W3C

- DRAFT -

Tracking Protection Working Group Teleconference

03 Jul 2013

See also: IRC log

Attendees

Present
+49.172.147.aaaa, +31.65.141.aabb, npdoty, +1.215.480.aacc, rvaneijk, +1.202.347.aadd, WaltMichel, +1.202.262.aaee, jackhobaugh, Thomas, Wendy, +972.8.979.aaff, jchester2, +1.609.258.aagg, +1.202.478.aahh, +49.172.147.aaii, omertene, efelten, dwainberg, +1.646.654.aajj, PaulGlist, eberkower, +1.323.253.aakk, schunter, +1.813.732.aall, +1.202.257.aamm, +1.202.478.aann, rachel_n_thomas, +1.202.697.aaoo, Aleecia, +1.303.746.aapp, +1.202.587.aaqq, [Microsoft], paulohm, +1.301.365.aarr, dsinger, BerinSzoka, +44.186.558.aass, Keith_Scarborough, sidstamm, Brooks, +1.202.603.aatt, +1.646.278.aauu, adrianba, [CDT], Rigo, Peter_4As, +49.431.98.aavv, +44.186.558.aaww, mecallahan, ninja?, +1.571.213.aaxx, RichardWeaver, ninjamarnau, Suzanne?, johnsimpson, +1.650.365.aayy, Chris_Pedigo, Chapell, Jonathan_Mayer, +1.202.787.aazz, Peder_Magee, moneill2, BillScannell, +49.211.600.4.bbaa, TS?, peterswire, Craig_Spiezle, [FTC], mike_zaneis?, +33.6.50.34.bbbb, vincent, +1.202.587.bbcc, Jules_Polonetsky, +1.650.595.bbdd, lauren?, [Apple], hober, +1.202.257.bbee, [Facebook]?
Regrets
Chair
peterswire
Scribe
justin, mecallahan

Contents


<trackbot> Date: 03 July 2013

<WaltMichel> 215 is WaltMichel

<mecallahan> zakim aamm is mecallahan

<moneill2> zakim. [IPCaller] is me

<justin> scribenick: justin

<Chapell> zakim aauu is chapell

peterswire: How the call will go --- lots of people have vacay
... This call will help identify and talk through issues, but opportunity to revisit on next call.
... Two key deadlines in my emails this week.

<jmayer> +q

peterswire: Noon next Tuesday: perfecting amendments to DAA approach.

<dsinger> I am getting a sense of whiplash. Are we working off the old compliance document, the June draft, or the DAA? Does the DAA even have a redline, let alone reasons for change, offered?

<jchester2> Say this again. When is the deadline for comments to the DAA draft. Are you saying one week only, to review everything and resubmit?

peterswire: A week from Friday, [interference] is deadline for opinions on which should be base text: June draft or DAA?
... Likely a chair's opinion on that by end of July.

<jchester2> +q

<jmayer> I would like to ask a clarifying question about procedure, please.

peterswire: Today's call --- let the DAA present their package.

<dsinger> I don't want the DAA to talk about it, I want them to write it down

peterswire: DAA sees all these amendments as linked together, so they should be considered together.

<jchester2> I agree with David. We need to discuss this now, Peter. You are rushing througn a process here.

<efelten> I would like the DAA to explain the rationale for their de-identification approach, in writing, as a start.

peterswire: Want input from rvaneijk and [someone else] on unique identifiers, de-ID, Yianni's language on branded first party in third-party context.

<jchester2> Can someone tell Peter there are people on the que.

zaneis: I'm happy to walk through industry proposal.

peterswire: maybe skip de-id as that's been discussed before.

<jmayer> Peter, when is the appropriate time to clarify the procedure you just walked us through?

<efelten> We have not discussed the DAA's de-id proposal before.

<peterswire> i expect to return to procedure before the end of the call

<jchester2> I hope that the FTC and the EU are noting the lack of good process here, esp for the NGOs.

<efelten> Who participated in writing this draft?

zaneis: We only had a week to pull this together.

<jmayer> Thanks, Peter.

<johnsimpson> who participated in writing the draft, please?

zaneis: Take a look at what W3C is trying to achieve --- reach consensus on implementable standard.
... Keys are "consensus" and "implementable"

<dsinger> do we have (a) a redline or (b) explanation of what was changed, the degree (major, minor, editorial) and the rationale?

<aleecia> For the record, I object to the following three things: (1) our starting points are either what the co-chair wrote, or what DAA has in mind, rather than our group consensus starting point. (2) We have no text from DAA; slides are not a substitute. (3) We are not even allowed to discuss these issues.

<peterswire> A copy of the DAA proposal with changes highlighted is here:

<peterswire> http://lists.w3.org/Archives/Public/public-tracking/2013Jun/att-0466/NAI-DAA-DMA_June_26_draft_compared_to_June_22_Tracking_Compliance_and_Scope_copy.pdf

zaneis: trying to figure out what we can get 100s of companies to agree to.

<tlr> redline: http://lists.w3.org/Archives/Public/public-tracking/2013Jun/att-0466/NAI-DAA-DMA_June_26_draft_compared_to_June_22_Tracking_Compliance_and_Scope_copy.pdf

zaneis: Sorry that we didn't follow exact protocol --- want to explain why we did what we did with more specificity.

<aleecia> This is disrespectful to the group and to our time.

<johnsimpson> Who is "We"?

<jchester2> I concurr with Aleecia.

<jchester2> I concurr with Aleecia.

zaneis: Wanted it to be simple. And wanted to show how this effort would intersect with broader industry self-reg.

<aleecia> I am shocked that W3C is allowing this to happen without objection, when it violates every process we have had in place.

<efelten> I'll say it again: no justification has been offered for the DAA's de-identification *language*.

zaneis: Shane had done a lot of technical work on how deidentification might work in this space.

<dsinger> I feel I have spent the last two weeks working down one road, and now we're on a different one. How much are we supposed to tolerate this?\

zaneis: [interference]

<johnsimpson> It is not at all clear to me how Shane's slides relate the DAA document.

<aleecia> I have no faith that time I put into working on DNT is anything but a waste

<johnsimpson> I agree with David Singer

zaneis: When we say down to draft, we know there had been two approaches: (1) focusing on the DNT signal, and the user interface, what is appropriate response, etc.
... reality is that environment has changed since this group was created.

<aleecia> I have no faith that members of the TPWG are actually participating in this process. Rather, it appears to be a set of back-room discussions then brought forward for the fiction that the group is involved.

zaneis: We had thought this was all about DNT signals being sent by *browsers* --- now marketplace has progressed, we're seeing up to 20% of DNT flags for all internet users.

<aleecia> While I am entirely frustrated with meta conversations about process, let me document: this is not a process that leads to consensus decisions from members of the group.

zaneis: My members seeing 20-25% of user base sending flag. Early on, our position had been: perhaps the W3C could standardize the DNT signal, and we would treat that as an industry opt-out.
... That is no longer tenable.
... We expect DNT:1 signals to approach 50% in short-term.

<johnsimpson> you have 25 percent DNT flags because people do not want to be tracked.

zaneis: No longer want to try to distinguish between what DNT:1 signals are legitimate and which are not.

<jmayer> I also agree with David. We worked *very* hard to quickly compile issue-by-issue proposals and rationales, as the chairs requested. The stakeholders who declined to follow that constructive and substantive process are being rewarded with extra time and focus.

zaneis: Now, within industry, we've decided to take a different approach, and focus on deidentification. Hope that could be a way to make consensus.
... Yes, we had fought tooth and nail on the default and UI issue, and we're now willing to take those off the table in the name of progress. Now the question is what level of deidentification is appropriate and implementable. We want to have that discussion.

<ninjamarnau> I don't see a reason to see a reason than other change proposal to june draft. Broken down issue by issue with justification and discussion. I am completely opposed to use the DAA proposal as a basis to find consensus.

zaneis: The industry approach trying to get a meaningful DNT standard. And then the DAA would pick up the W3C standard and require its members to publicly assert compliance thereto.
... BBB would then enforce against our member companies.

<aleecia> This not only does harm to the idea we might reach a group decision on Do Not Track, for the first time I seriously question the legitimacy of W3C as an organization to perform multi-stakeholder work.

zaneis: We thought that only by putting all that stuff together, that was the only want to present this to the group.

<johnsimpson> Who is "we" the Mike keeps referring to. Who drafted the DAA document??????????

zaneis: And that could lead to implementation in the ecosystem and enforceability.

<efelten> Can we please talk about the content of the proposal?

<johnsimpson> This is a filibuster.

<peterswire> yes

zaneis: Would like to see this group work on permitted uses, to limit the permitted uses in the DAA code. Like market research --- we're willing to try to adopt that language and be informed by that.

<jchester2> The Better Business Bureau is a member of the DAA--not really an effective body on privacy: http://www.bbb.org/us/interest-based-advertising/

zaneis: This is not a Grand Bargain. This is a way to get consensus [?]
... We've gotten criticism that this doesn't advance privacy. We disagree --- the enhancements to de-ID, etc. are a way to get real progress for consumers.

peterswire: Let's skip to clarifying questions. Thanks for background.

<aleecia> These all sound like lovely goals for DAA to work on internally, and I support those goals. But this is not a W3C DNT spec.

<npdoty> I thought the DAA proposal still kept the same UA requirements, on when to send the flag at all

peterswire: Who is the "we" here?

zaneis: It's a broad industry submission. Specifically, presented by DAA,IAB, NAI, DMA, and the DAA trade associations representign the whole supply change: ad nets, publishers, agencies, &c.

<aleecia> I think I missed which TPWG members were involved.

<aleecia> Seeing as that's the group we're in.

<jmayer> I'd also like to get back to substance. Perhaps we could start with the questions that Thomas so helpfully compiled? http://lists.w3.org/Archives/Public/public-tracking/2013Jul/0005.html

zaneis: They all support this in principle.

<johnsimpson> Can we please have specific names?

zaneis: Comcast, Yahoo! and a few others put their names to it.

<johnsimpson> Are any of them members of the working group?

<aleecia> Were there ANY other TPWG members involved?

<jmayer> -q

peterswire: Let's get back to normative text --- thomas could you help us with the questions you put out to the list?

<efelten> Mike identified DAA, DMA, IAB, Yahoo, and Comcast as supporters of the proposal.

<aleecia> But not a single person.

<efelten> Also NAI.

<aleecia> I have no idea if Yahoo means Shane, or not

<aleecia> &c

thomas: I heard you speak about the broad consistuency --- you mentioned DAA, IAB, and DMA?

zaneis: Yes, certainly them and others, along with some companies.

thomas: Can the companies say that for the record?

<johnsimpson> We need the companies?

<Jules_Polonetsky> zakim 202/587 is Jules Polonetsky

thomas: I sent a set of questions on July 1 that did not draw an answer. Here are the questions, the first from efelten:
... What is the difference between deidentified and delinked, and where does delinked ever get used in the document?

zaneis: Shane has walked though a lot of these use cases, and last week on a group call.
... One example is the Red/Yellow/Green proposal. And I think there is flexibility here.

<efelten> Nobody has offered a justification for the proposed *language*.

<johnsimpson> Shane showed a bunch of slides. There is no clear way that the slides relate to the prosed text.

zaneis: [interference]

<jchester2> -q

thomas: Agreed, there are a lot of names for all those states. The real question is what in the proposal is different between de-id'd and delinked.

<johnsimpson> you document doesn't to that

zaneis: We presented a deidentification *principle* and then identified examples of what would work. But meant to allow a fair amount of flexibility of how to get to that principle.

<jchester2> +q

zaneis: Think of the deidenification language as the normative, and think of Shane's examples as non-normative.

peterswire: Is delinked every used in the document?

<efelten> Shane's PowerPoint doesn't answer this question.

zaneis: There are different use cases. I don't have Shane's PPT in front of me, and I'm not qualified to get into the operational issues. Everyone's on vacay!

<johnsimpson> Not even clear what requires de-identified data..

<jmayer> I'd like to understand the deidentification principle. We can get to the technical implementation after.

<npdoty> it's used "after there are no remaining permitted uses ... data must be de-identified and de-linked"

thomas: I looked at this specific point --- I tried to find where delinked used. In the permitted uses, you have delinked show up once. Just on retention. Seemed inconsistent with other parts of the doc.
... Two q's: (1) What is difference between two states, and (2) Where are de-ID and delinked used?

rachel_n_thomas: This is very clearly laid out in the document
... This discussion is best had with the technical adops folks are available.

<efelten> If it's clear in the definition text, then somebody should be able explain it to us.

peterswire: More questions. In the June draft, there was language that there should be no unique IDs is reasonably available [not to use?].
... why not leave in spec?

<moneill2> basically DAA says "no"

zaneis: We don't know what's "reasonably available." Cookies have been the building block for a long time. We don't have a sense of what people want or mean, so we couldn't commit to a theoretical mechanism. We don't understand what's being asked of us.

<dsinger> can someone tell me what the legal threshold of 'reasonable' means? Is this commercially reasonable efforts? best efforts?

<jchester2> Privacy is what is being asked.

zaneis: Rather than focus on certain technologies, we wanted to have a broad definition of tracking. Shouldn't matter if it's cookie based or statistical identification.

<moneill2> tracking is unique ids

peterswire: What about permissibility of retargeting?
... Under the DAA code, is that allowed --- for site B to use behavior from site A?

zaneis: Not comparing apples to apples. Difference between DAA program and DNT with 50% opt out.
... That retargeting practice is likely not allowed if DAA opt-out.
... Generally accepted but not a lot of case law.

<jmayer> On privacy-preserving technologies, researchers have offered to collaborate with DAA member companies for years. The companies have declined. Any lack of understanding is, at this stage, attributable to willful ignorance.

zaneis: But without getting into specificity of Shane's proposal, some of that might be allowed if the data is really deidentified first.

<rigo> is it possible to single out without being associated to connected to a specific user, computer, device? Text is unclear to me. Text is unclear IMHO. See the letter of Dix who says "erase last segment of the IP address". IMHO non normative text should examplify what all this text means

zaneis: More about a data hygiene practice. DAA program though would still exist.
... which would probably opt you out of retargeting.

<efelten> So the DAA text proposal would allow retargeting?

<moneill2> "safe" tracking

peterswire: So the industry proposal seems more like a data hygiene proposal. So you'd turn on DNT:1 to opt for data hygiene, and then go to DAA to opt out of what you allow opt out of.

zaneis: That's right.

<npdoty> that's a useful clarification, as I hadn't understood from the normative language that re-targeting and other profiling was consistent with DNT: 1 in the proposal

<Chapell> tlr, i think i was dropped

rvaneijk: I tried to bring delinking into Shane's proposal, and to explain where we differ in our views.
... We need a good definition of deidentification --- trying to get to the gold standard: FTC's "do not collect" language!

<aleecia> The argument is that DNT will be too pervasive to be able to limit tracking, hence the move to "data hygiene." And maybe that's so. But that means we cannot get to consensus for Do Not Track. That would be extraordinarily unfortunate.

rvaneijk: I added a friendly correcting amendment that could get closer to that. Deidentification shouldn't just be around third parties down the line like service providers. This is my first proposal geraed at fixing def of de-id.
... My other proposals have been to fix either the 3 state or 2 state approach. I am agnostic as to which of those we should use.
... Article 29 is looking at this as well.
... My proposal for 3 state: Red data is linkable. Yellow data can still be linkable, but let's not call it deidentified.
... On the two state approach, there's a linkable stage and a deidentified stage.
... In the deidentified stage, you have to make sure that the data can't be linked back.

<jchester2> -q

rvaneijk: That's a short summary of the proposals I submitted: (1) fix def of deidentified. Let's not call hashes deidentified. The key needs to be the ability to link.

<aleecia> Perhaps there is a need for a different WG on "data hygiene," with a different charter, and likely different group members. It would move faster and better.

peterswire: Making sure I understand. Sounds like your neutral between 2 and 3 states. Other is that hashing doesn't get you to delinking.

<laurengelman> yes!

rvaneijk: Right.

<laurengelman> ty

<npdoty> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Deidentification

<tlr> lauren, note you can do that yourself

Thomas_Schauf: Want to discuss about hashed identifiers can't be deidentified. If tied just to cookie, it's not tied to a particular user.

<laurengelman> yes. was abt too.

Thomas_Schauf: I like Roy's language that you need "justified confidence" (I tried to make more legalistic) that it can't be tied to a data subject ...

<moneill2> the cookie is stored in the user's device and can identify them.

Thomas_Schauf: without additional information without disproportionate time or effort. You can't identify the natural person , though there would be some sort of remaining list of undoing de-ID (government request) ...

<rvaneijk> Thomas, sorry, but we are not doing legal things here, it is a technical approach for a technical standard...!!

Thomas_Schauf: but for tracking purposes, not tied to real person.

peterswire: To help us clarify, previously we had had langauge similar to FTC and from Dan Auerbach.
... Do you see this proposal as similar to FTC/Dan, or could you clarify how it's different?

<npdoty> if the distinction is about connecting to a natural person, does that mean all existing uses of cookies that don't have real names attached are already "de-identified"?

Thomas_Schauf: I haven't looked at that recently, I was just working off of fielding's language.

<mecallahan> mecallahan now scribing

<scribe> scribenick: mecallahan

<efelten> npdoty, his proposed language says that the data *cannot* be attributed to a data subject.

justin: thought FTC /DAA language was sufficiently strong and allowed flexibility to accomplish to be the exisiting standard
... yellow standard not sufficiently robust
... under common understanding of tracking, still allow tracking in DNT! which is inappropriate

<efelten> Which state is "yellow" in the DAA proposal? Is de-identified yellow, or is de-linked yellow?

<npdoty> efelten, well, unless the data to make the connection to a real-name has distinct technical and organizational controls

justin: justin not wedded to DAA language but best alternative so far

peterswire: anything to be added?

<justin> efelten, deidentified is yellow under industry proposal.

peterswire: the queue on deid

<efelten> Thx

<justin> You could at least stop targeting :)

<rvaneijk> ok, then we are done.

zaneis: same statement as 2 years ago, it is impossilbe to stop tracking from a consumer perspective

<jchester2> +q

zaneis: we keep going down same worm hole, i hope in next 3 weeks, trying to be achievable and have substantive discussions

<aleecia> Well, no, this is important: if we cannot stop tracking users than we cannot have a consensus standard.

<johnsimpson> Are you saying you won't honor DNT?

zaneis: we narrowed the issues, inc issues we really care about

<jchester2> Rigo should ask Mike to explain, please.

<peterswire> close q

<aleecia> It is important to understand that. And I appreciate the honesty.

peterswire goes to queue re de-id, promises process discussions at end of call

<jchester2> