Tracking Protection Working Group Face-to-Face

06 May 2013



like, 40, of, us, +1.781.479.aaaa, bilcorry, Gregg_Vanderheiden, schunter, moneill2, +1.647.274.aabb, +1.215.898.aacc, Turow?, +1.647.274.aadd, +1.202.257.aaee, +1.215.898.aaff, +1.408.223.aagg, +1.202.344.aahh, +1.202.257.aaii, mecallahan, StuIngis, Bin_Hu
npdoty, aleecia


<npdoty> trackbot, start meeting

<trackbot> Date: 06 May 2013

<moneill2> zakin,[ipcaller] is me

<aleecia> 1 Infinite Loop, 15% apple hardware, 10% 3rd party; please don't get David fired. :-)

<npdoty> scribenick: npdoty

peter: we made a point of having break out rooms, in case smaller groups want to huddle, during breaks, etc.
... talk to dsinger about the details there
... apologies for classroom style, the room got a little more full than the horseshoe plan
... pretend you're all facing each other, looking eye to eye, for better conversations
... will give you an introduction, overview of things as I see it, just to set up
... pleased to have Josh Chasin from ComScore to talk about audience measurement
... Joe Turow, an expert from Penn on the phone may give brief reactions
... a break, and then a session on item 6, browser settings
... important because last face-to-face before Last Call, won't get another chance to bring everyone together before last call is my view
... a lot of people working hard toward that, but just good to keep in mind
... put some ratholes on the side
... have a parking lot where we might come back to some important points on Tuesday afternoon/Wed morning
... the chair will cut off filibustering
... in the self-interest of major stakeholder groups to pursue the framework
... is this good public policy? economic efficiency; rights/autonomy/choice
... if we win on economy and on autonomy, then that's a win for us
... this is a draft, and a framework, doesn't have detailed language

<schunter> Are there slides that have been posted?

peter: this makes sense in my view, which is what I'll try to explain

<Wileys> Matthias - no slides

peter: is it a significant improvement of privacy and choice? can we explain it to users? can we get adoption?
... adoption, headers going out, but except for some like Twitter and AP, not getting a lot of third party adoption
... if it's easy to use and technology neutral and it's globally adopted, that's a good outcome, and the intention of the draft framework
... a public policy advantage of consensus agreement here: interoperability
... leads to an efficiency outcome; upholds choice/rights because users get the choice they thought; and interoperability is a goal of W3C
... hugely distributed system, lots of browsers, first parties, third parties, etc.
... negotiation of bilateral agreements of all of those is impossible, good place for standardization, a coordination function
... both what it means to receive and what it means to send
... having a one off of this is what it means to me isn't workable, that's the reason for standards
... much of the work in the compliance spec is about receiving the signal, in particular about how it applies to third parties
... haven't had as much discussion about the sending of the signal -- what the user sees and how the browser operates
... in the draft framework, there's a series of things we'll discuss this week regarding sending
... "a brief and neutral description"
... in a world where defaults and nudges matter (which is our world)
... the group has long agreed that the DNT signal would be unset (not "off", an imprecision in earlier language)
... from an economics point of view, the current equilibrium doesn't have agreement on sending/receiving and little user choice when sending a DNT signal
... could get worse through an arms race, people spend a lot of money and don't even get privacy and user choice at the end of it
... if we have a standard, we could have effective choice
... need to have a dependable standard, otherwise browsers and sites won't invest
... draft framework provides a structure for giving the dependability we want
... "transaction-specific capital"
... with this transaction, we need to invest together to make it work

<wseltzer> [Oliver Williamson: https://en.wikipedia.org/wiki/Oliver_E._Williamson ]

peter: imagine a ship and a dock, for the kind of thing we're shipping (specialized wheat) -- a specialized ship for dropping wheat efficiently and a specialized dock for receiving wheat efficiently
... if they both invest in that specialization (expensive), get to a more efficient outcome
... if the next day the dock-owner doubled the price (because of specialization), the ship owner would be "sad" (specific economic terminology)
... if you're worried about that, you don't build the ship at all, and so we don't get the efficient outcome
... different methods, but have to have trust
... call the browsers a dock, for example, requires investment in building a feature for users that sends a DNT signal
... and for sites and ships, sites/third parties have expenses to change back-end systems to receive DNT signal, but the concern is what if the sending of the signal suddenly changes
... one of the concerns from the sites' side is that the description to the user or the default could change some day in the future
... sites rationally won't invest if they don't have some confidence about future periods
... if you preferred one group over another, you could tell one group that they could change the deal in the future, but that would actually undermine the deal for all
... if we want the users to win (not unreasonable from a W3C point of view), we could set a standard that allowed the users to change every chance they get
... but that could inhibit investment anyway
... would undermine what you were trying to achieve in supporting users

</Oliver Williamson>

draft framework

peter: talk about some of the browser and site issues in the draft framework, how it looks for users
... take two clicks to turn on Do Not Track (one to get the settings, one to change the setting), similar to how cookie policies are changed or how Do Not Call list works
... if it's hidden away where no one will use it, that might be bad for users
... based on Mozilla's stats, Firefox sees double-digit adoption, even though it's not widely advertised, people are turning it on
... it is easy to use, even easier if groups were willing to educate users on their web sites
... could be different stable and transparent ways to say what will happen on the send and on the receive side
... Tuesday morning we'll talk about how that fits into the TPE
... what if one side tries to change the rules in "Period 2" (sometime later)
... browsers are not mandated to comply with the standard, no legal requirement
... one thing that could happen is that sites could respond with a "D" signal, indicating that they don't think it's compliant
... browsers can still compete on all other aspects of the browser experience
... browsers can still leave DNT entirely if they don't think it helps users
... there's another possible part of the framework, regarding cookie blocking
... from Jonathan's blog first published, browsers could not block third party cookies for sites that are compliant with DNT
... browsers could then have a story for their users that the site is either respecting user choice (through DNT) or cookies are blocked
... gives sites a carrot to come in, to get the benefit of third-party cookies from more browsers
... have transparent, stable rules
... for the user: what if there's no DNT standard?
... can turn on the signal but it doesn't have an effect, or have the arms race
... haven't seen another package that gets users that higher equilibrium
... how can we improve things over time?
... something like the Draft Framework can bring in investment from browsers and sites
... but one major concern remained around unique ID cookies
... I asked last week for any additional plans that could address that
... we'll talk about that more tomorrow afternoon, and about audience measurement in just a few minutes
... very simple: if you turn DNT on, you don't have a unique ID following you around the Web
... could be that we can get close to that now and better in later periods
... last Wednesday, I said we had an outcome that is rational for all stakeholders
... today I've said there is an economically efficient outcome
... a lot of you have been working hard, talking within your own groups
... we can do something better for policy and for all our stakeholders
... invite Josh Chasin, Chief Research Officer for ComScore, to talk about audience measurement

rvaneijk: before we move on, can we talk about the agenda? do we need to fix it right now?


