IRC log of dnt on 2013-03-27

Timestamps are in UTC.

15:56:43 [RRSAgent]
RRSAgent has joined #dnt
15:56:43 [RRSAgent]
logging to http://www.w3.org/2013/03/27-dnt-irc
15:56:50 [npdoty]
rrsagent, please make logs public
15:56:54 [npdoty]
Zakim, this is 87225
15:57:00 [Zakim]
Zakim has joined #dnt
15:57:06 [npdoty]
Zakim, this is 87225
15:57:09 [Zakim]
ok, npdoty; that matches T&S_Track(dnt)12:00PM
15:57:17 [npdoty]
Zakim, who is on the phone?
15:57:17 [Zakim]
On the phone I see +1.202.639.aaaa, ??P28, JeffWilson
15:57:20 [David_MacMillan]
David_MacMillan has joined #dnt
15:57:28 [npdoty]
Zakim, ??P28 is Chris_IAB
15:57:28 [Zakim]
+Chris_IAB; got it
15:57:29 [efelten]
efelten has joined #dnt
15:57:38 [Zakim]
+[IPcaller]
15:57:43 [WaltM_Comcast]
WaltM_Comcast has joined #dnt
15:57:47 [moneill2]
zakim, [IPCaller] is me
15:57:47 [Zakim]
+moneill2; got it
15:57:49 [Zakim]
+ +1.202.587.aabb - is perhaps Yianni?
15:57:49 [johnsimpson]
johnsimpson has joined #dnt
15:58:06 [Zakim]
+npdoty
15:58:07 [Zakim]
+ +1.404.385.aacc
15:58:14 [peterswire]
404 area code is peterswire
15:58:19 [fielding]
fielding has joined #dnt
15:58:20 [npdoty]
Zakim, aacc is peterswire
15:58:20 [Zakim]
+peterswire; got it
15:58:27 [Zakim]
+efelten
15:58:29 [Zakim]
+ +1.215.480.aadd
15:58:38 [Zakim]
+dwainberg
15:58:38 [kulick]
kulick has joined #dnt
15:58:42 [Zakim]
+Fielding
15:58:45 [Yianni]
Zakim, aabb is Yianni
15:58:45 [Zakim]
sorry, Yianni, I do not recognize a party named 'aabb'
15:59:00 [rvaneijk]
rvaneijk has joined #dnt
15:59:11 [Yianni]
Zakim, aabb is Yianni
15:59:11 [Zakim]
sorry, Yianni, I do not recognize a party named 'aabb'
15:59:13 [WaltM_Comcast]
215-480 is walt michel
15:59:32 [npdoty]
Zakim, aadd is WaltM_Comcast
15:59:32 [Zakim]
+WaltM_Comcast; got it
15:59:32 [Yianni]
thanks
15:59:49 [Yianni]
Zakim, mute Yianni
15:59:49 [Zakim]
Yianni? should now be muted
15:59:50 [Zakim]
+??P45
15:59:50 [Zakim]
+ +1.212.768.aaee
16:00:18 [Zakim]
+Susan_Israel
16:00:19 [susanisrael]
susanisrael has joined #dnt
16:00:20 [jchester2]
jchester2 has joined #dnt
16:00:21 [Zakim]
+johnsimpson
16:00:27 [Zakim]
+RichardWeaver
16:00:31 [rvaneijk]
Zakim, P45 is me
16:00:31 [Zakim]
sorry, rvaneijk, I do not recognize a party named 'P45'
16:00:36 [rvaneijk]
Zakim, ??P45 is me
16:00:36 [Zakim]
+rvaneijk; got it
16:00:48 [Richard_comScore]
Richard_comScore has joined #dnt
16:00:48 [hefferjr]
hefferjr has joined #dnt
16:00:50 [npdoty]
Zakim, aaee is lmastria
16:00:50 [Zakim]
+lmastria; got it
16:00:53 [Zakim]
+jchester2
16:00:56 [jmayer]
jmayer has joined #dnt
16:00:58 [jchester2]
zakim, mute me
16:00:58 [Zakim]
jchester2 should now be muted
16:00:59 [aleecia]
aleecia has joined #dnt
16:01:01 [npdoty]
Zakim, aaaa is MECALLAHAN
16:01:01 [Zakim]
+MECALLAHAN; got it
16:01:03 [Zakim]
+ +1.408.836.aaff - is perhaps kulick?
16:01:10 [kulick]
yes
16:01:21 [johnsimpson]
zakim, mute me
16:01:21 [Zakim]
johnsimpson should now be muted
16:01:22 [Zakim]
+Jonathan_Mayer
16:01:46 [Zakim]
+hefferjr
16:01:53 [npdoty]
scribenick: susanisrael
16:01:53 [aleecia]
(my regrets this week -- buried in other work.)
16:01:55 [susanisrael]
scribenick: susanisrael
16:01:56 [prestia]
prestia has joined #dnt
16:02:01 [JC]
JC has joined #DNT
16:02:01 [justin]
justin has joined #dnt
16:02:05 [npdoty]
regrets+ aleecia
16:02:19 [dstark]
dstark has joined #dnt
16:02:20 [susanisrael]
peter swire: will do administrative matters until Mattias joins
16:02:31 [Lmastria_DAA]
Lmastria_DAA has joined #DNT
16:02:31 [Wileys]
Wileys has joined #dnt
16:02:38 [Zakim]
+[Microsoft]
16:02:39 [Zakim]
+[Microsoft.a]
16:02:45 [Zakim]
+[CDT]
16:02:48 [Zakim]
+WileyS
16:02:52 [Zakim]
+ +1.941.539.aagg
16:02:53 [Zakim]
-[Microsoft.a]
16:02:56 [npdoty]
Zakim, who is making noise?
16:03:01 [Zakim]
+ +1.650.465.aahh
16:03:01 [susanisrael]
Peterswire: planning to have meeting april 10 re: user interface. Have not yet seen proposed agenda items for this. Please post to list in advance of call
16:03:09 [Zakim]
npdoty, listening for 10 seconds I heard sound from the following: 24 (32%), [Microsoft] (62%)
16:03:12 [David_MacMillan]
David_MacMillan has joined #dnt
16:03:18 [Zakim]
+Dan_Auerbach
16:03:19 [Chris_IAB]
I believe Alan Chapell has something for that agenda Peterswire, but he's not on the call yet.
16:03:22 [susanisrael]
...if you want something on agenda post it by last date of march. We'll do things within the scope of things posted then.
16:03:23 [peterswire]
q?
16:03:25 [npdoty]
Zakim, mute [Microsoft]
16:03:26 [hwest]
hwest has joined #dnt
16:03:26 [justin]
zakim, [CDT] has justin
16:03:37 [Zakim]
+hwest
16:03:37 [npdoty]
Zakim, mute Microsoft
16:03:39 [susanisrael]
.....questions or comments? [none]
16:03:39 [Zakim]
[Microsoft] should now be muted
16:03:39 [Zakim]
+justin; got it
16:03:39 [Zakim]
[Microsoft] should now be muted
16:03:39 [Zakim]
+[Microsoft.a]
16:03:39 [Zakim]
+dstark
16:03:40 [Zakim]
+Keith_Scarborough
16:03:43 [johnsimpson]
zakim, who is making noise?
