W3C

- DRAFT -

Tracking Protection Working Group Teleconference

08 May 2013

See also: IRC log

Attendees

Present
+49.172.147.aaaa, [Apple], +49.172.147.aabb, dsinger, +49.172.147.aacc, bilcorry, +49.172.147.aadd, moneill2, schunter, Jonathan_Mayer, +33.6.50.34.aaee, vincent, Rich_Schwerdtfeger, +1.917.318.aaff, +1.215.480.aagg, Chapell, WaltMichel_Comcast, Mark_Vickers, Bryan, MikeO, Bin_Hu
Regrets
Chair
SV_MEETING_CHAIR
Scribe
amyc, ChrisPedigoOPA, vinay, npdoty

Contents


<npdoty> trackbot, start meeting

<trackbot> Date: 08 May 2013

<npdoty> in the meantime, everyone is getting coffee

Introduction and Agenda

<npdoty> volunteers to scribe for the morning session?

<npdoty> scribenick: amyc

<npdoty> three cheers for amyc for scribing!

<npdoty> good morning everybody!

Peter: starting now, work must come from group, goodwill to getting work done
... turning over to Thomas for process, then first session about conversations from last night
... relates that some have asked for more text, looking for right mix; others may not have spoken up and may want to surface issues today

tlr: two points about process, important to have voices heard and issues on the table, also important that we make progress and don't let ourselves be stopped
... create space to make progress and path forward, this is driving agenda
... at end of day, getting back to writing spec, moving back from conceptual to textual level, and today will be bridge
... focus on topics on which we can make progress, other areas where we recite one anothers arguments
... agenda, start with broader group about conversations last night, topics for constructive conversations, then use that conversation to extract topics for breakouts
... with quick report outs to group
... hope that we will make progress, topics up to working group
... breakout rooms on screen, each is able to connect via phone

<JC> What happens at end of day? Where are we statement?

tlr: let's colelctively find out how far we can get

<wseltzer> JC, I see plenary both before and after lunch

Peterswire: asking what were caucases last night, asking for suggestions to put on board

rvaneijk: need to breakout before we can share, lots of developments

Aleecia: agrees with breakouts first, asking about Shane's proposal from EOD yesterday

swiley: Adrian put diagram together, but have not put together text, will take 30 minutes to work through diagram with Adrian

tlr: suggests breakout session for Shane's proposal

rvaneijk: shane's proposal still on table

tlr: everyone likely to want to know more about Shane's proposal, suggests that small group to prepare diagram and presentation on Shane's proposal

rvaneijk: advocates want time, suggests meeting separately and then reconvening

rigo: is Susan ready to work on audience measurement? could work on that

Susan: fine with that, Nielsen wants to participate too

dsinger: browser companies could work together too

tlr: audience measurements in Muir Woods, advocates going to Legoland
... Sausalito for Shane, browsers in Catalina

wseltzer: offers staff assistance with scribing

tlr: good idea to have scribes in rooms for reporting back

<peterswire> big basin and wmh are also available

<moneill2> zkim, [IPCaller] is me

<jmayer> If I recall, many participants will have departed by the afternoon session.

<moneill2> cannot hear

<vinay> havent started yet

<npdoty> scribenick: ChrisPedigoOPA

Peter: for this session, we're going to have readouts of breakout sessions

Reports from Breakouts

with action items

follow-on discussion, then move to next breakouts

<npdoty> order -- audience measurement, browsers, advocates, Shane, Justin

Order of presentations: 1) audience measurement, 2) browsers, 3) Shane, 4) consumer groups

Susan Israel: tried to understand EU law re audience measurement

tried to narrow scope

Rigo: agreed on "to calibrate and validate"

also agreed that audience measurement is focused on content, not on the user

susan: we know there are other concerns and more work needed

Susan - will work wiht DAA

Peter - next items?

Shane - issue exists for audience measurement

<npdoty> issue-25?

<trackbot> ISSUE-25 -- Possible exemption for research purposes -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/25

Peter - will have concrete tasks for next two weeks

David Singer - representing the browsers now

<npdoty> we have generally used issue-25 for market research, with multiple proposals and pending review options

results from Browser breakout session

looked at DAA principles and compliance doc

users get a general improvement in collection/retention limits

principles good

details left to trade associations or regional orgs

discussed who turns on DNT

must be turned on by a user, not an ISP, router

not a default

<npdoty> explicit action, by the user herself

Puzzled over concerns about non-browser user agent

cool with "these documents are focused on general user agents and other UAs..."

what's a general UA?

<vinay> Was MSFT in the browser group? Are they okay with it not being set by default?

1 - can access the general browseable web

<inserted> 2 - has a preference interface that satisfies the requirements of the user to chose, 3 - can implement the TPE (notably the JS APIs etc.)

work on explanation page is underway

should reflect general principles

note that other trade associations have additional codes of conduct

with links to those standars

Overall, we liked the DAA document

Peter - next steps?