peter: audience measurement that's been a common topic
... then have david singer talk about some browser discussions about neutral presentation and common resources
... Stu Ingis available remotely to talk from a distance about some Item 6 issues around browsers
... tomorrow morning, Matthias and David leading, with some questions about technical measures around Item 6 (browser restrictions and labeling)
... tomorrow afternoon can talk more about specific areas around unique IDs, some work on facts in that area
... Tuesday afternoon and Wednesday morning can allow deeper dives into particular issues
... for example, perhaps around term of "browser" vs. "user agent"
... if you have suggestions of particular topics to be sure for us to touch on, write them down
... Wednesday afternoon we will have a "where are we now" meeting
... have we made enough progress that it's worth going to normative text, is there some other path, or is it really frankly not there
... that's a serious conversation, that I've tried to prepare people for

rvaneijk: list major items (parking lot / elephants) on this paper setup? peter: yes, we can start now.

peter: user agents vs. browsers
... more on unique IDs
... Where Are We Now
... are there other deep dives to put on the list right now?


(also linked from the agenda)

Audience Measurement

josh: Josh Chasin, Chief Research Officer at comScore, for the past 6 years
... worked in TV, radio, newspaper, billboard, Internet audience measurement, a "lifer"
... ask for a presentation from ESOMAR, I drew the short straw ;)
... define audience measurement, explain what it is we actually do
... measurement audiences are not a priori known, with radio, for example, it's just broadcast, and so you just have to measure, estimate, count

<aleecia> (thank you Roy!)

<tlr> who is the caller from ontario?

josh: most media is ad-supported, advertisers and media companies need to know who the audience is in order to sell ads
... information facilitates commerce
... history of audience measurement, radio as a medium, no one was sure if it would work for advertising
... a company did survey the day-after (which stations did you listen to yesterday?), which enabled advertising
... initially radio was there to sell radios (the hardware), but subsequently the commercial purpose of radio changed
... more recently "naturally occurring data" -- set-top boxes create data as the watching is actually happening
... NYT sports section, with a particular ad on the front of the section, an upscale watch ad for men
... didn't know it was me, but knew that men tended to skew male, and that the NYT has an upscale audience, contextual because the story is about the derby and the ad is about their support
... can we all agree that this is generally okay?
... but would be a problem if this ad said, "hey josh, I know you aren't wearing a watch, call this phone number just for you"
... all advertising and all marketing is targeted, but the question is more about micro-targeting, embedding data about a user through a cookie
... audience measurement doesn't support cookie targeting; if you're doing cookie targeting, you don't need audience measurement
... the two are anathema to one another
... in practice, how do we integrate panel data with site census data
... calibrating the panel data, or integrating panel and census data
... weighting or sample-balancing; weighting is a calibration
... table comparing panel demographics with government datasets and telephone surveys
... my recruitment panel is underrepresenting the young male audience; we are required to address with weighting
... apply a weight based on that ratio, calibrate the panel to a known universe
... similar, weight based on how many panel hits are on a particular site, vs. how many "beacon" hits / page views from that site
... after calibrating the panel, panel projections will more closely match the universe
... weight the panelists based on some sites which have beacons, even for sites that don't place comScore beacons on the page
... holistic, hybrid integration -- Randall Rothenberg, IAB CEO surprised that we still rely on panels, which are such an old technology
... so move more towards "site-centric audience measurement"
... count the number of cookies observed on a site that places tags on their site
... filter by country to a number of cookies, normalize via the panel on how many cookies per person
... demographics come from the panel, not from the cookie-based census style

<moneill2> if a person has multiple cookies does this represent multiple devices they use?

josh: we don't use, or attempt to know, anything about the people behind these cookies
... just counting cookies, don't believe "counting" is "tracking"
... consequence (of DNT inhibiting audience measurement) is not users seeing less relevant ads, but instead advertising going away

<Wileys> moneill2, unless the cookies are associated to a panelist (opt-in), there would be no way to tell if different cookies belonged to the same user and/or if there were multiple cookies for the same device (post cookie clearing)

josh: because advertisers would take business elsewhere if they can't get sufficient information about placing ads on which sites

<justin> Why would they go to TV where you can't do that level of calibration?

<dan_auerbach> +q

<jchester2> +q

<moneill2> number of cookies deleted or number of devices/browsers per person is an expected statistic of the population so could be determined by survey.

peter: there is normative language, Kathy Joe's version from March 27th
... permitted use for audience measurement: (would be in place of current market research exception at daa as well)

<Yianni> http://lists.w3.org/Archives/Public/public-tracking/2013Mar/0335.html

peter: doesn't apply unless you're calibrating or otherwise supporting panels
... with MUST restrictions, de-identified, no longer than 53 weeks, no independent purpose, industry self-reg certification
... a lot of different representations and restrictions than in the previous version of the DAA code, I see this as a lot of new work

jchester: thanks to Joe Turow for agreeing to talk, very few academics in the country that have looked at advertising the way he has
... reaching out to Joe because of the evolving nature of market research

Turow: flattered and humbled, thanks to Josh for his presentation
... given that comScore just counts, rather than looking at cookies, is an interesting point
... formulation ("calibrate or otherwise support") seems to enable different functionality, weight with demographics or psychographics or behavioral activity

<moneill2> or geolocation

Turow: there may be some people who don't want to help comScore, Nielsen, etc. -- someone may well say I don't think these companies deserve my help
... comScore and Nielsen numbers are very different from one another, tens of thousands of people or rankings different, am I, by being part of this sample, supporting a specious rating system? to what extent does an individual have autonomy to choose whether to be part of that?
... and what does "otherwise support" and what "calibrate" might mean?
... don't believe advertisers would abandon the Internet for radio, given the lack of information detail on radio (regarding diaries)

jchester2: panel concept is being transformed, what is the changing nature of panels, big data, and predictive optimization?

