W3C

- DRAFT -

Tracking Protection Working Group Teleconference

27 Feb 2013

See also: IRC log

Attendees

Present
+1.646.654.aaaa, eberkower, Thomas, moneill2, npdoty, peterswire, +1.609.258.aabb, efelten, Yianni, +1.202.331.aacc, [Microsoft], PhilPearce, Rigo, +1.949.573.aadd, Aleecia, Amy_Colando, +1.917.934.aaee, fielding, Joanne, Chris_Pedigo, achappell?, +1.631.803.aaff, sidstamm, +49.172.147.aagg, +1.650.787.aahh, jchester2, schunter, Keith_Scarborough, +1.215.480.aaii, adrianba, +385345aajj, hefferjr, vinay, kulick, RichLaBarca, Dan_Auerbach, [CDT], +1.650.465.aakk, vincent, Jonathan_Mayer, +1.646.827.aall, hwest, dsinger, chapell, johnsimpson, [Comcast]?, dwainberg?, dwainberg, +1.678.492.aamm, +1.650.308.aann, robsherman, +31.65.141.aaoo, rvaneijk, Brooks?
Regrets
Chair
peterswire
Scribe
Yianni, susanisrael, susanisrael again

<trackbot> Date: 27 February 2013

<aleecia_> Will be heavily multitasking and not able to speak or type for large portions today's

<npdoty> volunteer for scribing second half of the call?

<schunter> Nick/Peter: I am offline and listening only.

<Yianni> Yes

<peterswire> yianni -- can you scribe

<npdoty> scribenick: Yianni

peter: organizational about today's call and next week's call
... today's call working through agenda, assigning some action items
... chris pedigo has a definition of service provider

<RichLaBarca> Zakim 6318032933 is me

peter: will include definition of append and how that is handled
... will move to definition of first party
... focus on clarity of writing, heather just sent a slightly altered version
... Sid Stamm will give a briefing on the steps of the Mozilla patch on third party cookies

<sidstamm> thanks, npdoty

peter: next week on wednesday is beginning of IAPP summit
... peter will be there
... room at that meeting

<JC> -1

<Joanne> -1

<eberkower> -1

<justin_> +1

<moneill2> -1

<vinay> -1

<JC> Will be in flight on Wednesday

peter: how many people will be going to the meeting, +1 is a yes

<ChrisPedigoOPA> +1

<sidstamm> -1

peter: item 3 of agenda is to assign action items

<kulick> -1 for wed, +1 for thurs & fri

peter: would be glad to have volunteers
... pretty far toward permitted uses: frequency capping, security, debugging
... could do with editor's, want people to agree to action items for these
... does anyone agree to frequency capping action item?
... will move to editor's for language

<npdoty> I believe I've proposed text on frequency capping in an earlier round

peter: for security and fraud prevention, Callas found he was comfortable with language
... does anyone want to come forward with text on that issue?
... third: debugging, does anyone want to take an action item?
... peter will work with Editors for language next week
... general approach is to slim down number of open issues
... next item on list is chris pedigo has circulated updated definition of service provider or processor
... context from peter: this is language that has not been closed
... want to look at language from chris, then people may want to raise related issue of appending data

chris: Vinay and chris worked on language

service provider / data processor language

chris: allow an entity to work on behalf of another company as long as certain conditions are met

<tlr> http://lists.w3.org/Archives/Public/public-tracking/2013Feb/0138.html

chris: separate data, only use data as directed, and there has to be a contract that stipulates that
... included sentence at bottom, service provider still subject to same restriction of original party
... permitted uses should still apply for service providers
... Rigo said that would not fly in the EU

<efelten> Is this new language, or an attempt to consolidate the pre-existing proposed language?

chris: not really appropriate in US either
... some discussion about data append, happy to get into later

Peter: any questions or comments from the floor

<jchester2> I think the data append issues are inextricably linked to this definition. so we understand the parameters.

<dsinger> this came out while I was commuting; I'll need to read it and discuss it with my colleagues, alas

<rigo> unmute rigo

<ChrisPedigoOPA> ed, this is an attempt to consolidate

<efelten> Thanks, Chris.

Rigo: chris already mentioned exchange, valid point that data processor that processes on behalf of another party
... they still have to secure their services, still have to do debugging
... thought it was clear
... adds explanation that is worthwhile
... in Europe good understanding of data processor

<susanisrael> *Zakim, Comcast person may be Walt Michel

Rigo: in US not as good an understanding

Peter: within Europe, certain approved processing, security and debugging
... in explanatory text in US, it would make sense to do what?

