Tracking Protection Working Group
Face to Face Meeting Berlin

12 Mar 2013


See also: IRC log


Markus Dunte (Office of the German Federal Data Commisioner), Thomas Roessler (W3C), Stefanie Kohnert (Zanox), Rob van Eijk (Art. 29 Working Party), Vinay Goel (Adobe), Julia Maier-Hanff (EDAA), Mike O'Neill (Baycloud Systems), Justin Brookman (CDT), Ninja Marnau (Independent Center for Data Protection Schleswig Holstein), Joanne Furtsch (Truste), Christian Pfeiffer (Nugg.ad), Nicole Nauen (Nugg.ad), Thomas Schauff (BVDW e.V.), James Gray (European Commission DG Connect), Haakon F. Bratsberg (Opera Software), Peter Swire (TPWG Co-Chair), Justin Weiss (Yahoo!), Aleecia McDonald (Stanford University), Wolf Osthaus (United Internet), Ionel Naftanaila (IAB Europe), Walter van Holst (IE), Chris Sherwood (Yahoo!), Tara Whalen (Office of the Federal Data Protection Commissioner of Canada)
Matthias Schunter (Intel)
Rigo Wenning
Ninja Marnau, Joanne Furtsch, Justin Brookman, Haakon Bratsberg, Justin Weiss, Vinay Goel


<trackbotDate: 12 March 2013

<brookman "context under the hood" . . .

<brookmanscribenick: ninja

Rigo: Doing the recap of yesterday's discussion

.... participants already jumped into a lively discussion about consent.

... First question to address - issue of first parties.

... Where in the specification do we want to address first parties. In TPE or compliance?

bookman: Wouldn't that contradict the document we created so far?

rigo: It is more of a footnote. Not contradiction but more of an extention.

weiss: this would lead to two parallel specification. We should not agree here on doing normative text. We should first evaluate how substantial the gap is.

rigo: I agree. Additions that do not change the existing spec. Are not of the same importance.

brookman: It contradicts the complete section 4. Are you saying this might be wrong?

<Weiss> test

rigo: We are already saying that law overrules the spec. This is part of this overruling of law concerning Europe.

... or in some countries of Europe

... if we bet on implied consent we could stop here.

... but continuing would be future proof.

<Thomas_Schauf> sorry ninja, I was not logged in

weiss: I completely agree with the overriding law. My concern if we focus on only one region's law it could dilute the spec.

... an overly annoted spec will be less helpful than a systematic note.

rigo: The regulated systems might be similar. I agree should not annotate too much. But this is a fundamental choice we should make regarding first parties.

james: There will be a window of time until 2016 when the regulation comes into force. We need to address the directive that is in force now but also at the regulation draft which is highly in flux at the moment.

<moneill2> +q

rigo: the issue is - we want to produce somethin that is future proof. When we want to address the issue of storing data on the terminal equipment of users, do we need a consent mechanism including first parties.

.... Using DNT including first parties could rid us of the need of window shades in many cases.

vinay: We discussed this internally. We need to have a negotiation mechanism for European users. But users do not want to pay more fore having an extra system only for one region.

rigo: this is where the problem starts. If everyone is developing there own consent mechanism it would cost much more in total.

moneill2: You need to have an option to withdraw consent. THerefore a mechanism of giving consent needs to be in place anyway.

<brookman> Letting one DPA's interpretation of one law that may be superseded is not the way to drive the DNT discussion . . .

weiss: We are discussing three different issues right now.

<vinay> Another country/website using the implied consent model is the Irish presidency website: http://eu2013.ie

rigo: fair point.

<vinay> where it points to browser controls for consumers to opt out from cookies

wolf: We cannot use the ICO model for the whole of Europe. Implied consent does not work everywhere.

... We cannot address the issue of first parties without talking about consent.

weiss: what I struggle with is understanding how first parties could be included in the spec without changing the whole document.

rigo: I want to apply DNT:1 as an easy provision for first parties to comply with the law.

... If the permitted would be aligned with with what is currently allowed by the law this would be a huge benefit.

... If a first partie wants to do more we can apply the DNT:0 consent mechanism.

peterswire: What does it mean for a first party if they receive a DNT:1 signal?

rigo: The response header says either I'm complying or I'm not complying. You could as a first party always say I'm not complying.

<moneill2> +q

brookman: At the moment a first party answers I am a first party. I do first party stuff.

kimon: What should a first party do to honor DNT:1 in your view?

rigo: Reaction similar to third parties. I honor DNT, I only use the permitted uses.

... or saying I don't honor DNT but I'm legally compliant.


<Joanne> lots of side conversations still happening...

scribenick: Joanne

UNKNOWN_SPEAKER: at some point we will return to our regularly scheduled meeting

we have come back

Rigo: two chocies move onto consnet discussion or continue first party discussion
... the first party addressed in TPE and compliance spec where first party can continue normal ops
... also a rule in compliance spec that local law overrules DNT compliance reqs

<moneill2> +q

Rigo: taking those three into acct (missed third one) we could say if in regulated environment may also use DNT as a way to org communication and consent with your users. DNT:0 can use exception use data set out in DNT:0,

(not sure if I captured that correctly)

Mike: now there could be a sep browser obtaining consent under DNT to signal consent. for dnt:1 my opinion - that consent has not been given

Vinay: calrification ques are you proposing to define what dnt:0 means in EU context or how companies in EU should treat all signals

Rigo: fair q
... but

Kimon: my issue is we don't have enough pubs in the room to understand first party issues