Turow: depends on how you want to define "calibrate and otherwise support" regarding actuarial activities
... does the person want to be part of it? not a question of whether it's evil or not evil to participate
... I would expect that the rating system today won't be the same in 5 years, more likely to move towards an individual census (citing Rothenberg)

<jchester2> -q

<BerinSzoka> +q

<jchester2> +q

Josh: might just be that better language is possible, not married to it

peter: how open-ended is "calibrate"?

Josh: wanted to explain what we do now, "calibration" may have a more general meaning -- you might instead want to define what not occur
... with TV, calibrate by surveys, even for people that don't live in TV households
... calibrate their sample to play back to known universe values
... calibrating our panels to known behaviors in the universe
... weighting, confirming or aligning results in the panel to known phenomena in the universe
... if you had a panel about who was driving where but you also had some known counting of how many people drive down a certain road, of course you will weight your sample to that -- the question is "what may be known?"
... behooves us to weight/calibrate to known numbers
... regarding the question of whether users don't want to participate -- would actually make comScore and Nielsen results more different

<BerinSzoka> I hope we're not going to shoot down questions about ownership of data

Josh: and whose data is it, anyway? [perhaps a tough audience] shouldn't CNN have the right to count its visitors and let comScore know

<BerinSzoka> so Jeff just gets a free pass to interrupt? can the rest of us do that, too?

<peterswire> no

<susanisrael> is dislike of ratings a tracking issue?


Turow: numbers are off in comparing multiple audience measurement providers
... so a user might say that we don't want to be part of this

jmayer: clarifying, who are the panel users, how do they come to be in the panel, what is the software like and what is the consent?

<fielding> Can we limit questions to those that are relevant to DNT and not panel studies in general or comScore probing?

Richard_comScore: 2 million people have signed up for comScore's panel, individuals opt-in, displayed a communication about scope, accept the terms and install the software

dan_auerbach: thanks for presenting; when consumers opt in to a panel, users could send DNT:0, set aside for now
... what's the harm of losing the DNT:1 data? weighting to the universe of site-centric data -- could you adjust in collecting that site-centric census data?

<justin> You can still use the beacon hits --- you just can't correlate across sites.

dan_auerbach: throwing away data not from the panelists, but data from the beacon hits -- if you have a statistically prior data set, couldn't you still successfully do the correlation?

josh: that might be fine now, but what will the effect be if the DNT adoption rate is 95%

dan_auerbach: even 5% might be enough, happy to talk about Bayesian/frequentist approach

rachel_n_thomas: my concern is about asking an expert about market research, if dan's question is implying that the expert doesn't know what he's talking about....

<dsinger> I can give a naive answer to the question posed: who owns the data? If a shop records how many people visit, how long they stay, and what they buy, that's their data. If someone records what shops I visit, how long I stay, what I buy, that's my data. If there is a record of my visit to specific shop, that's shared data. Maybe this is obvious...

josh: if a DNT:1 user comes and I can't set a cookie, can I still count the request? that's what happens now, with cookie churn

<moneill2> or a short duration (<24 hrs?) cookie

<rigo> dsinger: the law says otherwise in most countries, especially if they photograph you

rvaneijk: re, what can be known with counting? regarding behavioral-centric metrics
... a whole list in @@JIGS@@ web metrics document, how does that relate to the counting?

<dsinger> if they photo me, that's no longer 'their' data, is it?

josh: right now video duration comes from the panel

rvaneijk: also the question of what would be a good price for a particular ad, given the context

josh: regarding cookie targeting of ads ... see what sites have duplication with the New York Times

rvaneijk: take it offline.

BerinSzoka: regarding expert witnesses, important assertion about the substitution effect of online advertising for other forms of advertising and the effect on revenue
... could get economic data on that, but we shouldn't dismiss it if we don't like it
... should have more economic data
... this is the single most important thing I've heard yet, want to make sure it's not lost

<justin> To be clear, I have asked for any data on this issue FOR A LONG TIME.

<jmayer> If I understood the introduction correctly, Mr. Chasin's expertise is in market measurement, not the economic analysis of online advertising markets and privacy controls.

josh: IAB program about making measurement make sense, transparency/accountability

<jmayer> Justin, right there with you. Quite strange given the industry's quantitative emphasis.

josh: wrote blog posts, found that they did a really good job, advertisers felt hamstrung, that more information would bring more money in
... publicly documented work that Bain did

<rachel_n_thomas> +rachel_n_thomas

jchester: 3MS is acknowledgment about shift to multiplatform environment, digital and out-of-home; concern about move to real-time full census environment
... where might this be in 5 years?

<justin> If there's a link, I would appreciate it. I can't find anything doing a search for BAIN or 3MS on the mailing list.

josh: would be better to use "breadcrumb" than "cookie", the forces at play from the research companies are employing data assets to provide solutions for buyers and sellers of advertising

<LMastria_DAA> +q

josh: research companies look at data assets as input into audience measurement models

<fielding> http://www.iab.net/mmms (5 seconds on google)

<rvaneijk> http://www.measurementnow.net/

josh: consumer concern is a limiter / governor of what we can do

aleecia: two groups: an opt-in panel and census visitors who aren't aware. josh: yes.
... consent always trumps DNT:1, regarding the panel, you're good -- still some technical issues about how to let users know
... only dealing with the size of the census, whether the census includes data from DNT:1 or not

<dsinger> presumably also whether the census can identify users (user agents or devices)

aleecia: already have service provider provision, standing in the shoes of first parties, can still collect data as long as it's not combining data with visitors from other sites

<BerinSzoka> So... are we not going to do introductions of participants? There are some new faces here

aleecia: so how much of a problem is it, given that service providers can collect data for each first party?

<susanisrael> aleecia, doesn't that contradict the idea that service provider provides services only to and for the first party?

Josh: if this provision enables us to do what we do, then that's the research exemption we need.

<justin> Still trying to find the data in those links.

aleecia: you offer an opt-out today, how does your current opt-out differ?

josh: defer to Richard. Richard_comScore: we do have individual opt-outs, with information about what our data collection is, on our web sites

<aleecia> Actually, no: I was looking for an answer on that.

