See also: IRC log
<jackhobaugh> zakim 347.aaaa is jackhobaugh
<johnsimpson> Apologies. may not be able to stay on call for entire period….
I can scribe
<tlr> Scribe: Chapell
Apologies for scheduling issues...
TLR: Key points of agreement at lunch at F2F
... how can we make progress re: whether we can include specific #'s
... can we find a way forward on language on retention
<WileyS> Key question: What is the delta between what we would include in consumer disclosures and what information Dan and team are looking for?
<WileyS> Key question: What data is being used to develop arbitrary retention timeframe defaults that fit all business models globally?
TLR: level set re: lunch discussions. Where are we now?
... pieces that we agreed on were: 1) third parties must provide public transparency re: retention for permitted uses
... 2) open question re: specificity of transparency. We did not drill down on this at f2f
... 3) Some agreement that there could be different retention periods for different Permitted Uses
4. Post retention period, data is destroyed or otherwise rendered anonymous
scribe: Disagreement re: proposals that for each permitted use, the spec SHOULD include a specific #.
... eg retention period for XXXXX would be YYYYY.
... disagreement re: what information is publicly available.
... Discussion of what is actually happening in the marketplace. What additional information could be shared among the group that could help find a path forward.
<Chris_IAB> Yes
<WileyS> Works for me
<dan_auerbach> yes
scribe: TLR believes we talked about two different things: 1) info that would be included in public statements of retention periods vs. 2) additional information that is required to give advocates comfort about industry practices
did I miss #3?
<WileyS> The idea that was floated by Aleecia was a "SHOULD" requirement
scribe: 3. info that in some shape or form may end up in the spec (e.g., typically the retention period for XXXXX is YYYYY --- ZZZZZZ)
dan_auerbach: transparency requirements
<WileyS> Any information shared in this forum is public.
<tlr> any information in this call is public correct
dan_auerbach: talking past each other a bit... let's get enough information so that we can make intelligent decisions re: retention periods
<WileyS> tlr, I mean more broadly at the W3C in its entirety
<tlr> Shane, I'll come to that :)
<WileyS> It's a statement, not a question
dan_auerbach: if we all agree that Permitted Use AAA should be retained for up to BBBBBB, then we can discuss transparency
<WileyS> Reasonable based on what data? Do we have enough representation from all business models globally to make those decisions?
dan_auerbach: more concerned with setting retention limits
<WileyS> +q
WileyS: said this on the email chain. Public forum - any info we share here is info we share with consumers.
... what is the delta between what is shared in w3c vs what is shared with consumers?
... why would the working group get more confidential info than what is available to the public?
<Chris_IAB> WileyS, I would guess that you shouldn't share anything her, that should be shared under NDA
<Chris_IAB> here
TLR: different discussion between experts here than might be provided to consumers at large
WileyS: Are people on this string truly experts in ad operations and data collection?
TLR: More sophisticated audience here than across consumers generally.
<Chris_IAB> WileyS, I consider myself an expert :)
<WileyS> I'm not sure if anyone from industry would trust an NDA in this area.
<WileyS> That hard information has already been provided
JohnSimpson: Willing to have a broad overview of principles of transparency. But his impression is that he was getting hard numbers from industry.
<WileyS> Detailed use cases is what I'm assuming is meant by "hard information"
<Chris_IAB> yes, sorry
JohnSimpson: wants this working group to focus specifically on details around specific permitted uses.
<Chris_IAB> got dropped
Dwainberg: Designing a disclosure for companies to make in PP vs trying to design specific retention limits. Sees these are two separate tracks. David favors transparency over setting specific data retention limits.
... is there more to "granular disclosure" than "We retain XXXXX for YYYYY for this use."
<Chris_IAB> seems simple enough to me
DanAurebach: culture of sharing very little. Simplicity is good, but doesn't want to use this as a cookie cutter formula. But some companies should disclose more.
Dwainberg: How do we realize Dan's goal?
<WileyS> Dan, how is this different than the information you're requesting?
DanAurebach: Concerns about granularity of disclosures... "We're using this info for financial logging" which might not be clear enough.
<Chris_IAB> don't we define the permitted use already?
<johnsimpson> Q/
Chapell: Why aren't we letting regulators determine whether granularity of disclosures is sufficient?
<dan_auerbach> Shane, it may not be
<dan_auerbach> different
ChrisM: We defined the Permitted Uses and then companies would say they hold XXXX data for YYYY period for ZZZZ User. Companies are saying that they are using data for this period of time for this Permitted Use that is already defined.
<dan_auerbach> but for the public, using tech-specific words and descriptions may not make sense
DavidWainberg: suggests some granularity of data.
<dan_auerbach> since most people don't even know what an IP address is
Dwainberg: probably a reasonable middle ground re: disclosures.
