IRC log of DNT on 2013-03-06

Timestamps are in UTC.

16:58:41 [RRSAgent]
RRSAgent has joined #DNT
16:58:41 [RRSAgent]
logging to
16:58:57 [peterswire]
peterswire has joined #dnt
16:59:20 [phildpearce]
phildpearce has joined #dnt
16:59:55 [Wileys]
Wileys has joined #dnt
17:00:01 [moneill2]
moneill2 has joined #dnt
17:00:17 [Joanne]
Joanne has joined #DNT
17:00:23 [jchester2]
jchester2 has joined #dnt
17:00:49 [ninjamarnau]
ninjamarnau has joined #dnt
17:00:49 [dwainberg]
dwainberg has joined #dnt
17:00:52 [moneill2]
zakim, [ipcaller] is me
17:00:52 [Zakim]
sorry, moneill2, I do not recognize a party named '[ipcaller]'
17:00:58 [jchester2]
zakim, mute me
17:00:58 [Zakim]
sorry, jchester2, I don't know what conference this is
17:01:10 [David_MacMillan]
David_MacMillan has joined #dnt
17:01:32 [jchester2]
Oh No. We have driven Zakim crazy. Maybe it has taken a position on the Charter!
17:01:37 [Yianni]
Zakim, this is dnt
17:01:37 [Zakim]
ok, Yianni; that matches T&S_Track(dnt)12:00PM
17:01:37 [fielding]
peterswire, the Adobe folks (including me) are all at the Adobe Summit (digital marketing convention) today and unable to join by phone.
17:01:40 [Zakim]
+ +1.415.920.aagg
17:01:44 [moneill2]
zakim, [IPCaller] is me
17:01:45 [Zakim]
+moneill2; got it
17:01:48 [johnsimpson]
johnsimpson has joined #dnt
17:01:50 [robsherman]
Zakim, who is here?
17:01:50 [Zakim]
On the phone I see +1.703.740.aabb, +1.703.861.aaaa, +1.540.822.aacc, +1.650.787.aadd, Joanne, dwainberg, moneill2, WileyS, jchester2, Yianni, +1.301.365.aaee, +49.431.98.aaff,
17:01:53 [Zakim]
... +1.415.920.aagg
17:01:53 [Zakim]
On IRC I see johnsimpson, David_MacMillan, dwainberg, ninjamarnau, jchester2, Joanne, moneill2, Wileys, phildpearce, peterswire, RRSAgent, Zakim, Richard_comScore, jeffwilson,
17:01:53 [Zakim]
... Yianni, justin, fielding, robsherman, JamesB, efelten, rigo, schunter
17:01:56 [robsherman]
zakim, aabb is robsherman
17:01:56 [Zakim]
+robsherman; got it
17:01:56 [Yianni]
zakim, mute me
17:01:57 [Zakim]
Yianni should now be muted
17:02:01 [Zakim]
+ +44.772.301.aahh
17:02:01 [Zakim]
17:02:04 [dan_auerbach]
dan_auerbach has joined #dnt
17:02:07 [peterswire]
anyone willing to scribe?
17:02:17 [jeffwilson]
zakim, aaaa is jeffwilson
17:02:17 [Zakim]
+jeffwilson; got it
17:02:33 [ninjamarnau]
zakim, aaff is ninjamarnau
17:02:37 [Zakim]
+ninjamarnau; got it
17:02:38 [Chris_IAB]
Chris_IAB has joined #dnt
17:02:42 [sidstamm]
sidstamm has joined #dnt
17:02:52 [Chris_IAB]
just joined via phone from a blocked number
17:03:00 [Zakim]
17:03:03 [sidstamm]
Zakim, Mozilla has sidstamm
17:03:03 [Zakim]
+sidstamm; got it
17:03:05 [Zakim]
+ +1.917.974.aaii
17:03:11 [justin]
zakim, aaii is justin
17:03:11 [Zakim]
+justin; got it
17:03:28 [Zakim]
17:03:40 [hefferjr]
hefferjr has joined #dnt
17:04:10 [Zakim]
17:04:30 [Zakim]
17:04:32 [Zakim]
+ +1.202.681.aajj
17:04:42 [npdoty]
npdoty has joined #dnt
17:04:54 [rigo]
zakim, code?
17:04:54 [Zakim]
the conference code is 87225 (tel:+1.617.761.6200, rigo
17:05:03 [npdoty]
rrsagent, make logs public
17:05:05 [Zakim]
17:05:16 [Zakim]
17:05:21 [npdoty]
hefferjr, can you scribe for us, Ronan?
17:05:27 [ChrisPedigoOPA]
ChrisPedigoOPA has joined #dnt
17:05:27 [BerinSzoka]
BerinSzoka has joined #DNT
17:05:31 [npdoty]
scribenick: hefferjr
17:05:32 [Zakim]
17:05:41 [rigo]
zakim, ??P49 is Rigo
17:05:41 [Zakim]
+Rigo; got it
17:05:47 [vincent]
vincent has joined #dnt
17:05:49 [rigo]
zakim, mute me
17:05:49 [Zakim]
Rigo should now be muted
17:05:55 [Chapell]
Chapell has joined #DNT
17:06:10 [Zakim]
+ +1.650.465.aakk
17:06:14 [Yianni]
ack yianni
17:06:30 [hefferjr]
swire: Before going into the substance, Nick Doty, can you tell us about the face-to-face in May?
17:06:54 [hefferjr]
doty: looking a hosting option in CA bay area for 2-3 days in week of May 6 or May 13
17:07:07 [BerinSzoka]
just remember that May 12 is mother's day. some of us might be busy--the good sons and daughters, at least
17:07:11 [Chris_IAB]
npdoty, can you send a doodle around re those dates?
17:07:12 [aleecia]
aleecia has joined #dnt
17:07:15 [Zakim]
17:07:25 [Zakim]
+ +1.949.483.aall
17:07:26 [hefferjr]
doty: hope to have more details soon
17:07:47 [susanisrael]
susanisrael has joined #dnt
17:07:47 [BerinSzoka]
+1 on the Doodle idea!