Richard_comScore: also proposed to create an omnibus site regarding all market research sites, to explain and have an opt-out

paulohm: if the census isn't to provide richness, you could do that without any identifiers or exceptions, right?
... you don't need an identifier in the cookie

josh: yes, the cookie could be empty

<BerinSzoka> after the break, the original Unfrozen Caveman Lawyer (me) v Unfrozen Caveman Policy Lawyer (Paul)... outside... to the death...

<LMastria_DAA> -q

<justin> So have we solved this now?

paulohm: to confirm, you don't need to know anything about the cookie, just aggregate by country, so we're all agreed

susanisrael: I thought what paulohm said was correct

<justin> Does anyone want to stand up and say why individual cross-site correlation is necessary?

<moneill2> short duration identifiers when DNT:1 is fine.

peter: having agreement break out is a good thing

<justin> For census-level calibration?

josh: it's going to have a unique-identifier, but don't embed any characteristics with that cookie

<moneill2> a unique id but how long does it last?

peter: okay, no data associated. so why do you need a unique identifier?

josh: need to measure cookie deletion

<moneill2> measure by survey?

josh: need to know that it's not the same cookie as last time

<jchester2> +q

susanisrael: we've discussed freq. capping as a permitted use, require some exceptions even when users don't want to be tracked

<LMastria_DAA> +q

susanisrael: need to know if someone is re-sending a cookie or if it's a new viewer

<moneill2> if DNT:1 they have opted out

susanisrael: does it matter if there's some opt-out of your cookies? was your response, up to a point it's fine, but with a big number it would be a problem? josh: yes.

<aleecia> N.B. for frequency capping we were talking about scoped to one party only.

susanisrael: if someone doesn't like advertising or some player on the Internet, is that really part of tracking?

<fielding> The scorecardresearch.com cookies on my browser include a UID (persistent to 2038 -- 32bit max date) and a UIDR (persistent for two years)

jmayer: understanding non-panelists visitors, is it right that unique ID cookies are used to count the number of unique visitors to a page?

josh: we count unique cookies, and then use the panel to count the number of people

<justin> This could be done with first-party cookies then, yes.

<fielding> aleecia, when did we say that frequency counting is per party? It usually isn't in practice.

jmayer: alternatives: a cookie with just the number of times the visitor has seen the page, that's a first pass response although there could be other techniques
... a way that moves away from unique identifiers

<aleecia> That was the discussion around frequency capping with double-keyed cookies, which is where we left things last time we talked about the topic in any serious way

josh: I'm not sure about the technology, one criterion, having a tag on the page must not affect the user experience of loading a page

<fielding> oh, the double key was the campaign ID, not the site, IIRC

<aleecia> Roy you are correct - my error.

jmayer: I don't think it would affect the loading of a page
... you would still have the numbers you need? josh: perhaps.

<aleecia> We had left the dialog with "what's a campaign?" not nailed down.

<susanisrael> As I understand it, in talking about whether we want to create/allow a permitted use for audience measurement, what we are trying to determine is whether this is important enough to the operation of the internet that the aggregate counting should be permitted, despite a user's desire not to be tracked. And furthermore, I think we are hearing that the counting here may not even be tracking.

LMastria_DAA: need to rein in hypotheticals, hear from Josh, this will be a subject for further exploration

<rvaneijk> so for the minutes: <Josh> would only need to know the number, as a counter and if the technology provided for this, unique IDs would not be necessary.

LMastria_DAA: hypotheticals that may or may not occur or technologies that may or may not work

peter: this discussion is important to the draft framework, helps to inform how we look at the framework

<rvaneijk> @LU, it is important to discuss proportionality of the unique id's connected to audience measurements and to explore subsidiarity, for DNT needs to be future proof.

peter: the topic of unique ids in general is quite strong discussion for us in general, unique IDs is the area we've seen the most focus on

LMastria_DAA: solutioneering it here might not be the best

<Wileys> +q

rachel_n_thomas: spec shouldn't have specific technologies in the language

<susanisrael> the question is whether the businesses on the Internet need audience measurement in order to operate, just as they need financial accounting, frequency capping, fraud detection and other things that we have deemed to justify permitted uses.

<justin> I think the point is that it sounds like you could accomplish everything that Josh is describing under the "service provider" language, so you wouldn't need a separate market research exception.

jchester: how do you work on the mobile environment?

<susanisrael> I believe that the reference to other companies was not necessarily a reference to other audience measurement companies?

josh: can't speak to Nielsen

<rvaneijk> http://www.comscore.com/Products/Audience_Analytics/GSMA_Mobile_Media_Metrics_MMM

josh: have multiple mobile panels, iOS, Android, tablet, etc.

<susanisrael> Justin, I don't understand the service provider provision to operate the way Aleecia suggested it does. My understanding of what is permitted under this provision is actually much more limited.

<rvaneijk> GSMA Mobile Media Metrics provides a powerful view of the who, what and where of the mobile web to give publishers more comprehensive measurement and advertisers more extensive media reach data.

<moneill2> can't hear anything

dan_auerbach: didn't mean to make you feel more unwelcome here. josh: didn't feel that way at all.
... software running on users' computers that is making requests to users' computers
... any challenge to that software altering outgoing headers

josh: need an engineer to answer that. [follow up offline]

Richard_comScore: in general, researchers don't want to modify an experience, only monitor

<justin> susanisrael, Well, the more important point (for me) would be that you could do it all through first-party cookies. If you're just trying to count uniques to EACH website, not ACROSS websites.

Wileys: since it wouldn't affect the personal experience, wouldn't have any of the yet-to-be-defined harm, just have the question of whether unique IDs are necessary
... for other audience measurement groups, use census data across single-site counting issue [so would need unique IDs]

<justin> Ah, thanks WileyS, I figured it wouldn't be that easy.

<susanisrael> But the first party could not provide that information to a third party. And there is mistrust of first parties providing their own measurement. That's one of the reasons third parties do it.

Wileys: recommendations have come to approach novel technologies that would let us move away from unique identifiers

<justin> susanisrael, I was thinking more along the lines of what Omniture and Google Analytics do, but WileyS points out that wouldn't be sufficient for what a lot of companies do (though it would be useful to hear an ESOMAR member explain that).