16:03:43 [adrianba]
zakim, [Microsoft.a] is me
16:03:43 [Zakim]
+adrianba; got it
16:03:47 [sidstamm]
sidstamm has joined #dnt
16:03:57 [Zakim]
+[Mozilla]
16:03:58 [sidstamm]
Zakim, Mozilla has sidstamm
16:03:58 [Zakim]
+sidstamm; got it
16:04:10 [npdoty]
one of the Microsoft background numbers was providing static, hence muting; let us know if you want to speak
16:04:12 [susanisrael]
.....next point, no. 6, on agenda follows up and provides more language on item raised last week...will go through....
16:04:19 [robsherman]
robsherman has joined #dnt
16:04:19 [Zakim]
johnsimpson, listening for 10 seconds I could not identify any sounds
16:04:43 [Zakim]
+Rob_Sherman
16:04:50 [susanisrael]
...need to recognize interdependencies in compliance spec. Many people are reluctant to say issues are truly closed because they are afraid they'll be permanently agreeing.
16:04:55 [Zakim]
+chapell
16:05:24 [kj]
kj has joined #dnt
16:05:24 [Zakim]
+Craig_Spiezle
16:05:42 [susanisrael]
...difficult to create new category of things, but we will create subcategory. At times, we have talked through something as much as we need to now, and text is stable pending whole package, we will call that .....
16:06:05 [CraigSpiezle]
CraigSpiezle has joined #dnt
16:06:05 [Zakim]
+??P76
16:06:10 [Zakim]
- +1.650.465.aahh
16:06:31 [susanisrael]
....pending review - Stable. we would then add a note to issue tracker categorizing it as such. we might have one text or alternatives that are pending review-stable, meaning we won't discuss them more now....
16:06:45 [rigo]
rigo has joined #dnt
16:06:46 [Zakim]
+ +1.650.465.aaii
16:06:57 [rvaneijk]
q+
16:07:00 [npdoty]
q?
16:07:05 [susanisrael]
.....similar to re-opening a closed issue. This requires real concrete text supported by more than one person.
16:07:08 [Zakim]
+vincent
16:07:13 [johnsimpson]
q?
16:07:20 [npdoty]
ack rvaneijk
16:07:28 [vincent]
vincent has joined #dnt
16:07:33 [Zakim]
+Rigo
16:07:37 [susanisrael]
rvaneijk: where would be the transparency of visibility into status of all items? Maybe it would be good to highlight it within the agenda too......
16:07:56 [susanisrael]
...if the agenda comes out a day before meeting, we may overlook these items.
16:08:08 [Zakim]
+ +1.516.376.aajj
16:08:37 [Chapell]
Chapell has joined #DNT
16:08:39 [npdoty]
scribenick: npdoty
16:08:46 [susanisrael]
peterswire: editors of compliance text are now working on updating the bare bones compliance text, partly to alert people where text is stable.
16:08:59 [cOlsen]
cOlsen has joined #dnt
16:09:14 [npdoty]
peterswire: next thing Rob is asking, the day before (for agenda) is not a lot of time
16:09:21 [Zakim]
+[FTC]
16:09:57 [npdoty]
... trying to assign things well ahead of time, encouraging people to post their language further ahead of time
16:10:04 [peterswire]
q?
16:10:05 [rvaneijk]
ok, thanks
16:10:05 [npdoty]
... in my own work, trying to find ways to see what's coming
16:10:29 [susanisrael]
*nick, sorry I can pick up again
16:10:35 [rigo]
zakim, who is here?
16:10:35 [Zakim]
On the phone I see MECALLAHAN, Chris_IAB, JeffWilson, moneill2, Yianni? (muted), npdoty, peterswire, efelten, WaltM_Comcast, dwainberg, Fielding, rvaneijk, lmastria, Susan_Israel,
16:10:38 [npdoty]
scribenick: susanisrael
16:10:39 [Zakim]
... johnsimpson (muted), RichardWeaver, jchester2 (muted), kulick?, Jonathan_Mayer, hefferjr, [Microsoft] (muted), [CDT], WileyS, +1.941.539.aagg, Dan_Auerbach, hwest, adrianba,
16:10:39 [Zakim]
... dstark, Keith_Scarborough, [Mozilla], Rob_Sherman, chapell, Craig_Spiezle, ??P76, +1.650.465.aaii, vincent, Rigo, +1.516.376.aajj, [FTC]
16:10:39 [Zakim]
[CDT] has justin
16:10:39 [Zakim]
[Mozilla] has sidstamm
16:10:43 [Zakim]
On IRC I see cOlsen, Chapell, vincent, rigo, CraigSpiezle, kj, robsherman, sidstamm, hwest, David_MacMillan, Wileys, Lmastria_DAA, dstark, justin, JC, prestia, aleecia, jmayer,
16:10:43 [Zakim]
... hefferjr, Richard_comScore, jchester2, susanisrael, rvaneijk, kulick
16:10:59 [susanisrael]
Peterswire: financial auditing slides and audience measurement text went around to list
16:11:04 [prestia]
Zakim, aagg is prestia
16:11:04 [Zakim]
+prestia; got it
16:11:22 [susanisrael]
....do we have the right people? [richard weaver and george say yes]
16:11:23 [npdoty]
topic: audience measurement
16:11:39 [susanisrael]
peterswire: can someone paste into the list the audience measurement text
16:11:41 [npdoty]
http://lists.w3.org/Archives/Public/public-tracking/2013Mar/0335.html
16:11:45 [dan_auerbach]
dan_auerbach has joined #dnt
16:12:15 [susanisrael]
...very large players, the biggest companies in this space have contributed.....i think that's positive.
16:12:19 [rvaneijk]
q+
16:12:44 [susanisrael]
....there is talk about the expansion of self-regulatory efforts, and this is a very serious professional document that was given to us.
16:13:11 [susanisrael]
peterswire: will convey some concerns i have heard then open to questions
16:13:22 [justin]
+q
16:13:45 [Zakim]
+??P84
16:13:52 [peterswire]
q?
16:14:29 [susanisrael]
david stark: we looked at definitions of pseudonymous and didn't like [ ] definition
16:14:33 [Zakim]
+schunter
16:14:39 [Zakim]
-schunter
16:14:49 [Wileys]
s/[ ]/ICO
16:14:55 [rvaneijk]
comment......
16:14:59 [susanisrael]
....given our understanding of de-identified in dnt, we thought that would be confusing.
16:15:03 [rvaneijk]
please want to react....
16:15:20 [Wileys]
+q (for Rob)
16:15:24 [jmayer]
+q
16:15:25 [Wileys]
-1
16:15:30 [Wileys]
-q
16:15:30 [npdoty]
q- (for
16:15:31 [rvaneijk]
peter, queue please
16:15:35 [npdoty]
q- Rob)
16:15:40 [rigo]
ack (for, Rob)
16:15:41 [peterswire]
q?
16:15:46 [schunter]
schunter has joined #dnt
16:15:53 [jchester2]
key question, thanks Peter
16:15:57 [susanisrael]
peterswire: a related question, from cambridge, you can have cookies, do those need to be scrubbed out for pseudonymized.
16:16:11 [jchester2]
But you know device
16:16:11 [dan_auerbach]
q+
16:16:41 [susanisrael]
richard: we're talking about cookie id. we are not looking within other cookies for audience measurement. That's irrelevant.