17:08:10 [Zakim]
17:08:20 [BerinSzoka]
I suggest NOT doing this on the 13th or 10th
17:08:25 [hefferjr]
doty: if we have multiple hosting options, will send a Doodle.
17:08:31 [Zakim]
+ +1.917.318.aamm
17:09:04 [Zakim]
+ +
17:09:08 [rigo]
ack ri
17:09:15 [Yianni]
Zakim, mute me
17:09:15 [Zakim]
Yianni should now be muted
17:09:22 [hefferjr]
swire: rigo will be attending meeting in Berlin this Mon-Tues, update
17:09:22 [johnsimpson]
zakim, mute me
17:09:23 [Zakim]
johnsimpson should now be muted
17:09:28 [vincent]
zakim, aann is vincent
17:09:28 [Zakim]
+vincent; got it
17:09:32 [Chapell]
zakim, aamm is chapell
17:09:32 [Zakim]
+chapell; got it
17:09:51 [hefferjr]
rigo: have 22 registrations for meeting, some who announced participation won't be able to attend due to lack of time, including Berlin DPA
17:09:57 [tedleung]
tedleung has joined #dnt
17:10:03 [npdoty]
to repeat on IRC, the weeks we're looking at are May 6th-10th and (perhaps less ideal) May 13th-17th
17:10:07 [Zakim]
+ +1.609.258.aaoo
17:10:09 [johnsimpson]
will there be a phone bridge?
17:10:13 [efelten]
Zakim, aaoo is me
17:10:13 [Zakim]
+efelten; got it
17:10:40 [npdoty]
... I'm following up with tentative offers, but I would love to follow up with people who might know organizations in the SF Bay Area that could provide hosting
17:10:44 [Zakim]
17:10:44 [hefferjr]
rigo: negotiating with Peter Shaw? to get a DPA collaborator. have a pretty good mix of industry. everyone is expecting Rob to report back to the other DPAs. hosting is in German Telekom labs outside of Berlin.
17:10:49 [rigo]
17:11:02 [npdoty]
... and let me know ( if there are common meeting conflicts you know of
17:11:25 [hefferjr]
rigo: if any feedback on agenda, please notify me. Discussion ongoing about goals.
17:11:37 [johnsimpson]
will there be a phone bridge to berlin?
17:11:45 [rigo]
17:11:45 [Vinay]
Vinay has joined #dnt
17:11:46 [moneill2]
s/Peter Shaw/Peter Schaar
17:12:24 [hefferjr]
swire: circulated all links and defintions about service provider and first party, this morning. i've been struck by how related these three definitions are. one of them is the definition of first party. Justin and Heather have been working to get the barebones draft on the website.
17:12:39 [amyc]
amyc has joined #dnt
17:12:45 [npdoty]
johnsimpson, the agenda page notes that there will be a dial-in option, and we'll need to update more closely on the exact phone number (we can probably use this regular conference code)
17:12:46 [Zakim]
17:13:44 [hefferjr]
swire: I think the langauge that has been discussed, Some folks have views that the text is hard to verify (user intent). The definition was in the materials that Rob (Microsoft?) posted.
17:14:38 [hefferjr]
swire: In many websites there is only one party the users intend to interact with, but some sites the users expect to interact with multiple parties. "Reasonably expect" definition.
17:15:02 [npdoty]
Zakim, who is on the phone?
17:15:02 [Zakim]
On the phone I see robsherman, jeffwilson, +1.540.822.aacc, +1.650.787.aadd, Joanne, dwainberg, moneill2, WileyS, jchester2, Yianni (muted), +1.301.365.aaee, ninjamarnau,
17:15:05 [Zakim]
... +1.415.920.aagg, +44.772.301.aahh, ??P12, [Mozilla], justin, johnsimpson (muted), +1.202.681.aajj, hefferjr, Chris_Pedigo, Rigo, +1.650.465.aakk, Susan_Israel, +1.949.483.aall,
17:15:05 [Zakim]
... Aleecia, chapell, vincent, efelten, TedLeung, [Microsoft]
17:15:05 [Zakim]
[Mozilla] has sidstamm
17:15:15 [hefferjr]
swire: there are additional details that Rob has proposed. Laura Gelman? expressed concern about too broad a loophole.
17:15:53 [justin]
17:16:24 [rigo] was me giving up in this discussion
17:16:36 [npdoty]
Zakim, aadd is bscannell
17:16:36 [Zakim]
+bscannell; got it
17:16:41 [hefferjr]
swire: third issue that is related gets back to issue of service provider or third party. in one case, they are operating a site jointly and there are 2 first parties. in other cases there is one operator with help from a data processor.
17:17:58 [hefferjr]
swire: to highlight what Chris did, he added a useful term "business associate" for one who has contracted to provide service. this is similar to HIPPA. non-normative language says that data can be used by service provider for "proper management" of the service (again, taken from HIPPA).
17:18:13 [Richard_comScore]
I am 540-822-xxxx
17:18:23 [Zakim]
+ +1.215.480.aapp
17:18:47 [npdoty]
Zakim, aacc is Richard_comScore
17:18:47 [Zakim]
+Richard_comScore; got it
17:18:49 [WaltM_Comcast]
WaltM_Comcast has joined #DNT
17:18:50 [Chris_IAB]
Chris_IAB has joined #dnt
17:18:57 [hefferjr]
swire: how do we let the data processor run its business, but still have the safeguards that the group wants to have in place?
17:19:24 [npdoty]
Zakim, who is making noise?
17:19:25 [johnsimpson]
17:19:35 [Zakim]
npdoty, listening for 10 seconds I heard sound from the following: +1.301.365.aaee (79%)
17:19:55 [phildpearce]
yes: I`m calling from +44.772
17:20:02 [hefferjr]
swire: definition of first party is important in our document and sometimes organizations want to have more than one first party. having first-party status has certain advantages under the spec and having multiple first-parties could be a loophole or it could just be normal operation.