Wileys: unproven at scale, would require expense to make the shift, overinvestment with little guarantee of return

<fielding> justin, were you looking for http://www.iab.net/insights_research/industry_data_and_landscape/digital_pricing_research

Wileys: have offered in the past to enter into a parallel discussion or Lab to move down that path, prove to our engineers that this is how to make the move
... can't sign a blank check on day one
... not realistic for a July Last Call

<susanisrael> justin, when a service provider does that for a first party, it does it only for/to the first party. Not for disclosure to others, if it's just a service provider.

peter: unique id, what can credibly be done now vs. down the road?

<justin> susanisrael, They could use aggregate data. But I would be fine revising to make clear that first party cookies are OK for market research.

Wileys: hard to commit to an unknown future. people conceptually like the Lab concept, but pushback that this is a "one time" situation (under regulatory, market and press pressure)

<jmayer> This is the level of difficulty associated with many privacy-preserving approaches: https://github.com/jonathanmayer/Tracking-Not-Required/blob/master/conversion-measurement/ConversionMeasure.js

Wileys: fear then that the Lab effort would dissipate

<susanisrael> Justin, let's take the conversation offline later.

<jmayer> We aren't talking about lab hypotheticals. We're talking about trivial JavaScript.

<aleecia> the nice thing for ComScore is it's not like they need to do a real time auction

<justin> fielding, I thought this was what he was discussing --- (though not precise as to the value of calibration): http://www.iab.net/media/file/BAIN_BRIEF_Digital_Advertising_4-19-10_FINAL.pdf

<BerinSzoka> I note there are chocolate chip COOKIES waiting for us all outside. since Apple blocks third party cookies, I assume they were baked on premise. Caveat emptor! (Also, note there's whole milk)

<big round of applause for Josh>

<fielding> justin, could be … I wasn't paying attention to why the mention came up

peter: a bunch of things that people might be able to get on board for this week, and others that are unknown

<justin> I just want a sense of how mission critical the calibration is to measurement. But it sounds like the answer is perhaps entirely dependent upon the level of DNT adoption . . .

peter: if people can figure out a concrete, credible structure, I think that could be a way forward
... that may be the best I've heard so far

[on break until 4pm]

<mecallahan> nick --sorry was on another call. mary ellen callahan is the DC cell phone.

<mecallahan> aaii mecallahan

<moneill2> zakim. aaii is mecallahan

<peterswire> we're gathering, start within 5 minutes; (1) wrap up of prior session; (2) david singer; (3) DAA


<aleecia> For JC, the agenda has: Dinner on your own, but meet for drinks at Firehouse Brewery, 111 South Murphy.

peter: available until Wednesday afternoon, we can do Where are We Now earlier if ready

<aleecia> nick I could

<scribe> scribenick: aleecia

peter: three pieces
... 1. wrap up

2. dsinger, browsers

3. Stu by phone, ad perspective

scribe: on market research, helpful info and Q&A, possible follow up later with other companies
... next, looking at action items from last session
... one piece of text: calibrate or otherwise support. Would be constructive to have a task to understand "otherwise support" from industry who worked on the text.
... make this less vague.
... other issues related to the text? Justin, then Rob

Justin: getting more data about how important?

Peter: if 10% DNT, 50%, or 90% DNT, how would this change? Any data we know of?

Richard: Esomar will work on that

Rob: more normative text on the problem we're solving, need justification for audience measurement to be an exception. Not sure the problem we're solving.

<npdoty> Richard_comScore, can we give you two actions? (one on updated text regarding "otherwise support"; one on additional data)

Susan: Allows us to be in business.
... that's the problem it solves.

Chris: Siri, what is track?

Siri: silence

<tlr> Siri: I'm sorry, Chris, but I can't let you do that.

Peter: there was a pool, it took 3 hours 20 seconds to raise that

<justin> For the compliance standard:

<justin> "Tracking" is understood by this standard as the collection and retention of data across multiple parties' domains or services in a form such that it can be attributed to a specific user, user agent, or device.

Rob: if we do need an exception, that would be a bad way of handling a possible future scenario. Prevent an arms race, but if we don't need reasons other than "we would go out of business," can we at least flesh that out?

Peter: needs to be proportionate and legit even given risks, is that right?

<npdoty> ACTION: weaver to look into data around the impact of audience measurement / changes to census calibration [recorded in http://www.w3.org/2013/05/06-dnt-minutes.html#action01]

<trackbot> Created ACTION-397 - Look into data around the impact of audience measurement / changes to census calibration [on Richard Weaver - due 2013-05-13].

<justin> Aleecia has lodged some concerns about this definition, but by and large it reflects our understanding from Cambridge.

Rob: yes. But if just aggregated, can do processing under statistical exception.

<npdoty> ACTION: weaver to work with ESOMAR folks on clarifying "otherwise support" in audience measurement proposed text [recorded in http://www.w3.org/2013/05/06-dnt-minutes.html#action02]

<trackbot> Created ACTION-398 - Work with ESOMAR folks on clarifying "otherwise support" in audience measurement proposed text [on Richard Weaver - due 2013-05-13].

Rob: might set up a good case for statistical exception, OR the legit interest, but which is it?

<Thomas_Schauf> +q

Susan: US don't have that

Rob: could be non-normative text to explain that.
... may be a US-centric problem, but then I would like to know what it is

<justin> susanisrael, rvaneijk's issue is closely linked to my question --- how mission critical is the DNT:1 data for calibration of opt-in panels?

Susan: struggling to understand the need to know something about your audience in the aggregate, how many there are, and the demographics to sell advertising which supports content distribution services
... allows a company to be in business
... we're not operating under European laws. We're creating a set of rules.

Rigo, Jeff, then Dan.

<justin> WHAT I SAID. We need data about how mission critical this is.

Rigo: transatlantic misunderstanding we can clear up.
... Rob is saying you can do it anyway without text in the specification, hear back we want to be sure it's in to describe what we do
... Rob says then please describe it in a way that avoids the risk of EU misunderstanding

Peter: drafting to address EU and US, we'd all be in favor of magical normative text that does that.

Susan: very helpful, happy to work on that.

