no mic = no sound on call

slide 5 - what does it mean to be privacy preserving with regards to performing a data operation?

<BrianHuseman> can't hear

<aleecia> nope

<peterswire> ed will repeat the question

<Joanne> can't hear anyone

<hwest> We can hear you guys!

<aleecia> matthias must be asking an epic question :-)

matthias: i like your slide, but its important to realize that there is another dimension in implementation

<hwest> He's going to put the comment in IRC

<BerinSzoka> we can hear Ed but only him

<aleecia> thanks!

<schunter> My comment (unheard, sorry) was: An important third dimension is the effort to get close to the frontier.

ed: more than 40 years of research, huge amount of work

intuition is an unreliable guide

<schunter> The slide may look hilly at the frontier: While implementations far from the frontier are simple and efficient, getting onto the border may require large implementation effort.

intuition says: if you are not in the dataset, then the data cannot inform anything about you

e.g. are you a smoker?

if so, then your cancer risk is higher

even if you are not part of the original dataset

intuition always says that aggregate data is always safe

e.g. hunch.com - make recommendations based on correlations of things about you

more than a million users were using hunch, but data was relinkable in several instances

last.fm and amazon had similar problems, but since been addressed

what does it mean for a data operation to be privacy preserving?

imagine a raw dataset with some sensitive data (peter swire example) - some portion is private, some public

some frameworks are built on atomically sanitized queries/data

some scenarios have analyst and raw data siloed, some are not, but what must be true to maintain the privacy preserving def

for privacy preserving, need the following: feasible, technically actionable, does not ban all data release, implies some limit on data inference

rachel: from your earlier comment regarding amazon, do you believe an inference is the same as knowing the actual behavior?

ed: no, what i meant to say was that members of the public can make inferences about other members

rachel: well, that is not actual knowledge - just an inference. there's a difference when considering a need to limit

ed: well, I'm not going to argue epistemology

<rvaneijk> @RACHEL: if inferred data is used to base a decision upon you are treating a person differently.. !

<Wileys> +q

chris mejia: inferences are not the same as observations

<aleecia> rob++

<aleecia> but even without decisions...

peter: let me see if i can clarify

sometimes we make observations, sometimes we make inferences, difference is likelihood

<Walter> Couldn't hear Rachel, her mike was off?

<johnsimpson> Rachel needs to use the microphone, please!!

<vincent> moneill2, are you still on the queue from your previous question on German Telemedia act or is this a new one?

inferences are probabilistic

<bryan> a statistical inference is not an implication for user privacy; to know that smokers may get cancer says nothing about a user unless you *know* they smoke, thus is not a privacy concern

david singer: there's a huge difference between finding the record and examining the record

<BerinSzoka> Remember what Justice Kennedy wrote in the majority's decision in IMS Health v Sorrell, striking down Vermont's restriction on use of data about drugs doctors prescribe in marketing of drugs back to them: "Facts, after all, are the beginning point for much of the speech that is most essential to advance human knowledge and to conduct human affairs. There is thus a strong argument that prescriber-identifying information is speech for First Amendment pur[CUT]

ed: amazon example showed that facts could be gleaned from the public inference data

ed: must be some limit on what analyst can learn from the data

goals are modest, but hard to achieve, and knew of no definition that can satisfy all until 2006

ed: k anon is an example that fails to meet the requirements

<BerinSzoka> total silence on the phone

<Walter> BerinSzoka: really, I wished there was a way for the USA to learn about the value of data protection without suffering a totalitarian regime such as the German nazis, but am afraid there isn't.

<Walter> efelten: poorly

<Wileys> Berin - others are saying they can hear Ed

imagine you have a bucket of hiv pos individuals, regardless of size you can infer trait

other problems, assumes there's only one query ever

<BerinSzoka> no can hear Ed

<aleecia> #t

two k anon datasets combined can and have produced privacy issues

<Walter> Yes, it is much better now

<BerinSzoka> hey, Rigo, my grandparents grew up in Nazi Germany. it is very much the moral context I inherited

<Walter> BerinSzoka: It wasn't Rigo who said that, but me

<aleecia> may i politely request we drop the Berin bating on this particular one?

<Walter> you may

<BerinSzoka> second

<aleecia> thank you.

dalenius' goal - what analyst learns about you (side info + answers) is essentially the same as (side info only)

differential privacy is only one that meets all four criteria

means that same answer is achieved regardless of whether or not the subject is in the dataset or not

<peterswire> for the q, is everyone still requesting to speak, or were these from earlier?

your participation / presence in the data is irrelevant. can also adjust "leakage" level to trade privacy vs. utility

<susanisrael> peter, i would still like to speak when ed is done

enables multiple queries, interactions. not affected by side information - entirely safe to enhance

<vincent> I think moneill2 is from the previous session, others are requesting to speak

<Wileys> Peter - yes

enhance the data, "go wild" - it wont impact the privacy

<peterswire> susan and shane -- I see your reconfirmation

there are known methods to achieve DP for aggregate counting queries

peter: re: hashing - what are the attacks?

complex issue - individual methods can be good or bad

replacing identifiers doesn't always help

(ed's reponse)

peter: what about writing code to break hashing schemes?

ed: suppose you have an identifier, such as a phone number - this fails to a simple dictionary attack

<rvaneijk_> hashing does not lead to anonymization, because the one that hashed knows the algorithm and the salt. The hash is reproducible.

<Walter> microphones please!

<Walter> and who is speaking now?

shane: you still need to know the key/salt

there is no brute force dictionary method if you don't know the salt

ed: can be complicated depending on whether or not keys are managed properly

<jmayer> If there's a salt or key, there are key management and oracle problems.

<BerinSzoka> +q

<rvaneijk_> salted hashing is not relevant if you want to accomplish the goal of trying to anonymize the data . The ONLY thing that is going to help you is break the LINKABILITY.

even with rotating keys it can be done improperly

<jmayer> And, as Ed and Rob just noted, that does nothing about linkability.

peter: going to queue

<marc> I think we should continue this discussion and not break out into groups yet

susan: i realized that our difference might be different with regards to privacy and de-id, your assumption about possessing info about anyone might be an invasion of privacy

<jmayer> ...is there a technical question here?

<peterswire> http://www.w3.org/wiki/Privacy/DNT-Breakouts is link to the five breakout groups

<Wileys> Peter, could you please manage the queue in order? thank you

<aleecia> same groups as yesterday?

if someone receives value/content online - they are interacting. it is important to note that not all interactions are an invasion of privacy

<peterswire> yes, same groups as yesterday; some different leaders

<aleecia> thanks

<Walter> +q

<Joanne> same dial in for the groups as yesterday?

ed: this is why we have different levels of sensitivity

<peterswire> alphabetical dial in groups as for yesterday

<moneill2> -q

the only way the definition fails is if the analyst can learn everything

shane: it is important to point out that bullet 3: "does not ban all data release" is relevant to our work

<Walter> susanisrael: I don't think anyone is advocating that any processing of personal data is inherently invasive

<jmayer> You can certainly use differential privacy for internal data practices.

<Walter> susanisrael: I wouldn't, and am probably on the protective end of the spectrum

<marc> +1

when we are discussing our practices - we are not talking external release - only internal use

<susanisrael> walter, i think they are advocating that

<BerinSzoka> Peter, I would really like to hear how Ed would respond to what our Supreme Court has said about reconciling privacy protections and free speech in the context of striking down a consent requirement: "Facts, after all, are the beginning point for much of the speech that is most essential to advance human knowledge and to conduct human affairs. There is thus a strong argument that prescriber-identifying information is speech for First Amendment purposes"

<jmayer> And, in fact, some advertising companies already do just that.

where we have the benefit of controls and practices to protect the data

FTC recognizes this

<BerinSzoka> that seems pretty relevant to me

<Walter> susanisrael: No, I think you have to decouple the question of what is linkable (personal) data and when you may process it

your presentation focuses more on external uses of the data

<Walter> susanisrael: I would concur that observation in a public space shouldn't be curtailed

<marc> q

ed: no it is not exclusive to external use

<justin> We've already had this discussion (several times) --- internal misuse/forced re-ID is one of the threat models we're concerned about.

<Walter> susanisrael: persistent observation would be a different question though

<susanisrael> walter, my point is in part that the internet is in part a public space. There is a valid discussion about where personal boundaries should lie

<vincent> +1 to justin

all i am saying is that the "analyst" can be internal or external, but the analyst still may learn from the data

controls will vary based on internal/external

<Walter> susanisrael: and there we go off the rails, a HTTP(s) session is not a public space, it is a fairly private conversation between a UA and a server

<susanisrael> walter: when I keep walking in public and you keep observing me then that is not inherently an invasion of privacy

<Wileys> All of the examples were external data releases

<aleecia> shall we close the queue?