Rigo: Vinay's q is unanswered. Yes, Ddnt:0 will carve out because you won't have to explain everytime just announce the diff and user only sees relevant prompts
... can we see a system where dnt:1 is not meaningless
... if permitted uses accepted by DPA's, then don't have to discuss in face of dnt:1. dnt:0 is only one consent mechanism - only one legal ground it offers you for overall legal strat
... if want to go beyond - could claim OOB consent

Vinay: to proceed - get the diff between dnt and the 1995 and eprivacy directive
... don't know if permitted uses aliagn with regulators would think is allowed under dnt:1 scenario
... thinks we should define what dnt:1 means in diff markets

rob: we are at an intersection now. Dnt:1 or Dnt:0 path
... tying to consent is one of the possibilities
... next to define what dnt:1 means
... vinay point is relevant

brookman: 1st party may call dnt unset and comply in a way they want
... what is tricky part of defining dnt:0?

Vinay: how to balance dnt:1 against dnt:0 is the tricky part

brookman: do it OOB and if you want to do that you can.

Ninija: if want to be benefical for EU = DNT:0 needs to mean some type of consent
... other part Dnt:1 and how do permitted uses apply in teh EU and whether its legally compliant by dpa's
... huge benfit to solve whole art 5 cookie problem and get out of rathole

Brookman: lots of ratholes..Japan, Asia, ectc. diff in other places

Weiss: would not say I'm at point that normative lang is the right step. more pre-occupied with Ninja's point and the user exp
... browser choice, US default rules at this time in spec, resolve issue what users expect will happen and how that is communicated, and have that jive with expectations

how do you reconcile those

Aleecia: let me reverse and address
... discussing Mozilla exp
... can it be done country by country
... response - done by lang
... could imagine having many builds - spanish in EU and spanish in other parts of the world

Kimon: implementation example (use FF in Belgium - listing langs). how can you control this?

Aleecia: imagines lang and region together (eg German-EU) but not country by country
... lots of issues with this - a pain. presumes many communications beyond the browser

Weiss: agreed that there will be many communication points

Aleecia: if do dnt right EU is 1. issue exists with or without dnt but reduces problem
... 1. do we need to dnt:0 differently for EU vs everywhere else. not convinced this is special. raising this as an option. one signal means the same in all places. group could suggest that consent means highest bar

Weiss: high bar under 27 dnt means same everywhere

Aleecia: go back to cos and figure what we can do. if we can do that we have a win. if we can't then figure out the deltas. if we can make the same the better

the third part - doc is the low bar for dnt;1. depending on where users are you may need to do the more. hope for this group doc what the more the is and id the deltas

scribe agrees with Aleecia's last statement

Wolf: not sure we can reach to deal with frag of eu law
... not sure if this can be reached under what is allowed under dnt:1 or 0

<brookman> For the record, the language saying that law > the standard should probably be moved within the Compliance document. Right now, it's just in the permitted uses despite DNT ---- that is, if law REQUIRES you to keep more data, that trumps DNT.

<brookman> We should probably place the language elsewhere to be more clear that it cuts both ways . . .

Wolf: question is what is the environment for consent and we need to doc that.

Brookman: clarfied settings - set (1,0), unset

Wolf: political debate - is tracking allowed or not. hardfor a co to do tracking for other legal reasons

Rigo: can we add normative text. In the permitted uses - add to address legal grounds processing

disagreement being expressed - taks too big

Brookman: if you have legit interests you can express that.

Weiss: if spec is silent on something I want to do then I don't need to respond.

Justin W -you may want to clarify your point in IRC - didn't quite capture it

Rigo: lets go back to queue

Rob: either you go with EU view which puts focus on data collection means adding privacy principles like data minizamation. US approach ifocus on transparency and give control

<brookman> rvaneijk: there will always be a gap between DNT and the European legal regime.

Rob: clear ther eis a gap between EU standard and dnt standard. assumption there is always a legal gap and needs to be put into the context of collection or control. some exs are taken in collection context or control context
... for me its important to see we are exploring the collection limitation path and if not fesialbe then we need to look at use limitation parth

Aleecia: no change in practice around collection

Rigo: lets reset and wants to explore what Rob and Justin said
... in first party context there are limitations you may use dnt:0 for consent.
... no normative text for dnt:1 but in implementation guide. normative text dnt:0 in TPE and TCS (hope I got this right)

Rob: collection limitation - have to define dnt:0 in the legal sense across EU.

back and forth between Aleecia and Rob...

Rob: hard to standardize data retention genericlly (sp)
... its a way to apply PbD but doesn't solve generic standardizaion

Frank: wants to come back to Allecia discussion
... his view. servier portal is located somewhere and the company is resp to comply with local law. has to look at the servier not the browser

Wolf: but that is different in light of international law.

Aleecia: state of CA example. have to guess where user is livining

Vinay: agreed with Rigo last statement (noted for the record) <grin>

<Weiss> but his summary was different than what Rigo said!

<Weiss> I think Rigo proposed non-normative text for DNT:1

<Weiss> and normative text for DNT:)

<Weiss> DNT 0 I mean

Rigo: we are a standards org as long as there is support. Implementation guide is a help. it also means you can endorse it - if no endorsement then need to discuss with every dpa

Kimon: can we rely on that?

discussion between rigo and kimon...

Amendment 108

<Weiss> I remember *tolerance* was the word that made Brookman grin yesterday

Rigo: if not right normative text then endorsement won't mean anything

James: we will look at ePrivacy directive once the data regulation is complete.