Jeff: since Nielsen is here, let's have public conversation just as ComScore did

Peter: holding that aside for now

<npdoty> ACTION: susan to propose text (with Rigo and Rob v.E.) on harmonizing audience measurement permitted use in EU context [recorded in http://www.w3.org/2013/05/06-dnt-minutes.html#action03]

<trackbot> Created ACTION-399 - Propose text (with Rigo and Rob v.E.) on harmonizing audience measurement permitted use in EU context [on Susan Israel - due 2013-05-13].

Dan: echo Rigo, we don't need an exception, you can still do everything you need to do

Susan: if that's true, it helps to -
... if we understand what is prohibited, if there's no tracking and it's permitted without an exception, then this is permitted under EU law

<npdoty> ... might just be a permitted activity that doesn't require an exception [permitted use]

Susan: do we need permitted use to ensure it can continue, and we need to clarify

Peter: DAA code has market research exception. Quite broad.
... if we go to something different, that's a change for a lot of companies. Not just a W3C conversation.
... turning to part 2 from David Singer, on how users find out what DNT means

dsinger: browser cos talk and realized it would help to have common terms

<rvaneijk> audience measurement may or may not be permitted under EU law. http://lists.w3.org/Archives/Public/public-tracking/2013May/0002.html

dsinger: don't want to confuse people with needlessly different terms
... meshes with what DAA would like to explain to users what things mean
... neutrally phrased common resource, so users don't get confused

<rigo> rvaneijk, depends on how it is done. So a permitted use would do audience measurement as it would be allowed, thus the need for a good description to come to a common understanding

dsinger: imagine a preference, let's talk about browsers for a moment. They often have a ? or something similar with a link to more information
... would like to like "if you want to know more about DNT, W3C (or somewhere) explains in more detail" in neutral terms
... also, if you're in Europe, here's how it meshes with EU law

<Thomas_Schauf> it seems we need a break out session on audience measurement and compliance

dsinger: some companies are members of DAA, to learn what they say about it, click here,
... branches in several ways with links to many places.
... have been chatting about this

<rigo> Thomas_Schauf: yes, Rob says, if we are just counting, there is no issue. If we attach properties, we have trouble

dsinger: would like to keep it short, comprehensible, not sure we do that in the WG :-)
... needs to be carefully written. Hesitant to mention while we're doing normative work here, don't want to distract.
... but want it accurate, friendly, and informed. And we'd like neutrally hosted. Don't want Apple to link to a Microsoft page...

<Thomas_Schauf> rigo: Sure, but regarding EU law and lawful processing audience measurement is only one case, a view similar might exist on national level and maybe on EU level in the near future.

dsinger: not sure how to proceed, would be happy to talk with others.
... Not very formal yet, but that's where we are. We've come up with the same idea as the DAA for the same reasons, don't want confusion or people to click things blindly.
... no browser company has said the idea is stupid, but if it ends up a complete mess perhaps groups won't sign on.
... can link to more for details

<rigo> sure, but a permitted use has to work globally. So you can't run the edge here

Peter: in draft framework, part 6d has brief & neutral impact of turning the setting on.
... this could be a way to get comfort there.
... Nick has talked about how a W3C role might happen here?

Nick: we do host docs like this, webplatform.org
... could do it there, or a WG note, would be happy to host if it helps.

Peter: if there's a better way to do it, W3C wouldn't insist on hosting.
... Alan worked on this, including a protest

Alan: see this as a positive step forward, but what is this specifically?
... just a link or more?

Peter: before the jump, or after?

David: it's after the "tell me more"
... browser help explains what the check box does, and then link to more from W3C

Alan: see this as two stage. What's communicated pre-jump, and then what's described post-jump (e.g. the link)

David: browsers need to work that out

Alan: helpful for part II of the discussion, but still need to talk about part I

(what's part I or II?)

David: "To learn more, click here" or something short

<justin> part I is pre-jump, part II is post-jump


Alan: what happens before the spec?
... applaud the effort, want to understand Part I better

Chris: also applaud, Google Chrome doing this

David: Mozilla too

Chris: are Chrome folks part of this?

David: they chat sometimes

Heather: I haven't been involved but would like to be

David: within the limits of producing a quality result we're not fussed about who helps
... more coffee soon, water too, if on the phone identify you or we drop you - get on IRC. we've had one journalist already.
... warm in here, working on that too

<npdoty> everyone on the phone right now is identified

Peter: part III of this session with Stu. Talk more about item 6, more technical 6c is tomorrow
... Stu with support from others will now tell us about their thinking on item 6
... DNT off by default is actually *unset* not off by default

Stu: yes
... important that DNT is unset by default

<npdoty> I believe David was referring to Mozilla's page here: https://www.mozilla.org/en-US/dnt/

Stu: focus for now on browsers
... not to necessarily exclude other UAs, but let's start there to move forward

<npdoty> but Chris was referring to the paragraph in Chrome's chrome, the third image here: http://howto.cnet.com/8301-11310_39-57546359-285/how-to-enable-chromes-do-not-track-option/

Peter: on the list of topics tomorrow, discussion of browsers v. other UAs.
... for today, when you hear "browser" pretend you're hearing "UA" if you want to.
... we'll discuss that more tomorrow

Stu: choice settings in the settings panel

<npdoty> draft framework pdf link is here: http://lists.w3.org/Archives/Public/public-tracking/2013Apr/att-0298/one_pager_framework_as_distributed.pdf

Stu: concept we think we're talking about is click to setting, click to activate. Two clicks in the browser context
... would like consistent or standard, not through installation
... third, technical measures along with non-tech, important to limit abuse
... make sure it's the consumer making the choice and no one else.
... spoken about tech measures and if they're feasible. Open question.
... Some measures can help, not sure there's a solution there.
... There are legal and policy that can help
... Need to talk through specifics, and that's a critical item for DAA and companies I've been speaking with.
... brief & neutral language was in DAA's announcement at the WH
... very similar to what David just discussed.
... 1. limits collection and use, 2. some data may still be collected and used with description, 3. if affirmatively consents won't limit collection & use from that entity -> convey to users
... be clear to consumers what is, and what isn't happening
... more user friendly language, we should be able to come up with something simple and neutral, understandable to consumers
... all come down to, consistency in the messaging, same place, same setting
... consumers all have messaging
... think that's a simple and readily available way to do it
... this is simple, straight-forward, easy and meaningful. Everyone should be able to coalesce around

Peter: thanks. Spoken with browser companies. Range of views, but Alex - we talked a little before. Any reaction from Mozilla?

