SV_MEETING_TITLE -- 03 Jun 2013

<jackhobaugh> zakim 347.aaaa is jackhobaugh

<johnsimpson> Apologies. may not be ably to stay on call for entire period….

I can scribe

<tlr> Scribe: Chapell

Apologies for scheduling issues...

TLR: Key points of agreement at lunch at F2F
... how can we make progress re: whether we can include specific #'s
... can we find a way forward on language on retention

<WileyS> Key question: What is the delta between what we would include in consumer disclosures and what information Dan and team are looking for?

<WileyS> Key question: What data is being used to develop arbitrary retention timeframe defaults that fit all business models globally?

TLR: level set re: lunch discussions. Where are we now?
... pieces that we agreed on were: 1) third parties must provide public transparency re: retention for permitted uses
... 2) open question re: specificity of transparency. We did not drill down on this at f2f
... 3) Some agreement that there could be different retention periods for different Permitted Uses

4. Post retention period, data is destroyed or otherwise rendered anonymous

scribe: Disagreement re: proposals that for each permitted use, the spec SHOULD included a specific #.
... eg retention period for XXXXX would be YYYYY.
... disagreement re: what information is publicly available.
... Discussion of what is actually happening in the marketplace. What additional information could be shared among the group that could help find a path forward.

<Chris_IAB> Yes

<WileyS> Works for me

<dan_auerbach> yes

scribe: TLR believes we talked about two different things: 1) info that would be included in public statements of retention periods vs. 2) additional information that is required to give advocates comfort about industry practices

did I miss #3?

<WileyS> The idea that was floated by Aleecia was a "SHOULD" requirement

scribe: 3. info that in some shape or form may end up in the spec (e.g., typically the retention period for XXXXX is YYYYY --- ZZZZZZ

dan_auerbach: transparency requirements

<WileyS> Any information shared in this forum is public.

<tlr> any information in this call is public correct

dan_auerbach: talking past each other a bit... lets get enough information so that we can make an intelligent decisions re: retention periods

<WileyS> tlr, I mean more broadly at the W3C in its entirety

<tlr> Shane, I'll come to that :)

<WileyS> Its a statement, not a question

dan_auerbach: if we all agree that Permitted Use AAA should be retained for up to BBBBBB, then we can discuss transparency

<WileyS> Reasonable based on what data? Do we have enough representation from all business models globally to make those decisions?

dan_auerbach: more concerned with setting retention limits

<WileyS> +q

WileyS: said this on the email chain. Public forum - any info we share here is info we share with consumers.
... what is the delta between what is shared in w3c vs what is shared wtih consumers?
... why would the working group get more confidential info what is available to the public?

<Chris_IAB> WileyS, I would guess that you shouldn't share anything her, that should be shared under NDA

<Chris_IAB> here

TLR: different discussion between experts here than might be provided to consumers at large

WileyS: Are people on this string truly experts in ad operations and data collection?

TLR: More sophisticated audience here than accross consumers generally.

<Chris_IAB> WileyS, I consider myslef an expert :)

<WileyS> I'm not sure if anyone from industry would trust an NDA in this area.

<WileyS> That hard information has already been provided

JohnSimpson: Willing to have a broad overview of principles of transparency. But his impression is that he was getting hard numbers from industry.

<WileyS> Detailed use cases is what I'm assuming is meant by "hard information"

<Chris_IAB> yes, sorry

JohnSimpson: wants this working group to focus specificly on details around specific permitted uses.

<Chris_IAB> got dropped

Dwainberg: Designing a disclosure for companies to make in PP vs trying to design specific retention limits. Sees these are two seperate tracks. David favors transparency over setting specific data retention limits.
... is there more to "granular disclosure" than "We retain XXXXX for YYYYY for this use."

<Chris_IAB> seems simple enought to me

DanAurebach: culture of sharing very little. Simplicity is good, but doesn't want to use this as a cookie cutter formula. But some companies should disclose more.

Dwainberg: How do we realize Dan's goal?

<WileyS> Dan, how is this different than the information you're requesting?

DanAurebach: Concerns about granularity of disclosures... "We're using this info for financial logging" which might not be clear enough.

<Chris_IAB> don't we define the permitted use already?

<johnsimpson> Q/

Chapell: Why aren't we letting regulators determine whether granularity of disclosures is sufficient?

<dan_auerbach> Shane, it may not be

<dan_auerbach> different

ChrisM: We defined the Permitted Uses and then companies would say they hold XXXX data for YYYY period for ZZZZ User. Companies are saying that they are using data for this period of time for this Permitted Use that is already defined.

<dan_auerbach> but for the public, using tech-specific words and descriptions may not make sense

DavidWainberg: suggests some granularity of data.

<dan_auerbach> since most people don't even know what an IP address is

Dwainberg: probably a reasonable middle ground re: disclosures.