David - browsers would like to have Q&A with those who wrote the DAA principles

in a breakout session

David - might need a general session instead

<npdoty> breakout sessions, about what it means, talk about user agent concerns

Dan Auerbach next from consumer groups

And Aleecia MacDonald

<npdoty> ... and more detail on the Draft Framework text, a little short

Dan - looked at de-id data

explored 3-state process

<npdoty> [we will try to type what's written on the paper board]

Raw data - Red

Red, Yellow, Green states

Red = raw

Red can be used for permitted uses - security fraud, debugging

Yellow - middle state

Green = fully deidentified data

Yellow - would include retention limits

Aleecia - retention limits

Aleecia - how do we set retention limits that work for consumer and industry groups

Aleecia - proposal: diff retention limits for each state

Green = forever

Red = short and proportional

Yellow = also proportional

Would use "should"

<tlr> aleecia: should, if not, then must explain in privacy policy

Next steps?

will wait until after Shane's proposal

There's a discussion in the room about where Shane's proposal is

Shane now at the mic

waiting....

waiting...

still waiting.....

<rvaneijk> data retention must be proportiate to the use in the red-yellow-green

Shane - my proposal also has 3 states

for de-id data

diagram presented

state 1 - raw data

raw data can be stored for permitted uses

transparency required

then a "fork"

one way hash key to remove any personal info

next step - remove IP and replace with broad geo data

next - cleanse URL

cleansing user names, names or clue to reverse engineer

next - look at side facts

anything that could help reverse engineer the record

i.e. date of birth

at the end of process, data cannot be reverse engineered

Goal is to build record that can never be reidentified

Rule 2 - you can never create a map between raw and de-id data

accountability is required

3rd step - re-hash the data but destroy the key

end with truly unlinkable data set

<npd> rather than these specific means, do we intend this as an example of the principles?

Justin Brookman now coming to the mic

Justin - Build on previous comments

market research: people don't need unique users across sites

need unique visitors to sites so can use 1st party cookies

may not need market research exception

will work with Susan and Rigo on market research

on de-id data

seems that we all agree on normative language

just need to work out details

Peter - two next sesssions

1) overlap between groups

2) browser discussion with DAA - could be breakout or general session

Peter - do people feel like they want to be in both rooms

?

decision to have two groups meet separately

two groups -

1) User Agent issues with DAA principles in Catalina Island

2) everybody else remains in big room for plenary session on de-id data

time for UA/DAA breakout will last 45 mins

break from 11:45 to noon, then another plenary session at noon

Getting ready for plenary session de-id data

Peter - beginning session on de-id data

Peter - a couple of goals

some overlap between various proposals

Dan - our sense of areas of agreement/disagreement

working to get Shane's slide up

rvaneijk - this idea is a follow up on a Cambridge proposal

may be similar to consumer group proposal

Dan - would there be a separate data stream where user profiles live?

Dan - retention limit for yellow state is a question

one way hash might not be the only way

Rob - shane and I agree that going from one state to another, there has to be processing involved

Shane - open question on user profile info

company could score a user's interest, but not the URL

data would be kept in aggregate

equation is altered if DNT:1 signal cannot be trusted

if DNT:1 can be trusted, then it could serve as an opt-out from profiling

Rob - question: would data be aggregated immediately?

Dan - is there a 3rd arrow for user profile info?

If DNT:1 signal is trusted, then no user profile info

If not, then user profile would be kept in aggregate

Shane - no more arrows

Peter - one way hashes or other techniques

Shane - yes, we could use many techniques to get to unlinked data

many way to get there

Dan - devil in details, but I think we agree that strong techniques must be used to get to de-id data

John Simpson - question: data retention for yellow state?

Peter - next steps for "whta is a strong enough technique"

Dan - non-normative text satisfies?

Shane and Dan will work on text

<tlr> ACTION: shane to work with Dan to follow up on defining the "yellow" to "green" transaction with strong enough measures [recorded in http://www.w3.org/2013/05/07-dnt-minutes.html#action01]

<trackbot> Created ACTION-402 - Work with Dan to follow up on defining the "yellow" to "green" transaction with strong enough measures [on Shane Wiley - due 2013-05-15].

Shane and Dan will be assigned an action item to define going from yellow to green state

David Singer - question about de-id

David - q: if de-id user revisits, can you append new data to de-id record

?

You can never create a map between raw and de-id data

David - de-id record will be added to and will grow over time

Shane - but this only happens for a short time because data will eventually move to 3rd state

Rob - de-id is not right term

Rob - data retention and purpose limitations need to be introduced

purpose limitations are permitted uses

Peter - is middle phase (yellow) pdeudonymous?

Shane - no

diff between yellow and pseudonymous is pseudonymous includes an id

red state is pseudonymous

Peter - what I heard

yellow is psuedonymous but also cannot be used for production

Rob - need to get away from using "de-identified" term

John Simpson - question: red is raw data or pseudonymous?