Rigo: agreement we should define DNT:) in spec and dnt:1 in implementation guide (how is a decision we need to make)

Weiss: not sure we have agreement
... wants to see the deltas to achieve purpose Rigo is proposing
... once we see deltas then we can determine if normative text or note is best approach

<brookman> this is all getting a little meta

Weiss: thought the purpose of the this group is to id those deltas

Rigo: we need a committment to provide resources to explre that
... what he hears can't agree to option. catch 22 situation. lets start with the delta of the eu privacy directive. can you write down what you want to know

Weiss: two delatas we id ysterday. 1st party/3rd party distinction and permitted uses.

Rigo: we won;t have any normative text in specs until there is consensus of the entire WG. consensus being sought here is do we want to work this

violent agreement in the room

<Walter> on what?

<ninjamarnau> Walter, violent agreement that we only propose normative text to the big group if we find consensus in this smaller group

<Walter> ninjamarnau: sounds reasonable, makes the process riskier though

the group wants to work on poss normative text for the spec and committment to work on this

Peterswire: for full group - timing observation. F2F in early May schedule LC in July. work here needs to meet timeframe of LC and what is done here needs to be done with that in mind
... will require thought and input form larger group

Rigo: only contraints on normative text but not on note

Weiss: likes note

Rigo: provide first wording after the delta's discussion

<aleecia> suggests deltas need to take very little time

petersiwre: committed to work with group but only if it fits into overall timetable

<aleecia> if there's a 2 week time frame for delta (which is short, actually) we've just gone through half the time Peter suggests before we even start talking about text

<rigo> JustinW: Want to see the delta for the permitted uses and the ePrivacy Directive compliance

Rigo: rephrasing Rob's comments. state of data coll minzation need consent. if we work on consent we ult work on collection environment. control scenario - don't need consent for legal grounds, etc. if hit with dnt:1 then need to worry. these are mutually exclusive. Rigo does not agree with Rob on mutually exclusive

Ninja: ask rob for specific example around how collection or use limitation will play out.

Rob: difference between setting taks for compliance in the EU and changing the balance of control. This is very complicated

Rgo: ninja does not believe this is mutually exclusive
... another agrument. if you get consent browser you get control from central point by the user.

Rob: what is meausrement criteria

Rigo: as a standard don't have to do this. Adrian go us out this

Rob: that is dnt consent but legal consent is a diff discussion

rigo: there will be an endorsement discussion that will touch on normative text and implementation guide. can adapt over time with implemenation guide

<brookman> We're not SOLVING tracking. We're limiting it. Or trying to at least.

Rob: risk of something not being endorsed is pretty big, and does not hav eclear feeling what we are solving as we are all looking at this from a diff perspecitve

Rigo: we have to agree on certain wording on specs and in longer timeframe discuss how to use tool

Rob: is the purpose of this work to become compliant in the EU

Rigo: answer what is the delta. do we want bridge this gap? id what add'l things are needed for EU
... get with dpa to validate what is mismatch. use German as the high bar

Weiss: asking Marcus if that is the measure - is it the highest bar?

Mrcus: feeling German one is the trongest


TLR: streach goal - hearing people saying a lot of the same things

Rigo: wants committment to work on delta

<brookman> rigo: point of this is to improve our changes of deemed legal compliance later

<brookman> scribenick: brookman

<Joanne> thanks Justin

rigo: legal formalization of this recognition is for the moment legally impossible because of directive model --- why we need a regulation
... Amendment 108 is being put in precisely for things like this effort. No one seems to be questioning Amendment 108.
... In between, just use your best bet --- talk to local DPAs, point to global buy-in, &c.
... Not precluding any potential dispute in court, just making a tool available for deemed-ish compliance.
... Need commitment from folks to work out what the delta is (ed: deltas are)

<Thomas_Schauf> +q Julia

rigo: Would like someone from industry and DPAs

thomas: If DNT a legal tool, why are we orienting it to the e-privacy directive?
... If policy arena is out of scope, we need a broad DNT standard so it can be adaptable to different markets
... 1, 0, unset need to be adaptable so different people in different jurisdictions can comply with varying laws

rigo: I just want someone to agree to help me find the deltas!
... legitimate question about whether the gap is too big (between current permitted uses and Euro law)

<aleecia> which people in the room can do this?

rigo: if we come back and say "Oh my God!" we will have to provide guidance in the implementation guide.

<aleecia> small set, yes?

tlr: Let's use *some* stringent jurisdiction as a benchmark and get action items assigned to map compliance vs that jurisdiction ---- that will be a proxy for overall discussion

Julia: We have very different intepretations of e-privacy directive even among German institutions. So there's that.

<Thomas_Schauf> +q

aleecia: Can we just get someone to draw up *some* interpretation of *something*? And then we can do deltas vs. the deltas (ed: grumble)?

thomas: After the work on DNT, we may have the Regulation in place, and maybe we won't have Directive problems

rvaneijk: But if you want endorsement later this year, I have concerns. But willing to share what we are think are the issues.

weiss: If we're talking endorsement, let's talk just about existing law, not possible future reg.

<aleecia> who do we have in the room who is *able* to do this?

rigo: Let's not put obstacles in the spec that we know will later bite us in the future.

many: Who can take an action item?!

ninja: Marcus and I can answer questions, but can't provide definitive, binding text

tlr: So, you seem interested in gap analysis . . .

weiss: I don't really know German law that well. Could maybe do general European law.
... willing to be a reviewer

thomas: I'll organize feedback from German industry

rigo: I will set that up.

rvaneijk: German telemedia law is not really the best example. Very different, not really transposition of e-privacy directive.

thomas: Yeah, but maybe it's not that far away.