Rigo: peter understands correctly, we should not change definition but add explanatory text
... all those permitted uses must be clear in the container of the contract to the data controller

Amy: I like the text
... like the additional detail

<susanisrael> +1

Amy: we as a publisher, use vendors to help us detect fraud
... we typically allow them to detect threats to apply their learnings from working with other companies
... this is a suspicious IP address or angle of attack
... can that kind of scenario be addressed?

Peter: Is that permitted under EU law and practice

Rigo: I would like Rob's opinion
... there is a specific security exception in all data protection laws
... if you collect for security and store forever and distribute forever

<tlr> I guess the question is whether it's third party + permitted use, or service provider.

<susanisrael> I think making the exception for learnings about security risks makes sense. But other service providers would not get any independent rights to the data itself.

Rigo: if we apply the normal exception for security, we have a general rule of use and retention limitation for as long as necessary
... if you apply this to service providers, DPA could swallow that

<fielding> specific comments: remove "in a specific network interaction"; remove the last sentence (self-contradiction); don't use a bulleted list; don't use ambiguous targets like "other party" (be specific).

Roy: few specific comments
... generally focus seems fine, could work on log data 2 weeks after network interaction
... last sentence in description is self contradictory

<rigo> fielding; remove "in a specific network interaction"

Roy: the last thing is there are ambiguous references to other party, replace with data controller
... all are editorial, caution to use word data controller

Peter: data controller has legal connotation, may use party providing service
... does last sentence cause any problems

Roy: no mischief

Peter: why is the language in there about specific network interactions

<vinay> So, I added that following the form of previous definitions

<vinay> I'm fine with Roy's edits

Chris: not sure why it is in there
... did not want to exclude others working on log files

Peter: data processor for that time has all of these things, shifting between roles
... language that says that someone might act as data processor for some and not all activities

<susanisrael> I am happy to work with Chris and Vinay on cleaning up language. I think peter is right about where language came from

<susanisrael> peter, yes, I think you are right.

<aleecia> Q later

<aleecia> Grn

<aleecia> Thanks

Chris: data being separated sort of addresses Peter's concern

<rigo> fielding; remove "in a specific network interaction"*In a specific network interaction"

<vinay> fine by me, too

Peter: motion to take out clause specific network interaction

Chris: fine by me

Rigo: you would also have to remove from first party definition

<tlr> errrm, no

Rigo: data processor is logically dependent on first party definition

<dsinger> but taking it out of 1st party means we could no longer distinguish 1st and 3rd, which is all contextual on the interaction...

<justin_> It makes sense in the definition of first party --- because it's distinguishing first from third. Don't need it for service provider.

<fielding> another note: it says "separated", but not separated from what … it should be siloed by first party.

Peter: Rigo, specific network interaction, processor could have different roles

<susanisrael> +1 to siloed by first party

Peter: seems you could keep for first party and not here

Nick: ask about the differences from option 1
... might be easier to review if we compare to option 1
... different I see: 1st bullet separated by is a little less clear
... is it separate from each data controller, or other separation?
... 2nd bullet, more concern with other party, seems to be a little too open ended
... if I contract you to build a profile, is that a service provider relationship

<fielding> "A Data Processor is subject to the same restrictions as the other party."

Chris: if you pair with same restrictions of other party that gets to the restrictions

<Chris_IAB> FYI- I can't join via phone today, only IRC. If you need something from me, please ping me here.

Chris: so they could not share the data because it is restricted
... no sharing with any third party

Peter: will get to first party sharing with third party later

Nick: first parties will share information, facebook sharing information with friends

<susanisrael> Npdoty, i would argue that you, not facebook, are sharing when you post

Chris: no intent to create a loophole

<dsinger> the first party restriction is fairly clear: "The First Party must not pass information about this transaction to non-service provider third parties who could not collect the data themselves under this Recommendation."