Justin - same

Dan - let's not worry too much about term

important for EU

Dan - I care more about green state of data

Dan - industry wants flexibilty in yellow state and Dan wants data to get to green

Heffer - question about data flow from red to yellow

is it real-time?

Shane - could be real time

but need to keep for permitted uses

companies would want to move data to yellow so they can immediately begin to use for reporting/analysis

this data set would never be used to affect a real person

Peter - let's move to data retention

and next steps

Shane - two data retention periods

1 for permitted uses

solution is transparency by companies

also same transparency for moving to different states of data

Rob - need different retention periods for different permitted uses

also needs to be transparent

Shane - agree with principle of proportionately

Peter - seems to be agreement on transparency and proportionately

proportionality

Justin - the document already includes this

John - I thought Aleecia wanted normative retention limit for permitted uses

<dan_auerbach> that's right

and then she wanted transparency around diverging from retention limit

<dsinger> …rather, an 'if not otherwise justified' (should)

Aleecia advocated using "should" wrt to retention limits

Thomas - should language with specific retention limits could help with implementation

Peter - do we normative/non-normative/other?

Thomas - unclear

Peter - Ed Felten raised DAA code language

on de-id language

<johnsimpson> Q

Ed Felten thinks the DAA Multi Site definition of de-id data might work

<tlr> dan Auerbach: can live with DAA language for the green data

Dan - would prefer W3C language but not huge objection

Peter - consumer groups should look at whether they can live with it

Dan - important to have non-normative examples, which do not exist in the DAA code

<tlr> shane: DAA language going from red to yellow

DAA thinks their de-id language goes from red to yellow

David - if there is a data breach in red data, that is significant

yellow data breach is smaller risk

green data breach is insignificant

Shane - if we release yellow or green data, then there is little risk to user.

risk with yellow data is more about internal abuse

Shane - i.e. evil employee

Dan - I disagree. there is more risk with yellow data

Dan - need to focus on limits on yellow data

David - need to focus on principles

Peter - Ed Felten said something similar

would prefer to have principles in normative text with examples in non-normative

<MarkVickers> It's spec vs. best practices.

Peter - process going forward

Shane - I don't believe industry will be ok with "shoulds" on arbitrary retention limits

too many different business models

non-normative text might be ok

transparency applied to all data states is more important

Shane - only delta is the use of "shoulds" with transparency vs. always using transparency

Justin - proportionately doesn't provide an end point for use of data

there always seems to be another valid use

Peter - what do they use in the EU?

Rob - can use "legitimate business interest" test

in this case, you balance the size of the instrument vs the impact on the user

we don't say how long retention limits are

Peter - will break soon, five more minutes

Dan - really hate vagueness, want precision

Dan - favor Aleecia's approach of using shoulds

<rvaneijk> In European Union law there generally acknowledged to be four stages to a proportionality test, namely,[3] there must be a legitimate aim for a measure the measure must be suitable to achieve the aim (potentially with a requirement of evidence to show it will have that effect) the measure must be necessary to achieve the aim, that there cannot be any less onerous way of doing it the measure must be reasonable, considering the competing int[CUT]

Peter - have heard two positions here. Let's focus on next steps

<rvaneijk> https://en.wikipedia.org/wiki/Proportionality_%28law%29

Privacy advocates to look at DAA definition of de-id data

What do we need to do to outline red, yellow, green states

Justin - need normative text on this

Justin - ok with DAA definition, but need to clarify whether it applies to red-yellow or yellow-green

Justin - writing text on 3 states should be easy

Justin to draft

<tlr> ACTION: justin to write language on red / yellow / green [recorded in http://www.w3.org/2013/05/07-dnt-minutes.html#action02]

<trackbot> Created ACTION-403 - Write language on red / yellow / green [on Justin Brookman - due 2013-05-15].

Next steps on data retention?

John - are we talking about data retention for red state too?

Shane - would address retnetion for each state

Thomas - let's have a small group outline the differences or find a compromise

Thomas - 5 or 6 people precisely define open questions and/or find compromise

John, Dan, Shane, Walt, Justin, Rob, others?

5-10 minute break and then reconvene for one more session before lunch

readouts from breakout sessions after 10 minute break

<vinay> This session has two purposes: 1) get a lunch ticket from david -- take only 1; and 2) readouts from the two groups

<vinay> first is someone from the browser group

<vinay> ... but the browser group didn't delegate someone for the readout

<vinay> ... so we're going to start with hte readout from the other session

<npdoty_> scribenick: vinay

Report back from Breakouts

Peter: on the de-id issue, as you all saw, there was important convergence amongst the sides
... but there are still hard issues people need to work on
... dont want to overstate the convergance
... there's a group of 7 people tasked at taking a shot at next steps/work items
... one thing he's asked is for people to look at normative language in DAA code (which ed felton thought worth considering ...)
... if it turns out as good (or better), it may help since a lot of companies have already committed to complying
... there was also talk on drafting language on the 3 stages
... Justin took that action item
... the subgroup of 7-8 are meeting now
... Peter asking Wendy for a brief read out

TLR: Are we talking about a situation a bit more time is needed before we need a useful conversation in the group?
... what stage are we at?

Alan C: yes, a lot of progress has been made. Pretty wide consensus on what we're talking about when we say browser.

scribe: hope that there is some language in the near future to share iwth the group
... encouraged. one of the more constructive groups he's been on

Adrian: Spent bulk of time talking about a few points: 1) distinction between browsers and things that aren't browsers; 2) trying to get away from misunderstandings of what a user agent is/isn't

(we think about people browsing the web when we speak about browsers)

scribe: if we agree that a user must be involved in setting/clearing the DNT preference, those things that are not browsers that get in the way of setting DNT are automatically excluded
... as we see more devices get connected to the internet, we don't want to get bogged down with this
... more gray areas we need to think about. there's a line somewhere. We need to think clearly how we define that line
... and who decides who falls on what side of that line
... while we can agree that the device requring many steps (not sure I got this right) is out of scope, whereas FF is within scope.. There's a lot in between.
... there's some homework we need to do, but there is greater clarity
... second thing they talked about is who is responsible for ensuring that the signal sent from the browser is following the setting that the user set
... in the draft framework, point 6c
... some of what they talked about went back to the general principles (that we all agree this is something the user is involved in setting)
... from Adrian's perspective (and he thinks there is some support for this) that this is something we have to address over time
... can't tell right now how this setting may be attacked by different entities over time
... prefers not to think thru all attacks now because the attack may not be an actual attack used

Peter: here's procedurally what we anticipate
... when we break from this, the de-id group will gather
... there is an effort/task to write-up the browser meeting to accurately reflect next steps
... the idea is that the group decide the next steps
... request for the groups to report back next steps
... believe we're heading to a session at 2pm to have a short document that reflects the next steps
... to discuss how to describe it
... ex. we recommend: a) proceeding with this work; b) taking it back to x, y, and z.
... discuss how to proceed to move forward
... Yianni will be taking text (back on the room)
... susan will coordiante with yianni re: measurement; Wendy for brwosers; TLR for de-id

re-convene at 2pm

TLR: Suggest getting a large lunch table

David: we have the big tables in the back by the window reserved for us

TLR: Take the large table for de-id
... also, same question as before... are there other conversations that should be happening amongst subsets of the room between now and 2pm

Dan: We still haven't made progress on de-ids... i hope the lack of a breakout session isn't interpreted to mean it isn't important

break for lunch. start promptly at 2

<npdoty_> another 10 or 15 minutes, thanks; restart by 2:30

Afternoon

<npdoty_> scribenick: npdoty

<npdoty_> peterswire: apologies for the delay, slow in getting text from all these places

<npdoty_> ... while waiting on copies, I want to get a sense of the room on how today went

<moneill2> cant hear

<npdoty_> ... Dan wanted to make some comments on behalf of some privacy folks

<moneill2> I am getting no sound when I call in

<npdoty_> <interruption as ducks get into rows, and computers are found>

<welcome back>

<moneill2> I still cant hear

Wrap Up

<moneill2> ok now

peterswire: a number of issues where progress has been made
... want to thank you for stepping up last night and working today
... appreciated, because this is work should be doing
... anybody who wants to make opening comments from the day?

Lmastria_DAA: would echo peter's comments on constructive dialog today
... my sense is that there's been a fair amount of progress made today that wasn't made at other w3c events I've been at, so I'm grateful for that
... see a path forward, using the framework as a skeletal document that's how I see it at least
... we are committed to seeing if we can put flesh on those bones, a lot of hard work, frankly
... what we are committing to here is a lot of hard work, but if there is progress to be made, we are certainly supportive of moving forward in that direction

peterswire: I'm going to walk through the term sheet, an attempt to capture the work from this morning
... I'll read through it basically, chance for edits and chance to make points
... at the top, "At the close of our meeting... " "sufficient progress ... to merit moving ahead toward the Last Call deadline"
... audience measurement, specific changes to esomar text, from Rigo and Susan, "calibrate and validate", work with Rob and Jeff and DAA as well
... second topic concerns browsers, initial versions of our spec will address general browsers for the Web
... a few principles, vendor neutral
... Do Not Track should reflect user choice, anti-tampering to be considered

<Bryan> Link to paper being described?

peterswire: third part on de-identification, three-state as proposed by Shane, proportionality requirements and transparency and retention for those different states
... homework assigned to review the DAA language that may be helpful
... 4. retention periods remain an important issue: proportionality, transparency, no precise MUST limits
... 5. ongoing discussions of unique identifiers as a critical issue for advocates, inviting proposals to solve this problem
... super importance of this issue to many members of the working group, so may continue even beyond Last Call
... I've heard it a bunch of times, said it on Monday Tuesday Wednesday, that the ability to say that Do Not Track will mean in a simple thing to say to users is that no identifier cookies
... a couple minutes for Dan to give perspective

dan_auerbach: big thanks to the chairs, an incredible amount of work you've put in

<large applause>

<jchester> +q

dan_auerbach: appreciating that some progress was made today, but wanted to note that we punted on unique identifiers today, pushing harder issues further down
... can't do that indefinitely, and that's what you see here in bullet point 5
... without that, I think we should come to some agreement to disagree -- without a path forward, don't want to continue spinning our wheels indefinitely
... shouldn't signal that at Last Call we still have a shouting match, wouldn't want to have all these major issues undecided

peterswire: want to repeat, this has to come from you all, not from chairs and w3c staff
... when there's hard things, w3c process works best when we have people go off to hard issues and come back with smart proposals

johnsimpson: want to echo congratulations for chair and staff, I think possibly there's been incremental progress
... but what I have sensed is that we have stepped back to deal with high-level principles, sense of agreement may be because of high-level principles, as we all agree about transparency
... devil is in the details
... as was documented by the list of many still open issues
... may just be as a pessimist, I'm always being positively surprised
... not sure about reaching agreement by the end of July
... I've been committed to this and also been party to some outside talks that may or may not have made progress
... just might not happen, doesn't mean that we're bad people or that W3C is a bad place, just couldn't

jmayer: echo thanks to peter, thomas, nick and matthias remotely
... feeling of cooperation, glad to work with all of you, has genuinely been a pleasure
... but it's very difficult to see consensus or a path to consensus at this point
... have this parking lot over here (UAs and UIs, unique IDs, deidentification, )
... may have made some progress, but if we were this far apart before, we are this far apart now [with arms, showing only slightly closer]
... very imprudent if we got to Last Call deadline and then just pushed again

jchester: reiterate thanks to staff, chairs and colleagues
... have to address the issues in the parking lot
... I know for us we cannot go forward postponing the unique ID decision before the last call, it has to be a part and can be a part of the framework we address in the next few weeks
... without it I don't think we can make the progress

fielding: progress on this depends on the definition of tracking, willing to turn off anything if it's part of the definition of tracking, but not willing to turn off user identifiers for reasons that are not following a user across multiple sites
... reason is not that we want to track you, just don't want to inhibit innovation for non-privacy-concerns

<jmayer> My concern: there is a very high probability that we get to Last Call without consensus on the major issues, nor even a viable path to consensus on those issues.

fielding: if there are actual privacy concerns we'll address them

<Bryan> Can't hear the speakers well

susanisrael: if we define the scope of what we're trying to achieve in the Last Call is narrower than the list of tracking-related issues, can we address those in later versions?

dsinger: simple text change, remove "preference" before "interface"
... don't want to have an apparent preference for existing browsers

peterswire: serious heartache? -- no.

dsinger: ask the chairs and staff to go through issues and actions and orphan the ones that are no longer relevant.

peterswire: the chair welcomes that, now will do that now that we have some clarity

paulohm: thank you for welcoming in a stranger
... wanted to put a marker down rather than specific text

<jmayer> +q

paulohm: the room I think I had a lot of consensus about the general browsing interface, that was a big issue for Ed (and wasn't in the room)
... suggest brackets around the first sentence

dsinger: tried to put a word for the general principles, the name is just the definition of the general principles, not an additional requirement

<Zakim> dsinger, you wanted to suggest that the chairs and staff do a pass on the Compliance Issues and Action Items and propose a clean-up (many are 6 months old and might not be

<Zakim> johnsimpson, you wanted to address text

johnsimpson: appreciate your highlighting the issue of unique identifiers all week long
... my concrete proposal for the text, would remove "potentially structuring ongoing work past last call"

peterswire: see no strong objections to that?

lmastria: just want to point out for today, we can evaluate the problem and see what solutions there might be
... to commit ourselves to solve the problem period may be a step too far between now and Last Call
... don't want to prejudice one way or another, just be transparent about it

peterswire: is the problem "solve"?

<jchester> +q

<dsinger> …um, the working group decides whether to go to last call, not any individual participant. we may decide to get that industry review knowing we have a question open.

johnsimpson: if we can't find a way to solve that issue, I don't think we can go to Last Call
... I hope we can solve it, I've seen some hints in this room and other places, but I don't see how you go to Last Call with a major issue hanging out there

peterswire: I've heard caution from Lou about saying that this can be done by then
... the language of ongoing discussions doesn't define a certain outcome

johnsimpson: agree, the point I'm trying to make is that this is so important we can't go to Last Call without addressing it

jmayer: to PaulOhm, "general user agents" might rule out Operating Systems, which I don't think we want to

peterswire: can't speak to that particular meeting

jmayer: suggest that we account for user agents other than general purpose web browsers, stuff that we know about already
... in the interest of future proofing it would be a mistake to scope that down

paulohm: principle 1 about "general" Web, reserving the possibility that that might be an issue for Ed and the agency

dsinger: maybe I should explain why this is relevant ...
... in a closed garden, just a piece of software that loads its own help pages, we're just not concerned about you
... point 2, you have the ability for a user to express his choice, if you can't do that, we're not sure how to work with you because it's important that you can express a choice
... point 3, that you actually implement the protocol as designed, use the confirmation (in JavaScript), ask for and receive an exception
... all about how to scope to how to make the thing work, rather than limiting innovation
... the other concern was simply that we haven't spent a lot of time discussing different user agents in this room, and they might raise interesting questions

peterswire: there was a productive meeting around the things in Item 2, but don't have specific normative language
... would be having the normal process, proposing and objecting to and discussing normative text

paulohm: agree that we should discuss; I just think ed will want to say something about this and don't want him to give up any chance

peterswire: we make consensus on this text based on who we have in the room

<rigo> Edited wording from Susan & Rigo on point 1:

<rigo> http://lists.w3.org/Archives/Public/public-tracking/2013May/0048.html

paulohm: then I think we should talk now and I can try to represent him

tlr: jmayer expressed concern about future proofing, would it help to note an opening and interest in looking future-ward to other user agents

paulohm: if this has to be language we all agree on
... "can access the Web" would be principle 1
... 2 and 3 are still pretty limitative

<Chapell> "Can access the web" is extremely broad and cuts away at the spirit of what was discussed in today's one-off session

tlr: I think "Web" is something we all know what we mean by it

jmayer: how about just things that speak HTTP?
... there are things that speak HTTP, are Web APIs

<jmayer> +q

jmayer: I have additional points

<Chapell> I would suggest we wait to discuss #1 until Ed is in the room (also me)

aleecia: I could not support the document exactly as is, have to leave, can get there from here but maybe adopt on the next phone call

<dan_auerbach> +1 to aleecia on #1

aleecia: for example, on #1, we could after we have text determine whether audience measurement is a permitted use
... on #2, fine to have priorities on the agenda, I would have a problem to punt non-browser UAs beyond Last Call
... 4, wouldn't want to guarantee that we don't have MUSTs on time limits

<jmayer> another +1 that we still need to decide whether there's a permitted use for audience measurement for #1

aleecia: 5, just want a resolution on unique identifiers
... don't think Last Call in July, but I agree that it's worth continuing

adrianba_: if worst came to worst, I can live with Section 2, but I had a couple points to make:
... re "meaningful information" minor concern that we were being too restrictive about "settings and help" screens, I thought it was rather all of the user interface
... instead "provide meaningful interface to users
... but a minor point
... going back to the Web, general web, world wide web, "general browsable web" was my term which came from a past w3c meeting to distinguish between Web pages and services that are on the Web, browsed to by a browser
... my explanation of what I meant

<susanisrael> susan and rigo have put a link to a shorter version of point 1, more appropriate to the term sheet, above in irc http://lists.w3.org/Archives/Public/public-tracking/2013May/0048.html

<aleecia> reminder: DNT applies to more than HTTP

peterswire: suggest put back "general browseable web" for that meaning

<aleecia> SPDY is long since agreed to

paulohm: not services, but other things that might matter but don't count as "general browseable web"

adrianba_: fine with that, my comments are in the minutes

peterswire: you also said meaningful information to users, that was a text proposal change? adrianba: yes.

Lmastria_DAA: the way we began the week was the framework, the framework that it would be uniform inside settings as we think of them today, that's the origin

adrianba_: I understand that that's there for that reason, but I don't think that's what we came out of with agreement to
... we did not talk about scoping down the places in which this might be displayed
... if we're all saying is that we're only interested in pursuing conversation about text that's displayed in settings and helps screens

peterswire: what about "such as, settings and help screens" to give a familiar example, are you okay with that?

room: some yeses. lmastria: let me think about it, I'd to have to reconsider how it flows

<BerinSzoka> we can't read the screen. could we please increase the screen size and maximize the window?

<BerinSzoka> er, text size

peterswire: "with reference to user agents that can"

<aleecia> historically untrue

Lmastria_DAA: we've spent 14 18 more months on browser-based mechanisms, browsers as we thought of them about the desktop web
... a lot has changed since then, sure, there should be work done on mobile browsers and refridgerators
... let's scope to what we've really been thinking about

<aleecia> From very very early on we have talked about apps, mobile, SPDY.