16:16:42 [moneill2]
+q
16:16:49 [Zakim]
+schunter
16:16:53 [Zakim]
-??P84
16:16:56 [johnsimpson]
you're putting unique identifiers on a known device
16:16:57 [justin]
Presumably it would be a requirement that the research firms couldn't put email addresses in cookies. There's a related question if the referer urls include unique identifiers like UDIDs. There could be a requirement to have a process to strip those out in short order.
16:17:48 [efelten]
+q
16:17:50 [justin]
q?
16:17:54 [susanisrael]
peterswire: up to now, dnt standard has not had 3 stages. had de-identified and not. So one difference is this intermediate stage, pseudonymized. some people favor this and some don't. I favor.
16:18:23 [npdoty]
if you use my social security number as my cookie ID but don't attach my name....
16:18:35 [susanisrael]
....another question was length of time, 53 weeks. we had a presentation from mrc that talked about the similar length of time for auditing. They also said at that time that they have given privacy waivers....
16:18:43 [npdoty]
the definition as I read it would include device IDs as pseudonymous, justin
16:18:56 [Chris_IAB]
q+
16:19:00 [susanisrael]
for shorter times, such as 60 or 90 days. Is this linked to MRC code? or from a different set of considerations.
16:19:46 [susanisrael]
richard weaver: MRC in US, but many different auditing bodies. 53 weeks is global standard.
16:19:51 [justin]
npdoty, Not sure I understand your point. Yes, a random cookie is pseudonymous. SSN or email address or name would not be.
16:19:51 [kj]
q+
16:19:56 [Chris_IAB]
peterswire, I think there is some confusion about this idea of MRC "privacy waivers"-- I'd like to clarify
16:20:21 [rigo]
Chris_IAB: there are many people wanting to clarify many things here :)
16:20:27 [rigo]
q?
16:20:35 [susanisrael]
peterswire: most campaigns are 90 days or less, though some are last valentines day or last christmas. How easy or hard would it be to have a presumption based on shorter time....
16:20:36 [Chris_IAB]
rigo, that's why you see me on the queue
16:20:45 [rigo]
:)
16:20:52 [susanisrael]
...with different approach for subset of campaigns that are year over year audience measurement.
16:21:18 [susanisrael]
richard weaver: I actually would not say that most campaigns are shorter. could you explain different approach for longer?
16:21:46 [susanisrael]
peterswire: idea is to compare in some cases to annual holiday runs in previous year.
16:22:05 [npdoty]
justin, what makes an identifier pseudonymous and not identifying? my device's UDID can correlate traffic, and for some people it can lead you back to my name, but for others it would appear to be a random pseudonym
16:22:21 [susanisrael]
....if we are trying to show we have done good measurement, we might imagine that for shorter campaigns/comparisons, we might have shorter retentions, but not for all.
16:22:50 [susanisrael]
.....for shorter campaigns, the 53 week retention seems much longer than the length of the campaign. Is it necessary for calibration?
16:23:12 [peterswire]
q?
16:23:25 [Wileys]
Nick, that is a key test for pseudonyms - the holder does not have the ability (technical, policy, process, etc.) to link the identifier to personally identifying information
16:23:31 [susanisrael]
richard weaver. initial thoughts: auditing might not take place immediately after campaign, and you might also compare several short campaigns.
16:23:39 [justin]
npdoty, You could put in a requirement that the pseudonym be party-specific. Though not sure what you do with IP addresses then . . .
16:24:01 [peterswire]
we will go to the Q once I do one more topic for question
16:24:17 [susanisrael]
george: premise, i guess of most campaigns are shorter....i am kind of aware of cookie data being used for both.
16:24:29 [efelten]
WileyS, actually the proposed definition for "pseudonymization" says they *do* have the ability to link to an individual.
16:24:44 [rigo]
q+ to ask how high the chances are that the auditing can innovate
16:24:53 [susanisrael]
....I'm not sure about the numbers, i.e. which is higher value, regardless of number of projects that may be categorized as short-term vs. year over year.
16:25:00 [npdoty]
right, WileyS, justin, I was just pointing out that the proposed definition in Kathy's email doesn't have those restrictions
16:25:17 [npdoty]
Zakim, who is making noise?
16:25:23 [justin]
npdoty, Yes, I was just assuming that would change :)
16:25:24 [Wileys]
"identifiably individual" vs. "unique browser" - meaning I know the identifier is consistent for some period of time but I don't the identity of the individual the identifier is linked to
16:25:25 [susanisrael]
peterswire: last point has to do with opt out. In your approach it provides you with an opportunity for opt out of data collection.
16:25:28 [Zakim]
npdoty, listening for 10 seconds I heard sound from the following: hefferjr (9%)
16:25:58 [susanisrael]
...we understand that today an independent opt out makes a lot of sense, in a world with no dnt running at scale.
16:26:02 [efelten]
WileyS, the definitions says "attaching a coded reference to a record to allow the data to
16:26:03 [efelten]
be associated with a particular device or individual"
16:26:16 [susanisrael]
...if dnt does get adopted and scaled, would you still need an independent opt out?
16:26:24 [peterswire]
q?
16:26:30 [schunter]
q?
16:27:03 [jchester2]
If you look at Yahoo advertising blog, it's clear that they know the identity of the individual to move them through the funnel/transaction.
16:27:10 [susanisrael]
george: audience measurement research in this context has typically worked with some control in hand of user or research subject. but we understand that internet is different from other modalities we measure....
16:27:21 [johnsimpson]
It sounds to me like you want to offer an opt-out that nobody will use ..
16:27:33 [rigo]
Wileys, the key is not only to know the name, but also to be able to single out. "Don't want to know your name" is not a possible way out as long as you can easily get back to a person (or discriminate this person)
16:27:55 [susanisrael]
we kind of conceive of what we are doing as core to Internet being viable medium for a lot of commercial purposes. We try to strike balance between giving user ultimate power and still wanting to exercise...
16:28:14 [johnsimpson]
q?
16:28:22 [susanisrael]
exclusion from even most basic counting to [general research practices?]
16:28:28 [rigo]
q-
16:28:44 [susanisrael]
peterswire: mattias now on, and we have a speaker at 1. How long do you need mattias?
16:28:51 [susanisrael]
schunter: 20 min?
16:29:32 [Wileys]
Rigo, that is not the goal of pseudonyms. The goal is to find the middle ground between "personally identifiable" and "de-identified". A pseudonym allows recognition of a unique ID associated with a browser (and therefore perhaps a person, Ed) for individual treatment - but in such a way as I don't know who that person really is in the world.
16:29:33 [susanisrael]
peterswire: i am inclined to have longer speaker queue comment but not have responses right now (due to time considerations).
16:29:34 [npdoty]
ack rvaneijk
16:30:19 [npdoty]
Zakim, who is making noise?
16:30:23 [susanisrael]
rvaneijk: I like text that says you need to process data before statistical analysis. 2nd. I don't see how oob consent description fits into this text proposal. You can't see them separately, can't have both.
16:30:34 [hefferjr]
q+
16:30:36 [Zakim]
npdoty, listening for 10 seconds I heard sound from the following: peterswire (5%)
16:31:06 [Wileys]
Jeff, we do not know the "identity" of the user but we do know a unique ID stored in a cookie is seen both at ad impression and at further states through a purchase funnel. Again - not knowing the true identity is the goal.
