W3C

- DRAFT -

SV_MEETING_TITLE

06 Mar 2013

See also: IRC log

Attendees

Present
Regrets
Chair
SV_MEETING_CHAIR
Scribe
hefferjr, Joanne

Contents


<jchester2> Oh No. We have driven Zakim crazy. Maybe it has taken a position on the Charter!

<fielding> peterswire, the Adobe folks (including me) are all at the Adobe Summit (digital marketing convention) today and unable to join by phone.

<peterswire> anyone willing to scribe?

<Chris_IAB> just joined via phone from a blocked number

<npdoty> hefferjr, can you scribe for us, Ronan?

<npdoty> scribenick: hefferjr

swire: Before going into the substance, Nick Doty, can you tell us about the face-to-face in May?

doty: looking a hosting option in CA bay area for 2-3 days in week of May 6 or May 13

<BerinSzoka> just remember that May 12 is mother's day. some of us might be busy--the good sons and daughters, at least

<Chris_IAB> npdoty, can you send a doodle around re those dates?

doty: hope to have more details soon

<BerinSzoka> +1 on the Doodle idea!

<BerinSzoka> I suggest NOT doing this on the 13th or 10th

doty: if we have multiple hosting options, will send a Doodle.

swire: rigo will be attending meeting in Berlin this Mon-Tues, update

rigo: have 22 registrations for meeting, some who announced participation won't be able to attend due to lack of time, including Berlin DPA

<npdoty> to repeat on IRC, the weeks we're looking at are May 6th-10th and (perhaps less ideal) May 13th-17th

<johnsimpson> will there be a phone bridge?

<npdoty> ... I'm following up with tentative offers, but I would love to follow up with people who might know organizations in the SF Bay Area that could provide hosting

rigo: negotiating with Peter Schaar? to get a DPA collaborator. have a pretty good mix of industry. everyone is expecting Rob to report back to the other DPAs. hosting is in German Telekom labs outside of Berlin.

<rigo> http://www.w3.org/2011/tracking-protection/130311-gloco.html

<npdoty> ... and let me know (npdoty@w3.org) if there are common meeting conflicts you know of

rigo: if any feedback on agenda, please notify me. Discussion ongoing about goals.

<johnsimpson> will there be a phone bridge to berlin?

<rigo> yes

swire: circulated all links and defintions about service provider and first party, this morning. i've been struck by how related these three definitions are. one of them is the definition of first party. Justin and Heather have been working to get the barebones draft on the website.

<npdoty> johnsimpson, the agenda page notes that there will be a dial-in option, and we'll need to update more closely on the exact phone number (we can probably use this regular conference code)

swire: I think the langauge that has been discussed, Some folks have views that the text is hard to verify (user intent). The definition was in the materials that Rob (Microsoft?) posted.
... In many websites there is only one party the users intend to interact with, but some sites the users expect to interact with multiple parties. "Reasonably expect" definition.
... there are additional details that Rob has proposed. Lauren Gelman? expressed concern about too broad a loophole.

<rigo> http://lists.w3.org/Archives/Public/public-tracking/2012Nov/0076.html was me giving up in this discussion

swire: third issue that is related gets back to issue of service provider or third party. in one case, they are operating a site jointly and there are 2 first parties. in other cases there is one operator with help from a data processor.
... to highlight what Chris did, he added a useful term "business associate" for one who has contracted to provide service. this is similar to HIPPA. non-normative language says that data can be used by service provider for "proper management" of the service (again, taken from HIPPA).

<Richard_comScore> I am 540-822-xxxx

swire: how do we let the data processor run its business, but still have the safeguards that the group wants to have in place?

<phildpearce> yes: I`m calling from +44.772

swire: definition of first party is important in our document and sometimes organizations want to have more than one first party. having first-party status has certain advantages under the spec and having multiple first-parties could be a loophole or it could just be normal operation.
... we need a clear definition of roles.