17:20:11 [npdoty]
Zakim, aaee is peterswire
17:20:11 [Zakim]
+peterswire; got it
17:20:12 [hefferjr]
swire: we need a clear definition of roles.
17:20:14 [peterswire]
17:20:17 [peterswire]
17:20:18 [npdoty]
Zakim, aahh is phildpearce
17:20:18 [Zakim]
+phildpearce; got it
17:21:04 [hefferjr]
swire: Rob Sherman, briefly explain proposal and then have Justin explain concerns.
17:21:45 [hefferjr]
Sherman: this issue goes into the text from Jonathan Mayer. i don't feel strongly about the specific formulation. i think we should get this right and talk about general purpose.
17:22:15 [hefferjr]
sherman: the intent is not to say that every website has multipel first parties and that putting a logo on a website creates a first-party relationship.
17:22:28 [npdoty]
Zakim, aall is probably JamesB
17:22:28 [Zakim]
+JamesB?; got it
17:22:40 [peterswire]
17:22:58 [Wileys]
17:23:08 [hefferjr]
sherman: when there are mulitple operators of a site, we need to be able to express that. another example is Yahoo! and AT&T where Yahoo! provides functionality for AT&T customers. both privacy policies are on the website.
17:23:49 [hefferjr]
sherman: we need to be able to accommodate that example where both companies are present. a lot of what i heard in the email list were edge-cases, but we need to be able to figure out the basic concept.
17:24:02 [efelten]
What does it mean for a company to "be present
17:24:10 [hefferjr]
sherman: my suggestion is that we start with the broader concept, and then the edge cases.
17:24:12 [efelten]
"… on a site?
17:24:25 [rigo]
but I wonder how I can tell Facebook not to collect data while interacting with Macey's
17:24:29 [AnnaLong]
AnnaLong has joined #dnt
17:24:30 [Zakim]
17:25:09 [hefferjr]
justin: i don't love the idea of multiple first-parites, so I responded with language that tried to carve-out that Yahoo!/AT&T example. the platform example is a different question, like
17:25:35 [aleecia]
Is Adrian ok with this or does MSFT want to follow a traditional approach? We should keep the same across both docs. (I favor the multi-first, if we can work out details)
17:25:51 [Wileys]
Rigo, I disagree - its not a simple matter to allow multiple 1st parties technically and brands do NOT want to be disintermediated with their users from a business perspective.
17:26:19 [hefferjr]
justin: this doesn't mean that there is no communication between parties. the platform is the first-party and the content-generator provides the content. privacy policies and branding don't really help here. I tried to carve-out something really specific, but it still needs some work.
17:26:39 [Chris_IAB]
17:27:06 [hefferjr]
swire: it helps to figure-out the data flows before working on language. let's try to understand the example where there is one first party or two first parties.
17:27:08 [johnsimpson]
17:28:13 [hefferjr]
swire: on facebook, facebook gets to measure what the user is doing on their site. in the US, facebook has a lot of latitude to share that information with Macy's (under their privacy policy). if there are limits on that, in that business relationship, Macy's would be blocked unless they have first-party status.
17:28:33 [jchester2]
In this case, if Macy's has a business relationship with FB, what access to data does it get?
17:28:42 [hefferjr]
swire: what would facebook's general privacy rules be about sharing that data with Macy's?
17:28:45 [samsilberman]
samsilberman has joined #dnt
17:29:28 [justin]
I'm fine with aggregate analytics going to the party that uses the platform, and the std wouldn't prohibit
17:29:35 [npdoty]
the hosting provider is probably a classic service provider relationship, right?
17:29:56 [aleecia]
One would hope
17:29:57 [hefferjr]
fb: whatever privacy policies apply dictate the practice. our practice would be to provide aggregate analytics about the users on their page. we would not be providing user-level information to Macy's. even on facebook, users expect that when they go to Macy's page, they expect that they are interacting with Macy's
17:29:58 [rigo]
Wileys, we still miss the control - tool for users in case they want to give Information to Macey's but not to Facebook
17:30:10 [hefferjr]
(who was speaking from facebook?)
17:30:22 [Joanne]
Rob Sherman
17:30:25 [jchester2]
I don't think this provides the granular info we need on Macy/FB data flows, including when it involves offline/online purchasing data for subsequent targeting.
17:30:30 [rigo]
peterswire, what if Macey's is my first party I want to interact with?
17:30:43 [npdoty]
17:31:02 [susanisrael]
npdoty, i think if you have a hosting provider with no visible brand, merely hosting on behalf of the publicly disclosed first party, then yes, the hosting provider would be a service provider, I think.
17:31:13 [hefferjr]
swire: until the user actually click to go to Macy's site to make a purchase, they would not expect to interact with Macy's. if Macy's were also a first-party then something that would be different.
17:31:14 [efelten]
17:31:17 [jchester2]
Users have no idea that they would be subject to extensive and different data collection regimes.
17:31:23 [justin]
You don't need multiple first parties for that. FB's terms as the sole first party dictates.
17:31:33 [hefferjr]
sherman: when the user is on the Macy's page, there is an expectation that the user would know that.
17:31:36 [jmayer]
jmayer has joined #dnt
17:31:48 [npdoty]
susanisrael, right. and in fact, even if I could include the logo of my hosting provider in the footer of my page, I consider them a service provider, not an independent first party with which visitors are intentionally communicating
17:31:51 [hefferjr]
swire: if we label Macy's as a first-party then they get user-leve
17:32:05 [Zakim]
17:32:09 [Zakim]
17:32:10 [hefferjr]
sherman: if you go to Macy's page and comment or like, Macy's would be able to see user-level info on thoat
17:32:13 [peterswire]
17:32:15 [justin]
It doesn't matter if they're a first party.