Lmastria_DAA: 1.1 can be for other things
... we're trying to scope appropriately to what our expectations have been all throughout

<aleecia> We agreed to put in terms of HTTP but not limit to, to make it easier to talk about

Lmastria_DAA: making that change, we are in effect trying to boil the ocean here

peterswire: strikes me as an important discussion, heard it expressed strongly by Paul Ohm and Lou, in different directions
... we're going to need to figure out what -- this paragraph could disappear or be shortened

PaulGlist: to not the lose good consensus building from the breakout session on this point, I suggest restoring "general browseable" before "Web" and pointing people to "other user agents warrant future study"
... there was an intention to scope the work to everything we know as current browser base

paulohm: [no longer channeling ed] I heard that we'll take those three bullets back and study what they mean
... felt like it was an incomplete agreement, not sure general browseable was the main thing that we're working on

aleecia: we have been talking from the very beginning about this, not just HTTP, yes this is mobile, yes this is apps, agreement from the beginning
... talk about it in terms of browsing the web, from the very beginning of this group, the consensus we had arrived at before some people in the room arrived, just want to make the history of that clears

peterswire: when there was an event with the FTC Chairman and the White House last year, there was an announcement of a browser-based choice mechanism
... we have real history that points both ways here, in good faith, those different histories are coming together here
... an effort to move to functional criteria, but there's an important part of work from people who are comfortable using browsers
... I had thought we had some agreement on that this morning

jchester: we did go beyond, lou said we do go back and talk to colleagues, talked about apps with browsers, acknowledged a broad range of browser use, talking about mobile app capabilities and you folks are very comfortable with and a norm with which people will interact

<justin> ?

adrianba_: what aleecia said about the text of the draft specs including things beyond the browsers is true
... the goal of the session today was to see where would we find agreement
... let's start right now by scoping the impact of things that we now are well-understood
... not limit the future implication
... scope this narrower than what we've talked about in the past
... of course there's the future, but we're trying to work on the current document right now

jchester: have a problem with 5, don't want to call it a "problem", rather "an issue we must address now"
... suggest: "We acknowledge we must address this now."
... a serious way that this be addressed in the next few weeks

<debate about consensus>

problem / issue / challenge ?

<amyc_> i think that there are limits to benefits of real-time editing term sheet when we are going to need to review normative spec text later

peterswire: I understood this as "we agree to work on these issues, not a final statement of answers"
... when we are scoping work, I would think we have a lot more room to say that we are going to work in this direction and at that point work out particular words
... I have a concern, partly about time that we won't have everyone in the room for all of this

<BerinSzoka> I can't live with this document as written. I need to see more Oxford commas before I can support it.

peterswire: shows a resurgence of some positional things that I don't think are @@@ productive
... underscore "the following specific tasks have emerged from this face-to-face", the task for this paper is to note that we have work to do and note that there's work to do, not agreement on final text
... it could be there are people who don't want to have text today
... we could discuss whether we should have text today
... I had hoped talking to many of you before that we had a close idea that this is what we're going to work on, that's what I saw our exercise as

<susanisrael> on point 5, can you say you invite proposals to address this issue, without then saying going forward, thus not determining whether we do it in the near or long term (as that is to be determined)

peterswire: there may be reasons why some of you don't want to have a position "we are going to work on"
... saying "we agree that this will be solved" seems different from "serious list of things we're going to talk about"
... "critical" is a quite strong word

tlr: what I heard is that jchester is fine with 5 now

fielding: we're talking about things out of this meeting

<BerinSzoka> could someone point out that the IRC screen isn't updating because the scroll bar isn't at bottom?

peterswire: you have not waived your ability to say that there are other issues in the spec
... we had a good conversation on browser stuff, everyone told me it was a good conversation and we can move forward
... we had a discussion on retention limits, green-yellow-red
... highlight a critical issue for advocates that advocates wanted to be highlighted
... is the group able to live with the document?

tlr: we have about five points here that are summaries of discussions today, by their nature imperfect
... an attempt to summarize the conversations we had; if the summary is inaccurate or if there are things we can't live with
... go through the individual paragraphs, and then talk about the top paragraph

peterswire: didn't post it online because we didn't want it to be attributed to people in the room without getting agreement

tlr: fine on 5? room: yes.

susan: rigo and I posted a link in IRC to a shorter version

http://lists.w3.org/Archives/Public/public-tracking/2013May/0048.html

<rigo> http://lists.w3.org/Archives/Public/public-tracking/2013May/0048.html

justin: whatever language we go with, we don't have agreement that a permitted use is necessary, I remain convince that we won't need this

rigo: you have an alternative suggestion, we have to figure out whether this address their issue

justin: Shane's proposal too, just want to make clear that not consensus that a permitted use will be needed

amyc: I think what Peter is saying is that for a lot of this stuff is something being discussed today, all of this end up as normative text where we can tweak and discuss normative text
... maybe have something in the first paragraph that everything is subject to our discussion and approval as a group

justin: fix spelling.

Wileys: many side conversations about living in the yellow vs. the red state

peterswire: substantive requirement in the current proposed text that it be pseudonymous

tlr: important point, we have it in the minutes, can live without it being in the document

<BerinSzoka> oxford commas!

tlr: other pieces in 1 that need to be in the document?

<justin> We could add the phrase ", as well as whether data must be deidentified for this use." to the last sentence.

Lmastria_DAA: I don't know if this helps, "term sheet" means a lot of stuff, perhaps a different phrasing might help

room: "work plan"?

<johnsimpson> Document title: "Consensus Statement."

Lmastria_DAA: the second piece, maybe walking backwards a little, if we are as a group having some issues about putting too much language in one place or another, could we just bullet point rather than being so descriptive / detailed?

tlr: I think we are close to agreement on 2 out of the 5, then starting text and the title / then the entire thing

peterswire: any changes to 3? not live with?

Wileys: I think something a little clearer would be that two new action items were created
... 1) state the three-state in a principled way (tied to proportionality and retention limits)

<dsinger__> ...wants to get important people's input but notes the agenda runs to 5pm...

Wileys: Yahoo diagram stuff would be non-normative text and Dan's non-normative text of examples that would satisfy those principles
... Dan has agreed to build the transparency template

jmayer: on 3, use "three-state", a reference to Shane's proposal with one-way hashing -- three states in general, not just Yahoo! specific?
... not agreement that Shane's example would be sufficient

tlr: one approach would be that we take that model, alternatively, abstract one level up to principles and separate principles and implementation
... might just be an issue with non-grammatical rough version
... "possible approach"

jmayer: is this just agreement to a possible approach that many people disagree with?

<cross-talk>

wileys: just intended as a proposal

Lmastria_DAA: on #4, suggest we pull out the stuff about a template, not something I've heard about

<BerinSzoka> Anyone driving up to San Francisco? I'm looking for a ride

tlr: idea was that Dan would write down what he thought would be important pieces about transparency
... a work item rather than an agreement

peterswire: add "for consideration, by the group"

<dsinger__> ...would really appreciate it if people could express their own concerns and leave the chairs to do their job of determining consensus

Lmastria_DAA: the whole idea of a template is a little troubling, partly because of the surprise

<vinay> Berin - I wonder if you can ride one of Apple's shuttles up to SF. Might be a question to David

wileys: fine to remove it, but the work item will still happen

tlr: is the problem the word "template"? lou: yes.

peterswire: on 3 and 4, any other significant changes needed?

justin: suggest we take out the "not include MUST level limits", both incorrect given the current state, and aleecia's concern, and I suggest that we remove it

danauer: this is all part of a proposal, a new idea that we're exploring

justin: "agreement to examine" rather than just "agreement"

[resolved by moving up to 3, instead of 4.]

justin: just remove the clause, doesn't match other things

peterswire: is there anyone with major heartburn if we don't have it? we know in the minutes that it's a thought and we'll study it
... no other changes on 3

jmayer: there were two three-state proposals, Shane and Dan

danauer: "a three-state" and drop attribution room: general agreement.

paulohm: minutes reflect my understanding of what general browseable web
... general browseable web is a term used by w3c in other contexts
... to exclude devices that use http as a service
... and exclude things like dog collars.

tlr: web services in the WS* meaning

paulohm: jmayer also had objections

jmayer: if the only limitation is about dog collars, I don't care... but if it doesn't encompass Firefox OS, or iOS which have pervasive implementations, then I'm not on board

hober: we even used examples like embededd UI WebView

jmayer: in firefox os, you could have an app that received DNT

tlr: have a broad sense of view of the priorities is

jmayer: my understanding is that platforms like ffx os and ios would access the general web

<BerinSzoka> AMEN. Also, note, rush hour...

npdoty: I wouldn't be comfortable just based on a breakout discussion foreclosing work that we've already done in the documents and ruling out clients that don't have JavaScript, use screen readers, etc.
... fine with priorities, but wouldn't want to foreclose those technologies in the current version without having that full discussion

dwainberg: isn't this just a not-commitment-to-particular-text agreement towards what we'd be doing

<loud applause>

agreement that it's not specific restriction to terms, but general priority

<BerinSzoka> finally, I agree with John on something!

title of the document

johnsimpson: title should include "consensus"

<BerinSzoka> I don't mean to be rude, but why are we still talking?

jmayer: agree with Lou on revising title, noting "agreements" rather than "actions", suggest: "consensus conversation summary"

<susanisrael> General agreement on work plan?

"Consensus Action Summary", no one too bothered by that

no corrections/objections to the intro? none.

any objections to sending out the document?

johnsimpson: refer to people by full names.

dsinger: destroy bits of paper of the early versions

justin: "sufficient progress" -- is the progress really "sufficient"?

npd: sufficient just modulo to "merit moving ahead" not a general normative term

peterswire: thanks to David Singer for wonderful hosting

<loud applause>

adjourned.

<aleecia> do we have a pointer to the later draft? What did yinz agree upon?

Summary of Action Items

[NEW] ACTION: justin to write language on red / yellow / green [recorded in http://www.w3.org/2013/05/07-dnt-minutes.html#action02]
[NEW] ACTION: shane to work with Dan to follow up on defining the "yellow" to "green" transaction with strong enough measures [recorded in http://www.w3.org/2013/05/07-dnt-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.136 (CVS log)
$Date: 2013-05-08 23:25:24 $