<peterswire> q/

swire: Rob Sherman, briefly explain proposal and then have Justin explain concerns.

Sherman: this issue goes into the text from Jonathan Mayer. i don't feel strongly about the specific formulation. i think we should get this right and talk about general purpose.
... the intent is not to say that every website has multipel first parties and that putting a logo on a website creates a first-party relationship.

<Wileys> att.yahoo.com

sherman: when there are mulitple operators of a site, we need to be able to express that. another example is Yahoo! and AT&T where Yahoo! provides functionality for AT&T customers. both privacy policies are on the website.
... we need to be able to accommodate that example where both companies are present. a lot of what i heard in the email list were edge-cases, but we need to be able to figure out the basic concept.

<efelten> What does it mean for a company to "be present

sherman: my suggestion is that we start with the broader concept, and then the edge cases.

<efelten> "… on a site?

<rigo> but I wonder how I can tell Facebook not to collect data while interacting with Macey's

justin: i don't love the idea of multiple first-parites, so I responded with language that tried to carve-out that Yahoo!/AT&T example. the platform example is a different question, like facebook.com/macys.

<aleecia> Is Adrian ok with this or does MSFT want to follow a traditional approach? We should keep the same across both docs. (I favor the multi-first, if we can work out details)

<Wileys> Rigo, I disagree - its not a simple matter to allow multiple 1st parties technically and brands do NOT want to be disintermediated with their users from a business perspective.

justin: this doesn't mean that there is no communication between parties. the platform is the first-party and the content-generator provides the content. privacy policies and branding don't really help here. I tried to carve-out something really specific, but it still needs some work.

swire: it helps to figure-out the data flows before working on language. let's try to understand the example where there is one first party or two first parties.
... on facebook, facebook gets to measure what the user is doing on their site. in the US, facebook has a lot of latitude to share that information with Macy's (under their privacy policy). if there are limits on that, in that business relationship, Macy's would be blocked unless they have first-party status.

<jchester2> In this case, if Macy's has a business relationship with FB, what access to data does it get?

swire: what would facebook's general privacy rules be about sharing that data with Macy's?

<justin> I'm fine with aggregate analytics going to the party that uses the platform, and the std wouldn't prohibit

<npdoty> the hosting provider is probably a classic service provider relationship, right?

<aleecia> One would hope

robsherman: whatever privacy policies apply dictate the practice. our practice would be to provide aggregate analytics about the users on their page. we would not be providing user-level information to Macy's. even on facebook, users expect that when they go to Macy's page, they expect that they are interacting with Macy's

<rigo> Wileys, we still miss the control - tool for users in case they want to give Information to Macey's but not to Facebook

(who was speaking from facebook?)

<Joanne> Rob Sherman

<jchester2> I don't think this provides the granular info we need on Macy/FB data flows, including when it involves offline/online purchasing data for subsequent targeting.

<rigo> peterswire, what if Macey's is my first party I want to interact with?

<susanisrael> npdoty, i think if you have a hosting provider with no visible brand, merely hosting on behalf of the publicly disclosed first party, then yes, the hosting provider would be a service provider, I think.

swire: until the user actually click to go to Macy's site to make a purchase, they would not expect to interact with Macy's. if Macy's were also a first-party then something that would be different.

<efelten> +q

<jchester2> Users have no idea that they would be subject to extensive and different data collection regimes.

<justin> You don't need multiple first parties for that. FB's terms as the sole first party dictates.

sherman: when the user is on the Macy's page, there is an expectation that the user would know that.

<npdoty> susanisrael, right. and in fact, even if I could include the logo of my hosting provider in the footer of my page, I consider them a service provider, not an independent first party with which visitors are intentionally communicating

swire: if we label Macy's as a first-party then they get user-leve

sherman: if you go to Macy's page and comment or like, Macy's would be able to see user-level info on thoat

<justin> It doesn't matter if they're a first party.