17:32:24 [johnsimpson]
17:32:28 [Zakim]
17:32:34 [npdoty]
robsherman was describing the current state of Facebook functionality there
17:32:38 [npdoty]
ack Chris_IAB
17:32:52 [susanisrael]
npdoty, I agree
17:32:52 [jchester2]
17:32:54 [jchester2]
zakim, unmute me
17:32:54 [Zakim]
jchester2 was not muted, jchester2
17:32:56 [laurengelman]
laurengelman has joined #dnt
17:33:00 [peterswire]
17:33:26 [hefferjr]
chrismaheia: we are trying to find a definition for first-party that is dependent on our definition of service provider. a chicken-and-egg problem. we have to think about service providers with respect to first-party. cannot silo the definitions. have we nailed-down service provider?
17:33:28 [justin]
Also, to be clear, Facebook is *not* Macy's service provider in my scenario. Or if they are, it doesn't matter, since Macy's is a third party . . .
17:33:47 [fielding]
once again, if we don't define what tracking is then this entire discussion about what the user wants is meaningless.
17:33:52 [hefferjr]
swire: i agree. in the memo from this morning I stacked the definitions for first-party, multiple-first-party, and service provider.
17:34:05 [tedleung1]
tedleung1 has joined #dnt
17:34:34 [rigo]
fielding, on FB there is no tracking, ever, as there is always a first party
17:34:56 [hefferjr]
swire: if Macy's is a service provider for facebook or facebook is a service provider for Macy's then there would be something that would surprise business people and facebook would silo the data (or Macy's would), and the service provider would be limited in how to use the data.
17:35:06 [aleecia]
Rigo, there is tracking. We just don't care under DNT
17:35:17 [peterswire]
17:35:26 [hefferjr]
swire: i think one of the companies would be considered a third-party, since neither would be a service provider under our current def.
17:36:12 [aleecia]
I think Roy is at least as interested in scope as a definition of tracking.
17:36:18 [npdoty]
ack efelten
17:36:20 [hefferjr]
sherman: could be multple roles at the same time. someone who has come to facebook and viewed (or clicked) on a Macy's ad, they have interacted with Macy's so facebook could be considered a service provider for Macy's, but they are still a first-party
17:36:25 [johnsimpson]
17:36:31 [npdoty]
17:36:41 [fielding]
i you don't define what it means, telling me that it exists or not is pointless -- I can't tell you what we do (or not) without a concrete definition.
17:36:48 [robsherman]
ack Chris_IAB
17:37:09 [hefferjr]
felton: user expectations about who they are interacting with is a big part of the definition and it is important to think about when the user forms that expectation. does the user form the expectation when they click on an ad? data collection has already happened before that.
17:37:29 [robsherman]
efelten: What happens with a URL that doesn't mention the name of *any* entity?
17:37:33 [npdoty]
17:38:06 [Wileys]
Ed - this is the same issue with the ePrivacy Directive - how do you request consent prior to a page load? this is why most countries have moved to "informed consent" where branding, transparency, and notice achieve the desired outcome.
17:38:20 [npdoty]
I think we assume the resulting page is the first party even if the URL was masked for the user (a href="">click here</a>
17:38:36 [hefferjr]
felton: if you use a URL to go to it is clear that you are interacting with facebook. a "like" button is also clear. the second point is about how the parts of the standard disclosing back to the user would work. we have the well-known URI with first-party/third-party. how would that work if there are multiple first parties? there is not necessarily a URL where the UA would know to look.
17:38:42 [npdoty]
17:38:54 [peterswire]
17:39:10 [hefferjr]
felton: this is both TPE and compliance spec. the compliance spec talks about what it means to say that you are a first-party.
17:39:15 [npdoty]
17:39:24 [robsherman]
npdoty: I didn't mean the HTML anchor but the URL itself. What if the Washington Post ran a website called
17:39:35 [hefferjr]
sherman: does addding first parties as a concept require a change to TPE?
17:39:43 [robsherman]
17:39:48 [Wileys]
Ed and Peter - I don't believe so - as being 1st party means you can simply ignore the DNT header
17:40:07 [hefferjr]
efelten: yes, it wouldn't be clear to the UA to go to Macy's to get URI.
17:40:10 [aleecia]
You cannot ignore. You still ack.
17:40:15 [npdoty]
I think it would require a change; the tracking status resource currently indicates the first party
17:40:20 [aleecia]
And cannot share
17:40:31 [Wileys]
Aleecia - Ack is fair
17:40:46 [Wileys]
Aleecia - and the Ack would state 1st party
17:40:46 [hefferjr]
efelten: we need to think more broadly about how user exceptions work. we need to make sure that we don't break anything in the standard.
17:41:06 [Wileys]
17:41:16 [npdoty]
17:41:22 [aleecia]
Yes -- ok, you're doing shorthand for "ignore" and not literal. That's fine, we agree
17:41:41 [npdoty]
q+ to comment on the current state of TPE
17:41:42 [hefferjr]
swire: if we want to have multiple first-parties it sounds like there is a way to fit this together with TPE. is there anyone who wants to take on that task (who supports having multiple first parties)?
17:41:44 [Wileys]
Peter - Shane raises hand
17:41:55 [npdoty]
ack Yianni
17:42:11 [justin]
q- -
17:42:18 [justin]
q- peter
17:42:32 [justin]
ack npdoty
17:42:32 [Zakim]
npdoty, you wanted to comment on the current state of TPE
17:42:49 [hefferjr]
doty: current state of the TPE contains an array for first-pary in case there are multiple parties claiming to be first party. the tracking status resource from facebook would need to indicate Macy's as another first-party.
17:42:52 [fielding]
The tracking status resource only indicates which set of requirements are being complied with -- no server can tell you whether a given interaction was invoked in a first party context.
17:43:11 [Wileys]
Ed - can be used either way
17:43:12 [aleecia]
Yes, as I u dersatnd
17:43:13 [hefferjr]
efelten: does that not indicate that all parties follow the same policy?
17:43:53 [hefferjr]
efelten: it is important to provide accurate compliance information. is facebook responsible for providing information about Macy's policy?
17:44:07 [hefferjr]
doty: facebook would have to update the tracking status resource to indicate the other sites.