<rigo> ACTION: Thomas_Schauf to organize german industry to participate in the work of the delta [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action01]

<trackbot> Error finding 'Thomas_Schauf'. You can review and register nicknames at <http://www.w3.org/2011/tracking-protection/track/users>.

rvaneijk: It's another unnecessary layer of uncertainty. You'll need to convince DPAs that it maps (ed: to the thing that you're trying to map to something else).

<rigo> ACTION: Rigo to play editor for the ePrivacy Directive - permitted uses delta and organize first teleconference [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action02]

<trackbot> Created ACTION-379 - Play editor for the ePrivacy Directive - permitted uses delta and organize first teleconference [on Rigo Wenning - due 2013-03-19].

silence in room

<rigo> ACTION: Rigo to invite Frank into the Group [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action03]

<trackbot> Created ACTION-380 - Invite Frank into the Group [on Rigo Wenning - due 2013-03-19].

rigo: We have successfully concluded the first party/third party distinction. <general laughter>
... half an hour left to discuss requirements for consent and/or DNT:0 definition
... "freely, specific, and informed"

rvaneijk: isn't that really part of the deltas (comparing Euro law to compliance spec)

Not sure how you can map when there isn't a definitive statement on this in the compliance doc today

rigo: I have put something together on my own (with no input) to present to the group on what DNT:0 should do.
... Based on P3P and data classes.

<rigo> http://www.w3.org/TR/P3P11/

rigo: <showing base data schema> It's an ontology of web traffic. Checked it worldwide.

<Weiss> Question: is DPA endorsement of plan (including possible normative text) a pre-condition to submission to full DNT working group for approval?

rigo: You be very specific about what you're collecting: name, employment data, etc.
... We can say what needs a prompt and what doesn't.
... If you go beyond what we define as permissible, then you would need a window shade and not a button.

rvaneijk and vinay: We need more explanation about what the schema are.

vinay: How will browser know what's being collected?

rigo: It won't know. You would need additional P3P implementation to tell the user what you're actually doing. DNT:0 is a potential allowance, not a precise statement about what's actually happening.
... To say what you're actually doing, you would need to do P3P.

tlr: You're conflating a few things here.
... We don't have a shared understanding of P3P data schema among the people in this room
... Maybe better to say, hey, there are data classes. Among those, let's say that DNT:0 = consent to play with those data.

rigo: The javascript API would allow you to convey a message to the user. If you're within DNT:0 confined, you wouldn't need additional interaction.
... But if you're talking about sensitive data (medical, sexual, sensitive), a button is not enough, you would also need a shade

aleecia: I think you're doing this to reflect that consent has to be specific. But since this is just potential instead of WHAT YOU'RE ACTUALLY DOING how is that actually specific?

<rigo_> rvaneijk: we need not only data definitions, but also purpose definitions (tracking)

rvaneijk: If you're tying this to consent, this is WAY TOO MUCH detail to qualify the element of specific.

aleecia: Having this level of specific disclsoure was one of the key implementation difficulties of P3P.
... suggest we not do this.if it will be a barrier to implementation.

peterswire: Maybe just say that that DNT:0 doesn't apply to "sensitive data" in Article 8.

The definition of DNT:0 *will* be in the standard.

rigo: Hey, you guys asked for a definition of tracking.

peterswire: Why not just say that DNT:0 = the right level of consent under EU law except for sensitive stuff under Article 8.

<aleecia> peter++

rvaneijk: If DNT:0 = normal consent, then you need to do more for sensitive categories.

vinay: How could the API mechanism store special status for "sensitive data"?

<rigo_> JB: Don't know why we have to spell out the level consent.

<rigo_> ... DNT just signals consent

moneill: maybe this ties to the albrecht amendments re pseudo data

rigo: The idea is that you need legal and informed consent. You are in a specific context which should be clear to you. In this content, you signal DNT:0. And DNT:0 means that you agree to this data collection.

moneill: DNT:0 is just a signal.

rigo: We are trying to standardize a description of DNT:0 that requires window shades.

moneill: Window shades are a UI. We're not supposed to be worried about that.

rigo: But if you leave everyone to fight with their DPA over what constitutes consent, then you don't have standardization.

moneill: Is that our job?!?

rigo: That's my plan.

+1 to moneill

weiss: Going back to UI question. I hear you to say: First they see the browser offering DNT choices. Then they see what the website sends back to interpret that consent. If they're playing with sensitive data, it will be really big and robust. If it's more commonplace, it can be more lighttouch.
... In either case, it will be some sort of pop-up to clarify the scope of consent.
... Is there any scenario where a pop-up of some sort isn't required?

rigo: It could be the case that we could agree that certain of these things are normal processes so you don't need a pop-up every time.

weiss: But "tracking" is different than what the e-privacy directive covers.

rigo: I'd like a def that covers 98-99% of the average use cases.

weiss: And how will the user know what's covered?

rigo: We don't specify --- leave it to the site to specify. They can have a personalization button. People over time will learn what this means

rvaneijk: A limited list could work when you're dealing with exceptions because you want to put constraints on something. But this is the other way around. What if new data flows/usages pop up? If there's a category of "others" that could weaken that definition.
... Not sure limited list really works here.

rigo: You can describe things in lots of ways: everything but . . ., or bottom up, or positively describe everything.
... If we define tracking in a specific way, maybe that means a relatively small window frame.