<dan_auerbach> I agree with David about reasonable middle ground

<WileyS> Dan, agree that language may change subtly for different audiences but its the core of the data you're requesting that appears to be the same to me

RonanHr: Re: granularity, it should be PII vs Non-PII

<dan_auerbach> I don't think PII is a super clear concept

<WileyS> +1 to Alan

<WileyS> And consumer advocates can ask the FTC to step in if they feel we're not being detailed enough

<dan_auerbach> why not just build trust with consumers, instead of relying on regulation?

Dan you are making a false distinction here

happy to have a discussion with you offline - or when I'm not scribing

<dan_auerbach> OK, well I agree with reasonable middle ground, and anyway I think this is not as crucial a topic to me

scribe: ChrisM: most companies already disclose the kind of information they collect in their PP. So why are we making an additional requirement here?

<dan_auerbach> +q

JohnSimpson: Right now, broad overviews of what data is being collected, but many PP don't specify the retention period.
... many companies are not addressing the retention period.

DanAuerbach: PP disclosures are not generally good. So status quo is not good.
... Privacy policies are too filled with legalese.

ChrisM: What industry is talking about doing is signing up to retention transparency, which makes privacy policies much better

<dan_auerbach> my response: yes, it's one step in right direction, but more could be done

ChrisM: operationally it is very difficult to draw the line.

@Dan --- always more can be done.... but this may not be the right forum

TLR: Suggestion: the agreement on the call today is that there should be some informationh for the data that may be collected. However, we don't have consensus on the level of detail.

<dan_auerbach> sure

<Chris_IAB> I feel like some are trying to back door P3P into DNT here

TLR: Next agenda item... information sharing within the group.
... one notion in Sunnyvale was that understanding better what actual retention periods are and how some of the Permitted Uses work in practice would be helpful for people to understand
... possible path forward?
... Does anyone on this call still beileve that they need this type of informaiton from industry?
... can we characterize the ask

dan_auerbach: this info is important, and wants to think everyone who has spoken with Dan. Many discussions going on off list.
... this gives a better view of what's going on so Dan and other advocates can better understand.
... no evidence around some of the Permitted Uses. Needs for info / evidence.
... specific example -- based upon discussions, Dan now understands financial logging and auditing much better and believes that those can be two seperate Permitted Uses.

<Chris_IAB> Dan_auerbach, is the purpose here for you to tell industry how to "better" do their business?

dan_auerbach: financial logging def has data retention limits but that too much information is being collected.
... granular detail allows someone like Dan to offer solutions to interested parties to folks who don't want to over collect and want Dan's advice

TLR: dialog between industry and advocates and researchers about ways to improve things is always a good thing.

<Chris_IAB> Dan, respectfully, shouldn't you offer your privacy consulting services 1-1 with interested companies?

TLR: For the purpose of this specific discussion, if there are ways to actually drive this group to a point where we can live with the result.

<WileyS> +1 Chris - we're here to build a standard - not to offer individual consulting services or ask business at large to rearchitect their businesses

TLR: there is a part of driving a better spec and a part of driving towards agreement -- not nec the same thing

<dan_auerbach> Chris, I agree that there are challenges to making progress in this forum

TLR: what are the ways to find compromise.

<dan_auerbach> but why not try to engage?

Dan_Auerbach --- you are trying to insert things into these discussions that are not appropriate for this forum.

<johnsimpson> Wasn't Dan's list of questions coming out of the meeting the request for what was deemed necessary data?

<Chris_IAB> Dan, I'm worried that in trying to get everything shared, you are going to sacrafice a reasonable DNT standard, that would represenent a huge step forward

<WileyS> John, that was a list of very confidential data - we're looking for the middle-ground that can be shared with Dan publically

<johnsimpson> Shane, what on that list can you sgare?

dan_auerbach: sees other examples: Security and Fraud as Permitted Uses could use lots of more detail. Frequency Capping is a clear permitted use.

<WileyS> John,

<johnsimpson> share/s/sgare

dan_auerbach: Financial logging and security are the two that have been keyed in on... however there may be others.

<WileyS> John, I sent an updated list to respond to Dan's that represented significant detail and would find that middle-ground. And I couched it as consumer discolures to help motivate companies to provide the data in this forum as they'd have to do this anyway once a standard is in place.

TLR: What are our blank spots as a result of this discussion being public

Chris_IAB: feels like a fishing expedition.

TLR: What are particular items that might help them or helps others to agree more easily on understanding the rationale for a particular objection.

dan_auerbach: strongly disagrees that the level of discussions that we've have has been too high level.
... agrees that getting info privacy consulting services is not the point of this forum.
... wants more information around security and financial auditing.
... more broadly, the level of discussion and exchange is soo small
... getting more info on why industry needs permitted uses would be helpful

DWainberg: thought the goal was not to justify the permitted uses. Rather, we were having a discussion on setting retention limits
... we are always going to be too short or too long on retention limits. Transparency gives us the ability to get a median range over time and to call out laggards
... re: Dan A's question. Very detailed. Difficult without a very clear and direct rationale, to get over the hurdles re: confidentiality and resource issues.