17:44:19 [dan_auerbach]
question: wouldn't the tracking status resource array on Facebook's site be giant, if it has to have information about ALL Macy's-like Facebook pages
17:44:20 [hefferjr]
efelten: i think you break that well-known URI scheme
17:44:29 [justin]
q- shane
17:44:32 [justin]
ack wileys
17:44:32 [Joanne]
let me know when you want me to take over scribing Ronan
17:44:39 [peterswire]
17:44:50 [Chris_IAB]
agree with efelten, that it could be complicated
17:45:24 [Joanne]
<scribenick> Joanne
17:45:24 [npdoty]
Zakim, mute Yianni
17:45:24 [Zakim]
Yianni should now be muted
17:45:40 [hefferjr]
shane: i was going to make similar comments to Nick, we put in the spec to accommodate multiple first parties. we might need to indicate multiple resources (change).
17:45:44 [Joanne]
WileyS: go back to TPE and look at this
17:46:02 [hefferjr]
shane: it is also worth going through compliance spec to find instances of assuming that there is one first party.
17:46:05 [justin]
Don't think that's a problem in compliance, but I could be wrong.
17:46:09 [Joanne]
Efelten: worth going back through compliance spec to make sure we are not msissing casess
17:46:25 [robsherman]
Sounds good - thanks.
17:46:34 [hefferjr]
swire: Rob, Ed, and Shane should work on this.
17:46:36 [npdoty]
action: Shane to review TPE for updates necessary on multiple first parties (with Ed, Nick, RobS, possibly fielding)
17:46:36 [trackbot]
Created ACTION-375 - Review TPE for updates necessary on multiple first parties (with Ed, Nick, RobS, possibly fielding) [on Shane Wiley - due 2013-03-13].
17:46:37 [johnsimpson]
I'd like to be involved
17:46:37 [Joanne]
peterswire: thank you Shane for leading. Nick, Ed, and Rob to stay in close touch (may have missed some names here)
17:46:51 [Joanne]
...nick to assign action item. timeframe?
17:47:01 [npdoty]
action-375 due 3/18
17:47:01 [trackbot]
Set ACTION-375 Review TPE for updates necessary on multiple first parties (with Ed, Nick, RobS, possibly fielding) due date to 3/18.
17:47:06 [Joanne]
wileys: 2 weeks due to number of folks involved
17:47:14 [hefferjr]
swire: 2-weeks but due on COB Monday (EST) so that people can review before the Wed meeting.
17:47:27 [johnsimpson]
shane, i'd like to be in volved
17:47:29 [Joanne]
Peterswire: would like it by COB Monday to give people time to read prior to call
17:47:40 [peterswire]
17:47:49 [Joanne]
WileyS; will let group know if can;t meet timeframe
17:47:56 [fielding]
I would prefer to do more work on our mailing list.
17:47:58 [npdoty]
efelten, do you want to take an action to review compliance spec for assumptions on single first party? /cc justin
17:48:10 [Wileys]
John - please send me an email reminder and I'll include you in the email string. Note - I'm focused on the TPE side of the equation - NOT the compliance doc side.
17:48:27 [npdoty]
action-375: loop in johnsimpson
17:48:27 [trackbot]
Notes added to ACTION-375 Review TPE for updates necessary on multiple first parties (with Ed, Nick, RobS, possibly fielding).
17:48:30 [hefferjr]
chester: I think this discussion is helpful, but for user expectations there are distinct practices (data collection). One would not be aware of the facebook vs Macy's practices. Users interacting with widgets, we need to examine if users are induced to do so.
17:48:33 [peterswire]
17:48:35 [jchester2]
zakim, mute me
17:48:35 [Zakim]
jchester2 should now be muted
17:48:38 [npdoty]
ack jchester
17:48:38 [robsherman]
17:48:47 [npdoty]
Zakim, mute jchester2
17:48:47 [Zakim]
jchester2 should now be muted
17:48:48 [Joanne]
JeffChester: discussion helpful. need to take user expectations into account. when interacting with widgets because they may be induced to do so and may not be aware of party's data collection practices
17:48:49 [jchester2]
zakim, mute me
17:48:49 [Zakim]
jchester2 was already muted, jchester2
17:49:33 [hefferjr]
sherman: it sounds like there are 2 buckets, combining the various comments. in the easier case, there are 2 companies providing the website. the other is the "platform" case. i am happy to work off-list.
17:49:37 [Joanne]
RobSherman: suggest path forward. sounds like 2 buckets. easier cases of two companies to provide one site and then the platform case. will work with Justin on this
17:49:50 [Joanne]
Peterswire: will COB Monday ET work
17:49:52 [hefferjr]
swire: Mon COB deadline for that also
17:49:55 [Joanne]
RobSherman: yes
17:50:22 [npdoty]
action: sherman (with justin) to propose updates on multiple first parties (distinguishing between the one site and platform)
17:50:22 [trackbot]
Created ACTION-376 - (with justin) to propose updates on multiple first parties (distinguishing between the one site and platform) [on Rob Sherman - due 2013-03-13].
17:50:42 [ChrisPedigoOPA]
17:50:51 [npdoty]
action-376 due 3/18
17:50:51 [trackbot]
Set ACTION-376 (with justin) to propose updates on multiple first parties (distinguishing between the one site and platform) due date to 3/18.
17:50:57 [hefferjr]
swire: incentive effects: today we have the web where there are multiple first-parties. in the future, under the spec, people might have an incentive to build multiple first parties to gain rights under the spec. how would these propsals create a compliance "trick"?
17:51:02 [rigo]
is there unfair advantage for FB company pages compared to a normal web scenario?
17:51:04 [hefferjr]
yes, thanks.