rvaneijk: Isn't that point of all this to NOT have pop-ups for everything?

moneill: DNT can keep state on the user in the browser per website.
... DNT:0 has a site-specific exception that can be stored in the lawyer.

peterswire: I don't see why people don't get this.
... This is like a standard contract that defines the 12 ordinary things. If you're outside that list of 12 things, then maybe you need to do something more.
... This is standard across a lot of industries..

aleecia: This isn't specific consent.
... I guess you could in the browser say I consent to all 12 things going forward for everyone. But that's not specific consent.

ninja: I see dnt:0 as a standard contract. (1) They need to be accept that DNT:0 isn't a white card to do anything. (2) We need to get all the DPAs that even if it's just 12 things, is that specific enough.
... compares this to the Google privacy policy.
... not specific enough.

rigo: maybe that means that our standard contract is not good enough.
... If you sign up prospectively for personalization across some set of sites, no need for pop-up shades.

peterswire: Responding to Google point.
... Euro law cracks down on standard contracts that are not proportional. But we can define 12 things that might work here.

ninja: Also concerned about lock-in. Maybe not as big a deal as I originally thought.

<Weiss> correction for scribe: "log-in," not "log-in"

rigo: consent for 12 things is what DNT:0 means, if you want more it has to be out of band.

<Zakim> ninjamarnau_, you wanted to suggest a lunch break

ninja: We are 12 minutes behind and it's lunchtime.

aleecia: I want to come back to rvaneijk's point --- you need context, can the 12 point contract work?

vinay: it sounds like euro regs might want DNT:0 just for the more benign uses (like first party analytics). But not OBA/personalization.

rvaneijk: Not sure where the threshold should be.

rigo: You can do DNT:0 store for that more sensitive stuff, but I will explain privately during lunch (!?)

<breaking for lunch>

<haakonfb1> scribenick haakonfb

Rigo: DNT:0 have a basic understanding after peterswire: standard contract

… what this contract will look like will be subject to fierce debate

… now a meta discussion. The industry comments: 1) we do DNT and 2) EU regulation is not industry friendly

… do we want to discuss how DNT is used in the Brussel policy discussions?

… do we want a sanitisation of DNT?

… what is the relationship to self regulation?

… should we bring into the table what we other groups are doing?

… should we have this discussion?

rob: would like to se DAA at the table. Will DNT take part in the notice framework.

<rigo_> Julia: q?

rob: idea to create neutral table - with everyone that matters in the ecosystem.

Rigo: When you are debating DNT - invite someone from this table to present ideas about DNT to EDAA board?

Julia: It is a nice offer

Thomas_Schauf: How could an cooperation work on a technical level.

… serve to the consumers. not competing solutions, but cooperative solutions.

rob: demonstrates no support for DNT in European industry.

Kimon: Look internally for solutions. Don't see DNT will replace the need for the commitments made.

Justin: Usecase of DAA participation. Clearest path to interoperability: DNT could be one of many signals to trigger the commitments.

… EDA has it's own code of commitments. The interoperability depends on the different commitments map.

… there is a potential, but need something clear to compare against.

rigo: either need to talk to the board, or someone has to provide a dif.

… rob saying no one is coming out

Thomas_Schauf: Industry supports DNT - invest time+++

… EDA around the table. Robert Madelin told W3C invite EDA

… will go back to the steering group and ask them to accept the invitation

… technical cooperate or define who is first and second in the user dialogue

… this work will take time.

rigo: the only thing that counts is commitment to come back with a result on the question: What is the dif between EDA and the DNT permitted uses.

kimon: we make sure that EDA will now

Thomas_Schauf: Rigo send an email to Kimon, Julia and Thomas about this.

(all quiet)

<rigo_> ACTION: Rigo to send email to Thomas Schauf, Kimon and Julia to get someone from DAA to help with the DIFF between permitted uses in TCS and the allowances under Opt-out in the EDAA framework [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action04]

<trackbot> Created ACTION-381 - Send email to Thomas Schauf, Kimon and Julia to get someone from DAA to help with the DIFF between permitted uses in TCS and the allowances under Opt-out in the EEDAAA framework [on Rigo Wenning - due 2013-03-19].

rigo: succeeded skipping the first part by directly discussing the meat of it. expected this to be a big battle. Allotted lots of time to it

rob: is it consensus to commit to a strong DNT-standard while we are waiting for the new DP regulation?

… does this consensus exist?

Vinay: A challenge would be to understand the interplay spec and regulation - and the timing. Difficult to accommodate the standard without knowing the content of the regulation

rob: as any external risk factor. has to mitigate that risk.

Vinay: Companies know the current law. Companies would wait for the new regulation before changing behaviour.

… wouldn't worry about the DNT standard in the mean time, but will wait for the DP regulation

rigo: we need speaking points against this argumentation

justin: I see more uncertainty with getting certification / approval for a solution. DNT will not be a complete tool for compliance.

peterswire: Common in the past with a version 1 and then people learn and then a version 2

… companies prefer building once, not required to reengineer.

… how is this reality handled in other W3C cases?

rigo: It has been order and chaotic approaches. Example: Big debate XML schema. one side: too much fluff, other side: we need to specify all the details. Both ways happened. let the market figure it out

… Web as platform: Defining all kinds of relations to device APIs etc. Not the assumption that what they are doing is the ultimate solution in 5 years. Want to solve the current situation. We cannot decide to throw the connection approach out of the window

… we need the delta: this is what you need to do to comply.

… we are in this regulation discussion. The industry *and* DPAs are under pressure.