Alex: A lot of what's here is very reasonable
... consistent with what we're trying to work toward
... consistent about default being unset and providing information to users
... have three-state settings. Comfortable not being part of first-run or install wizard
... find reasonable and focused on informed choices.
... concerned about technical mechanisms for extensions and add-ons that are common in FF experience, open to the discussion

Sid: would could discuss a little more.
... concerned with items 1-3 in a digestible way that's not a wall of text
... if we can work through that, it sounds reasonable

Peter: before v. after the jump -- if we're making progress in other ways, can perhaps move some of that

Alex: we would be supportive of actual user testing
... what they react well to, what they don't, what's confusing to them
... want to improve the current wording on three settings
... real value to putting this out and working with actual users to make sure they understand in the choices they think they're making
... if this group is willing to be iterative, we're willing to be a partner and work through it

dsinger: very similar to Mozilla, not sure how to work it out, but will give it a good try
... learning experience for parts 1-3 in a fairly new field for online privacy

<Wileys> Alex and Sid - would you consider changing the "Let Sites Track Me" option to "Allow sites that provide me free content to pay for their services by anonymously targeting personalized ads to me." This is a more balanced approach to providing fair information in the "step 1" before the "learn more" step 2.

dsinger: puzzled by tech and non tech measures, not sure how to do that
... fine place to move ahead

Adrian: consent experience discussion, agree we need to see how people respond to this
... don't want to describe something that constrains future innovation
... not sure we'll complete all the work needed while writing the specs
... don't want to close off avenues to continue to innovate.

<sidstamm> Wileys, what about the use cases of "tracking" that aren't related to ads?

Adrian: agree we don't want huge terms & conditions with 20 multiple choice questions before you're allowed to use the setting.
... need easy to understand with a link for more info, in favor of that

jmayer: focused on substance, how about the process?

<BerinSzoka> +1 to Shane. I don't see how "Tell sites that I want to be tracked" can possibly be a fair way to present that choice.

<haakonfb> Opera has similar views/concerns as listed by the other browser vendors

jmayer: suppose a browser UI is seen as not acceptable, who decides and what remedies?

<Wileys> Sid, how many of those are there? Could those be explained in the "Learn More" - it appears the chief use case is the advertising one.

jmayer: websites with self-help, or external?
... or you always have to honor?

Peter: one point, Adrian's point is a good reason to have functional criteria rather than 2013 technology. Write to be more tech neutral, will talk more later.

<Wileys> Sid, as much as my proposed language doesn't FULLY cover all the details, it appears to be far more balanced to the "Tell Websites I don't want to be tracked" language.

Peter: Second, what would the process be.
... If tomorrow a browser did something outside what the standard said, it could do it.
... but then folks who obligated themselves to agree to DNT:1 wouldn't need to be under that.

jmayer: websites individually?

pswire: DAA, BBB could relieve a site of the obligation under their codes

<fwagner> Shane, do expect that cookies would be described in the same way ?

jmayer: hypothetically Microsoft

Stu: would integrate into DAA, enforceable by BBB and in many cases the FTC.

<Wileys> Fwagner, look at UA preference choices for Cookies and you'll see even less description.

Stu: BBB viewed favorably and been around for many years. DMA more about companies into compliance

<npdoty> "Tell sites I want to limit third-party [collection|tracking] of my browsing"

Stu: BBB more as a public deterrent
... 19 cases, companies changing business practices

(Stu, please correct if I missed things there)

<jmayer> So Microsoft is OK with websites ignoring DNT: 1 from IE 10+?

<Wileys> Nick, more directly "Tell parties that support the websites I visit that I don't want to be tracked across websites."

npdoty: In audience measurement, have own opt-outs with neutral language. Is this an opportunity?
... would market research honor DNT:1 if they find the language neutral enough?
... during market research we heard neutral language is important, would this help?

<jmayer> I can't imagine that's right, especially given the recent round of advertising that "Your Privacy is Our Priority" in Internet Explorer.

Peter: think this is separate. Is about the sending of the signal.
... Not sure how it fits together.

Nick: thought Richard said the key thing for the opt out was describing how things work

<justin> jmayer, MSFT will receive feedback from the sites that reject their signals. I'm not sure they have made a statement about how they will treat those third parties.

Susan: I don't own the issue, but I understand Nick's question

<npdoty> thanks susan, for proving that I'm not crazy

Susan: offer to make the same neutral language

Peter: additional opt out to audience measurement?

RichardW: but we'd have audience measurement as a permitted use, this is moot. No opt out.

John: appreciate what David described as a neutral place, but very concerned about prescriptive attempt to dictate exact language in the UI

<BerinSzoka> +Q

<jmayer> Justin, does the framework allow browsers to turn to countermeasures if their DNT: 1 is ignored?

John: troubling from competitive point of view, potential anti-trust issues
... if DAA says you all must do this, that's troubling

Stu: should be clear, DAA isn't dictating what standard browsers follow. Just what the DAA would enforce against.

<justin> jmayer, I don't believe the framework addresses that either way.

Stu: browsers can determine what they do
... hope it would be consistent. Competitive concerns in many areas, not just here.

peterswire: I teach anti-trust.
... My own view is with history of standards and anti-trust, and more generally, felt satisfied we were in a comfortable place
... overall increase in user choice and higher equilibrium overall, this may be the highest and best answer for consumers
... complexity there, but have spent a little time on this, personal view without research

dsinger: guidelines about capability rather than design
... capable of informing the user. Don't get into check mark or being prescriptive. Leave room for innovation here and compete

<npdoty> maybe there's agreement on this separation: the standard would define what it means to comply with an expressed signal; sites can choose when to comply with a signal or when to disregard; DAA's self-regulatory program would bring enforcement on complying with signals at least under these set of conditions

dsinger: Not too worried from document from the DAA

John: document sounds fine

dsinger: every browser will get prickly if you start telling us how to design our products

Berin: Peter's ship and dock analogy.
... dock owners saying "hold on, you can't tell us we need security" but of course you can.
... the ship owners can say to the dock owners "you need a gate" so people don't free ride with a ship full of free goods
... this happens all the time in standards. Not unreasonable or anti-trust, saying otherwise is a distraction.
... we're here to cut a deal.