17:51:10 [npdoty]
ack robsherman
17:51:15 [npdoty]
scribenick: Joanne
17:51:25 [Joanne]
Peterswire: descrbie incentive effect. people could get first party status if they do a, b, and c. How can proposal change incientive to gain first party status. Answer the question what is the incentive effect down the line
17:52:25 [Wileys]
+1 - as I stated earlier, business dynamics resist multi-1st party scenarios
17:52:27 [laurengelman]
publishers let hundreds and hundreds of players in the advertising chain cookie their site now
17:52:42 [Joanne]
Chris P; if I am pub, pubs may not allow third party to become first party because it may devalue first party. first party may be incentivized to push down third parties
17:52:42 [peterswire]
17:52:51 [npdoty]
ack ChrisPedigoOPA
17:53:05 [jchester2]
we can't develop a spec based on what publishers might do. Given the extensive data collection practices of publishers, working closely with major data providers, this is a serious issue.
17:53:08 [Joanne]
Chris P: members incorporating cntract lang to limit what third parties can do
17:53:09 [justin]
Yes, YouTube has an interest in not letting Fox get all their data. So maybe they'll be forced to stop letting them offer such clearly branded pages? Is that the right result?
17:53:24 [Chris_IAB]
Chris P brings up an interesting, perhaps unintended, consequence: competition issues re DNT
17:53:29 [Joanne]
...rules of the road to keep 3rd party as a third party
17:54:03 [Joanne]
Peterswire: Shane to lead TPE review and Justin to write lang on compliance side (Nick did I capture that correctly)
17:54:20 [npdoty]
Topic: Service Provider
17:54:27 [Joanne]
who is talking
17:54:32 [npdoty]
17:55:15 [Joanne]
Chris: lthought about including data controleer but includes other bagge. business associate terms seemed to work well there
17:55:25 [aleecia]
Nick - wouldn't you have FB ack as first and Macy's ack as first, rather than share an array?
17:55:46 [npdoty]
aleecia, I think there's only a single tracking status resource for a single HTTP response
17:55:48 [susanisrael]
*Joanne, Chris Pedigo is talking
17:55:59 [Joanne]
...included sentence data processors may merge and use data for fruad prevention and want to allow for that
17:56:15 [peterswire]
17:56:23 [Joanne]
...non-normative text refernce back to those allowances are allowed under existing laws today
17:57:01 [Joanne]
Peterswire: to clarify. third party langauge has been deleted. Chris' email version correct. Memo version incorrect
17:57:31 [aleecia]
And cached data was the issue for well-known URI. Hm. Is that likely a big issue here? (I fear yes)
17:57:33 [rigo]
17:57:43 [npdoty]
not all associates are businesses, right?
17:57:57 [Joanne]
...pleads guilty to intro to business assicoate term. afraid it doesn't work. in HIPAA world - means service provider and its upside down for DNT context
17:58:23 [Joanne]
...don't want to use controller due to legal baggage. nedd to continue to look for right term
17:58:35 [peterswire]
17:58:37 [npdoty]
aleecia, if who-is-within-the-first-party varies by response, the server will have to forgo caching in some cases
17:58:41 [npdoty]
ack rigo
17:58:50 [Joanne]
..David W has open action item on de-bugging polus data security. Has two weeks versus one week
17:59:11 [Zakim]
- +1.202.681.aajj
17:59:24 [npdoty]
was "contracting party" suggested by Peter?
17:59:42 [Joanne]
Rigo: we create more baggage, complexity for maybe political reasons becuase we turn explantory text into normative text. thinks Dsinger text is better
17:59:53 [peterswire]
"counter party" often used in financial and other settings -- the other party to a contract
18:00:13 [Joanne]
...(not catching Rigo's point)
18:00:48 [susanisrael]
rigo, I think the idea is that the service provider cannot use the data on its own
18:00:57 [npdoty]
rigo, do you have a link to text from dsinger on this?
18:01:03 [ChrisPedigoOPA]
Justin, answering your earlier question, yes - one outcome could be YouTube limiting Fox's ability to get data.
18:01:27 [Joanne]
will fit better into political discussion and with advocates.
18:02:00 [Joanne]
Rigo - can you provide link to David Singer's text?
18:02:29 [fielding]
Dynamic per-resource tracking status is already supported in TPE when it is needed. We can't cache any better than the complexity of how the server is implemented to adhere to DNT.
18:02:29 [Wileys]
Rigo - so you agree that a Service Provider is granted the same Permitted Uses as a 3rd party, correct?
18:02:55 [Joanne]
....service provider can do security stuff but not permitted use
18:02:59 [aleecia]
Nick would it be possible to just have multi-first party go with known URI?
18:03:09 [Joanne]
peterswire: similar to EU law?
18:03:10 [justin]
chrispedigoopa, isn't the better answer saying YT is the first party, and then they can set the terms for data sharing on their platform?
18:03:36 [Joanne]
Rigo: huge difference. I can work on your behalf and still use what I did on your behalf for my own purposes
18:04:08 [johnsimpson]
18:04:15 [Joanne]
Peterswire: what about routine maitenance and run there operations as allowed under HIPAA. current lang does not support this
18:04:26 [aleecia]
I've forgotten by now why and when caching broke known URIs, despite having written about it, but it's been going on two years
18:04:52 [npdoty]
aleecia, I believe we're discussing multiple first parties for a single HTTP request/response; there will only be a single tracking status resource for that response, which may be cached (if it's the same for all responses on that server) or not
18:04:54 [ChrisPedigoOPA]
Justin, under that scenario, the two parties could not share data without violating DNT
18:05:03 [Joanne]
Rigo: that needs to be clarified. every party ahas duty to keep data secure. we all agree that service provider should not use data for its own purposes. only as dictated by first party
18:05:26 [rigo]
"no own rights" is just not "working on behalf"
18:05:48 [peterswire]
18:05:53 [Joanne]
Peterswire: I think we agree on that. but routinue actions won't be spelled out in contract. How can those be permitted under current lang
18:06:03 [ChrisPedigoOPA]
Need to allow flexibility for multiple first parties, while understanding that companies aren't going to be rushing out to do this because they don;t always want to share data
18:06:17 [fielding]
I disagree -- a service provider is the first party as far as our requirements are concerned as long as the data retention is siloed or deidentified.