Aleecia: couple things: 1 - great to see text
...2: think I am hearing that there is no permitted uses except for security

<npdoty> ChrisPedigoOPA, I didn't mean to imply that you were intending to create a loophole! I just wanted to think through the implications of that bullet
...2: from Amy, we may need to change the way we are thinking about the security permitted use
... a note of need to look at how we look at security
... we need transparency with the third parties, including with service providers

<jchester2> +1

<rigo> I think security will only work with a use-limitation (security as finality)

<fielding> Just as soon as you have transparency regarding employee names ..
...2: could use with header response, we could do with discoverability beyond we have affiliates
... we need some way to tell users where their data went

<npdoty> dsinger, I think we have lingering uncertainty about when first parties can share data (like the intentional sharing-on-Facebook case)

Susan: listening to Aleecia, transparency for service providers with no right to use data is different than affiliates
... we expect first parties to disclose affiliates who have rights to the data

<jchester2> +q

Susan: service providers are different, some service providers cannot be disclosed and change frequently

<dsinger> npdoty: I think we're talking in this definition about passing data to services. clearly if I publish something on my first-party site, I have no control over who reads it...

<aleecia> Agree there's nothing new here. My view remains unchanged: no secret databases

Susan: whole idea of their role, as publisher who uses service providers, we would not want service providers to use data independently

Jeff Chester: talking about whole different class of service providers

scribe: very important for users to understand where their data is going

<susanisrael> Aleecia, we are not talking about secret databases. We are talking about entities that are NOT permitted to use and keep data to build databases.

<rigo> Aleecia, a data processors are bound anyway. There can't be secret databases

scribe: we could classify service providers dealing with data integration and targeting, but users need to know

Peter: summarize some of what he has heard
... moderate number of fine tuning of text

<susanisrael> I am willing to work with Chris, Vinay and Rigo to refine and clarify the text

<aleecia> Users don't know where their data went. And it goes into a database of course. So yes, these are secret databases

<vinay> Thanks susanisrael

Peter: ask Chris without changing substance to come back with addressing language

Chris: happy to do that

Peter: another piece, a transparency question, aware of varying views on that

<fielding> A service provider is a contractor. The notion that users need transparency of service providers and not the identity of every employee that might ever touch the data as a first party has no basis, whether or not people want to know that information. In most cases, it won't even be known at the time of interaction.

Peter: have there been specific proposals that are currently open for what the transparency requirements would look like

<ChrisPedigoOPA> +1 to roy

Peter: anyone with the history

<susanisrael> +1 to fielding

Aleecia: could have affiliates and service providers send header back
... that is the minority view
... have not discussed any other mechanisms

<npdoty> have we ever had a proposal in the Compliance doc that had such a transparency requirement?

<npdoty> I don't see one in any of the three Service Provider definitions, for example

<susanisrael> I think it's legitimate for users to know a first party's affiliates--different from service providers

Aleecia: privacy policies use the word affiliates, probably best to drop the use of the word affiliate

<dsinger> to npdoty: It's never been proposed that service-provider flags be obligatory, just available to enable SPs to clarify their status if they wish (and it's only about end-points of HTTP transactions, as well -- what the HTTP spec. calls servers)

Aleecia: talked about third parties sending a header response as identifying themselves as being different
... we have had that discussion in the past

Peter: minority view with strong feelings on the transparency side
... in terms of the language we have, chris will work on fine tuning
... we have a tricky question about security

<npdoty> thanks dsinger; maybe we need to ask for alternative compliance text from aleecia or others that would specify transparency

<aleecia> Could well be. I'll need three weeks

Peter: Amy, would you be willing to, looking at the security permitted use, add language addressing the practice of sharing IP addresses from attacks

<aleecia> But I would be happy to contribute a new fairly small section

Peter: someone else with that concern who would propose language?
... common practice that security vendors learn security concerns from multiple places
... we have a possible tension between actual practice and the current language

<dwainberg> Is that not also the same case for debugging?

David: happy to take on language

Peter: have some language, and try to understand European standard

<rigo> David, just send me email. There is a specific article

<dwainberg> ok, rigo

David: similar issue with respect to debugging?

<susanisrael> *Yianni, just let me know when you want me to take over, or I will start at 12:45

Peter: I think you could come up with language but it would be helpful to get input from debugging

taking over at 12:45 works

<dsinger> on the SP flagging, I rather suspect that the new first-party (could be data-controller) well-known resource might serve; I was hoping to spend time with Roy in Cambridge understanding what's possible, and making sure that clarity was *possible* but not required (it's not always desired). that conversation is still pending

Peter: assign an action item to david on security and debugging

<npdoty> ACTION: wainberg to propose language on security vendors as service providers sharing/combining data [recorded in http://www.w3.org/2013/02/27-dnt-minutes.html#action01]

<trackbot> Created ACTION-372 - Propose language on security vendors as service providers sharing/combining data [on David Wainberg - due 2013-03-06].

Peter: if you do debugging actual practices would be helpful

<rigo> David, look at Article 4 of 2002/58/EC http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT

Peter: request that if you add facts to debugging language
... 2 weeks

<jchester2> +q

Peter: moving to related issue of append, Jeff do you have any comments
... use cases that Chris sent around show a variety of situations for append
... some concerns are addressed by keeping information siloed
... might be other concerns of data flowing from service provider to first party

<aleecia> I'm going to walk into a mtg w the dean at 10 am, will not be able to listen after but will watch irc

Jeff: data append, i think a user that has sent a DNT:1, would not understand the array of data that is used for the profiling and tracking function
... I think this is a real problem and guts people's concept of do not track

<ChrisPedigoOPA> +q

Jeff: all this third party data is being integrated and used and you have no say

Rigo: in response to Aleecia, we have already discussed the service provider flag
... service provider can only act as contained by first party

<aleecia> Once more: sustained disagreement

<susanisrael> +1 to Rigo

Rigo: incentive to declare service providers that are used, so we do not have to be so strict on this

Peter: will follow up with Aleecia on acknowledgment flags

Chris: Data append, hear Jeff's concern, users do not want to be profiled
... DNT is about limiting data profiling

<aleecia> Note follow up with Peter, perhaps at IAPP

Chris: third parties will not be able to track data about a user
... I think it is completely acceptable for first party to learn more about their customers
... or modify the contents of site about what they know about the user

<jchester2> using 3rd party data that would otherwise be prohibited via DNT: 1 It's not modify--it's intensive databroker targeting

Chris: other point: in DNT world, data brokers will not have profilers about DNT 1 users

<susanisrael> data appends may be used by a first party site to learn about users in aggregate, rather than to build individual profiles

Chris: will be able to attain information offline or with consent

Susan, want to take over?

<jchester2> The First party will be able to collect a wide range of data on a user, even when DNT: 1 is being used. And we shouldn't permit it.

<susanisrael> scribenick: susanisrael

aleecia: even prohibition on 1st party sharing should not permit data append

<npdoty> as I understand it, there are cryptographic techniques that would allow a first party and third party to match data without the first party revealing their customer list to the third party

npdoty, yes, I think so

<jchester2> I will work with Aleecia

<aleecia> Nick, good point

<aleecia> You are correct

<rigo> npdoty: yep, anon credentials come to my mind

<aleecia> We did not mention that prior

<rigo> yep

<npdoty> ACTION: aleecia to propose text prohibiting data append (because it requires sharing, or otherwise; with jchester) [recorded in http://www.w3.org/2013/02/27-dnt-minutes.html#action02]

<trackbot> Created ACTION-373 - Propose text prohibiting data append (because it requires sharing, or otherwise; with jchester) [on Aleecia McDonald - due 2013-03-06].

<tlr> action-373 due 2013-03-20

<trackbot> Set ACTION-373 Propose text prohibiting data append (because it requires sharing, or otherwise; with jchester) due date to 2013-03-20.

<npdoty> susanisrael: when a service provider doesn't have rights to use data but manipulates it on behalf of the first party, we wouldn't consider that sharing

<scribe> scribenick: susanisrael again

<moneill2> 1st party would have to identify the user (to the 3rd party) i.e. they share user id/instance of user visit to web site

<susanisrael> Peterswire: move to justin to introduce merged definition of first party

merged first party definition

<aleecia> (when people ask "what is new info that hasn't come before the group?" and want to know what that would look like -- Nick just demonstrated :-) not that it is closed, but if it were, that would be a great reason to revisit)

<susanisrael> Justin: maybe better definition is the one heather sent at 11:52. a party with which user interacts is first party

<tlr> Heather's text: http://lists.w3.org/Archives/Public/public-tracking/2013Feb/0152.html

<susanisrael> justin: talked about embedded widgets

<susanisrael> ....tried to take 3 definitions

<vincent> so it includes redirects?

<susanisrael> Justin: tried to make it straightforward.....