<Walter> susanisrael: if I keep following you around you might consider a restraining order on me at some point

<aleecia> (not sure if that's what Peter wanted)

<justin> aleecia, yes, close the queue. Can I tell Zakim that?

brian: for privacy issue, you must have a link in the data to that person

<vincent> :)

if we've done everything possible to ensure it's not linkable, then we should be safe

ed: it's about whether the analyst can learn the facts about an individual

<Walter> susanisrael: one of the Transatlantic divides is the lack of appreciation that continuous observation affects access to information

the problem with hunch.com was that the analyst could learn a great deal of attributes via reverse engineering

<susanisrael> walter: in this group we are talking about whether a third party that we do not know is part of my interaction/transaction can learn things about me by lurking behind the scenes, to continue the analogy. We are not trying to outlaw observation, however persistent

<aleecia> (continuous observation makes humans neurotic, same as continuous isolation.)

jon mayer: re: differential privacy - can you provide some examples?

ed: sure - aggregate counting queries is one

<susanisrael> aleecia, i question your assertion and I don't think we are here to cure neuroses either

<aleecia> we appear to be here to cause them :-)

most common method is to compute with some amount of noise, typically less than what is in the data already

<marc> q

<Walter> susanisrael: This is my point, none is for outlawing observation. What I hope we achieve is giving users an option to say: I don't want to be observed by you or third parties outside the context of this website visit

lou: thanks, ed. what is your perspective on permitted uses here?

<susanisrael> Ed's theory implies/rests on the assumption that all observation or collection of information is an invasion of privacy. That is clearly not true.

<justin> susanisrael, the chilling effect of persistent surveillance is absolutely one of the problems this working group is here to address. peterswire acknowledged as much yesterday with reference to the right to read anonymously.

<jmayer> Susan, this isn't a personal "theory" of privacy. It's the way computer scientists have come to think about the problem.

ed: the FTC privacy report shows a common structure - a company has enough measures in place, including contractual, internal controls, etc.

<Walter> susanisrael: no, Ed's theory is not on the legitimacy of the observation, but on the extent to which observation can take place

<aleecia> Susan - that's not actually what Ed is saying. I suggest a one-on-one discussion quickly to clear that up with Ed, if you're still interested.

the core of all that is "what is the thing that you have enough confidence in"?

what is the goal vs. the compliance superstructure

<susanisrael> Justin, while it may be the case that we would like to limit "surveillance" i.e. unknown observation, or that even persistent known observation may have a chilling effect, that does not mean that acquiring any one fact about a person is an invasion of privacy and that is what ed is saying

<Walter> susanisrael: what is contested is what is observable and what not, that is the essence of anonymisation vs pseudonimisation

<aleecia> Susan - I strongly believe that's not what Ed is saying

lou: you mentioned techniques from 2006 - its a moving target

<susanisrael> Aleecia, I do not agree.

<Walter> susanisrael: and I meant by 'can take place' not in the legal sense, but in the factual sense

<aleecia> I can tell :-) I suggest you speak with Ed.

ed: the inventor of k anon knew that some methods were inadequate

diff. privacy works, there may be new methods that will work better

<aleecia> He's looking at a way to eval different approaches

<Walter> who is whispering?

<susanisrael> justin, aleecia, and walter, my point is that we need not only agreement on de-identification, but agreement on a definition of privacy. I do not believe Ed is presenting the right parameters for this

to be clear - not proposing diff. privacy, only that we keep in mind what is feasible. k anon has its limits and may not work

<Walter> and as jmayer said, this is a computer science approach, it is the inevitable conclusion of information theory

<LMastriaDAA> i agree that specific de-id should not be set in stone

<Walter> susanisrael: Oh, i concur that a definition of privacy is also needed

felix wu: i am noticing a disconnect in our conversation. it's a question of quantifiers - are there any limits on data inferences that meet the goal?

<Walter> susanisrael: or more precisely, of what we try to protect

<aleecia> if we were to use the defn of privacy as control (not my personal favorite, but the most common) then Ed looks like he's utterly permissive

ed: the inferences i am thinking about are "facts" about individuals

<LMastriaDAA> one of the open questions from the de-id preso is what risk are we mitigating?

<aleecia> we're not mitigating risk. we're providing a PET.

<susanisrael> Aleecia, again, I do not agree

ed: need to focus on attributes of people in the world, not what's in the DB

<susanisrael> +1 to Berin

<aleecia> the alternative is we think users should not have choice, control, and transparency

berin: can you give your reaction to the supreme court for the requirements for consent that companies needed to use prescription information for marketing

<jmayer> Isn't this a question for a lawyer?

<justin> First Amendment governs W3C?

<susanisrael> Aleecia, I don't agree that that is the alternative

ed: i'll remind you of the state action doctrine (?)

peter: going to breakout now

<npdoty> http://www.w3.org/wiki/Privacy/DNT-Breakouts

<aleecia> P3P was a PET. DNT is a PET. efficacy remains to be discovered.

<Walter> aleecia: that is a lovely way of putting it

<Walter> I'll store that for later abuse

<LMastriaDAA> efficacy needs (perhaps presumes) an objective basis for determining whether we achieve or not

<BerinSzoka> for the record, I don't accept Ed's answer--in large part because I do not accept the premise that there is no state action behind this effort. Exhibit A would be the pressure brought to bear by the W3C, notably through Ed himself

<Walter> LMastriaDAA: I'd be happy to take Ovums's recent research as a starting point

<aleecia> oh, no doubt we'll be debating efficacy for years. Every time there's an attempt at legislation, at the very least

<Walter> BerinSzoka: W3C is not a state actor

<justin> Does a Joe Barton letter to a data broker asking about their practices constitute a First Amendment violation, BerinSzoka?

<susanisrael> walter, I think Berin was talking about the principle not about W3C standards. Ed was making assertions about what rules should apply.

<BerinSzoka> yes, I was talking about the general principle, which Ed dodged

<susanisrael> Justin, i don't think berin was saying inquiry about practices is a first amendment violation

<BerinSzoka> Justin: does Joe Lieberman making a phone call to Amazon and "persuading" them to cut off hosting to Wikileaks count as state action?

<Walter> susanisrael: I think that if companies agree to use standard X, which includes promises on what data to process and what not, then the FTC enforcing that as part of their consumer protection mandate is not abridging free speech since the companies chose to adhere to standard X

<BerinSzoka> could someone remind us on the phone about which group to call in for?

<Walter> this coming from someone who obviously is outside any US tradition of constitutional law interpretation

<Walter> BerinSzoka: I think that's an apples & oranges comparison

<Walter> susanisrael: and again, Ed was expressing the current scientific thought on what constitutes anonymity from a computer science perspective. That is not a value judgement of non-anonymity

<Walter> anyway, time for coffee here

<susanisrael> walter, re: comment at 11:15. No one said FTC enforcement of rules and laws re: deceptive practices is an abridgement of free speech rights

<Walter> susanisrael: I tried to infer your reasoning. I hope I don't come across as overly aggressive here, because I think your concerns are genuine and need a frank discussion.

<hwest> Folks on the phone - if you're dialled in to the normal number, you should join #dnte

<hwest> BrianHuseman, type "/join #dnte" if you want to be in the room for the discussion we're about to have

<rigo> nick? can you tell me how the zakim rooms are named?

<rigo> I want to tell zakim what conference that is

<rigo> I'm in dnte

<BerinSzoka> when are we starting again?

<aleecia> I'm calling in from home. Someone outside just started up a jack hammer. Bwah?

<johnsimpson> Thanks

<bryan> scribenick: bryan

<vinay> yep

<Joanne> yes - coming in

<npdoty> thanks to bryan and susan for volunteering

de-id working group readout, path forward

peter: struck how similar answers were from the groups
... 1st what terms to use. all groups ended up focusing on de-id
... unlinkable is a promise, de-id comes closer to the goal
... 2nd what text to use, basic agreement on the structure of the words using DAA / FTC as base

<fielding> But de-identified is a process, not a state of being. Non-identified would make more sense.

peter: Rob (FB) had a question about reliance upon agreement to not re-id

<npdoty> +1, I think this is smart, may not need any separate public statement

peter: if we put "wont" in the text we may not need a 2nd requirement to explicitly promise

<justin> I asked "what does this solve for?"

robsherman: concern is that we have a response header, but it gets complicated in addition that there needs to be text somewhere that says more than the standard calls for

<justin> As long as you still have an obligation to say you're honoring the signal, I don't care about a separate promise . . .