18:06:45 [Joanne]
...suggest Peter, Rigo, and Chris P follow up on this to get to an approach
18:06:58 [Joanne]
Rigo: yes, its a small clarification
18:07:20 [npdoty]
action: ChrisPedigoOPA (with rigo, peterswire) to follow up on service provider and independent rights clarification
18:07:20 [trackbot]
Error finding 'ChrisPedigoOPA'. You can review and register nicknames at <>.
18:07:29 [npdoty]
action: pedigo (with rigo, peterswire) to follow up on service provider and independent rights clarification
18:07:29 [trackbot]
Created ACTION-377 - (with rigo, peterswire) to follow up on service provider and independent rights clarification [on Chris Pedigo - due 2013-03-13].
18:07:36 [npdoty]
action-377 due 3/18
18:07:36 [trackbot]
Set ACTION-377 (with rigo, peterswire) to follow up on service provider and independent rights clarification due date to 3/18.
18:07:42 [justin]
chrispedigoopa, No, it depends on what the site has messaged to users and what they've agreed to. YT could certainly clearly message frictionless sharing of passive site activity. Quora does that today, I think, and some of the social reading apps on FB.
18:07:43 [Joanne]
Peterswire: Chris you have lead on this. Week form Monday. Talk in Berlin and get meeting f the minds
18:08:06 [npdoty]
justin, is that compatible with the restrictions in First Party Compliance today?
18:08:43 [Joanne]
....we have talked about first party,multiple first party, and service provider. Propose in last 20 mins to look at market research discussion and thinking
18:08:57 [fielding]
A SP must be able to receive data for many companies, parse it, and only retain it in siloed form outside of the general form except for what is necessary for overall security and what is aggregated/deidentified for capacity planning.
18:09:21 [justin]
npdoty, the first party compliance section is a mess today, and I've said repeatedly that the text is messed up.
18:09:22 [Zakim]
18:09:38 [rigo]
David's text was: The outsourced company has no independent rights to the collected information
18:09:51 [Joanne]
Richard_Comscore: market research group met worked to refine auidence measurement as a permitted use. Definition needed to be tighten up. Look at Kathy Joe's text sent around this AM
18:10:21 [johnsimpson]
Justin, how a mess?
18:10:54 [Joanne]
....some concerns may lie around the retention period and may be dictated by regulation, audting reqs, etc. diff bodies have diff reqs. auditing period is precieved to be dictated by
18:11:13 [Joanne]
...the market research cos but by the regulatory body
18:11:30 [jchester2]
The auditing requirements are set by industry. It hasn't accommodated the privacy issues.
18:11:43 [Joanne]
...why we tried to hit 53 weeks to meet the sweet spot to meet cross country requirements
18:12:17 [npdoty]
though our MRC briefer told us they waived retention duration requirements for providers who minimize data for privacy purposes, right?
18:12:35 [justin]
npdoty, johnsimpson, If nothing else, we should add an explicit statement saying you can get consent to share with third parties that couldn't otherwise get. May already be implicit, but should add.
18:12:39 [Joanne]
..purpose limitation - typcial needs demo'd by clients and need to do validated measurements as opposed to ads that may never be seen because appear at bottom of page
18:13:11 [jchester2]
In the real-time and ongoing campaign targeting environment, such retention times need to be reviewed. It's about individual users ultimately.
18:13:18 [Joanne]
Peterswire: to extent visitor is a repeat, is that psuedynoous (sp)
18:13:19 [efelten]
You can't recognize a particular browser or user when they come back later?
18:13:27 [Joanne]
Richard_Cpomscore: correct
18:13:50 [Joanne]
Peterswire: will need to define term though no small task
18:14:07 [jchester2]
Richard: Can you provide further details on this. The market research is used to fine-tune targeting of users.
18:14:27 [Joanne]
Richard_Comscore: list not intended to be comprehensive
18:14:42 [Joanne]
Peterswire: should it be broader or narrower?
18:15:08 [Joanne]
Richard_Comscore: open to suggested edits to the text eg terminology
18:15:13 [Zakim]
18:15:37 [jchester2]
We need to have specifics presented on how it is used in the digital marketing "ecosystem."
18:15:49 [Joanne]
Peterswire: two thigs. One - people who touch data are under confidentialty code. are there codes on what is expected.
18:16:10 [Joanne]
Richard_Comscore: yes ther is a code that members agree to
18:16:27 [jchester2]
Peter: Any code would need to have a honest analysis of actual use practices.
18:16:33 [rigo]
ack ri
18:16:37 [susanisrael]
susanisrael has joined #dnt
18:16:43 [Joanne]
Peterswire: Tow: will this work a use case discussion on Monday and Tuesday. Rigo - will this fit?
18:16:58 [jchester2]
Peter: Why is this being discussed in Berlin, when many of us can't be there?
18:17:00 [npdoty]
per efelten's comments in email, is it possible for us to clarify what the actual normative text would be for this proposal?
18:17:43 [Joanne]
Rigo: it could go to issue creation or have it during product session or in the disucssion around consent. (short answer - yes)
18:18:06 [Zakim]
18:18:47 [Joanne]
Rigo: audience measurement important use case
18:18:55 [Joanne]
...warrants discussion
18:19:16 [Joanne]
Peterswire: relevant to both global considerations and the standard
18:19:16 [efelten]
It would be useful to have a clear explanation of why third-party tracking of users without consent is necessary for these purposes.
18:20:04 [Joanne]
Rigo: Tuesday one is better - consent. no one from ESOMAR (?) attending and it would be good to have them in the room
18:20:18 [jchester2]
18:20:23 [jchester2]
zakim, unmute me
18:20:23 [Zakim]
jchester2 should no longer be muted
18:20:30 [Joanne]
...encourage them to attend and people who understand measurement will be there
18:20:37 [aleecia]
Nick so I think we're talking more frito/yahoo, rather than FB like button, which is what we've typically discussed. I confess to over multitasking today. But I think I'm finally getting why I've had e wrong model of discussion , thanks
18:20:45 [Joanne]
Peterswire: lets continue figuring this out off list
18:21:02 [aleecia]
Joanne - really nice scribing all call, which I appreciate greatly. Thanks!