<justin_> In a specific network interaction, a party with which the user interacts is the <dfn>First Party</dfn>. In most cases on a traditional web browser, the first party will be the party that owns and operates the domain visible in the address bar. The party that owns and operates or has control over an (branded/labelled?) embedded widget, search box, or similar service with which a user intentionally interacts is also considered a First Party. If a user merely mouses over, closes, or mutes such content, that is not sufficient interaction to render the party a first party. Non-First Party entities on the site are considered Third Parties.

<aleecia> Trouble: redirects

<susanisrael> peterswire: looking at heather's email, "a party with whom users interact is a first party" which is designed to get away from hard to understand intent

<npdoty> yeah, I assume this is just a typo

<fielding> I suggest using "user intentionally interacts" in the first sentence -- it is used later but is fundamental.

<susanisrael> ...concern is that users interact with third parties also, how do you distinguish....

<aleecia> Roy++

<susanisrael> peterswire: thought you could make some judgment about intended....

<justin_> fine with fielding's suggestion, though hwest wanted to stay away from judging "intent"

<susanisrael> hwest: it is intentionally intended to allow third party elements of a website to be treated as first party

<npdoty> but we are including intent, no definition has ever gotten us away from that

<susanisrael> hwest: re: "high probability website knows intent," it's really hard to engineer to...better to stay with technical definition of first party...

<aleecia> Would expect rather than intend help at all?

<dsinger> the whole question of machine-testability is thorny

<rigo> +1 to fielding

<susanisrael> fielding: no use for heavy/high probability wording...not something a server intends, but def should reflect intentional interaction

<susanisrael> fielding: what i did not like was idea of server determining this re: probabilistic means, have no way to determine this

<dsinger> there is a gap between what the TPE says ('expected to be used in a first-party context') and the 'high probability' text

<susanisrael> peterswire: let's turn to rest of the sentences. any objections or concerns with rest of definition

<aleecia> Has it changed?

<fielding> I think judging intent should be removed … but having intent is important to distinguish from other interactions.

<susanisrael> dwainberg: similar to problem with first sentence, for a party embedded in page, how can that party know that user has interacted in a way to expect it to be first party

<justin_> What's your alternative dwainberg?

<susanisrael> dwainberg: qu is how party knows user is intentionally interacting with it

<susanisrael> peterswire: does mousing over = not enough help?

<susanisrael> dwainberg: no

<susanisrael> peterswire: any alternative language that avoids problem

<susanisrael> hwest: we might think about some guidance, but idea was that it's a bit of a judgment call

<npdoty> "conscious interaction" sounds great; similar to "intentionally"

<tlr> I'd also like to hear david's proposed change.

<hwest> I like "conscious interaction" better than intent

<susanisrael> npdoty: I think there are some real advantages to having party running widgets figure out when it has been interacted with........

<eberkower> Does this require the Turing test?

<Zakim> npdoty, you wanted to ask about redirects

<susanisrael> npdoty: if someone clicks like button i (fb) am in good position to know if interaction

<susanisrael> npdoty: would [......] be considered first party? [url shorteners?]

<justin_> Yes, there is existing language on url shorteners, but we were going to move to appendix.

<justin_> But it's also not consensus --- Google disagreed with my (our?) suggestion.

<susanisrael> peterswire: nick might have additional language, support from roy for keeping third sentence/from justin for first

<susanisrael> ...propose taking that text and nick have action item around language he just proposed.....

<susanisrael> ....david and heather have concerns re: intentional, could propose other language. any objections?

<susanisrael> justin: so should i put idea of intention in first sentence as well?

<npdoty> ACTION: doty to suggest how redirection proposals can factor in to the first party definition [recorded in http://www.w3.org/2013/02/27-dnt-minutes.html#action03]

<trackbot> Created ACTION-374 - Suggest how redirection proposals can factor in to the first party definition [on Nick Doty - due 2013-03-06].

<susanisrael> peterswire: yes, that's one approach, other is for heather or david or others to propose other language

<Zakim> dsinger, you wanted to comment

<rigo> +1 to dsinger

<susanisrael> dsinger: want to point out what fielding wrote in tpe..."designed to be used as a first party resource" then maybe that affects these definitions, eliminates need to think about intent

mozilla presentation

<susanisrael> peterswire: thank you sidstamm for being here, I thank sid for being a brave and good person and briefing us on Mozilla patch on third party cookies. Goal in call is to get factual understanding...,.