16:31:22 [susanisrael]
.....3. If OOB consent description continues to play out, it's important to know where group stands on that. For me, it's important to see and focus on de-id possibility and relation of oob consent/permitted uses.
16:31:23 [Zakim]
- +1.516.376.aajj
16:31:46 [rigo]
Wileys, in that sense all web log data is already pseudonymous, so nothing to do in any way, no processing needed. Isn't that a bit short to get into Rob's "yellow" area
16:32:17 [Zakim]
+ +1.516.376.aakk
16:32:17 [susanisrael]
....this definition of pseudonymous data is old, out of date. more recently, article 29 wp has said that pseudonymization should not unduly remove data from definition of "personal" data.
16:32:45 [peterswire]
q?
16:33:05 [susanisrael]
justin: i had a question re: processing before aggregation. I don't understand the point. It seems to me more logical to collect the data in pseudonymous form. Maybe i don't understand what you're trying to do
16:33:07 [rigo]
ack justin
16:33:11 [rigo]
ack jmayer
16:33:25 [vinay]
vinay has joined #dnt
16:33:26 [Zakim]
+vinay
16:33:43 [Zakim]
-hwest
16:33:59 [susanisrael]
jmayer: there is a longstanding debate in group about whether there should be some objection to pseudonymization, which in many spaces is already the norm.
16:34:51 [susanisrael]
....many of us are concerned that it could be re-identified. some object on policy, some challenge comp sci research, but many of us find these practices objectionable. I am not certain why
16:35:12 [rvaneijk]
no definition of personal data, it will create legal uncertainty since the definitions are part of the process towards a Regulation. Any concept/definition on pseudonymous data has to be fully consistent with the definition of personal data and that it does not lead to unduly removing certain categories of data from the scope of the Regulation, in particular in cases where it is not clear whether the data has indeed been fully anonymised/de-identified/pseudon[CUT]
16:35:18 [Wileys]
Rigo, to Rob's "yellow zone", that is part of the de-identification process where unique identifiers have been de-identified (no longer linkable to a unique browser) but that the key used to facilitate the process still exists (has not yet been destroyed). You only make it to "green" once the key is destroyed. Rob - is this a fair recollection?
16:35:34 [susanisrael]
....industry specific exceptions would be acceptable. Many services could be provided in privacy preserving way. I would love to help companies implement measurement without pseudonymous data.
16:35:37 [npdoty]
ack dan_auerbach
16:35:57 [Zakim]
-peterswire
16:35:59 [Zakim]
- +1.516.376.aakk
16:36:16 [rvaneijk]
For the minutes, to me the discussion on out of band consent cannot be seen separate from a call for a permitted use.
16:36:23 [rvaneijk]
You can not have both
16:36:23 [Zakim]
+peterswire
16:36:24 [susanisrael]
dan auerbach: will quickly reiterate points. at a high level, just preferring to continue to track these users shouldn't be enough to permit this permitted uses. I prefer 2 states of data, no pseudonymous.
16:36:43 [rigo]
Wileys: imagine the keys would be given to the auditor. For the moment, everything is in one hand and we are back to pure usage control and a raw store for 53 weeks, which raises eyebrows
16:36:57 [justin]
To be clear, my comment was not my only concern --- but the "pseudonymization before processing" was just a point I did not understand.
16:37:01 [hefferjr]
For the minutes, I disagree that OOBC is necessarily tied to market research exemptions.
16:37:04 [schunter]
q?
16:37:08 [npdoty]
ack moneill
16:37:16 [susanisrael]
...there is an assumption that honoring dnt will bias studies. why not measure dnt:1 requests now, before they are being honored to see if that would create bias.
16:37:43 [susanisrael]
mike o'neil: i also object to pseudonymization. this is how people are tracked over time now.
16:38:05 [rigo]
so pseudonymization is also that not every information to single out a person/browser is in one hand. So personal data is if an ID permits to re-identify and single out, but not for that one actor
16:38:22 [Wileys]
Rigo, there is risk that an outside force would legally compel an organization to release a key (wouldn't allow for direct reverse engineering but would allow for a dictionary attack). That is a risk an organization bears for holding the key (risk-based de-identification approach)
16:38:23 [susanisrael]
.....so i think this intermediate stage should be taken out. DNT is about stopping people's web history from being collected over time. this data should not be retained and associated with
16:38:33 [susanisrael]
....same device or individual.
16:38:55 [npdoty]
ack efelten
16:39:08 [susanisrael]
peterswire: pseudonymization before analysis is more rigorous than retaining identifiable data
16:39:37 [Wileys]
Rigo, as we reviewed in the HIPAA discussions, there is always some level of risk but it's up to organizations to decide to what level of risk they are willing to bear with respect to their de-identification process. If they fail, they are held accountable.
16:39:44 [npdoty]
ack Chris_IAB
16:39:49 [susanisrael]
ed felten: i don't think definition is meaningful. And it's backwards. Should be in terms of what can no longer be done with data. I don't see how it would comfort user.
16:40:13 [rigo]
Wileys, sure, this is the democratic risk, and we can only mitigate that risk by shorter retentions (and 53 weeks is long for that)
16:40:24 [susanisrael]
chris_iab: my comment goes back to MRC requirement and idea of privacy waivers. MRC has legal obligation to review audit and attempt accreditation when asked.
16:40:25 [justin]
WileyS, How are you accountable if you are legally compelled by an outside force?
16:40:30 [Zakim]
-schunter
16:41:00 [peterswire]
q?
16:41:08 [rigo]
but the other risk is that all data in one hand is just so easy to abuse. If the key is in a different hands, you need more eyes to abuse the data and higher chances that it will blow
16:41:14 [susanisrael]
...they compare to industry standards or what's available. George ivie said they must review any audit, but in some cases they audit against the standard the party has offered, not industry
16:41:21 [justin]
(To be clear, I'm open to a middle state for pseudonymous data, but not sure this is the right place, and certainly not in this way!)
16:41:22 [npdoty]
ack kj
16:41:29 [susanisrael]
...or mrc standard. But might not accredit. that's not a privacy pass
16:41:34 [npdoty]
Zakim, who is making noise?
16:41:42 [Zakim]
+schunter
16:41:46 [Zakim]
npdoty, listening for 10 seconds I could not identify any sounds
16:41:47 [Wileys]
Justin, I believe private organizations have demonstrated their ability to resist legal requests where they feel this endangers the privacy protections their users expect or have been promised
16:41:52 [npdoty]
Zakim, who is making noise?
16:41:57 [Lmastria_DAA]
q+
16:42:02 [Zakim]
npdoty, listening for 10 seconds I heard sound from the following: moneill2 (35%)
16:42:10 [susanisrael]
kathy joe: coming back to 53 weeks. These standards are drawn up by stakeholders in industry bodies that determine measurement elements and retention times.....
16:42:14 [peterswire]
q?
16:42:28 [npdoty]
ack hefferjr
16:42:34 [susanisrael]
.....but 53 weeks is industry global standard. No meaningful data.
16:42:53 [susanisrael]
ronan heffernan: oob consent is not tied to market research. they are different.
16:42:55 [rvaneijk]
@Ronan: why are they two different things...