18:21:12 [npdoty]
18:21:17 [Joanne]
...thanks to the group that worked on this. needs to be put into standard W3C lang
18:21:18 [peterswire]
18:21:21 [npdoty]
ack jchester
18:21:50 [rigo]
jeff, it will come back to this group anyway
18:21:50 [Chris_IAB]
agree with jchester2
18:21:53 [Joanne]
JeffChester: many of us not going to Berlin. would like conversation on the regular call. should include entire group
18:22:16 [Joanne]
Peterswire: we'll have oppy to work on this
18:22:30 [jchester2]
zkim, mute me
18:22:36 [npdoty]
Zakim, mute jchester
18:22:36 [Zakim]
jchester2 should now be muted
18:22:36 [Joanne]
JeffChester: disagress and ask Peter to reconsider it
18:22:37 [jchester2]
zakim, mute me
18:22:37 [Zakim]
jchester2 was already muted, jchester2
18:23:00 [npdoty]
Topic: De-Identification
18:23:01 [Joanne]
DanA: likes 1:30 AM PT
18:23:02 [Wileys]
-1 for the rest of us on the West coast :-)
18:23:09 [npdoty]
+1 on 1:30am PT
18:23:10 [susanisrael]
*I am also willing to do 4:30 EST
18:23:36 [peterswire]
18:23:47 [Joanne]
DanA:: deidentified term. issue discussed at F2F and that deidentified is better versus unlinkabile
18:23:50 [Zakim]
18:24:25 [Chris_IAB_]
Chris_IAB_ has joined #dnt
18:24:29 [Joanne]
...inclarifying FTC lang. Happy to take Rob and Shane's edits to more closely mirror FTC lang
18:25:11 [Joanne]
...happy to bracket second clause of def. It is a more gransular committment versus the comply with DNT committmeent.
18:25:34 [peterswire]
18:25:36 [robsherman]
18:25:42 [Joanne]
Peterswire: put inot brackets for now. if no committment else where in package we need to have it here
18:25:45 [npdoty]
if we take out the public commitment, we would need to say that the party won't try to re-identify the data
18:26:37 [Joanne]
RobSherman: if the cleanest way to do this use FTC lang but ???(didn't catch last part of Rob's point)
18:26:40 [peterswire]
18:27:16 [Joanne]
DanA: won't have exact FTC lang. not alot lost if we deviate (sp) in this case
18:27:27 [Chris_IAB_]
can someone post the link for this thread?
18:27:34 [Joanne]
Peterswire: Dan to update lang for next compliance meeting
18:27:42 [npdoty]
18:27:44 [robsherman]
s/???/clarify that we think "reasonable measures" require all three of physical, technical, and procedural safeguards/
18:28:07 [Zakim]
18:28:14 [npdoty]
action: auerbach to update de-identification definition based on feedback from Rob, Shane, public commitment
18:28:14 [trackbot]
Created ACTION-378 - Update de-identification definition based on feedback from Rob, Shane, public commitment [on Dan Auerbach - due 2013-03-13].
18:28:23 [Zakim]
18:28:23 [Joanne]
Peterswire: happy travels to those going to Berlin and next compliance call 2 weeks
18:28:24 [Zakim]
18:28:24 [Zakim]
18:28:25 [Zakim]
18:28:25 [Zakim]
18:28:25 [Zakim]
18:28:25 [peterswire]
peterswire has left #dnt
18:28:26 [Zakim]
18:28:26 [Zakim]
18:28:27 [Zakim]
18:28:27 [Zakim]
18:28:27 [Zakim]
18:28:27 [Zakim]
18:28:27 [Zakim]
- +1.415.920.aagg
18:28:27 [Zakim]
18:28:27 [Zakim]
18:28:28 [Zakim]
18:28:28 [Zakim]
- +1.650.465.aakk
18:28:28 [Zakim]
18:28:29 [Zakim]
18:28:30 [Zakim]
18:28:30 [npdoty]
dan_auerbach, is March 13th a good deadline for that action?
18:28:32 [johnsimpson]
johnsimpson has left #dnt
18:28:33 [Zakim]
18:28:35 [Zakim]
18:28:37 [tedleung1]
tedleung1 has left #dnt
18:28:37 [Zakim]
18:28:39 [rigo]
RRSAgent, please draft minutes
18:28:39 [RRSAgent]
I have made the request to generate rigo
18:28:46 [Zakim]
18:28:48 [Zakim]
18:28:51 [Zakim]
18:28:53 [rigo]
rigo has left #dnt
18:29:07 [Zakim]
- +1.215.480.aapp
18:31:03 [Zakim]
18:31:04 [Zakim]
T&S_Track(dnt)12:00PM has ended
18:31:04 [Zakim]
Attendees were +1.703.861.aaaa, +1.703.740.aabb, +1.540.822.aacc, +1.650.787.aadd, Joanne, dwainberg, WileyS, jchester2, Yianni, +1.301.365.aaee, +49.431.98.aaff, +1.415.920.aagg,
18:31:04 [Zakim]
... moneill2, robsherman, +44.772.301.aahh, jeffwilson, ninjamarnau, sidstamm, +1.917.974.aaii, justin, johnsimpson, hefferjr, +1.202.681.aajj, Chris_Pedigo, Rigo, +1.650.465.aakk,
18:31:06 [Zakim]
... Susan_Israel, +1.949.483.aall, Aleecia, +1.917.318.aamm, +, vincent, chapell, +1.609.258.aaoo, efelten, TedLeung, [Microsoft], bscannell, +1.215.480.aapp,
18:31:06 [Zakim]
... Richard_comScore, peterswire, phildpearce, JamesB?, AnnaLong, Jonathan_Mayer
19:09:48 [npdoty]
npdoty has joined #dnt
20:30:34 [Zakim]
Zakim has left #dnt