<susanisrael> I hope everyone will speak respectfully and in professional way

<susanisrael> sid: i may be assuming knowledge, so don't be shy to ask questions about how this works...

<susanisrael> we have been trying to think of ways to close gap between what happens on web and what people think happens.

<susanisrael> ...it's how we approach privacy. Users are concerned about cookies and tracking. ...

<fielding> http://allthingsd.com/20130224/mozilla-to-block-third-party-cookies-in-firefox/

<fielding> https://wiki.mozilla.org/SecurityEngineering/ThirdPartyCookies

<susanisrael> not new, safari has been doing it. allow first party cookies and used to allow third parties, but now will permit them only if cookie already set on device....,

<susanisrael> idea is that if people have established relationship in first party context they can continue to interact with the entity in third party context.....

<susanisrael> it's in our nightly build, fairly long release cycle, then graduate to alpha, beta, then release channel...

<susanisrael> in each channel there is different set of users....

<susanisrael> we have time to experiment with really early adopters in nightly, mostly developers.

<susanisrael> ....until we feel confident we won't move forward. You can get involved by joining discussions on privacy, or testing firefox on nightly and see how it works for you....

<susanisrael> jonathan did i miss anything since you wrote the code......

<susanisrael> chrispedigo: thanks sid for brief description. I am not a technologist. 2 questions from members: different from safari? what happens to analytics?

<susanisrael> sid: if analytics provider uses 1st party cookies, no problem

<moneill2> safari just allows 3p cookies on POST verb

<susanisrael> jmayer: when safari checks to see if first party content has cookie permission: [jmayer, can you clarify this or can someone help report it?]

<npdoty> safari does its check based on whether cookies were sent in the outgoing HTTP request

<susanisrael> ex: if you go to a.foo.com, get a cookie for b.foo.com, there is embedded content for c.foo.com

<susanisrael> *npdoty, thanks

<npdoty> while Firefox instead checks whether there is a cookie permission for something on the top-level domain

<susanisrael> jmayer: under firefox approach both a and c .foo.com would have cookie permission. It's a corner case, in practice unlikely that difference matters

<aleecia> Is there a practical diff or just imp diff?

<sidstamm> aleecia, it was just an implementation convenience and a minor diff

<susanisrael> ...jmayer in practice safari practice is more stringent, but effect similar,

<aleecia> Thanks, sorry I cannot be on the call

<ChrisPedigoOPA_> Sid and Jonathan, thanks for the explanation

<susanisrael> [*sorry interrupted for a min-missed end of jmayer]

<npdoty> jmayer, can you mute?

<susanisrael> rigo: any plan to have mechanism open up again?

<peterswire> someone is typing without mute

<susanisrael> ....some third parties need to set cookie, and won't have another chance. I have complaints from developers. Any plans for exception handling?

<susanisrael> sid: no concrete plans right now but i agree there should be a way for trusted sites to have third party cookie users...

<jmayer> Better example: you get an a.foo.com first-party cookie, then visit bar.com which embeds third-party b.foo.com content. Safari would not allow cookie permissions for b.foo.com, Firefox would.

<susanisrael> as we still believe in dnt, maybe there is a way for sites that respect dnt to get third party cookie access

<dsinger> perhaps worth saying that we (at least) are interested in DNT as it's a consensus solution, rather than one-sided (like cookie or ad blocking)

<susanisrael> peterswire: end of call, but if you will be at iapp, pls email me so i can get sense of count and what kind of room we would need

<npdoty> I think third-party servers with a satisfactory ./well-known/dnt would be a great time to relax the cookie restriction

<susanisrael> peterswire: thanks everyone, and we will be in touch for next wednesday

<npdoty> rssagent, make logs public

Summary of Action Items

[NEW] ACTION: aleecia to propose text prohibiting data append (because it requires sharing, or otherwise; with jchester) [recorded in http://www.w3.org/2013/02/27-dnt-minutes.html#action02]
[NEW] ACTION: doty to suggest how redirection proposals can factor in to the first party definition [recorded in http://www.w3.org/2013/02/27-dnt-minutes.html#action03]
[NEW] ACTION: wainberg to propose language on security vendors as service providers sharing/combining data [recorded in http://www.w3.org/2013/02/27-dnt-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.137 (CVS log)
$Date: 2013-02-27 18:16:36 $