… if small gap political solutions are possible

… implementation guide can be approved by DPA(s)

… our chances for success depends on the gap analysis.

… can we whenever we are asked say it this is not a panacea, but trying to solve a specific problem for the web.

justin: we define that problem after the gap analysis

rigo: we have some challenges wrt permitted uses, but not likely a big gap

Vinay: gap will be about first party vs third party and permitted uses

justin: priority is the gap analysis. that will identify our issues

<rigo_> Justin sees the biggest issue in First Party reaction on DNT:1 signal in Europe. This will be subject to the gap analysis

peterswire: Question: Compliance cost - I just want to only build once. In Europe: Why should I do anything on DNT:0 when the regulation can change everything

… gap analysis - useful for getting ready for DP regulation.

… why should we implement DNT:0

rigo: US compliance stands for basic protection on the web. In Europe could have a similar but different function

… instead of everybody on their own, try to get together 80 percent of the result with 20 percent of the effort.

… remove the shading + providing users control

… you enable to give the engineers their say in the debate.

… also discuss the technical aspects

… by removing most annoying parts avoid arm-race between blocking and tracking technologies.

… ref geolocation. The browser must provide the user a certain interface. Grant and revoke access to location.

… dnt-system: would have the advantage by providing this kind of interface. It is a clean and viable framework.

peterswire: by have engineers and the general terms we will facilitate a more orderly transition.

rigo: 108 Amendement does not stem from the industry, but the green party

… by offering first kind of shot we have three years to create version 2.

peterswire: This is the best path to end up with a good technological solution.

rigo: go away from the original agenda. When this group agrees on normative texts for the specs, text will be added.

rob: are you going to inform the big group about progress here?

… informing allows for others to enter into this work

peterswire: summarise the conclusion and bring back to bigger group

… allows for other perspectives to be included

rigo: July deadline - last call

peterswire: (outlines the step of w3c process)

<brookman> Whoa, there's interservice review?

rigo: last call is used to clear up any dependencies. All other groups look at the spec to identify any dependencies.

… public available - gets comment from the general public

… has to address the public comments

… next step: candidate recommendation. The industry implements the spec. New issues might be discovered, and the spec has to be fixed.

<brookman> FYI, timeline here: http://www.w3.org/2011/tracking-protection/

… in the end advisory committee vote. If sufficient support and approved by director turns into candidate recommendation.

thomas: review - has the process been followed properly.

peterswire: Suppose we get to last call, but DNT:0 is not finished.

… and no new information. How can we put DNT:0 back in.

thomas: split into to specifications, or ask for mandate for a next version. Neither is optimal. Best of having DNT:0 in last call.

peterswire: what about put 80% ready in the last call? Fix afterwards.

Thomas. Depends on which parts that are ready.

… if not concluded on normative text, it should not be included.

… purpose of last call is to get feedback from the public. better to have a single coherent document.

justin: work product as a note - incremental step. Question: Will the note go through a similar process?

Thomas: A note is a document that a group chose to publish. No formal status (or endorsement)

rigo: we have little things preventing us for doing stuff outside the recommendation track

… W3C attracts lots of comments, and this is a burden. You do not want to do this twice.

justin: can a note be published after last call

rigo: a note can be published as long as a group is chartered.

… we are done when the charter ends

rigo: Next topic: Consent mechanism (can be discussed without gap analysis)

justin: How to deal with the process in Canada?

… take this as part of next steps.

rigo: There is some specific issues in Canada.

<Joanne> scribenick: Joanne

Joanne: Weiss: proividing update on Canada

<haakonfb> justin: Status in Canada: Law about behavioural advertising. The privacy commissioner has assed DAA principles++

Joanne: several similar questions from PIPEDA in the Privacy Directive context
... Commissioner ananlysis of OBA and outlined conditions of transparnecy requirements
... oppy to takethat piece to do a gap analysis

Rigo: can you send th epointer to this report

Rob: Andrew Patrick replied to Chris M's comments so its on mailing list

Weiss: Guidelines on OBA

<rigo_> ACTION: Rigo to take Canadian references to OBA "Guidelines on Online Behavioral Advertisement" report and link it from the Global consideration page [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action05]

<trackbot> Created ACTION-382 - Take Canadian references to OBA "Guidelines on Online Behavioral Advertisement" report and link it from the Global consideration page [on Rigo Wenning - due 2013-03-19].

<vinay> I believe its here: http://www.priv.gc.ca/information/guide/2012/bg_ba_1206_e.asp

Weiss: its useful because its sits somewhere between self-regulation and EU.

Rigo: allows us to be more informed in our consent discussion

Weiss: US and Canada may have few requiremetns that are not addressed in EU

Rigo: we need gap analysis of Canada

<rigo_> tara, are you on the call?

Weiss: can happen in paraellel with German analysis

Rigo: Justin to take action to contact Tara about mapping out gaps

<rvaneijk> here is the mail with the links: http://lists.w3.org/Archives/Public/public-tracking-international/2013Feb/0023.html

Weiss: what about Asia?

Rigo: Asia is interested. Spoke with Malcom Crompton. forced getting APEC agenda. reviewed APEC enforcement system

Peterswire: not aware of anything in APEC outside of EU

Weiss: except for third party verification

Rigo: once complying with German system you can play anywhere

Justin: follow EU law or TRUSTe standard

<brookman> APEC privacy principles as attested by TRUSTe :)

Rigo: do we need to take more into account; opening up is the challenging task; doesn't prevent you from doing other stuff in less restrictive system

Weiss: Hong Kong and Japan that have standards.