16:43:06 [npdoty]
hefferjr: non-real-time out-of-band consent is really a different thing from market research permitted use
16:43:08 [rvaneijk]
it is about panel data..
16:43:19 [susanisrael]
lou mastria: this is not a preference. this is how ad funded content works. This has the objective of funding content.
16:43:23 [npdoty]
rvaneijk, I think this particular permitted use is *not* about panel data
16:43:46 [rvaneijk]
Nick, yes agree, but audience measurement depends on panel data
16:44:00 [susanisrael]
....i also want to put a push pin in idea of whether comp sci is correct or not. we are not questioning that. But some people do not want to take into account additional administrative safeguards....
16:44:06 [rvaneijk]
the exemption cannot be seen separate from the OOBC discussion !!!
16:44:06 [schunter]
q?
16:44:11 [susanisrael]
...I don't think that is getting enough credence in this group.
16:44:12 [rigo]
ack Lmastria_DAA
16:44:19 [npdoty]
topic: TPE
16:44:42 [susanisrael]
schunter: sorry for being late. OOB consent discussed in IRC channel. background as follows:
16:45:09 [rvaneijk]
q+
16:45:17 [jmayer]
q+
16:45:24 [susanisrael]
during tpe discussion people also said there is also oob consent for things otherwise not permitted by dnt:1. Should be registered. we agreed that this exists and will continue, for example....
16:45:47 [schunter]
q?
16:45:54 [susanisrael]
by contract. led by ronan we now have a discussion about how this actually works in practice and how privacy can be preserved in such a setting.
16:46:04 [susanisrael]
who is speaking?
16:46:14 [Wileys]
+q
16:46:35 [fielding]
ack rvaneijk
16:46:42 [hefferjr]
q+
16:46:46 [Wileys]
Rob, DNT is one type of a consent mechanism but is not the only one - I believe that is the point. There are other methods to obtain user consent - not only DNT.
16:47:07 [susanisrael]
rvaneijk: I am concerned that oob consent could undermine consent mechanism and global considerations work. could just result in use limitations framework. Limited.
16:47:16 [moneill2]
q+
16:47:33 [npdoty]
rvaneijk, is your concern about the short-term collection? we had currently proposed an exception for short-term data, for example to de-identify data you collected
16:47:44 [rvaneijk]
yes agree that there is OOBC
16:47:45 [jmayer]
+q
16:47:49 [schunter]
q?
16:47:49 [susanisrael]
schunter: would like to push time gap out a bit. where i think we have agreement is that there is something like out of band consent. dnt: 0 is not only means to gather consent. do we have agreement?
16:47:51 [hefferjr]
yes
16:47:57 [npdoty]
I think there is agreement that it's compliant to get consent out-of-band
16:47:58 [rigo]
q+
16:48:11 [susanisrael]
schunter: please offer comments on this topic
16:48:34 [fielding]
we already have a "time gap" for existing permitted uses, so I don't see how that makes any difference -- DNT doesn't mean the UA is invisible.
16:48:38 [susanisrael]
jmayer: my understanding of group history to explain why i think agreeing on this is "sort of right"
16:48:43 [schunter]
topic is "out of band consent in general" (not yet implementation details)
16:49:06 [Zakim]
+ +1.415.695.aall
16:49:21 [susanisrael]
....initially we focused exclusively on oob consent, then we developed interest in browser based api. there would still be background of oob consent but maybe something like a "should."
16:49:27 [Zakim]
- +1.650.465.aaii
16:50:08 [susanisrael]
...now it seems group has shifted back and people want to have both modes that will co-exist. so I agree oob consent would EXIST. But your suggestion that this is a normal mode of operation, is something...
16:50:53 [Zakim]
+ +1.650.465.aamm
16:50:55 [susanisrael]
...where i think there will be much less comfort. to say that you can use it instead of API where API is available. I and others are concerned about race to bottom, with web sites stretching definition....
16:51:15 [dan_auerbach]
q?
16:51:26 [npdoty]
ack jmayer
16:51:41 [susanisrael]
....of consent. There are 2 checks on this. 1 = policy check, and 2= procedural, moving consent into browser on notion (which i know is controversial) that browswers are a user interface.
16:52:23 [fielding]
It hardly matters what comfort there is in the group -- it is impossible to make use of an API which has not been implemented anywhere and is unlikely to be implemented correctly for a long time (if ever). Hence, OOB consent is the only option right now and will remain the only option for a very very long time.
16:52:28 [susanisrael]
schunter: so if i understood, your view is if there is api consent use that, and only go to oob consent if api is not available.
16:52:46 [hefferjr]
q-
16:52:50 [susanisrael]
jmayer: anything that gives users meaningful choice and prevents race to bottom is ok with me
16:52:54 [npdoty]
ack Wileys
16:52:56 [rigo]
ack Wileys
16:52:56 [schunter]
ack Wileys
16:53:28 [Zakim]
- +1.650.465.aamm
16:53:39 [susanisrael]
shane: i am with jonathan re: oob consent being necessary. It already exists by law and we have agreed standard will not modify law. so any agreement i have with user under law has to be honored.
16:54:17 [schunter]
q?
16:54:22 [jmayer]
fielding, Perhaps you misunderstood. I'd be more fine with using out-of-band consent where in-band consent isn't implemented by a browser.
16:54:31 [schunter]
ack moneill
16:54:35 [susanisrael]
but that said, [.....] i look at this from browser questioning consent point of view. I am afraid if they do this, they will create a race to bottom from browser perspective that will require oob consent to maintain....
16:54:42 [susanisrael]
balance in the ecosystem.
16:54:50 [adrianba]
q+
16:54:56 [Zakim]
+ +1.650.365.aann - is perhaps david_macmillan?
16:55:05 [susanisrael]
mike o'neil: I don't see point of oob consent. easy enough to get browser based consent.
16:55:09 [rigo]
ack rigo
16:55:12 [jmayer]
s/browswers are a user interface/browsers have better incentives and capacity to deliver meaningful consumer choice./
16:55:13 [schunter]
ack ri
16:55:16 [David_MacMillan]
zakim, yes
16:55:17 [Zakim]
I don't understand 'yes', David_MacMillan
16:55:23 [Zakim]
+ +1.206.716.aaoo
16:55:39 [David_MacMillan]
zakim, +1.650.365.aann is David_MacMillan
16:55:39 [Zakim]
sorry, David_MacMillan, I do not recognize a party named '+1.650.365.aann'
16:55:43 [susanisrael]
rigo: for me signaling oob consent or "c", shane, is like signaling "d" for "dismissal."
16:56:01 [npdoty]
Zakim, aaoo is probably Tim_Davis
16:56:01 [Zakim]
+Tim_Davis?; got it
16:56:04 [justin]
As I've said repeatedly, I don't care whether it's in-band or out-of-band --- let the marketplace work it out. But there has to be transparency if any claimed exception wants to trump DNT:1.
16:56:29 [David_MacMillan]
zakim ann is David_MacMillan
16:56:38 [susanisrael]
....what shane is fearing, and I agree, is that if browsers create a reaction to dnt signal. .....and dnt is real communication mechanism....then c just means "give me the data, because
16:56:44 [David_MacMillan]
zakim aann is David_MacMillan
16:56:50 [susanisrael]
...i promise that i have some reason you should open up."