<BerinSzoka> yes, I'm on the phone

efelten: you can say that compliance means that you promise to not re-id

<BerinSzoka> but not in the queue

<BerinSzoka> I'm muted

<BerinSzoka> I can hear you fine

<BerinSzoka> yes

peter: next task was to id examples via use cases that do or not qualify for de-id
... a # of examples that were not de-id, e.g. UDID on smartphone

fwagner: on the case of UDID, it can be directly id'd to a user, thus cannot be classed as de-id supporting
... cookie info similarly cannot be classified as de-id

dwainberg: looked at de-id methods per its risk of re-id, and UDID is one that had high risk

peter: ed explain other use cases

<LmastriaDAA> +1 relative re-id

efelten: 3 use cases did not meet the definition
... #1 ???
... #2 there is something in the URL that contains a de-identifier
... e.g. user name, email address, id on sites where that's correlatable,
... #3 URL history where company holding the data cannot reasonably say that the history can't be linked

lmastria: on the 1st, PII, straightforward
... 2nd also if PII it's similar
... 3rd one is hard to define, and not sure it moved the consensus forward

peter: open to comments on the use cases, presume they will be written up

<fielding> I still don't see any connection between de-id and tracking given that we have already agreed that tracking is turned off for DNT:1 unless consent has been given. De-id is a general privacy concern for keeping data beyond the permitted uses, but we do not have any reason to keep data that cannot be used for tracking and isn't necessary for one of the permitted uses. So, I'd rather see a definition for tracking.

peter: any comments on the rest? none
... other question: need a 2nd category on pseudonymized data

shanew: on the use cases, we also id'd two other areas re other things to prohibit; modeling to a small population
... e.g. this model can work for one user, the pattern is too specific
... also do we infuse concepts of sensitivity into this

<efelten> "Modeling of an individual user" sounds a lot like re-identification.

shanew: e.g. HIV example, none of us would do that, but does it have a place in this conversation

peter: sounded like there were certain categories in which an extra level of screening is needed... how would that qualify for de-id

<npdoty> for child data, we explicitly chose to leave that sensitive category out of the standard altogether

<aleecia> This issue is closed

<aleecia> http://www.w3.org/2011/tracking-protection/track/issues/15

shanew: should we just be silent, leave to regulatory / legal? fine with that

<susanisrael> efelten, i think what shane said is that he would not model at the level of one user or even a small group. I think it was just not captured right here.

<justin> Sensitive data is stuff you should get an opt in for. DNT is an opt out standard --- goes to everything else.

aleecia: we close the issue whether we would treat sensitive data differently, e.g. for children's data

<Wileys> Justin - that works for me

<Wileys> Aleecia - thank you, I'm fine with keeping it closed

aleecia: if there is new info we can reopen the earlier issue

chrisPedigoOPA: we talked about browsing history. a concern from a publisher view is that the user turned DNT on, and is served an ad based upon a visit to the publisher's site,

<aleecia> For first parties?

chrisPedigoOPA: something would seem to be awry, if the ad was based upon browsing history

<aleecia> I'd support that

<npdoty> was that concern about ads customized to other articles on the same site?

efelten: FTC thought its definition did apply to browsing history; the key question was to the level of confidence, but no special treatment for history

felix: what happens when you have tracking enabled by browsing history? if history is collected, building a model that feeds back to UX, can we distinguish ways that is OK?

<ChrisPedigoOPA> Aleecia, my concern is that a user may be retargeted off the publisher's site based on their visit to that site

felix: an example is that it feeds back based upon a sensitive category

<susanisrael> aleecia, i think chris is talking about 3rd parties, but he can confirm

felix: it's not purely a use case question, but the notion of how the nature of de-id'd data could affect its future use

<aleecia> That seems a reasonable concern, but I am still not clear if you mean first or third parties

<aleecia> (we may already have this covered, depending)

efelten: thru the 2nd branch of the FTC language, promise not to re-id speaks to how to use the data

<aleecia> -- still disagree

<npdoty> bryan: very much in line with what we asserted; a de-identified privacy history is not a privacy concern, the concern is if it is reattached to a user at a later date

bryan: a de-id'd history by itself is not a concern, but only when it was reconnected to a user

<aleecia> (disagreeing with Bryan, that is)

peter: on the role of admin/tech controls
... shane has spoken about the role of these controls

<ChrisPedigoOPA> I mean 3rd parties

<fielding> Content customization based on request context is not tracking -- that is anticipation of needs based on similar requests that occurred in the past (models) or based on the guesses of the content developers.

shanew: this comes to the confidence question, the risk based model, it's not a technical outcome but a confidence-based one

peter: commenting on that, re HIPAA, it has a standard for very low risk
... there is some low risk that is acceptable
... but in HIPAA de-id'd means that you can put it on the net with no controls

<npdoty> fielding, did that just come up? or is that a general comment?

peter: but in a database/locked world, the risk may be greater given someone breaches the controls
... that's a reason for org controls to be considered

<Wileys> The user never said that

efelten: the user has said they do not want that info to be collected, retained, or used.

<fielding> npdoty, it was based on some earlier comments about models that was not clear

efelten: the question is whether what is done with the data is aligned with user preference

<susanisrael> *Bryan, let me know when you want me to scribe. We can take short turns.

<rachel_thomas> it is difficult to make statements about "what the user wants" with any certainty when we haven't defined what tracking means.

chapell: since we decided not to require browser to define DNT, it's not reasonable to say that a promise is being made to the user

<susanisrael> Bryan, shall i scribe?

chapell: (please correct if I did not get that)

ok

<aleecia> scribenick: susanisrael

<scribe> scribenick: susan

<npdoty> Chapell: "promise" seems to imply a regulatory involvement, as opposed to just complying with a standard

<susanisrael> peter: ......my working assumption was that you said you were going to do something, if you say you are doing do not track, so that would be something ftc could hold you to

<justin> Promise is not magical. Any statement (as we've agreed to in the std) is actionable by regulators.

<rvaneijk_> agree with Rigo, in the EU it is a legal obligation.

<efelten> I didn't mean "promise" as a legal term of art (if it is one). I just meant a clear representation to the user that a company was compliant.

<susanisrael> peter: can you review history?

<Chapell> efelten, thanks for the clarification.

<justin> Privacy policy or elsewhere (response header, wkr, etc)

<susanisrael> aleecia: talked about regulatory hook, conclusion was that we didn't need separate statement for reg hook, but saying they are following dnt in privacy policy ok in us, at least

<susanisrael> peter: what i heard you say was if you put in priv policy we are following dnt that would trigger sec 5 kind of promises in us

<susanisrael> has there been discussion whether there is discussion in tech spec

<susanisrael> shane: we have open issue on this

<aleecia> that was our belief, but we are not the FTC

<fielding> At least some of us are not lawyers and cannot answer that question.

<npdoty> that was one of the stated goals of the tracking status response

<aleecia> and by "our" my meaning here is the WG, not the academic or royal we

<susanisrael> davidwainberg: if a co were to act contrary to specific statements, like saying they are 3rd party not 1st, yes, that's deceptive,

<susanisrael> but idea of commitment to spec being a promise that gives rise to sec 5 authority was contentious, open issue

<npdoty> dwainberg: agreement that if specific statements in the tracking status resource is incorrect that would be binding, but dispute whether tracking status resource implied compliance with entire standard

<susanisrael> rigo: i think there is no contention here bc main discussion was that sending headers back and forth was not sufficient to trigger liability for lying or deceptive practices

<justin> 6.6 of the Compliance std: In order to be in compliance with this specification, a third party must make a public commitment that it complies with this standard. A "public commitment" may consist of a statement in a privacy policy, a response header, a machine-readable tracking status resource at a well-known location, or any other reasonable means. This standard does not require a specific form of public commitment.

<aleecia> justin, my memory is that was one option, yes?

<susanisrael> bc of p3p cases where companies sent deceptive p3p headers to make ie6 work and court said that was not sufficient to trigger deception

<npdoty> as I understand the current draft (and the stated purposes during the design process) of the TPE, tracking status resource files/headers indicate third- or first-party compliance

<justin> aleecia, I thought we were in agreement --- you have to make some sort of representation. I disagree with rigo that a response header would not be sufficient.

<susanisrael> that is why i think no contention, but that is why us side wanted statement in privacy policy

<fielding> who is speaking?

<npdoty> to be clear, none of us knows for sure what the FTC would do.

<susanisrael> chris p: no company--I would be shocked if any co just said I am w3c compliant...they would lay out in privacy policy how they comply when 1st/3rd party, how they de-id data, etc

<aleecia> the concern was it might not be enough in the non-US countries

<aleecia> that it might not be enough in the US was not a widely voiced view at the time

<susanisrael> peter: to confirm, merely sending headers would not be deemed a commitment for which violation would be deceptive

<aleecia> but the idea was you accept all of DNT, not that you reply with an ack and then put in your privacy policy "but what my implementation is..."

<aleecia> (that is, the point David is making right now)

<BerinSzoka> +q

<Wileys> open issue - providing a response header that points the user to the specific representation by a website

<susanisrael> david singer: browsers want to know what you get when you implement/send dnt, and compliance doc needs to establish a baseline of meaning

<johnsimpson> +1 to Justin

<susanisrael> justin: I thought if you acknowledge dnt header, and then disobey, i thought that was to be actionable

<susanisrael> shane: 2 points: to this point, we have an open issue as to allowing orgs to point to response header, as opposed to just acknowledging receipt of header

<susanisrael> peter: in tpe?