<npdoty> robsherman was describing the current state of Facebook functionality there

<susanisrael> npdoty, I agree

<jchester2> +q

chrismaheia: we are trying to find a definition for first-party that is dependent on our definition of service provider. a chicken-and-egg problem. we have to think about service providers with respect to first-party. cannot silo the definitions. have we nailed-down service provider?

<justin> Also, to be clear, Facebook is *not* Macy's service provider in my scenario. Or if they are, it doesn't matter, since Macy's is a third party . . .

<fielding> once again, if we don't define what tracking is then this entire discussion about what the user wants is meaningless.

swire: i agree. in the memo from this morning I stacked the definitions for first-party, multiple-first-party, and service provider.

<rigo> fielding, on FB there is no tracking, ever, as there is always a first party

swire: if Macy's is a service provider for facebook or facebook is a service provider for Macy's then there would be something that would surprise business people and facebook would silo the data (or Macy's would), and the service provider would be limited in how to use the data.

<aleecia> Rigo, there is tracking. We just don't care under DNT

swire: i think one of the companies would be considered a third-party, since neither would be a service provider under our current def.

<aleecia> I think Roy is at least as interested in scope as a definition of tracking.

Chris_IAB: could be multple roles at the same time. someone who has come to facebook and viewed (or clicked) on a Macy's ad, they have interacted with Macy's so facebook could be considered a service provider for Macy's, but they are still a first-party

<fielding> i you don't define what it means, telling me that it exists or not is pointless -- I can't tell you what we do (or not) without a concrete definition.

efelten: user expectations about who they are interacting with is a big part of the definition and it is important to think about when the user forms that expectation. does the user form the expectation when they click on an ad? data collection has already happened before that.

<robsherman> efelten: What happens with a URL that doesn't mention the name of *any* entity?

<Wileys> Ed - this is the same issue with the ePrivacy Directive - how do you request consent prior to a page load? this is why most countries have moved to "informed consent" where branding, transparency, and notice achieve the desired outcome.

<npdoty> I think we assume the resulting page is the first party even if the URL was masked for the user (a href="http://firstparty.org">click here</a>

efelten: if you use a URL to go to facebook.com it is clear that you are interacting with facebook. a "like" button is also clear. the second point is about how the parts of the standard disclosing back to the user would work. we have the well-known URI with first-party/third-party. how would that work if there are multiple first parties? there is not necessarily a URL where the UA would know to look.
... this is both TPE and compliance spec. the compliance spec talks about what it means to say that you are a first-party.

<robsherman> npdoty: I didn't mean the HTML anchor but the URL itself. What if the Washington Post ran a website called www.news.com?

peterswire: does addding first parties as a concept require a change to TPE?

<Wileys> Ed and Peter - I don't believe so - as being 1st party means you can simply ignore the DNT header

efelten: yes, it wouldn't be clear to the UA to go to Macy's to get URI.

<aleecia> You cannot ignore. You still ack.

<npdoty> I think it would require a change; the tracking status resource currently indicates the first party

<aleecia> And cannot share

<Wileys> Aleecia - Ack is fair

<Wileys> Aleecia - and the Ack would state 1st party

efelten: we need to think more broadly about how user exceptions work. we need to make sure that we don't break anything in the standard.

<Wileys> +q

<aleecia> Yes -- ok, you're doing shorthand for "ignore" and not literal. That's fine, we agree

swire: if we want to have multiple first-parties it sounds like there is a way to fit this together with TPE. is there anyone who wants to take on that task (who supports having multiple first parties)?

<Wileys> Peter - Shane raises hand

<Zakim> npdoty, you wanted to comment on the current state of TPE

doty: current state of the TPE contains an array for first-pary in case there are multiple parties claiming to be first party. the tracking status resource from facebook would need to indicate Macy's as another first-party.

<fielding> The tracking status resource only indicates which set of requirements are being complied with -- no server can tell you whether a given interaction was invoked in a first party context.