16:57:07 [jmayer]
Re: Shane's point, contract formation has been greatly watered down by some courts in the U.S. I would not link the Do Not Track consent standard to vague, diverse, and widely-criticized contract formation standards.
16:57:08 [susanisrael]
....for now we just send people to pointer [link?] where we explain.
16:57:23 [David_MacMillan]
np - thanks
16:57:41 [npdoty]
q?
16:57:44 [susanisrael]
......this "c" as "d" would be race to bottom. But should be discouraged because we are only specifying that browser can make meaningful choices.
16:57:46 [Wileys]
Jonathan, I would leave it up to courts to decide what is a meaningful contract and not this working group
16:57:51 [johnsimpson]
q?
16:57:57 [rigo]
ack adrianba
16:57:57 [schunter]
ack adrianba
16:57:58 [npdoty]
ack adrianba
16:58:32 [susanisrael]
adrianba: i think we are drifting slightly off topic with discussion of whether there should or shouldn't be oob consent and how it should be used. we have discussed a lot in past....
16:59:06 [jmayer]
Shane, consumer protection law exists to, among other things, protect consumers from the excesses of contract law. Why would we devolve our responsibility to users?
16:59:12 [Zakim]
-Keith_Scarborough
16:59:30 [susanisrael]
... a use case was if a service wants to roam across devices. exception api should only be called when user wants to authenticate for exception. I don't think we should discuss if oob consent is necessary....
17:00:05 [susanisrael]
....it is. on strict issue of issue 252, this should be a may not should or must, shouldn't require particular ui implementation
17:00:09 [jmayer]
Moreover, we already lack consensus on whether a contract should trump Do Not Track. We had that conversation in the context of service providers.
17:00:31 [Lmastria_DAA]
Lmastria_DAA has left #dnt
17:00:40 [Zakim]
-lmastria
17:00:43 [susanisrael]
schunter: what we have to do on oob consent is discuss reasons, implementation, but no more time for this today.
17:01:15 [susanisrael]
peterswire: next week the whole meeting will be on compliance. Introducing rena mears and tim davis re: financial auditing permitted use
17:01:27 [Zakim]
-schunter
17:01:36 [npdoty]
Topic: Financial Auditing
17:01:54 [susanisrael]
important questions are: how long do you need data for different uses? different in us and europe? specific text that would capture this permitted use?
17:02:25 [Wileys]
Jonathan, I'm not suggesting we devolve our responsibilities to users (and you know that) - I'm saying that the concepts of what represents a valid, enforceable contract is a matter of law and this group shouldn't attempt to solve that for the courts. As you said, this is already a sticky situation but with respect to the FTC Sears Consent Decree, I believe industry has good guidance on how best
17:02:25 [Wileys]
to address these situations from a consumer protection perspective.
17:02:26 [susanisrael]
rena mears has impressive background on privacy auditing, for deloitte and touche, and tim davis has been an expert on online advertising for them.
17:02:55 [susanisrael]
rena: it would be helpful if you ask questions. we will do slides quickly.
17:03:04 [npdoty]
http://lists.w3.org/Archives/Public/public-tracking/2013Mar/att-0320/mears.financial_accounting_use.pdf
17:03:15 [npdoty]
(direct link to PDF of slides) ^
17:03:42 [susanisrael]
.....this addresses accounting and auditing standards, which are 2 different bodies of standards.
17:03:48 [susanisrael]
...questions may apply differently to accounting and auditing.
17:03:56 [Brooks]
Brooks has joined #dnt
17:03:56 [Zakim]
+Brooks
17:04:40 [susanisrael]
tim: to frame discussion of what requirements there are for financial auditing, need to discuss what the auditing is and the frameworks against which it is conducted.
17:04:56 [susanisrael]
...these are important but some audits may have greater need for that information.
17:05:11 [npdoty]
(page 3 of 7)
17:05:13 [susanisrael]
rena: next slide discusses some of your questions, peter.
17:05:23 [susanisrael]
not on irc, can't see questions....
17:06:20 [susanisrael]
financial audits are only one set of audits that company is subject to....soc 1 and soc 2 have now replaced sas 70s, or regulatory audit, AT 101 type literature, industry audits, and others.
17:07:12 [susanisrael]
....financial audits governed by many standards. country by country. ifrs is ongoing discussion to bring commonality to international discussion.
17:08:08 [susanisrael]
guidance from fasb, sec and pcob for public company, accounting requires keeping records in reasonable detail to support transactions that are merely economic events within companies.
17:08:27 [susanisrael]
aipc gives guidance that records should be kept for not shorter than 5 years.
17:08:34 [susanisrael]
....pcob says 7 years....
17:09:07 [susanisrael]
record retention differences apparent in different standards, and companies may produce records in different forms.
17:09:20 [susanisrael]
...ex: GAAP based statements and regulatory statements
17:09:32 [justin]
Say, log files?
17:09:42 [npdoty]
"economic event"
17:09:47 [susanisrael]
peterswire: what triggers 5 year or 7 year requirement
17:10:12 [susanisrael]
rena: it depends, but it depends on economic event definition, and is changing [this is for data retention]
17:10:38 [susanisrael]
tim: predominant types of audits: about accuracy of financial statements and internal controls.
17:11:02 [Zakim]
-[Microsoft]
17:11:04 [jchester2]
Clearly the economic event should be documented in a truly privacy respectful way, esp in the real-time Big Data targeting environment.
17:11:13 [susanisrael]
....in terms of detail needed, if it affects revenue of entities, basic elements, is there contractual arrangement in place, and if so what is it.....
17:11:51 [susanisrael]
...auditors typically understand how systems work. may rely on how those systems work/report ....rely on reports at level of aggregation above pii
17:12:24 [npdoty]
"all they want to see is some evidence that that ad was delivered"
17:12:28 [justin]
"some evidence that ad was delivered" . . .
17:12:34 [susanisrael]
...rarely is financial auditor concerned with how info collected. just want to confirm that ad was delivered
17:13:00 [npdoty]
financial statement auditor is less concerned about the quality [apologies, trying to track phrases I know we'll have to come back to]
17:13:00 [susanisrael]
rarely is auditor concerned with quality (targeting) of delivery. wants to confirm payment for ad delivery....
17:13:14 [susanisrael]
...typically not concerned with level of detail that is subject of dnt....
17:13:50 [susanisrael]
audit work of iab re: standards for impression membership, audience measurement, MRC as independent auditor using those standards.....
17:14:11 [jchester2]
But isn't it so that auditing is also concerned with the quality of the delivery (interactions, for ex), even on a per user basis (given growing payment systems by brands related to performance)
17:14:14 [susanisrael]
want to confirm that impressions are legitimate and valid, (human initiated).....
17:14:25 [susanisrael]
so they need more detail re: quality of delivery.
17:14:51 [susanisrael]
....other concern advertisers have is brand protection. advertisers want to know where their ads are showing up online......
17:14:53 [npdoty]
MRC/IAB auditors more concerned with, for example, whether it was a human that viewed that ad
17:15:02 [susanisrael]
....not places that would harm brand...
17:15:02 [justin]
Basic question: do sites need to retain cookie data/IP address/referer url for 5-7 years? Is retention of referer url necessary?
17:15:20 [susanisrael]
*NICK: are you scribing, or just supplementing?