<Chapell> removed myself from queue -- as it seems like both Berin and DavidSinger are in favor of guidelines

Berin: there won't be a deal without this language.
... this should not be about free riding, needs to work for both parties.
... John or browsers, if you think otherwise, I'd like to hear it _now_

Peter: there would need to be discussion around details

(yeesh, thank you thomas)

<justin> We've already agreed that we're not going to put rules on the ships' user interface . . .

Alex: more color about why browsers started talking a few months ago. Not a good situation if every browser tells a different story. Many users have multiple browsers, IE at work and another at home

<npdoty> maybe like using a common RSS icon for discovery of RSS feeds

Alex: from UX perspective, need some consistency. We could do something constructive by providing commonality, where it's located in the browser, very practical reasons to make this neutral
... we're already there
... believe this is the right direction to go. We could go into crazy by being too prescriptive, but don't think that's where we're headed

Rigo: same lines, standard setting has remedies to many problems in horizontal agreements
... be careful not to be prescriptive, mobile, internet of things, require innovative UIs
... but in P3P 1.1, as we learn how to use it, we expect a certain reaction from software, get into a loop and that's a good thing (iterative and learning?)
... don't want to get into do you want DNT? yes, are you sure, yes, are you really really sure, yes - not what we want

thomasSchauf: if browser settings only deal with unset, don't need to be detailed
... DNT at unset, then how to react to DNT unset is given
... have permitted use, non-permitted use, or legal requirements
... in the details, how to move on if we have DNT unset

<npdoty> I'm confused, I thought our specs didn't speak to how recipients handle DNT unset

thomasSchauf: if users take the choice can say yes or no, can deal with audience data

can someone else help here?

<npdoty> ... though maybe a global considerations document could help you understand your different legal requirements

thank you -

<susanisrael> npdoty, i am confused too

adrian: echo Alex,

<susanisrael> aleecia, I will scribe if you need to be spelled

adrian: consistency is good, problematic where too prescriptive

<npdoty> Thomas_Schauf, can you clarify here in IRC? susanisrael and I are a little confused about DNT unset -- don't we not have requirements in that case?

adrian: if exactly what the words must be is too much
... crosses the line

<susanisrael> aleecia, was that what you were asking? for new scribe?

<Wileys> Sounds like we're all in agreement - next issue?

Stu: maybe just have these three concepts

susan, i'm ok, just wasn't getting Thomas well

thanks though

<npdoty> +1, sounds like we have agreement, action item for normative text?

sorry for typos

<Thomas_Schauf> Firstly, DNT=unset is the default. So also browser manufacturers should respect this default. So we need a clear language on the question: What happens if DNT signal is unset

Alan: sounds like agreement we need some baseline standards around disclosures, without too prescriptive including exact language

<susanisrael> aleecia, good, ok. Let me know if you need help

Alan: clarification: will group as whole take this up, or browser discussion?

(Thomas Schauf, we have clear answers there, happy to talk at break)

<peterswire> close q

David: no need for it to be exclusive, but let's not have a written-by-committee disaster at the end, and not take time away from main DNT work

<BerinSzoka> Remember the old joke: a camel is a horse designed by committee

<susanisrael> Maybe browsers can offer something, and others can then offer comments

David: would be happy for additional help

Alan: would love to be part

dsinger: nods

<rigo> BerinSzoka, one of my favorite

<Thomas_Schauf> aleecia: sure, but not covered seems the legal questions (EU/US)

Increasing consistency is what we want to do. All browsers have a place we type things in, URL and sometimes search as well.

scribe: Mozilla is called awesome bar. Ours is unified search field or something.

Everyone knows what it is, you type things in and something happens.

<Wileys> Again - we're all in agreement on this topic - next???

Helps if browsers explain this in a consistent way. But it's ok Mozilla calls it the awesome bar, you can switch browsers and figure it out.

<Wileys> Or is everyone drawing this out to get to dinner without going to another topic? :-)

Thomas-can't scribe & chat, but we have this covered

Peter: agenda for tomorrow, summary today, where to go for beer
... tomorrow, Matthias & dsinger chair, technical measures in part 6 with TPE

<npdoty> we have issue-172 on this topic (explanatory text requirements for UAs), and already have a few proposed pieces of text on this from Shane and Jonathan

Peter: after lunch, John Callas (sp?) at 2 pacific
... well known security person, did a call with us. Follow up discussions with specific security issues in DNT realm. Update there with Q&A

(thanks wendy!)

Peter: will talk about unique ids and security

<rvaneijk> http://lists.w3.org/Archives/Public/public-tracking/2013Feb/0123.html

Peter: may well have follow up on financial auditing, subgroup working on that.
... afternoon, browser v. user agent and how we talk about it
... that's tomorrow. wednesday is whatever else we've parked and where are we now.
... today, talked about audience measurement.
... if audience measurement gets built in, at least compared to DAA code it's a limitation on collection
... prior critique is hard to see limitations, overall if we have do not collect as well as do not target, that addresses concerns from FTC
... could be an important step toward do not collect on something important
... second, dsinger agreement on common resource with browsers open to others
... third, Stu introduced points on the phone and we heard from browsers we are converging on item 6
... for Monday, if we're making progress on do not collect and progress on item 6, glimmers of good things here. Tomorrow, unique IDs and framework for addressing that over time.
... link in agenda to Dinner on your own, but meet for drinks at Firehouse Brewery, 111 South Murphy.

<npdoty> http://www.w3.org/2011/tracking-protection/sunnyvale/agenda.html

Peter: quick walk

<npdoty> http://goo.gl/maps/8AbZ3

<npdoty> adjourned.

<wseltzer> chair: Peter_Swire

<wseltzer> Meeting: Tracking Protection Working Group

Summary of Action Items

[NEW] ACTION: susan to propose text (with Rigo and Rob v.E.) on harmonizing audience measurement permitted use in EU context [recorded in http://www.w3.org/2013/05/06-dnt-minutes.html#action03]
[NEW] ACTION: weaver to look into data around the impact of audience measurement / changes to census calibration [recorded in http://www.w3.org/2013/05/06-dnt-minutes.html#action01]
[NEW] ACTION: weaver to work with ESOMAR folks on clarifying "otherwise support" in audience measurement proposed text [recorded in http://www.w3.org/2013/05/06-dnt-minutes.html#action02]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2013-05-07 06:26:05 $