<Wileys> Ed - can be used either way

<aleecia> Yes, as I u dersatnd

efelten: does that not indicate that all parties follow the same policy?
... it is important to provide accurate compliance information. is facebook responsible for providing information about Macy's policy?

doty: facebook would have to update the tracking status resource to indicate the other sites.

<dan_auerbach> question: wouldn't the tracking status resource array on Facebook's site be giant, if it has to have information about ALL Macy's-like Facebook pages

efelten: i think you break that well-known URI scheme

<Joanne> let me know when you want me to take over scribing Ronan

<Chris_IAB> agree with efelten, that it could be complicated

<Joanne> <scribenick> Joanne

shane: i was going to make similar comments to Nick, we put in the spec to accommodate multiple first parties. we might need to indicate multiple resources (change).

<Joanne> WileyS: go back to TPE and look at this

shane: it is also worth going through compliance spec to find instances of assuming that there is one first party.

<justin> Don't think that's a problem in compliance, but I could be wrong.

<Joanne> Efelten: worth going back through compliance spec to make sure we are not msissing casess

<robsherman> Sounds good - thanks.

swire: Rob, Ed, and Shane should work on this.

<npdoty> ACTION: Shane to review TPE for updates necessary on multiple first parties (with Ed, Nick, RobS, possibly fielding) [recorded in http://www.w3.org/2013/03/06-DNT-minutes.html#action01]

<trackbot> Created ACTION-375 - Review TPE for updates necessary on multiple first parties (with Ed, Nick, RobS, possibly fielding) [on Shane Wiley - due 2013-03-13].

<johnsimpson> I'd like to be involved

<Joanne> peterswire: thank you Shane for leading. Nick, Ed, and Rob to stay in close touch (may have missed some names here)

<Joanne> ...nick to assign action item. timeframe?

<npdoty> action-375 due 3/18

<trackbot> Set ACTION-375 Review TPE for updates necessary on multiple first parties (with Ed, Nick, RobS, possibly fielding) due date to 3/18.

<Joanne> wileys: 2 weeks due to number of folks involved

swire: 2-weeks but due on COB Monday (EST) so that people can review before the Wed meeting.

<johnsimpson> shane, i'd like to be in volved

<Joanne> Peterswire: would like it by COB Monday to give people time to read prior to call

<Joanne> WileyS; will let group know if can;t meet timeframe

<fielding> I would prefer to do more work on our mailing list.

<npdoty> efelten, do you want to take an action to review compliance spec for assumptions on single first party? /cc justin

<Wileys> John - please send me an email reminder and I'll include you in the email string. Note - I'm focused on the TPE side of the equation - NOT the compliance doc side.

<npdoty> action-375: loop in johnsimpson

<trackbot> Notes added to ACTION-375 Review TPE for updates necessary on multiple first parties (with Ed, Nick, RobS, possibly fielding).

chester: I think this discussion is helpful, but for user expectations there are distinct practices (data collection). One would not be aware of the facebook vs Macy's practices. Users interacting with widgets, we need to examine if users are induced to do so.

<Joanne> JeffChester: discussion helpful. need to take user expectations into account. when interacting with widgets because they may be induced to do so and may not be aware of party's data collection practices

sherman: it sounds like there are 2 buckets, combining the various comments. in the easier case, there are 2 companies providing the website. the other is the "platform" case. i am happy to work off-list.

<Joanne> RobSherman: suggest path forward. sounds like 2 buckets. easier cases of two companies to provide one site and then the platform case. will work with Justin on this

<Joanne> Peterswire: will COB Monday ET work

swire: Mon COB deadline for that also

<Joanne> RobSherman: yes

<npdoty> ACTION: sherman (with justin) to propose updates on multiple first parties (distinguishing between the one site and platform) [recorded in http://www.w3.org/2013/03/06-DNT-minutes.html#action02]

<trackbot> Created ACTION-376 - (with justin) to propose updates on multiple first parties (distinguishing between the one site and platform) [on Rob Sherman - due 2013-03-13].

<npdoty> action-376 due 3/18

<trackbot> Set ACTION-376 (with justin) to propose updates on multiple first parties (distinguishing between the one site and platform) due date to 3/18.

swire: incentive effects: today we have the web where there are multiple first-parties. in the future, under the spec, people might have an incentive to build multiple first parties to gain rights under the spec. how would these propsals create a compliance "trick"?

<rigo> is there unfair advantage for FB company pages compared to a normal web scenario?

yes, thanks.

<npdoty> scribenick: Joanne

Peterswire: descrbie incentive effect. people could get first party status if they do a, b, and c. How can proposal change incientive to gain first party status. Answer the question what is the incentive effect down the line

<Wileys> +1 - as I stated earlier, business dynamics resist multi-1st party scenarios

<laurengelman> publishers let hundreds and hundreds of players in the advertising chain cookie their site now

Chris P; if I am pub, pubs may not allow third party to become first party because it may devalue first party. first party may be incentivized to push down third parties

<jchester2> we can't develop a spec based on what publishers might do. Given the extensive data collection practices of publishers, working closely with major data providers, this is a serious issue.

Chris P: members incorporating cntract lang to limit what third parties can do

<justin> Yes, YouTube has an interest in not letting Fox get all their data. So maybe they'll be forced to stop letting them offer such clearly branded pages? Is that the right result?

<Chris_IAB> Chris P brings up an interesting, perhaps unintended, consequence: competition issues re DNT

scribe: rules of the road to keep 3rd party as a third party

Peterswire: Shane to lead TPE review and Justin to write lang on compliance side (Nick did I capture that correctly)

Service Provider

who is talking

<npdoty> ChrisPedigoOPA:

Chris: lthought about including data controleer but includes other bagge. business associate terms seemed to work well there

<aleecia> Nick - wouldn't you have FB ack as first and Macy's ack as first, rather than share an array?

<npdoty> aleecia, I think there's only a single tracking status resource for a single HTTP response

<susanisrael> *Joanne, Chris Pedigo is talking

Chris: included sentence data processors may merge and use data for fruad prevention and want to allow for that
... non-normative text refernce back to those allowances are allowed under existing laws today

Peterswire: to clarify. third party langauge has been deleted. Chris' email version correct. Memo version incorrect

<aleecia> And cached data was the issue for well-known URI. Hm. Is that likely a big issue here? (I fear yes)

<npdoty> not all associates are businesses, right?

Peterswire: pleads guilty to intro to business assicoate term. afraid it doesn't work. in HIPAA world - means service provider and its upside down for DNT context
... don't want to use controller due to legal baggage. nedd to continue to look for right term

<npdoty> aleecia, if who-is-within-the-first-party varies by response, the server will have to forgo caching in some cases

Peterswire: David W has open action item on de-bugging polus data security. Has two weeks versus one week

<npdoty> was "contracting party" suggested by Peter?

Rigo: we create more baggage, complexity for maybe political reasons becuase we turn explantory text into normative text. thinks Dsinger text is better

<peterswire> "counter party" often used in financial and other settings -- the other party to a contract

Rigo: (not catching Rigo's point)

<susanisrael> rigo, I think the idea is that the service provider cannot use the data on its own

<npdoty> rigo, do you have a link to text from dsinger on this?

<ChrisPedigoOPA> Justin, answering your earlier question, yes - one outcome could be YouTube limiting Fox's ability to get data.

will fit better into political discussion and with advocates.

Rigo - can you provide link to David Singer's text?

<fielding> Dynamic per-resource tracking status is already supported in TPE when it is needed. We can't cache any better than the complexity of how the server is implemented to adhere to DNT.

<Wileys> Rigo - so you agree that a Service Provider is granted the same Permitted Uses as a 3rd party, correct?

scribe: service provider can do security stuff but not permitted use

<aleecia> Nick would it be possible to just have multi-first party go with known URI?

peterswire: similar to EU law?

<justin> chrispedigoopa, isn't the better answer saying YT is the first party, and then they can set the terms for data sharing on their platform?

Rigo: huge difference. I can work on your behalf and still use what I did on your behalf for my own purposes

Peterswire: what about routine maitenance and run there operations as allowed under HIPAA. current lang does not support this

<aleecia> I've forgotten by now why and when caching broke known URIs, despite having written about it, but it's been going on two years

<npdoty> aleecia, I believe we're discussing multiple first parties for a single HTTP request/response; there will only be a single tracking status resource for that response, which may be cached (if it's the same for all responses on that server) or not

<ChrisPedigoOPA> Justin, under that scenario, the two parties could not share data without violating DNT

Rigo: that needs to be clarified. every party ahas duty to keep data secure. we all agree that service provider should not use data for its own purposes. only as dictated by first party

<rigo> "no own rights" is just not "working on behalf"

Peterswire: I think we agree on that. but routinue actions won't be spelled out in contract. How can those be permitted under current lang

<ChrisPedigoOPA> Need to allow flexibility for multiple first parties, while understanding that companies aren't going to be rushing out to do this because they don;t always want to share data

<fielding> I disagree -- a service provider is the first party as far as our requirements are concerned as long as the data retention is siloed or deidentified.

Peterswire: suggest Peter, Rigo, and Chris P follow up on this to get to an approach

Rigo: yes, its a small clarification

<npdoty> ACTION: ChrisPedigoOPA (with rigo, peterswire) to follow up on service provider and independent rights clarification [recorded in http://www.w3.org/2013/03/06-DNT-minutes.html#action03]

<trackbot> Error finding 'ChrisPedigoOPA'. You can review and register nicknames at <http://www.w3.org/2011/tracking-protection/track/users>.

<npdoty> ACTION: pedigo (with rigo, peterswire) to follow up on service provider and independent rights clarification [recorded in http://www.w3.org/2013/03/06-DNT-minutes.html#action04]

<trackbot> Created ACTION-377 - (with rigo, peterswire) to follow up on service provider and independent rights clarification [on Chris Pedigo - due 2013-03-13].

<npdoty> action-377 due 3/18

<trackbot> Set ACTION-377 (with rigo, peterswire) to follow up on service provider and independent rights clarification due date to 3/18.

<justin> chrispedigoopa, No, it depends on what the site has messaged to users and what they've agreed to. YT could certainly clearly message frictionless sharing of passive site activity. Quora does that today, I think, and some of the social reading apps on FB.

Peterswire: Chris you have lead on this. Week form Monday. Talk in Berlin and get meeting f the minds

<npdoty> justin, is that compatible with the restrictions in First Party Compliance today?

Peterswire: we have talked about first party,multiple first party, and service provider. Propose in last 20 mins to look at market research discussion and thinking

<fielding> A SP must be able to receive data for many companies, parse it, and only retain it in siloed form outside of the general form except for what is necessary for overall security and what is aggregated/deidentified for capacity planning.

<justin> npdoty, the first party compliance section is a mess today, and I've said repeatedly that the text is messed up.

<rigo> David's text was: The outsourced company has no independent rights to the collected information

Richard_Comscore: market research group met worked to refine auidence measurement as a permitted use. Definition needed to be tighten up. Look at Kathy Joe's text sent around this AM

<johnsimpson> Justin, how a mess?

Richard_Comscore: some concerns may lie around the retention period and may be dictated by regulation, audting reqs, etc. diff bodies have diff reqs. auditing period is precieved to be dictated by
... the market research cos but by the regulatory body

<jchester2> The auditing requirements are set by industry. It hasn't accommodated the privacy issues.

Richard_Comscore: why we tried to hit 53 weeks to meet the sweet spot to meet cross country requirements

<npdoty> though our MRC briefer told us they waived retention duration requirements for providers who minimize data for privacy purposes, right?