TLR: there is a different dynamic in thinking about what goes into the spec text now. If we understand the likely outcome of transparency discussions. Getting a pre-view will help us level set.
... right now, we're making the arguments (on both sides) in the abstract.
... how do we ground these discussions in real detail.

<WileyS> Thank you David

DWAinberg: Lets draft the transparency questionnaire for public view.

Chris_IAB: defining the Permitted Use around Fruad and Security is the right forum (one-on-one)
... better for mutual understanding.
... There is a limit to what info ant company is able to share.
... lets not make perfection the goal at the expense of a reasonable and implementable DNT standard

TLR: if we have something that folks can live with is a huge win.

<Chris_IAB> agree with Thomas

TLR: if we look at what information the public dislcosures might include in more detail.

<WileyS> David - not Shane

TLR: there are two other pieces to this discussion. The question: is there a way to help with additional info sharing. Two ideas
... 1. if many companies are willing to share more info privately than they are publicly... perhaps the DNT can anonymize the data so each company doesn't get named.

<WileyS> I believe the specifics will be too difficult to anonymize to fully protect a company

<dan_auerbach> Shane, ironic, isn't it :) ?

2. Depending on what data is needed, perhaps we can make exception to our Public disclosure requirements at the W3C. We can have a side discussion that is not disclosable in public but available to W3C membership.

<WileyS> Not ironic - mixing apples and oranges

<johnsimpson> Both offers make sense to me...

<WileyS> Membership level is the same as public view

<WileyS> No real NDAs in place

How many members are in the W3C?

<WileyS> 400+

That might as well be public

<WileyS> Exactly

<paulohm> Gotta drop off.

Chris_IAB: We're talking about huge public companies being asked to share large amounts of proprietary info. The attorneys from many of these companies are not going to be comfortable sharing this type of information
... in the two years we've been here, we've all tried to share what we can. If we're having a discussion not about sharing more here.

<WileyS> Thomas, respectfully, those are not real options.

+1 to Shane and ChrisM

Even smaller companies that I work with are going to have trouble with this

WileyS: attempted to be transparent on the public list.

1. discosing to 400+ companies is not different than public disclosure.

2. Dan asked for long laundry lists of specifics. Over the past two years, we've gotten to a level of detail that was very high.

scribe: asking for details on back end systems is crossing the line.

<Chris_IAB> we are at almost 2-years of companies sharing what they can here

<dan_auerbach> i disagree about the posture of industry

scribe: it is possible that info is being asked for is never going to be provided.

<dan_auerbach> but in any case

Dan, can you explain what you mean?

<dan_auerbach> there is a third option, which is to just have one on one conversations

<dan_auerbach> instead of any public or quasi-public forum

<Chris_IAB> Dan, that's different

<WileyS> Dan, one-on-one conversations would still require NDAs and company's trust that the NDA would be honored

<Chris_IAB> IF a company want to share with you 1-1, they will

<dan_auerbach> yes, and many have

TLR: can see how a public disclosure may be impractical in some circumstances -- particularly as DNT is initially rolled out.

<Chris_IAB> Dan, agree that 1-1 conversations can be very useful, but respectfully, this is not the forum for 1-1 private conversations

hefferjr: won't disclose info that is not already publicly unless under NDA.

<dan_auerbach> i agree that this call is not the forum

WileyS: companies have an issue wtih the likelihood of an NDA being honored.
... will the source of the request later use the information in other ways.

<Chris_IAB> +1 to Chapell

Companies may decide to have discussions under NDA with advocates

However, if the goal is to take information provided on one-on-one basis via NDA and use it in a public forum... then you obviate the NDA.

<johnsimpson> Very disappointed that industry won't rely on W3C staff...

JohnSimpson: What is the nature of your disappointment?
... We can't as a group provide assurances that the information won't be used in this forum in ways that may harm companies

<johnsimpson> I thought the annonymization offer was a good way forward...

John. there is a high likelihood that the information may identify the company -- particularly given the level of the detail that is being requested.

<Chris_IAB> johnsimpson, respectfully, industry has annonymized much information (fhrough me, and other industry reps), but that never seems to be good enough, eh?

<johnsimpson> When will you circulate the summary

So nai staff can remove the Name of the company, but can't guarantee that individual companies won't be identified by nature of their particular models

ha! not NAI / W3C

<dan_auerbach> I've got to drop off, cheers

<Chris_IAB> dwainberg, ref P3P

<Chris_IAB> ;)

<Chris_IAB> can we get a little more notice for the next call please?

<tlr> chris, yes.

- DRAFT -

SV_MEETING_TITLE
03 Jun 2013

Attendees

Contents

Summary of Action Items