<susanisrael> shane, yes. to ed's point : the user has asked for x and we don't know that - up to this group to decide what we want to offer

<aleecia> Turns out there's research on that, Shane

<justin> Yes, agree (somewhat) with WileyS on that --- I don't like that disparate compliance approach, but either way I think the server response would be actionable . . .

<aleecia> We can answer reasonably well what users (say) they (think they) want

<wseltzer> [My recollection of the P3P case was that the incorrect response was deemed sent in order to trigger browser action, rather than as indication of a promise. That's different from just "standards compliance."]

<fielding> NOT an open issue

<susanisrael> peter: suggest we take off meaning re: sec 5 of response to dnt header from today's discussion

<johnsimpson> Please note Roy's comment

<aleecia> wendy - actually, FTC said they would enforce for P3P. Ignoring CP abuse is rather absurd.

<susanisrael> chris_iab: don't understand how ftc's view is relevant

<Wileys> Aleecia - I disagree that you can make that assertion - surveys are all over the map on this (directional or tied to material impact to real-world give-n-take scenarios)

<wseltzer> aleecia - I was commenting in reference to Rigo's comment

<susanisrael> peter: bc of rob sherman's point that we don't need an independent promise, but now I think we may have to revisit that.

<ChrisPedigoOPA> Justin, I'm not saying that companies are going to blatantly depart from the W3C standard. Just that they wouldn't open themselves to broad liability by simply saying they are DNT compliant.

<Chapell> My apologies to the group - I wish I had not brought this up. The more important point is that we seem to be assuming that the User is being promised something, but we aren't defining what that thing is

<aleecia> Shane - would love to trade references some time, but I disagree with you. Perhaps you are reading things I am not -- I'm open to learning more. At present, I believe you are quite wrong.

<susanisrael> so that was a specific point about whether such a promise, which some people thought was stronger, would be duplicative

<justin> ChrisPedigoOPA, I thought we had agreement that you had to make a public assertion of compliance in order to be compliant. I thought that issue was closed. Either way, I think the response header from a company will suffice as that representation.

<susanisrael> rachel: i think it's context of this discussion today that is making a promise about re-id more important

<susanisrael> rachel: i question whether we need to revisit that

<susanisrael> rob sherman: just to respond--suggest we leave specific commitment out, unless we decide we need that globally and not on this specific issue

<ChrisPedigoOPA> I think if a company is DNT compliant, they are most certainly going to publicize that. But they won't simply say they are DNT compliant. They will want to lay out exactly how they comply so there is confusion or ability to interpret it differently

<rigo> aleecia, wendy, it wasn't the FTC, it was the court that decided it is "mere technical exchange of messages", so the FTC is not in question

<BerinSzoka> Can I just have 30 seconds on the FTC enforcement issue?

<BerinSzoka> I think it's quite simple

<BerinSzoka> =q

<BerinSzoka> +q

<susanisrael> don't want to set up precedent that no magic language on something makes it different, and we can't resolve ftc authority here

<efelten> +q

<justin> ChrisPedigoOPA, that is not a unified DNT standard. There has to be a floor.

<aleecia> Rigo that's new to me -- would love a citation (not arguing with you, would really like to see what that was.)

<susanisrael> chapell: apologies for rathole, i think we've been careful about describing promises

<npdoty> Chapell, I think dsinger's response was that the browser couldn't explain to the user until we set what compliance would mean

<susanisrael> fielding: what we are describing here is protocol, cannot decide how regulators will interpret. If we do i will log off, can't participate in those discussions

<jmayer> I don't think this is or should be a TPE issue.

<jmayer> +q

<susanisrael> peter: have sense that response to header is more limited to some people

<rigo> aleecia, I never saw the original text of that court decision. I think it would be worthwhile to ask Lorrie whether she has the text

<susanisrael> peter: shane made a point that there would be lower risk in practice with these organizational controls

<npdoty> is there disagreement between WileyS and efelten on applicability of organizational controls? would either differ on how to apply the FTC definition of de-id?

<aleecia> rigo having talked about CPs with Lorrie and written on the topic of their abuse, to the best of my recollection she never mentioned any such thing

<susanisrael> ed: definition talks about how a company has to have a necessary level of confidence that data can't be used to infer or ...........

<susanisrael> ed: i don't know how we know an actor not in this room has org controls

<susanisrael> lou: ftc definition does not include infer

<susanisrael> ed: i will find it

<justin> From FTC report: First, the company must take reasonable measures to ensure that the data is de-identified. This means that the company must achieve a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, computer, or other device.

<justin> Page 21 of http://www.ftc.gov/os/2012/03/120326privacyreport.pdf

<jmayer> If "topic" = "talking point," then yes, the good actors vs. bad actors line is a common recurrence.

<susanisrael> peter: i think there has been discussion re: good actors and spec, vs bad actors who will not sign on. Aleecia, history?

<bryan> "a particular consumer..."

<LmastriaDAA> my bad

<justin> Good actor v bad actor is not a dichotomy.

<susanisrael> aleecia: generally we are speaking more about good actors, but not exclusively

<bryan> not a modeled class/set of consumers

<efelten> -q

<susanisrael> ed: p. 21 of march 2012 ftc report: means co must have reasonable confidence that co cannot infer ....identity....etc. [quotes]

<fielding> efelten, "infer information about" is awful broad

<susanisrael> jmayer: we noted in our group lack of agreement re: how ftc/daa texts apply

<npdoty> jmayer: there might be less agreement than there appears

<vinay> yep

<bryan> and the inference cannot occur unless the data controls are breached, which is intended to be an unreasonable situation

<aleecia> P3P != P3P CPs

<susanisrael> berin: people who are referring to p3p statements being nonenforceable are citing a red herring. issue in those cases was materiality. should assume enforceability

<BerinSzoka> fair, aleecia

<susanisrael> peter: propose to state from de-id today: the term de-identify. re: a no of use cases, i heard several people say agree.

<BerinSzoka> (But let's not use CP for "compact policy." It's generally used in tech policy to mean child porn)

<susanisrael> propose to have a task to clean up this part and create text on it

<fielding> efelten, for example, distinguishing a human from a zombie attack robot is inferred information about the user but is in no way identifying that user

<susanisrael> dwainberg: in our group no consensus that definition of de-identify is right place to draw line re: what is in scope for specification

<susanisrael> peter: understood that to be a logical requirement for a standard that at some point things be aggregated enough or de-identified enough that spec does not apply

<aleecia> (thanks for that tip, Berin)

<efelten> Roy, the definition was aimed at linkability, which isn't quite the same thing as identifiability.

<susanisrael> dwainberg: appreciate approach of taking risk-based approach, but don't know that we are at point of defining state of things outside do not track

<susanisrael> have not had conversation about what is in scope and what we are trying to solve

<rigo> aleecia, here it is http://blog.ericgoldman.org/archives/2011/12/the_cookie_crum.htm

<aleecia> without mic -> hard to hear

<susanisrael> Peter: understand link in your mind between scope and definition of tracking

<aleecia> Rigo thank you, but that's LSOs

<rigo> I know, but perhaps we can write the guy to find out what happened and get the decision

<susanisrael> fielding: where we state that de-identifiable data is ok the most common practice in the room people exclude [delete] the data

<aleecia> there is no user representation other than members of IAB promise not to use LSOs for behavioral advertising

<susanisrael> BREAK

<wseltzer> [adjourn for 10 min]

<aleecia> pulling the decision shouldn't be hard, but it's a decision about a very different thing

<fielding> efelten, then it should say "infer linkability to" and not "infer information about"

<npdoty> scribenick: bryan

peter: starting again

achieving success in the compliance spec

peter: asked to co-chair in Nov, since then >50 stakeholder meetings

<susanisrael> *Bryan if you want me to do this part let me know

peter: attempt to listen to the very diverse input so far
... 1st question: working slowly on the TCS we could be here a year, any problem with that?

shanew: agree that we could be here for a year, but would rather put in the time to ensure that the spec is not full of unintended consequences

peter: what will it take for us to converge sooner? an april F2F may be needed...

<fielding> how about fewer F2F meetings and more time spent writing the actual draft?

peter: Tim spoke today, he described what we are doing as (1) relieving the tension that has led to contentious debate, and (2) the result should not be null
... (showing "Criteria for Standard" slide)

<npdoty> http://www.w3.org/2011/tracking-protection/mit/plenary.swire.021113.pptx.pdf

<npdoty> slides 5 and 6, I believe

peter: overall criteria is to create a W3C standard, not null e.g. exactly the same as when this started, and that can reduce tracking for participating sites
... looking at the charter
... mission of the WG is (reads the mission in the charter)
... (reading from the scope)
... also compliance
... (reading deliverables)
... group has decided not to move forward on TSL
... since I'm chairing the compliance spec, producing one is what we have to do

<npdoty> (slide 3 from peter's opening slides)

peter: (looking at "History & DNT" slide)
... persistent, one-time choice for user; tech neutral, and reversible
... talk about choice and harm
... I understand that DNT Is a choice mechanism for users
... we have at least one other, e.g. the DAA mechanism
... I asked yesterday what was the harm that resulted in the DAA, and did not hear anything, thus consider it a choice mechanism
... so we are looking at a choice mechanism; now will consider some things we might do to complete that

<vinay> Is Peter talking off of slides? If so, can someone share them to those on the phone

<BerinSzoka> +q

<johnsimpson> Are there slides on this?

peter: laying out a set of things, trying to make sense of this; every decision will be subject to consensus, and issues will be discussed one by one
... the job is to determine if there are reasonable objections to each item, not all at once; capped by an overall process to determine if you can live with it
... consensus on any one item does not affect agreement to the whole thing
... another way... there are not line item vetoes
... Tim said we are here to get a job done, not make a point; sacrifices are expected and appreciated; listening to other opinions is hard but important
... now talk about the provisions
... permitted uses
... an optimistic thing; there is a lot of consensus on what's important on what is needed for the net to continue

<Wileys> John, no slides here in the room

peter: on de-id, we know now what should go into the normative text

<aleecia> thanks, Shane

peter: we may need more work on explanatory text, but need to create issues and work them
... re service providers... some things to make all sides upset
... for SPs, there are well defined procedures for controllers and processors; turns out to be identical to those rules under HIPAA
... e.g. responsibility is to the principal and contractually bound
... defining details of inhouse and outhouse gets into difficulty
... I would suggest that this not be in the standard: a list of SPs that can be shared with the world
... also a list of who may be getting the data but not complying
... similar to HIPAA; at a practical level, it is very difficult for large companies to provide a list of every SP

<justin> Current strawman text from bare bones document: Outsourced service providers are considered to be the same party as their clients if the outsourced service providers only act as data processors on behalf of that party in relation to that party, silo the data so that it cannot be accessed by other parties, and have no control over the use or sharing of that data except as directed by that party.

<npdoty> justin, that seems promising. is there a reason permitted uses compliance heading now includes service providers?

<rigo> I thought we have had consensus on service providers since ages as "having no own rights on the data" In which case they are considered first party

<aleecia> Rigo, not only do I disagree, this is a body-on-the-tracks disagreement

peter: I have heard proposals about appending data; as I understand there is 1st party known info that can be shared with data brokers, to get more info about users; my understanding is that this is outside DNT's intent re limiting leakage

<aleecia> In the EU, you have legal liability resting with the data controller. In the US, we do not.

<aleecia> We cannot add liability to a technical spec

peter: also some aspects of market research; thanking ESOMAR for explaining how this works

<justin> npdoty, don't understand the question

<npdoty> I think we have ISSUE-170 for data append, though BareBones.html refers to a non-existent issue-229

<aleecia> To me this is about transparency: no secret databases. No data flows that users cannot understand

peter: one aspect is the panel-based collection and use; this works and is understood

<npdoty> justin, sorry, the heading for section 6.2, Permitted Uses, now explicitly includes service providers as well as third parties

<rigo> aleecia, we said that first parties better mention those service providers (should) because browser could consider them third parties or malicious

peter: 2nd is the targeted collection of info for specific demographic groups; under DNT 1, this would be reaching out for additional info after they have said they do not want to be tracked

<fielding> aleecia, curious where you get the idea that US has no liability for data handling, but we should have that conversation in person some time

<Wileys> Aleecia, for users the important element is who is responsible for the relationship with them. In this case, the 1st party is responsible, not the Service Provider. Companies should not be forced to display who their vendors are if those vendors are simply agents of that company. LEGALLY that Service Provider is no different than the company it is representing.

<aleecia> Roy any time we're in the same place, I will buy the first round

<justin> That should go out.

peter: seems to me hard to explain how pervasive tracked info put into databases is OK as long as it's not shared

<aleecia> Rigo if you listen to Peter he is saying no, there's no need to mention service providers. That the companies themselves do not know where they send data, so we should not worry about it because it's too hard. I deeply disagree.

<Wileys> Aleecia, for US context, please review the legal concept of "agency" (which is a bit more limited in the Service Provider case as they are not able to take on liability for the company they are serving)

<justin> "real market research" . . . I don't see how you can draw that line.

<Wileys> It is this same concept of responsibility in representation that leads to the Data Controller / Data Processor divide in the EU.

<susanisrael> justin, it is worth further discussing how you draw that line

peter: sitting down with W3C staff, there aren't many more unresolved pieces in the document; much is stable

<rigo> aleecia: I see. I say: We have a good definition, everybody was ok with it and we have a reasonable "should" for the tracking status. I do not see why we should get rid of that

peter: there may be some areas where more work is needed; issues can be created with leaders and small groups to work on them

<justin> susanisrael, sure, I'm willing to have the conversation. I just don't see from peterswire's talk where that line logically is, and why "real market research" would logically retain less data.

<aleecia> Shane you've read the FIPPs. without knowing where your data goes, you cannot have notice, choice, access, or user-initiated redress

peter: two things not mentioned: default settings, and meaning of compliance to DNT

<aleecia> and that's just the US subset

<susanisrael> justin, i think he is suggesting it is better defined and arguably has a known scope in each instance

<justin> Also, if there is a *narrow* carve-out for market research, that argues for a stronger locking down on the deidentification requirement.

peter: a continuing thread about the def of tracking
... the spec is the simple answer
... others have said no def is the way to proceed

<justin> susanisrael, and I disagree at first blush, but willing to have the discussion! Maybe there's a silver bullet.

<aleecia> Rigo that's not what Peter just suggested. He just suggested not even a should. Just: companies don't know where they send data, so don't worry about it.

<aleecia> That's not reasonable at all.

peter: any def limits everything in the spec

<susanisrael> aleecia, if a service provider has no rights to the data independently, your data does not 'go' there

<rigo> +1 to Wileys It is funny that the service provider/ data processor is the only thing where we clearly opted for the EU model. Nowhere else we did that

peter: having a separate conversation about the meaning opens up revisitation of everything

<hefferjr> I did not hear that companies don't know where they send data before they send it, but they might not know (or update the list) in real-time to inform the user at time of collection.

<aleecia> Susan if Amazon sends my home address and credit card number to FedEx, my data does go there.

<fielding> IRC please

peter: David had put up a definition of tracking

<Wileys> Aleecia, its a representation issue - as long as the 1st party takes responsibility then knowing the exact details of vendor relationships is not a required transparency element

<wseltzer> [slide: "Tracking is the retention or use, after a transaction is complete, of data records that are, or can be, associated with a single user."]

<justin> aleecia, I don't think that's what peterswire was suggesting. Just that you don't need to document to the user every service provider.

<johnsimpson> Can we get in IRC

<rigo> aleecia, getting rid of that definition means that those other deliveries will become third parties according to the definitions we have currently in the specification

<efelten> "Tracking is the retention or use, after a transaction is complete, of data records that are, or can be, associated with a single user."

<Wileys> Aleecia, this aligns with FIPPs

<aleecia> And I'm saying that secret databases are anathema to privacy protections

peter: there may be problems with this at a text level; but I invite any input on what may be a problem with this

<aleecia> Not even asking for user control. Just transparency.

<rigo> efelten: we have to define it in further detail for DNT 0 because we need clear permissions for the EU market

peter: now on procedures; the effort to simplify down the open issues; the bare bones is not that long, and is the normative representation

<susanisrael> aleecia, too long for irc, but happy to discuss offline. If fedex has no right to retain your data, but it "passes through" their hands, it does not go (end up) there

<dsinger> …notes that the definition was an attempt to 'shrink the ocean' -- if your data falls outside this, we're not interested; if inside, read on for the details.

<efelten> I'm just quoting what Peter had on the slide, for those who aren't in the room.

peter: something that length should not take another year

<aleecia> thanks, Ed

<susanisrael> * Bryan, do you need me to scribe shortly?

sure

<rigo> susanisrael, fedex is delivery. Can they take the data to profile the people delivered?

<Wileys> Aleecia, Companies are not compelled to release their intellectual property - vendor relationships are part of the competitive landscape. There is no "secret database" there is only I'm working with company XYZ and who they decide to hire to assist them in that regard as a pure Service Provider is no different than still just working with company XYZ

scribe: from Nov to now was a listening session, now we need to work hard on closing the issues

<peterswire> q;

<aleecia> Susan happy to take you up on that, and this suggests at least some path forward: if we truly had short retention times for SPs, this would not be something I would like, but it would take me from body-on-the-tracks to being unhappy. Which would be a real upgrade.