17:15:22 [Wileys]
Contracts now included elements of "quality" of delivery, as Tim just mentioned, whereas we are being asked to prove impression by real human (not a bot), in the location expected (not low quality sites), and within the dimensions of targeting (geolocation for example).
17:15:35 [Zakim]
+[Microsoft]
17:15:37 [moneill2]
+q
17:15:50 [susanisrael]
peterswire: just to clarify, it sounds like you said mrc, is closer to quality
17:15:55 [justin]
WileyS, so retention of referer url necessary?
17:15:56 [susanisrael]
*npdoty, tx
17:16:07 [susanisrael]
*again, tx
17:16:14 [Zakim]
-Jonathan_Mayer
17:16:39 [susanisrael]
tim: financial statements are at levels of aggregation, not referring to dnt data itself.
17:16:53 [Wileys]
Justin, yes - for site quality requirements (where possible - often obscured via iFrame)
17:16:59 [susanisrael]
tim: might refer to auditors working papers, necessary support for financial statement.
17:17:19 [justin]
WileyS, thanks, that's what I thought.
17:17:23 [susanisrael]
...nothing says explicitly that the dnt level detail must be retained. judgment required.....
17:17:38 [Wileys]
Justin, a real-world use case, advertiser states they do not want their ads to appear on "adult oriented" websites - how do we prove that we met that contractual requirement?
17:17:45 [susanisrael]
....in my experience many companies don't keep data just because there is so much, so they provide aggregated reports.
17:18:26 [justin]
WileyS, no I get it, just wanted to be clear. But it doesn't sound like you're required to retain that for seven years --- speakers just said that companies often aggregate at some point.
17:18:27 [susanisrael]
.....less focused on is the back end data bases being collected for these reasons. these secondary repositories may be where the risk is.
17:18:59 [susanisrael]
rena: i want to be cautious. i would be concerned that someone walks away thinking there is or is not a definite need for specific information.
17:19:33 [susanisrael]
...there are accounting requirements, and there are auditing requirements. Back end info that tim is concerned about, granularity, is used in ACCOUNTING (not auditing) information....
17:19:36 [rigo]
Wileys, you have to keep that as long as the prescription runs. There is a german company for toll roads called Toll collect that has a well developed concept for data deletion. And we need some kind of agreement there. IMHO this is a role for DAA to get to industry practices. Because this would be overkill for the TPWG
17:19:45 [Wileys]
Justin, agreed - at some point aggregation is acceptable - question is when. Some argue a few years - some argue something longer. It's a corporate risk dimension - what level of financial risk do you take on by aggregating data too soon?
17:19:54 [susanisrael]
....and that trend will probably continue. transaction acctg is just economic events....
17:20:07 [jchester2]
Can you identify Best Auditing Practices emerging from this field to address AdEx', predictive optimization, geo-targeting, etc?
17:20:19 [susanisrael]
accting is method of recording. what systems are in and out, which are financial, will affect what tim just said.....
17:20:26 [rigo]
Wileys, exactly, you need common practices, and those will be localized as they are closely tied to local law
17:20:54 [rigo]
q?
17:20:54 [susanisrael]
....that same level of discussion (re browsers) goes on re: revenue recognition, what is transaction, what is cost, all requires judgment.....
17:21:07 [susanisrael]
it's an art and requires audit evidence to determine validity....
17:21:11 [rigo]
q+ to ask if the data is still needed after audit
17:21:22 [jchester2]
+q
17:21:40 [susanisrael]
where there is risk you will need more info....we are talking about controls. if there are good controls and you are comfortable with that....
17:22:02 [susanisrael]
you may require less substantive auditing. More of this when risk that controls are not adequate.
17:22:17 [peterswire]
about Q-- priority to get explanation of the slides, given limited time; sorry on that!
17:22:18 [justin]
WileyS, Yikes. If you're saying companies need to keep at cookie/IP/referer individualized level for at least three years . . .
17:22:23 [susanisrael]
...so controls will be analyzed at higher level, but if not good enough you need more granular data.....
17:22:50 [susanisrael]
how long do you keep? AICPA has list of how long you may need accounting records......
17:23:02 [susanisrael]
....depends on which accounting schedule you fall under....
17:23:19 [susanisrael]
peterswire: so lots of ways data may be swept in.....
17:23:58 [susanisrael]
tim: marked trends underway that buyers of behavioral advertising are increasingly looking for assurance on quality of the product they are buying, so more demand for auditing.....
17:24:09 [Brooks]
q?
17:24:37 [susanisrael]
....are ads being targeted as advertised. i.e. moms age 30-35, are you delivering to that demographic. today not much assurance but this is where it is headed.....
17:24:49 [susanisrael]
so i anticipate the need for a lot of retention of this information....
17:24:50 [Brooks]
q+
17:25:24 [susanisrael]
peterswire: is it simplistically said that as this becomes more important economically for companies auditing will be more rigorous....
17:26:10 [susanisrael]
...as info from browser more restricted....lots of pressure on companies to justify what they do...advertisers understand.....and want assurances that they should pay a premium...
17:26:10 [dan_auerbach]
q+
17:26:54 [susanisrael]
rena: one trend with impact on this is what is financial system, and what is auditing target (may be database with pii)...
17:27:20 [npdoty]
tim: harder for us to be confident that this user is the same user as last week, or fits into that particular demographic (for which the advertiser is paying a premium)
17:27:20 [susanisrael]
....as targeting becomes more mainstream that affects materiality , so requires more examination....
17:27:35 [johnsimpson]
q?
17:27:43 [npdoty]
ack moneill
17:28:28 [susanisrael]
moneill: same issue as for audience research. re: unlinkability, how long do you need to retain connection to a particular user or device?
17:28:40 [jchester2]
zakim, unmute me
17:28:40 [Zakim]
jchester2 should no longer be muted
17:28:45 [rigo]
ack rigo
17:28:45 [Zakim]
rigo, you wanted to ask if the data is still needed after audit
17:29:09 [Zakim]
-WaltM_Comcast
17:29:10 [susanisrael]
rigo: my qu is on retention....there is clear accounting data that for legal reasons you have to retain.....
17:29:44 [susanisrael]
...but raw data to justify fulfillment of contract, must this also be held beyond the audit? when you then stand for the accuracy of data? and how long do you take to audit campaign?
17:29:45 [Zakim]
-[Mozilla]
17:29:52 [npdoty]
ack jchester
17:30:03 [rigo]
zakim, mute me
17:30:03 [Zakim]
Rigo should now be muted
17:30:33 [peterswire]
q?
17:30:33 [susanisrael]
jeff chester: given flood of big data in digital advertising system that is now material can you describe debate in privacy audit community re: best practices
17:30:33 [jchester2]
zakim, mute me
17:30:33 [npdoty]
ack Brooks
17:30:37 [Zakim]
jchester2 should now be muted
17:30:37 [Zakim]
-Rob_Sherman
17:30:42 [Zakim]
-efelten
17:30:50 [npdoty]
ack dan_auerbach
17:30:58 [susanisrael]
brooks dobbs: can you clarify that what you are talking about is not simply re: oba but for all online advertising; the measure of where economic event occurred
17:31:18 [npdoty]
Brooks, that was my understanding as well
17:31:29 [susanisrael]
dan auerbach: if i am an ad network that wants to delete raw log data after 2 months, rena urged caution. Might that change?