<dan_auerbach> I agree with David about reasonable middle ground
<WileyS> Dan, agree that language may change subtly for different audiences but it's the core of the data you're requesting that appears to be the same to me
RonanHr: Re: granularity, it should be PII vs Non-PII
<dan_auerbach> I don't think PII is a super clear concept
<WileyS> +1 to Alan
<WileyS> And consumer advocates can ask the FTC to step in if they feel we're not being detailed enough
<dan_auerbach> why not just build trust with consumers, instead of relying on regulation?
Dan you are making a false distinction here
happy to have a discussion with you offline - or when I'm not scribing
(:
<dan_auerbach> OK, well I agree with reasonable middle ground, and anyway I think this is not as crucial a topic to me
scribe: ChrisM: most companies already disclose the kind of information they collect in their PP. So why are we making an additional requirement here?
<dan_auerbach> +q
JohnSimpson: Right now, broad overviews of what data is being collected, but many PP don't specify the retention period.
... many companies are not addressing the retention period.
DanAuerbach: PP disclosures are not generally good. So status quo is not good.
... Privacy policies are too filled with legalese.
ChrisM: What industry is talking about doing is signing up to retention transparency, which makes privacy policies much better
<dan_auerbach> my response: yes, it's one step in right direction, but more could be done
ChrisM: operationally it is very difficult to draw the line.
@Dan --- always more can be done.... but this may not be the right forum
TLR: Suggestion: the agreement on the call today is that there should be some information for the data that may be collected. However, we don't have consensus on the level of detail.
<dan_auerbach> sure
<Chris_IAB> I feel like some are trying to back door P3P into DNT here
TLR: Next agenda item... information sharing within the group.
... one notion in Sunnyvale was that understanding better what actual retention periods are and how some of the Permitted Uses work in practice would be helpful for people to understand
... possible path forward?
... Does anyone on this call still believe that they need this type of information from industry?
... can we characterize the ask
dan_auerbach: this info is important, and wants to thank everyone who has spoken with Dan. Many discussions going on off list.
... this gives a better view of what's going on so Dan and other advocates can better understand.
... no evidence around some of the Permitted Uses. Needs for info / evidence.
... specific example -- based upon discussions, Dan now understands financial logging and auditing much better and believes that those can be two separate Permitted Uses.
<Chris_IAB> Dan_auerbach, is the purpose here for you to tell industry how to "better" do their business?
dan_auerbach: financial logging def has data retention limits but that too much information is being collected.
... granular detail allows someone like Dan to offer solutions to interested parties to folks who don't want to over collect and want Dan's advice
TLR: dialog between industry and advocates and researchers about ways to improve things is always a good thing.
<Chris_IAB> Dan, respectfully, shouldn't you offer your privacy consulting services 1-1 with interested companies?
TLR: For the purpose of this specific discussion, if there are ways to actually drive this group to a point where we can live with the result.
<WileyS> +1 Chris - we're here to build a standard - not to offer individual consulting services or ask business at large to rearchitect their businesses
TLR: there is a part of driving a better spec and a part of driving towards agreement -- not nec the same thing
<dan_auerbach> Chris, I agree that there are challenges to making progress in this forum
TLR: what are the ways to find compromise.
<dan_auerbach> but why not try to engage?
Dan_Auerbach --- you are trying to insert things into these discussions that are not appropriate for this forum.
<johnsimpson> Wasn't Dan's list of questions coming out of the meeting the request for what was deemed necessary data?
<Chris_IAB> Dan, I'm worried that in trying to get everything shared, you are going to sacrifice a reasonable DNT standard, that would represent a huge step forward
<WileyS> John, that was a list of very confidential data - we're looking for the middle-ground that can be shared with Dan publicly
<johnsimpson> Shane, what on that list can you sgare?
dan_auerbach: sees other examples: Security and Fraud as Permitted Uses could use lots of more detail. Frequency Capping is a clear permitted use.
<WileyS> John,
<johnsimpson> share/s/sgare
dan_auerbach: Financial logging and security are the two that have been keyed in on... however there may be others.
<WileyS> John, I sent an updated list to respond to Dan's that represented significant detail and would find that middle-ground. And I couched it as consumer disclosures to help motivate companies to provide the data in this forum as they'd have to do this anyway once a standard is in place.
TLR: What are our blank spots as a result of this discussion being public
Chris_IAB: feels like a fishing expedition.
TLR: What are particular items that might help them or helps others to agree more easily on understanding the rationale for a particular objection.
dan_auerbach: strongly disagrees that the level of discussions that we've had has been too high level.
... agrees that getting info privacy consulting services is not the point of this forum.
... wants more information around security and financial auditing.