<rigo> Wileys: would you consider it harmful to have "should" of service providers in tracking status file?

<susanisrael> rigo, don't think fedex is best example, but idea is a service provider cannot use or retain the data except to help the first party do something

<Wileys> Rigo, I believe it should be a MAY (sorry to mix the terms in my response :-) )

<rigo> susanisrael, yes, this is exactly the idea I had in mind as an consensus

BerinSzoka: when you mentioned the harm question for the DAA, ... (could not summarize, help is welcome)

<aleecia> ouch

<tlr> ouch in the room, too

<npdoty> SORRY

<fielding> I like the direction forward, but I think that where the charter says "This specification defines the meaning of a Do Not Track preference" it means a definition that can be adequately conveyed to a user that is making such a preference. I think that definition is the basis of all of the other definitions we have discussed, and should be understood first before attempting to decide smaller issues.

<rigo> Wileys, yes, even a MAY, because if you don't, the browser MAY consider it a third party and block it

<aleecia> Berin's basic point is that he still does not agree we should do DNT, as I understood it, because he is not convinced there is harm.

<dsinger> roy, speak up and slowly

<aleecia> Berin please tweak as needed

<johnsimpson> David Singer: Does your definition apply to 1st parties?

<justin> fielding, is dsinger's definition sufficient?

fielding: comment in irc; think the def of DNT is critical; we can't make reasonable statements re what the user is expecting without it

<Wileys> Rigo, I'm fine with MAY and that company takes the risk their Service Providers are accidentally blocked

<fielding> dsinger, that's why I typed it in irc ;-)

jmayer: how would this approach apply to permitted uses other than those that were broader than they should have been

<dsinger> johnsimpson: it's just a definition of tracking; yes, it applies, but first parties are allowed to track

jmayer: would a site be able to set ID cookies despite a DNT 1 signal?

<BerinSzoka> Aleecia, what I'm saying is that Peter (at least seemed to have) missed the important point Rachel made yesterday: the DAA opt-out was offered even though there was no demonstrated harm, because the COST of doing so was so low because the adoption rate was expected to be so small, but that's completely different from a world where DNT adoption is several times higher--if not a majority of users globally

<susanisrael> * Bryan, you ok? or should i scribe?

go ahead

<aleecia> ah, you were giving history rather than making an argument. missed that, thank you

<npdoty> scribenick: susanisrael

<bryan> peter: financial reporting and audits are the longest lead time permitted uses

<BerinSzoka> My broader point, Aleecia, is that, when we debate what DNT should mean, I think those who want to push DNT to limit practices that create value (that ultimately funds media) should bear the burden of establishing SOME kind of harm to justify the cost of their proposals

<johnsimpson> David Singer: Thanks, that's how I understood it, though I would say that there would still be some limits on first party tracking, i.e., can't share the data...

peter: optimism re agreement on categories of permitted uses

on unique id i took this to be related to our de-identification discussion today, you all will help me understand better

<peterswire> q>

there was discussion about what it would take to help us meet the de-id standard, and that's where we need to talk more about unique id

<justin> deidentified data and permitted uses are different issues . . .

<fielding> justin, dsinger's definition covers all data collection, not tracking across different websites (what the user means by do not track)

<rachel_thomas> To clarify / correct Berin's note, my point yesterday was not an economic one. Rather that the DAA principles took into account potential harm in coming out with prohibitions for practices that had a strong potential for harm, versus an opt-out (or no permission needed) for practices that had no strong potential harm - OBA.

chris: thanks, peter. concerns re: data append.

<efelten> I think Jonathan was asking whether Peter is suggesting that routine collection of ID cookies by third parties would be okay?

when first party goes to get more data re its users, there may be a service provider relationship

peter: i forgot to say that

<BerinSzoka> And, finally, it's worth noting that the DAA cross-site principles DO address real harm--without the need for consumers to exercise choice.

<dsinger> johnsimpson: yes, if you are 'tracking', even as a 1st party, you should read the spec., it applies to you. Not very much if you are a first party, to be sure, but it does apply

chris: data added may be public data, or gained with some explicit consent, so don't think broad data append restriction is particularly helpful

<justin> fielding, how about what I previously suggested: tracking is "the collection and retention of data across multiple parties' web domains in a form such that it can be attributed to a specific user or device."

<jmayer> Yes, exactly Ed.

<BerinSzoka> Peter simply dismissed those points

peter: factual q --need more help with this but append where data broker does not get the data is a service provider

<justin> Could sub out "collection and retention" with "retention, sharing, and use" if you like . . .

chris: so that is transfer of data, vs broad restriction on all practices of data append

<fielding> justin, I think that definition would be fine

<justin> "ownership of data" . . . <shudder>

peter: this is an area where i want to learn more about service provider

chrispedigo: i am frustrated on this issue, this is history on this

<johnsimpson> justin, Roy: Please put full definition in IRC when you have it.

<npdoty> I think we have a short thread on data append starting here: http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0002.html

<npdoty> and the issue is 170: http://www.w3.org/2011/tracking-protection/track/issues/170

<aleecia> history is, we were waiting on a defn of data append

<aleecia> which was attempted and wandered sideways

peter: i don't have all history, so some data append is a service provider relationship, but some is not and there may well be ways to draw lines, protecting against where data broker is enriching its own data base

<justin> johnsimpson, my proposed definition: the collection/retention/use/sharing of data across multiple parties' web domains in a form such that it can be attributed to a specific user or device." Which of those terms we use is dependent somewhat on how those terms are defined.

fielding: frustrated, if 1st party uses service provider to retarget data from its own site.......

<BerinSzoka> gee, good thing we didn't actually dwell on those pesky harm and cost/benefit questions so we could race through this enormously long queue...

peter: is this the question? if first party retargets based on surfing on own site using processor

<justin> Could Amazon or Zappos use a third party ad network (in a service provider relationship) to serve ads based on its first-party data?

fielding: meant that service provider uses data from first party site to retarget user

<rvaneijk> Justin: my view is no.

<vinay> Is the use case to serve targeted content/ads on its own site, or on an unrelated site?

susan: not sure this use case exists but theoretically it could

<justin> Curious what Peter's view is.

<vinay> for example, is the question can Amazon use appended data from a service provider to serve targeted content on amazon.com; so long as the service provider cannot use any of amazon's data outside of this particular use case

<justin> vinay, unrelated site.

fielding: if data is being passed outside control of first party, and third party can use it then not permitted by dnt 1, but if still in 1st party control, then wouldn't that be outside dnt 1

peter: this is my first take on this

justin: follow up based on roy

<vinay> ah, okay -- i thought you were answering on a related site. on an unrelated site, i would consider that a company can't do that (if DNT:1 was enabled).

can amazon use doubleclick as service provider

to retarget based on activity on its own site

<fielding> works for me to say it is an issue going forward

peter: will work on that

davidsinger: wanted to reduce size of ocean when i wrote this definition

<fielding> dsinger, I disagree -- we have been stalled for six months

I think we have on table a doc that has not changed much in 6 months, we have general consensus about shape of doc.

my feeling is we are not learning much any more, need to go ask people to go try to implement it

<aleecia> +1 for getting a draft into the wider world

<aleecia> and planning to revise

it's voluntary, need voluntary experimentation phase

also good that it's a global doc, so that helps implementers, it's global

let's just try to get something out, a last call which means it may not be right or perfect but let's get something out soon

peter: for other standards, is last call imperfect?

davidsinger: yes

dwainberg: we were mixing up a lot of issues

peter: this is partly the chair not having worked through all the pieces before
... with your help and help from others, let's try to get issue out in next couple weeks

<fielding> Can we please put Justin's definition instead?

peter: let's consider david singer's definition

rachel: not an all inclusive concern but any customer list would be included as tracking going forward

<wseltzer> [slide text: "Tracking is the retention or use, after a transaction is complete, of data records that are, or can be, associated with a single user."]

peter: so problem is that this is not limited to online?

<Wileys> +q

rachel: even online
... transaction is a broad word

<Joanne> *thanks Wendy

<npdoty> to be clear, we could include many things in tracking and then narrow it later (to third-party, to non-permitted uses, to retention beyond a short-term period)

<aleecia> historical note: we are not limited to HTTP

peter: any short definition may be amplified elsewhere, but what about offline and through http header

<aleecia> SPDY was the example there

aleecia, i was told by w3c that we were limited to http

lou mastria: we have a definition

peter: pls send language

<rachel_thomas> DAA definition of multi-site data is "data collected from a particular computer or device regarding Web viewing over time and across non-Affiliate Web sites."

<aleecia> that is incorrect

chris pedigo: echoing lou: "over time and across sites"

<aleecia> that = limited to HTTP

<fielding> tracking should be about user activity across sites

<justin> rachel_thomas, that's very similar to my proposed definition

peter: so across unaffiliated sites over time

<dsinger> by 'transaction' I meant 'HTTP transaction' i.e. a request and response

fielding: [can't hear roy]

<rachel_thomas> justin, can you repost your definition - missed it.