<justin> npdoty, johnsimpson, If nothing else, we should add an explicit statement saying you can get consent to share with third parties that couldn't otherwise get. May already be implicit, but should add.

Richard_Comscore: purpose limitation - typcial needs demo'd by clients and need to do validated measurements as opposed to ads that may never be seen because appear at bottom of page

<jchester2> In the real-time and ongoing campaign targeting environment, such retention times need to be reviewed. It's about individual users ultimately.

Peterswire: to extent visitor is a repeat, is that psuedynoous (sp)

<efelten> You can't recognize a particular browser or user when they come back later?

Richard_Cpomscore: correct

Peterswire: will need to define term though no small task

<jchester2> Richard: Can you provide further details on this. The market research is used to fine-tune targeting of users.

Richard_Comscore: list not intended to be comprehensive

Peterswire: should it be broader or narrower?

Richard_Comscore: open to suggested edits to the text eg terminology

<jchester2> We need to have specifics presented on how it is used in the digital marketing "ecosystem."

Peterswire: two thigs. One - people who touch data are under confidentialty code. are there codes on what is expected.

Richard_Comscore: yes ther is a code that members agree to

<jchester2> Peter: Any code would need to have a honest analysis of actual use practices.

Peterswire: Tow: will this work a use case discussion on Monday and Tuesday. Rigo - will this fit?

<jchester2> Peter: Why is this being discussed in Berlin, when many of us can't be there?

<npdoty> per efelten's comments in email, is it possible for us to clarify what the actual normative text would be for this proposal?

Rigo: it could go to issue creation or have it during product session or in the disucssion around consent. (short answer - yes)
... audience measurement important use case
... warrants discussion

Peterswire: relevant to both global considerations and the standard

<efelten> It would be useful to have a clear explanation of why third-party tracking of users without consent is necessary for these purposes.

Rigo: Tuesday one is better - consent. no one from ESOMAR (?) attending and it would be good to have them in the room

<jchester2> +q

Rigo: encourage them to attend and people who understand measurement will be there

<aleecia> Nick so I think we're talking more frito/yahoo, rather than FB like button, which is what we've typically discussed. I confess to over multitasking today. But I think I'm finally getting why I've had e wrong model of discussion , thanks

Peterswire: lets continue figuring this out off list

<aleecia> Joanne - really nice scribing all call, which I appreciate greatly. Thanks!

Peterswire: thanks to the group that worked on this. needs to be put into standard W3C lang

<rigo> jeff, it will come back to this group anyway

<Chris_IAB> agree with jchester2

JeffChester: many of us not going to Berlin. would like conversation on the regular call. should include entire group

Peterswire: we'll have oppy to work on this

<jchester2> zkim, mute me

JeffChester: disagress and ask Peter to reconsider it

De-Identification

DanA: likes 1:30 AM PT

<Wileys> -1 for the rest of us on the West coast :-)

<npdoty> +1 on 1:30am PT

<susanisrael> *I am also willing to do 4:30 EST

DanA: : deidentified term. issue discussed at F2F and that deidentified is better versus unlinkabile
... inclarifying FTC lang. Happy to take Rob and Shane's edits to more closely mirror FTC lang
... happy to bracket second clause of def. It is a more gransular committment versus the comply with DNT committmeent.

<robsherman> +q

Peterswire: put inot brackets for now. if no committment else where in package we need to have it here

<npdoty> if we take out the public commitment, we would need to say that the party won't try to re-identify the data

RobSherman: if the cleanest way to do this use FTC lang but clarify that we think "reasonable measures" require all three of physical, technical, and procedural safeguards(didn't catch last part of Rob's point)

DanA: won't have exact FTC lang. not alot lost if we deviate (sp) in this case

<Chris_IAB_> can someone post the link for this thread?

Peterswire: Dan to update lang for next compliance meeting

<npdoty> http://www.w3.org/mid/5134D890.5040408@eff.org

<npdoty> ACTION: auerbach to update de-identification definition based on feedback from Rob, Shane, public commitment [recorded in http://www.w3.org/2013/03/06-DNT-minutes.html#action05]

<trackbot> Created ACTION-378 - Update de-identification definition based on feedback from Rob, Shane, public commitment [on Dan Auerbach - due 2013-03-13].

Peterswire: happy travels to those going to Berlin and next compliance call 2 weeks

<npdoty> dan_auerbach, is March 13th a good deadline for that action?

Summary of Action Items

[NEW] ACTION: auerbach to update de-identification definition based on feedback from Rob, Shane, public commitment [recorded in http://www.w3.org/2013/03/06-DNT-minutes.html#action05]
[NEW] ACTION: ChrisPedigoOPA (with rigo, peterswire) to follow up on service provider and independent rights clarification [recorded in http://www.w3.org/2013/03/06-DNT-minutes.html#action03]
[NEW] ACTION: pedigo (with rigo, peterswire) to follow up on service provider and independent rights clarification [recorded in http://www.w3.org/2013/03/06-DNT-minutes.html#action04]
[NEW] ACTION: Shane to review TPE for updates necessary on multiple first parties (with Ed, Nick, RobS, possibly fielding) [recorded in http://www.w3.org/2013/03/06-DNT-minutes.html#action01]
[NEW] ACTION: sherman (with justin) to propose updates on multiple first parties (distinguishing between the one site and platform) [recorded in http://www.w3.org/2013/03/06-DNT-minutes.html#action02]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.137 (CVS log)
$Date: 2013/03/06 18:28:45 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.137  of Date: 2012/09/20 20:19:01  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/Peter Shaw/Peter Schaar/
Succeeded: s/Laura/Lauren/
Succeeded: s/fb:/robsherman:/
Succeeded: s/sherman/Chris_IAB/
Succeeded: s/felton/efelten/
Succeeded: s/felton/efelten/
Succeeded: s/felton/efelten/
Succeeded: s/sherman/peterswire/
Succeeded: s/???/clarify that we think "reasonable measures" require all three of physical, technical, and procedural safeguards/
Found ScribeNick: hefferjr
Found ScribeNick: Joanne
Inferring Scribes: hefferjr, Joanne
Scribes: hefferjr, Joanne
ScribeNicks: hefferjr, Joanne

WARNING: No "Present: ... " found!
Possibly Present: Aleecia AnnaLong BerinSzoka Chapell Chris ChrisPedigoOPA Chris_IAB Chris_IAB_ Chris_Pedigo DanA David_MacMillan Efelten JamesB JeffChester Joanne Jonathan_Mayer Microsoft Mozilla P12 P49 P74 Peter Peterswire Richard Richard_Cpomscore Richard_comScore Rigo RobSherman Sherman Susan_Israel Vinay WaltM_Comcast Yianni aaaa aabb aacc aadd aaee aaff aagg aahh aaii aajj aakk aall aamm aann aaoo aapp action-375 amyc bscannell chester chrismaheia dan_auerbach doty dwainberg fielding hefferjr jchester2 jeffwilson jmayer johnsimpson justin laurengelman moneill2 ninjamarnau npdoty phildpearce samsilberman schunter scribenick shane sidstamm susanisrael swire tedleung tedleung1 trackbot vincent wileys
You can indicate people for the Present list like this:
        <dbooth> Present: dbooth jonathan mary
        <dbooth> Present+ amy


WARNING: No meeting title found!
You should specify the meeting title like this:
<dbooth> Meeting: Weekly Baking Club Meeting


WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Got date from IRC log name: 06 Mar 2013
Guessing minutes URL: http://www.w3.org/2013/03/06-DNT-minutes.html
People with action items: auerbach chrispedigoopa justin pedigo peterswire rigo shane sherman with

[End of scribe.perl diagnostic output]