... more broadly, the level of discussion and exchange is so small
... getting more info on why industry needs permitted uses would be helpful
DWainberg: thought the goal was not to justify the permitted uses. Rather, we were having a discussion on setting retention limits
... we are always going to be too short or too long on retention limits. Transparency gives us the ability to get a median range over time and to call out laggards
... re: Dan A's question. Very detailed. Difficult without a very clear and direct rationale, to get over the hurdles re: confidentiality and resource issues.
TLR: there is a different dynamic in thinking about what goes into the spec text now. If we understand the likely outcome of transparency discussions. Getting a pre-view will help us level set.
... right now, we're making the arguments (on both sides) in the abstract.
... how do we ground these discussions in real detail.
<WileyS> Thank you David
DWAinberg: Let's draft the transparency questionnaire for public view.
Chris_IAB: defining the Permitted Use around Fraud and Security is the right forum (one-on-one)
... better for mutual understanding.
... There is a limit to what info any company is able to share.
... let's not make perfection the goal at the expense of a reasonable and implementable DNT standard
TLR: if we have something that folks can live with is a huge win.
<Chris_IAB> agree with Thomas
TLR: if we look at what information the public disclosures might include in more detail.
<WileyS> David - not Shane
TLR: there are two other pieces to this discussion. The question: is there a way to help with additional info sharing. Two ideas
... 1. if many companies are willing to share more info privately than they are publicly... perhaps the DNT can anonymize the data so each company doesn't get named.
<WileyS> I believe the specifics will be too difficult to anonymize to fully protect a company
<dan_auerbach> Shane, ironic, isn't it :) ?
2. Depending on what data is needed, perhaps we can make exception to our Public disclosure requirements at the W3C. We can have a side discussion that is not disclosable in public but available to W3C membership.
<WileyS> Not ironic - mixing apples and oranges
<johnsimpson> Both offers make sense to me...
<WileyS> Membership level is the same as public view
<WileyS> No real NDAs in place
How many members are in the W3C?
<WileyS> 400+
That might as well be public
<WileyS> Exactly
<paulohm> Gotta drop off.
Chris_IAB: We're talking about huge public companies being asked to share large amounts of proprietary info. The attorneys from many of these companies are not going to be comfortable sharing this type of information
... in the two years we've been here, we've all tried to share what we can. If we're having a discussion not about sharing more here.
<WileyS> Thomas, respectfully, those are not real options.
+1 to Shane and ChrisM
Even smaller companies that I work with are going to have trouble with this
WileyS: attempted to be transparent on the public list.
1. disclosing to 400+ companies is not different than public disclosure.
2. Dan asked for long laundry lists of specifics. Over the past two years, we've gotten to a level of detail that was very high.
scribe: asking for details on back end systems is crossing the line.
<Chris_IAB> we are at almost 2-years of companies sharing what they can here
<dan_auerbach> i disagree about the posture of industry
scribe: it is possible that info being asked for is never going to be provided.
<dan_auerbach> but in any case
Dan, can you explain what you mean?
<dan_auerbach> there is a third option, which is to just have one on one conversations
<dan_auerbach> instead of any public or quasi-public forum
<Chris_IAB> Dan, that's different
<WileyS> Dan, one-on-one conversations would still require NDAs and company's trust that the NDA would be honored
<Chris_IAB> IF a company wants to share with you 1-1, they will
<dan_auerbach> yes, and many have
TLR: can see how a public disclosure may be impractical in some circumstances -- particularly as DNT is initially rolled out.
<Chris_IAB> Dan, agree that 1-1 conversations can be very useful, but respectfully, this is not the forum for 1-1 private conversations
hefferjr: won't disclose info that is not already publicly unless under NDA.
<dan_auerbach> i agree that this call is not the forum
WileyS: companies have an issue with the likelihood of an NDA being honored.
... will the source of the request later use the information in other ways.
<Chris_IAB> +1 to Chapell
Companies may decide to have discussions under NDA with advocates
However, if the goal is to take information provided on one-on-one basis via NDA and use it in a public forum... then you obviate the NDA.
<johnsimpson> Very disappointed that industry won't rely on W3C staff...
JohnSimpson: What is the nature of your disappointment?
... We can't as a group provide assurances that the information won't be used in this forum in ways that may harm companies
<johnsimpson> I thought the anonymization offer was a good way forward...
John. there is a high likelihood that the information may identify the company -- particularly given the level of the detail that is being requested.
<Chris_IAB> johnsimpson, respectfully, industry has anonymized much information (through me, and other industry reps), but that never seems to be good enough, eh?
<johnsimpson> When will you circulate the summary
So nai staff can remove the Name of the company, but can't guarantee that individual companies won't be identified by nature of their particular models
ha! not NAI / W3C
<dan_auerbach> I've got to drop off, cheers
<Chris_IAB> dwainberg, ref P3P
<Chris_IAB> ;)
<Chris_IAB> can we get a little more notice for the next call please?
<tlr> chris, yes.