Rigo: hard for those participatns to participate due to time diff.

Figo: describing with privacy issues in Japan and have member interested in this and should poke them

Rigo: can poke Japanes contact before behand

Weiss: ask Malcom about Aussie OBA guidelines

<rigo_> ACTION: Rigo to ask Malcom Crompton about the Australian OBA guidelines [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action06]

<trackbot> Created ACTION-383 - Ask Malcom Crompton about the Australian OBA guidelines [on Rigo Wenning - due 2013-03-19].

<Weiss> Scribenick: Justin Weiss

<Joanne> scribenick: Weiss

Rigo: Requirements for consent contemplated = consent as DNT 0, with user resetting/revoking to DNT 1 as desired

Brookman: you can always revoke by removing DNT 0

<vinay> scribenick: vinay

rob: should not limit the discussion to just consent; but should also include 'revoking consent'

<moneill2> +q

should be easy

not just globally, but individually

rob: very essential element for regulatory framework

mike o'neill: important for consent

brookman: can't you just say dnt:1 and then get the pop-up again

rob: the how question and the what question are different
... the option needs to be a requirement

<rigo_> rob: there should be a requirement that the browser must offer a possibility to revoke the consent

<Weiss_> scribenick: Justin Weiss

Rigo: I think Opera is not opposed to having a requirement that revocation should be possible, but they will be 'allergic' to the revocation window design

Vinay: should you accept global revocation or site specific? That kind of requirement could be contemplated

...the question to the browsers is whether granular revocation is possible

Moneill: site specific DNT:1 could be put in now before last call as a requirement

> . . .now the API can only set DNT zero

Brookman: there's no reverse exception right now

Ninja: do we really want negative exceptions and generate use cases for this?

Vinay: any dependencies that rely on the browser should be avoided, because we can't depend on them

> (channelling Roy)

Moneill: raised with Matthias before -- and I have presented multiple use cases

Brookman: there are out of band exceptions. YOu could require sites to use opt out cookies, for example (laughs)

Rigo: how long will it take you to paste in next steps and major agreements?

Peter: will paste in wrap up and summary for discussion

<peterswire> 1. The group had a constructive discussion, with civil and detailed analysis of the relevant issues.

<peterswire> 2. Task Force should proceed. There was consensus that the Global Considerations Task Force (GCTF) should continue to work on issues relating to DNT:0 setting. Members of the working group are welcome to join the GCTF mailing list at ___.

<peterswire> 3. Gap analysis. The first task for the GCTF is to assess the delta between the current DNT draft specification and what is legally required under current EU law. Also, assess the delta between the DNT draft specification and the EDAA approach. There may be a similar gap analysis with respect to Canadian law, pursuant to the opinion of the Office of the Federal Privacy Commissioner concerning OBA.

<peterswire> 4. Standard contract. Once gap analysis is concluded, there will be discussion, including DPAs, industry, and other stakeholders, of the meaning of DNT:0 compliance. The group discussed the possible usefulness of a “standard contract” that could be understood in the EU as authorizing a number of actions by the server. The standard contract would not have to address all possible uses; for instance, it likely would not authorize collection and use of

<peterswire> “sensitive” data such as the categories in Article 8 of the EU Data Protection Directive.

<peterswire> 5. Provide technical forum that informs EU discussions. The W3C process offers a helpful convening of multiple stakeholders who are involved in the ongoing discussions in the EU about future data protection measures. Specifically, the W3C includes participants with a strong technical background. The GCTF had consensus that the W3C work should continue, to provide this technical and stakeholder input.

<peterswire> 6. Time line. The GCTF plans to work intensively to determine if normative text is appropriate concerning DNT:0. The GCTF understands that normative text is subject to the Working Group’s July, 2013 deadline for Last Call. It also understands that any such normative text would be included in the compliance spec only if consensus is reached in the Working Group.

<peterswire> 7. Possible non-normative text. In addition to determining whether and what to propose as normative text, the GCTF may work on non-normative text. Specifically, the group discussed the possibility of drafting a Note, which would be subject to discussion and review in the full Working Group. Topics of the non-normative text may include a guide about compliance with the compliance spec, with citations and assistance to organizations in different regions

<peterswire> about local requirements and implementation.

Brookman: in the main group it will be controversial to repurpose DNT:)

> DNT 0

Brookman: spec could be revised in 'minor' ways as a viable alternative to the idea here

Peter: next to standard contract, there could be another path

Vinay: could be a part of the compromise

Rob: important to emphasize the 'go' 'no go' discussion about the group after gap analysis. .. .

...second point is a procedural question about the mandate of the group. The blueprint itself should get an 'ok' consensus from the full group. Needs to be anchored in advance.

Swire: full group Wed call will review summary here

> . .. or via email

Rob: it should be a formal group decision

...I also have to explain back at the office to justify the travel and work; many are in this camp

<vinay> at least some of us in the industry are in that camp, too

Peter: Number 4 will be rewritten

Sherwood: how do we envision input from this group to an EU legislative process?

Peter: This language is carefully crafted to be cautious in characterization of the role of the group

...to 'provide' technical stakeholder input;

Sherwood: so is lobbying contemplated?

Peter: mere participation will inform other secondary outreach by participants

> . .. taskforce members will provide the input directly themselves

Rigo: in Brussels, there is already DNT discussion

> . . .they may know very little about DNT technically. So if participants make factual statements about DNT, they can come to this group to ask whether it's aligned with our goals

Sherwood: members are provided as a resource to those involved in the legislative discussion

Peter: Agreed.

Rigo: explanations with pictures and such are contemplated. . .

<peterswire> The GCTF had consensus that the W3C work should continue, and that these discussions will inform the participants and thus the ongoing debates.

Julia: there are diverse backgrounds within the steering group - some participants may want that kind of briefing too

<peterswire> The GCTF had consensus that the its work should continue, and that these discussions will inform the participants and thus the ongoing debates.

Rob: let's document the criteria that will inform the 'go' 'no go' decision

Peter: Yes, we'll rewrite this text

<brookmanOption: There was some recognition at the meeting that the DNT standard we're negotiating will in any event not be sufficient to reach the level of legal requirements in the European Union (and quite possibly elsewhere). Instead of repurposing DNT:0 as web-wide (or more granular) agreement to a set of less controversial uses (such as first-party analytics, first-party personalization, or audience measurement), we could edit the TPE (and to a lesser exten[CUT]

<brookman> ) to allow for *any* party (first or third) to take advantage of the exception-API mechanism to ask for consent if that party believes that adhering to the DNT standard alone will not be sufficient for legal compliance in a particular jurisdiction. Thus, if a first party believes it needs consent to do first-party analytics despite the TCS exemption of first parties from compliance obligations, that first party could call the exception-API to get permissi[CUT]

<brookman> engage in tracking on its own domain. Or if market research was deemed a permitted use, an audience measurement company could still trigger a call to the API for consent to track around the web even if the TCS allowed for market research.

Brookman: lets' document this and consider as part of 'go' 'no go'

Rigo: if you want to have a description of the context, you have to give information before permission. But if you take permission out of the context, then you have another problem

Rob: more interesting to focus on purpose limitation and permitted uses, in function of consent

> . .. and secondary uses

<rigo_rob: purpose limitation and secondary use are central to the consent. You should stay close to the purpose for which the data has been collected for.

<rigo_> .. re-use may trigger a new request for consent

<rigo_Justin: unless it is compatible?

...you should stay close to the original purpose for which it was originally collected

<rigo_Rob: yes...

<peterswire> 5. After the gap analysis. One gap analysis is concluded, there will be a go/no-go discussion about how and whether the GCTF will proceed. That discussion will include consideration of the practicality and implementability of any normative text. One path may be drafting of a “standard contract” that could be understood in the EU as authorizing a number of actions by the server. Another path might recognize that meeting the DNT:0 standard will not be

<peterswire> sufficient to reach the level of legal requirements in the EU (and possibly elsewhere). In that case, an option might be to explore if DNT:0 could be a mechanism for providing a specific grant of permission by a user to an action by a server.

Rob: an option would also be to close the group

Rigo: if gap is too big, and prefer mutual destruction

...the game is over

Vinay: I think Brookman's language is an option, that would be surprising for the full DNT group to accept, but it's possible

Rigo: Brookman includes DNT: 0 mechanism, and excludes DNT:1 for first parties

...but even DNT 1 for first parties is a beneficial option for industry, serving as a safe harbor

...if you specify it, and it's recognized as an option, you are not forced - but you can claim in the absence of consent my implementation follows these rules

Vinay: I see that -- but customers don't want that

Rigo: but if this group had as much trouble understanding our discussion, so did the clients. Maybe a second pass is worth it with them.

Rigo: so from here we are now constituted

> biweekly teleconference is the next step, probably starting next week

> [group discusses scheduling]

<rigo_ACTION:Rigo to make a doodle for weekly calls and open an issue for gap analysis [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action07]

<trackbot> Created ACTION-384 - Make a doodle for weekly calls and open an issue for gap analysis [on Rigo Wenning - due 2013-03-19].

Ninja: timeline for gap analysis?

<rigo_> ASAP

Peter: May 6-8 will be F2F full working group

Thomas: F2F prior?

<tara> Apologies - have been called away all morning here (worst possible time!) and haven't been able to phone in or follow along on IRC.

<tara> But please do contact me for followup on Canadian issues!

<rigo_> we will do, it is in the actions

> Thanks Tara -- I've an action to speak with you about this

> we didn't forget Canada!

<tara> Yes, I did a quick scan - wanted to acknowledge and encourage!


> We're closing out

> bye

<tara> bye

<rigo_> trackbot, end meeting

Summary of Action Items

[NEW] ACTION: Rigo to ask Malcom Crompton about the Australian OBA guidelines [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action06]
[NEW] ACTION: Rigo to invite Frank into the Group [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action03]
[NEW] ACTION: Rigo to make a doodle for weekly calls and open an issue for gap analysis [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action07]
[NEW] ACTION: Rigo to play editor for the ePrivacy Directive - permitted uses delta and organize first teleconference [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action02]
[NEW] ACTION: Rigo to send email to Thomas Schauf, Kimon and Julia to get someone from DAA to help with the DIFF between permitted uses in TCS and the allowances under Opt-out in the EDAA framework [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action04]
[NEW] ACTION: Rigo to take Canadian references to OBA "Guidelines on Online Behavioral Advertisement" report and link it from the Global consideration page [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action05]
[NEW] ACTION: Thomas_Schauf to organize german industry to participate in the work of the delta [recorded in http://www.w3.org/2013/03/12-dnt-minutes.html#action01]
[End of minutes]

Minutes from the F2F meeting, done by the scribes, beautified by Rigo
Last update $Id: 12-dnt-minutes.html,v 1.4 2013-03-15 13:13:15 rigo Exp $