17:31:50 [robsherman1]
robsherman1 has joined #dnt
17:31:51 [susanisrael]
rena: divide between true financial and other audit
17:32:01 [Brooks]
Nick, I just think it is important that this is well understood, not that it should be particularly controversial
17:32:15 [susanisrael]
tim: how long does underlying detail have to be retained. Judgment for company and audit based on risk that auditor received
17:32:32 [susanisrael]
...there is also judgment in interpretation of legal requirements too, so no precise answer.....
17:33:16 [susanisrael]
so as a practical matter, i have seen companies disposing of data after some time, but i advise they speak to stakeholders, attorneys, auditors, customers (who may have audit rights in contract)....
17:34:12 [susanisrael]
rena: may seem obvious but whatever standard you adopt must be incorporated into a corporate policy document because you will be talking about policy and compliance....
17:34:18 [susanisrael]
peterswire: one question is what are trend and why....heard about increasing materiality
17:34:39 [Zakim]
-dwainberg
17:34:57 [susanisrael]
rena: my concern, which also addresses my caution note, is that since this is judgment call, and i am on advisory board of oba company, you see this moving to mainstream company....
17:35:01 [Zakim]
-JeffWilson
17:35:14 [Chris_IAB]
ultimately, an audit is only as good as the market perceives it to be rigorous, fair and accountable and impartial
17:35:39 [susanisrael]
when you audit you look at main chunks of revenue and assign more risk there.....
17:35:53 [susanisrael]
you end up with auditors having to recognize major business model change which is a risk, along with amount, when it becomes material.....
17:36:11 [susanisrael]
need to understand requirements given those trends......
17:36:12 [Zakim]
-Fielding
17:36:37 [justin]
And "Do Not Track" is only useful insofar as it's perceived as a meaningful limitation on data collection.
17:36:59 [susanisrael]
tim: we have seen major corporations getting into this business but also a tremendous amount of fragmentation in this business with many intermediaries in the value chain......
17:37:28 [Wileys]
Justin, I believe the focus on "collection" versus "use" is still murky. While all agree on "use" not as many agree on "collection".
17:37:40 [susanisrael]
but if you are small to medium player you will not do everything yourself but will rely on third parties, and complexities makes it hard for intermediaries to determine who is responsible and has data and for how long.....
17:37:41 [Zakim]
-WileyS
17:37:53 [Zakim]
-adrianba
17:37:53 [jchester2]
what about emerging ethical best practices from the auditing field? Are they working on it?
17:37:55 [susanisrael]
peterswire: how tied to financial auditing....
17:38:22 [susanisrael]
tim....goes back to popularity of soc 1 and soc 2 reports, may have to get representations from other auditors....
17:38:43 [npdoty]
+1, yes, many thanks
17:38:47 [susanisrael]
peterswire: thank you , we look forward to possibly continue the conversation
17:39:12 [rvaneijk]
rvaneijk has left #dnt
17:39:12 [npdoty]
Zakim, list attendees
17:39:39 [Zakim]
As of this point the attendees have been +1.202.639.aaaa, JeffWilson, Chris_IAB, moneill2, +1.202.587.aabb, npdoty, +1.404.385.aacc, peterswire, efelten, +1.215.480.aadd,
17:39:43 [Zakim]
... dwainberg, Fielding, WaltM_Comcast, +1.212.768.aaee, Susan_Israel, johnsimpson, RichardWeaver, rvaneijk, lmastria, jchester2, MECALLAHAN, +1.408.836.aaff, Jonathan_Mayer,
17:39:43 [Zakim]
... hefferjr, [Microsoft], WileyS, +1.941.539.aagg, +1.650.465.aahh, Dan_Auerbach, hwest, justin, dstark, Keith_Scarborough, adrianba, sidstamm, Rob_Sherman, chapell,
17:39:47 [Zakim]
... Craig_Spiezle, +1.650.465.aaii, vincent, Rigo, +1.516.376.aajj, [FTC], prestia, schunter, +1.516.376.aakk, vinay, +1.415.695.aall, +1.650.465.aamm, +1.650.365.aann,
17:39:47 [Zakim]
... +1.206.716.aaoo, Tim_Davis?, Brooks
17:39:47 [Zakim]
-Craig_Spiezle
17:39:47 [Zakim]
-[FTC]
17:39:47 [Zakim]
-[CDT]
17:39:47 [Zakim]
-Dan_Auerbach
17:39:47 [Zakim]
-[Microsoft]
17:39:47 [Zakim]
-Susan_Israel
17:39:47 [Zakim]
-RichardWeaver
17:39:47 [Zakim]
-Tim_Davis?
17:39:48 [Zakim]
-peterswire
17:39:48 [Zakim]
-jchester2
17:39:48 [Zakim]
- +1.415.695.aall
17:39:48 [Zakim]
-kulick?
17:39:48 [Zakim]
-vincent
17:39:50 [Zakim]
-johnsimpson
17:39:50 [Zakim]
-hefferjr
17:39:50 [Zakim]
-rvaneijk
17:39:50 [Zakim]
-npdoty
17:39:50 [Zakim]
-Rigo
17:39:50 [Zakim]
-moneill2
17:39:50 [Zakim]
-dstark
17:39:50 [Zakim]
-Yianni?
17:39:50 [Zakim]
-prestia
17:39:50 [Zakim]
-vinay
17:39:50 [Zakim]
-Brooks
17:39:51 [Zakim]
-??P76
17:39:51 [Zakim]
-Chris_IAB
17:39:51 [Zakim]
-chapell
17:39:54 [Zakim]
-MECALLAHAN
17:40:01 [Zakim]
-david_macmillan?
17:40:03 [Zakim]
T&S_Track(dnt)12:00PM has ended
17:40:03 [Zakim]
Attendees were +1.202.639.aaaa, JeffWilson, Chris_IAB, moneill2, +1.202.587.aabb, npdoty, +1.404.385.aacc, peterswire, efelten, +1.215.480.aadd, dwainberg, Fielding, WaltM_Comcast,
17:40:03 [Zakim]
... +1.212.768.aaee, Susan_Israel, johnsimpson, RichardWeaver, rvaneijk, lmastria, jchester2, MECALLAHAN, +1.408.836.aaff, Jonathan_Mayer, hefferjr, [Microsoft], WileyS,
17:40:04 [Zakim]
... +1.941.539.aagg, +1.650.465.aahh, Dan_Auerbach, hwest, justin, dstark, Keith_Scarborough, adrianba, sidstamm, Rob_Sherman, chapell, Craig_Spiezle, +1.650.465.aaii, vincent,
17:40:04 [Zakim]
... Rigo, +1.516.376.aajj, [FTC], prestia, schunter, +1.516.376.aakk, vinay, +1.415.695.aall, +1.650.465.aamm, +1.650.365.aann, +1.206.716.aaoo, Tim_Davis?, Brooks
17:40:19 [johnsimpson]
johnsimpson has left #dnt
17:41:01 [kulick]
kulick has left #dnt
17:43:36 [adrianba]
adrianba has joined #dnt
19:49:26 [Zakim]
Zakim has left #dnt
21:15:15 [schunter]
schunter has joined #dnt
23:15:13 [npdoty]
npdoty has joined #dnt