<justin> My definition: the retention, use, or sharing of data across multiple parties' web domains in a form such that it can be attributed to a specific user or device." Which of those terms we use is dependent somewhat on how those terms are defined.

<rachel_thomas> thx!

[add DAA language to DS language]

<npdoty> fielding: would prefer to refer to tracking across sites, which is closer to [what I think of as] tracking

<justin> q_

<efelten> Would like to understand how, if at all, "web viewing" differs from "HTTP transactions".

<rigo> I think that DNT:0 is sometimes needed beyond only cross site permissions. So reducing the scope may backfire here

rob van eijk: 2 issues. I would like to append "by a party or other person" to reflect data controller unable to do it

<fielding> npdoty, to what we are trying to define under do not track (and hence would want to explain to a user)

<robsherman> +q

<aleecia> Cross-site only doesn't at all seem a reasonable defn of tracking (though we may or may not limit what we care about that way)

rob van eijk : scope still limited to one who is processing, account for possible risk associated with abilities of others

<johnsimpson> Do we have DAA definition

<tlr> "Data Collected from a particular comuter or device regarding Web viewing over time and across non-Affiliate Web Sites"

<justin> aleecia, sure we could define "tracking" as knowing more than one fact about a particular individual. But I'm not sure why that helps us (for the record, I'm not sure how any of this helps us).

<efelten> DAA definition (on slide): "data collected from a particular computer or device regarding Web viewing over time and across non-Affiliate Web Sites."

[yanni can you copy the definitions into irc]

<justin> Issue 5!

<fielding> issue-5?

<trackbot> ISSUE-5 -- What is the definition of tracking? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/5

peter: need an issue on this, there has been a big appetite for it

rob van eijk: 2nd issue, we somehow need to include something about unlinkable state as well as de-id state

<aleecia> We're going to set scope in many, many places

peter: my own take is that it's out of scope by de-id

<aleecia> I'd do an intellectually honest defn of tracking and then limit scope as applicable

<johnsimpson> Do we have DAA in IRC, I've not seen it?

<rachel_thomas> i put it in earlier john

<npdoty> DAA definition (on slide): "data collected from a particular computer or device regarding Web viewing over time and across non-Affiliate Web Sites."

<rachel_thomas> thanks nick.

<johnsimpson> sorry see it now

wileys: both daa and justin's defnition use terms particular or specific, whereas in your definition you say a single, but de-identification schemes often resolve to something single, but not particular and specific

<rigo> efelten: and across non-Affiliate Web Sites should be tied to DNT:1 and not to entire specification. Otherwise it kills DNT:0 meaning as it would only mean agreement to cross site collection and no permission for first party collection...

peter: david is that ok?

david: yes

<tlr> john, please restart

<wseltzer> johnsimpson: What concerns me about both definitions, is that they elide a number of activities traditionally considered tracking

<aleecia> +1

<fielding> yes, but what does the user want when they check that DNT box?

<aleecia> to be treated as if they were brand new each time

<fielding> by first parties?

johnsimpson: there are whole sets of experiences that should be intuitively considered tracking, including one that is first party, so if you go with david singer's idea that it applies to all, should apply to third parties

<justin> aleecia, I could certainly live with a broader definition of tracking to note that first party tracking is a thing. But limiting to third-party tracking is a closer approximation of what we're doing here. And even that we're not totally stopping.

<rigo> justin, but it creates a logic gap for various things we do

<aleecia> That's fine, Justin, but the idea that first parties don't track is absurd on its face. That we ask less of first parties is deeply established, I'm not attacking that. But first parties do track.

<rigo> so it is bad drafting IMHO

<aleecia> If we're defining tracking, let's do it honestly.

<rachel_thomas> the DAA definition is from https://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf. Note that the full doc includes permitted uses, prohibitions (against use for eligibility purposes), responsibilities for first, third and service providers, etc.

<aleecia> And cross-site is not required for tracking either.

<efelten> Rachel, does it contain any limitations on collection or retention?

<rachel_thomas> yes.

<aleecia> We're defining a term. We should be able to have another group copy & paste our defn and use it.

<efelten> What limitations?

<fielding> aleecia, the traditional meaning of tracking does not involve activity at a single site -- it is following someone as they travel across some distance (not the same site)

peter: so if there are 43 clicks on first party sites is that tracking, is that the issue?

<justin> aleecia, you want a definition that Field and Stream could cut and paste to use?

<aleecia> "traditional"? <grin>

<rigo> rachel_thomas: you're right, the DAA definition was taken out of context

<fielding> aleecia, when a user says "tracking is bad", what do you think they mean?

chris pedigo: we have agreed to carve out first parties, my belief is that first parties should be completely exempt, and we should be allowed to share data, but agreed to limit on sharing data to avoid a loophole

<aleecia> justin if any other W3C WG later grabs the defn and says "here's what tracking is" they shouldn't need to edit it

<rachel_thomas> Ed, The Data Security Principle requires entities to provide reasonable security for, and limited retention of, data collected and used for OBA/MSD purposes. http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf

chrispedigo: concerned about unintended consequences, and having it be deemed to apply to first parties

<justin> aleecia, to be clear, I think this discussion is more about coming up with a definition of what we're trying to address in a scope section rather than an operational definition. Because, you know, "tracking" is not an operational term in the document.

john simpson: i thought purpose of working group was to provide choice about what data collected and for average user collection of data is an issue regardless

<rigo> rachel_thomas: nice definition for what "cross-site" means. I think defining first parties away is a mistake. We can talk about permissions or only limited requirements for first parties, but ruling them out of scope is unwise IMHO

<aleecia> then let's have a section that specifically says "if X isn't you, ignore this doc" rather than trying to shoehorn it into a defn that doesn't actually work out

<vincent> rachel_thomas, so it's just focusing on data used for OBA right? ohter collection is not considered as tracking?

<rachel_thomas> Ed, limits on collection are included on page 2 - https://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf

<aleecia> agree with David Singer that there's a whole world who can ignore or just read a very tiny portion, and we should help them out

in a trade off we decided fewer limits on 1st party sites, but we got around this by avoiding definition, but since so much demand for one i think we need to acknowledge all kinds of tracking

<justin> aleecia, I think there are a lot of people in the group who would prefer this discussion just to go into SCOPE.

<aleecia> so do a scope section

<Chris_IAB> How about:  "Tracking is the retention of a user's Web browsing history over time, across unaffiliated sites, that is linked or may be reasonably linkable to a unique device." 

<jmayer> Rachel, could you provide a few concrete examples of collection or retention practices that would be prohibited by the DAA principles?

<aleecia> we've intertwined defn and scope. not sure that's a great idea.

<rachel_thomas> vincent, good question. NO. The multi-site data principles (https://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf) expand upon the OBA principles (http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf) to cover all multi-site data, not just OBA.

<npdoty> (in fact, the title of the document is "Tracking Compliance and Scope")

peter: we are having this conversation and including idea of no definition, "null" which is still on table, but here we are exploring language we could use if we have a definition

<efelten> Rachel, I see a limitation of retention to "as long as needed …" Thanks for that. Is there a limit on collection somewhere?

<rachel_thomas> jmayer, i believe i answered your question in my two posts directed at ed felten.

rob sherman: wanted to respond briefly to exchange between chris and john, and i think there is less definition than is apparent, about what goes into definition of tracking

generally i think this group has been on same page.....think this is about framing definition not about what we actually do

<jmayer> Rachel, you pointed to language. Many have objected that the language does not actually limit practices. I'd like to understand, through examples.

peter: trying to understand, let me probe: do you see any definitions between what is permitted?

rob sherman: i actually don't fully understand john simpson's approach

<rachel_thomas> the language outlines buckets - clearer than one-off examples.

what is the effort we are making with definitions on screen, which they are debating?

<aleecia> Limiting to across sites (affiliated or not) doesn't make sense for a defn of tracking. It may make perfect sense for scope.

peter: one reason to have definition of tracking is that it sets definition of what is in scope.....put people on alert, hey you are inside scope of spec

this definition would be an alert of who is covered....another possibility, would be to say here is a guide to what we think is tracking but this is not binding part of spec

<jmayer> Rachel, I have difficulty understanding to contours of the permitted use buckets. Peter has testified on the Hill that they're practically unlimited. If you can't give examples, it seems fair to assume the permitted uses are so broad as to swallow the collection rules.

another way to go is this is normative part of spec

this is why this is important discussion

<bryan> scribenick: bryan

<susanisrael> scribenick: bryan

<fielding> TPE requires a definition of tracking

<fielding> or at least what DNT: 1 conveys

<Zakim> npdoty, you wanted to discuss editors' handling

nick: the editors could put a def in and rewrite the rules so they address that term, it wouldn't change the substance; as a question for the editors...

peter: is it just a rewriting matter?

<susanisrael> justin and roy, thinking about the retargeting using only first party data i think the issue there is really a first party turning around and acting as a third party, not really a service provider issue

justin: instead of making a def for a word that does not matter in the document, we could address this in the scope so it does not affect normative text

peter: is the scope normative?

<fielding> it would be odd for scope to be normative

tlr: it can be, or not. depends upon how the scope is written

<justin> I am not proposing that we write the Scope discussion of "tracking" (why are we here?) to be normative.

peter: the binding about the def of tracking would need to follow with a decision on the normative impact of that def

jmayer: suggest that the group should move onto another topic

<npdoty> agree with fielding that it might be unusual for Scope to be normative; in HTML5 for example: http://www.w3.org/TR/html5/introduction.html#scope

<fielding> actually, no, we have been procedurally prevented from talking about tracking definition in any meaningful way

jmayer: if we are to agreement, it will be thru competing text proposals
... urge that we not define tracking, even moreso that we don't talk about it

peter: as co-chair I have not understood these issues, and this helps; also ecosystem stakeholders have asked for this discussion; but it will end soon

<npdoty> is the concern actually issue-6 rather than issue-5?

<npdoty> issue-6?

<trackbot> ISSUE-6 -- What are the underlying concerns? Why are we doing this / what are people afraid of? -- closed

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/6

chrispedigoOPA: this def does help identify the problem we are trying to solve, and it includes over time and cross-site

<npdoty> "capture the lens through which we're looking"

chrispedigoOPA: as this doc evolves, it's important for future users that we capture the lens through which we are looking

peter: i need to understand the current things that 1st parties are not passing on

<npdoty> justin and heather, we have "2. Scope and Goals" empty now with a link to issue-6

<npdoty> ... with the note that we would come back to it later

chrismejia: I have 3rd party tracking as the retention of user's web behavior over time that may be linked to a particular user or device (chris please correct as needed)

<npdoty> Chris_IAB, can you drop that definition into IRC in case we didn't get the language correctly in scribing?

dwainberg: there is I think consensus that use of 1st party data in that context is definitely out of scope
... it would thus be more precise not to talk about the party, but the data in the context of collection and use

<rigo> if you want to define tracking, please help with the definition of DNT:0 in the global considerations

<Chris_IAB> Here ya go: "3rd Party Tracking is, for the purpose of this spec, the retention of a user's Web browsing history over time, across unaffiliated sites, that is linked or may be reasonably linkable to a unique device."

<npdoty> would it put less burden on the permitted uses? incorporating a permitted use into a one sentence definition of tracking seems like a great challenge

dwainberg: on the def of tracking, we put less of a burden on permitted uses when we define it; enable more innovation and flexibility in the spec to accommodate it
... what is lacking in David's def is more explanation of the type of data that is included in tracking
... e.g. browsing history is in, similar to data on web viewing over time

fielding: scope def is important but defining user preference is more important

<efelten> We should be talking in terms of HTTP (which the server sees, and which is the protocol carrying the headers) vs. "web browsing" which is a user-interface notion.

<aleecia> New topic - can we do one at a time, please?

fielding: we need a simple way for users to define their preference

<npdoty> "need to have a simple way of informing the user"

fielding: reason we are here is to adhere to user preference; that's why we are focusing on a def of user tracking

<aleecia> for what it's worth, I disagree with Roy still. Not a surprise to anyone so I'll keep out of the queue.

<aleecia> But in case we're doing the "sustained objection" model. Users are not asking for cross-site only.

<rigo> web-history sounds compelling, but what about the combination with data from other sources?

Chris_IAB: it's easier to solve for n, when we know what n is. Offering a narrow def for this spec and purpose creates an n that is solvable

<npdoty> do we have a separate issue for user presentation / education? if Roy's concern is less scoping and more user presentation, that might be something we can take up separately

Chris_IAB: disagree with the assertion that it would be a waste of time to revisit when n included everything. it would be worthwhile to reconsider

<aleecia> Agree that's a distinct issue. Not sure there's much we can say there (see discussion Alan and I had yesterday) but we might at least get some good "shoulds" there, which would make me happier.

<johnsimpson> This is from the charter: "The Working Group will produce Recommendation-track specifications for a simple machine-readable preference expression mechanism ("Do Not Track") and technologies for selectively allowing or blocking tracking elements." Does not say only third party tracking.

<fielding> aleecia, until we define what users are actually asking, I don't see how you can make any assumptions about what they are asking

<aleecia> Users would like DNT to stop first party tracking

peter: a path for compliance, from here; we have worked on compliance, and a def of tracking; some of the fault lines are clearer

<npdoty> I think we've lost Chapell for the afternoon, but he might be interested in working with fielding on the importance of user presentation.

<aleecia> Nick that sounds like a constructive approach forward.

<Chris_IAB> johnsimpson, respectfully, it depends on how you define the word "track" in the context of "do-not-track"

peter: the remaining pieces are permitted uses, service provider de-id, market research, and provisionally the def of tracking
... that is not a huge # of things

<Chris_IAB> my point is that we have to agree on the definitions of the words we use in a scope to understand the scope itself

<fielding> npdoty, please don't try to relegate this to an out of scope discussion on UI. What I want is a required deliverable of the WG.

<rigo> fielding: part of the issue is really that aleecia's research created evidence that users want that "off" button and that the industry fears that this is too much in the current eco-system. A dilemma IMHO

<Wileys> Aleecia, could you please reference the source of data you are referring to in your assertions of what all users want? It would be helpful to review the integrity of the research you're relying upon in your declarations.

peter: a reasonable list that can be addressed; I intend to work directly to get specific text to close the issues

<npdoty> fielding, I was hoping to divert discussions on UI into a more helpful discussion on what we need for effective communication to the user

peter: I will push, and you have your chance to let me know what you think
... that's it for the agenda for today

<rigo> Wileys: I've seen aleecia's research presented on several occasions. see above, it is a dilemma, somewhat.

<justin> +q

<aleecia> Shane, your implicit point that users want different things is correct.

<rigo> how to get out: more communication

<wseltzer> [Mead Hall]

<npdoty> http://www.themeadhall.com/

<rigo> backside of legal seafood

<aleecia> There's work from Berkeley as well

mschunter: there are minor changes to the agenda, just reshuffling; we can maybe take less time

<aleecia> Some of what I reference was not published; we did a large study at Mozilla of Mozilla users on the geek side. More representative than I would have expected, but assuredly not a random sample.

<aleecia> And Microsoft has done their own research as well

<johnsimpson> where do we subscribe to the list

mschunter: we have a special public-tracking-announce list, enabling only chairs to post issues, sort of a warning function

<npdoty> http://lists.w3.org/Archives/Public/public-tracking-announce/

<Wileys> John - you are already subscribed

<npdoty> members of the working group are already subscribed

<aleecia> As for tradeoffs, once again I point you to the Annenberg work that's been replicated many times

mschunter: will send a message to the list to let those know who are on it

<Wileys> thank you Aleecia - I'll take the weight of your assertions with the transparency their supporting representation is provided.

peter: one method to warn you of issue closing

<jmayer> +q

<aleecia> parse failure. I mean, I get there's snark, but I'm not sure what you were trying to say since the grammar there failed

peter: you will have a chance to object

justin: you said we would reintro market research and permitted use; what is the plan?
... eg work up permitted use language?

peter: will work offline on that

<npdoty> David Stark, Richard Weaver, Justin Brookman -- all good people to talk together on the market research issue

<Wileys> Aleecia, apologies, I see the grammar miss now. I mean to say it'll be difficult to put much weight behind your assertions without supporting evidence (aka - lack of transparency). So feel free to continue to share your beliefs of what "all users want" but please understand if many of us don't place as much confidence in those assertions as we could if there was reliable, well-thought out research

<Wileys> approaches behind it. That rarely exists in this space unfortunately.

jmayer: concern that there are some interdependencies on issues; we might get more work done up front with a constellation of options rather than tackling each issue
... e.g. browser-based API for exceptions; some have suggested a linkage with the consent standard
... knowing that linkage in advance would help

<aleecia> Shane - I've just given you pointers to research from multiple organizations. You've likely read all of them already.

<aleecia> You're right that I shortcut "the majority of users" to "users" and did not in any way mean to imply "all users." If you seriously mistook that, sorry for the shorthand. That was not my intent.

peter: sympathy for that proposal; we may get to options for issues and note that solutions are related to other issues, with provisional closure

<aleecia> Users are absolutely not a monolithic block, which is a point you'll find I make frequently

peter: until the related discussions are done we will not have final closure; would that help?

jmayer: entirely reasonable

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.137 (CVS log)
$Date: 2013-02-12 21:57:36 $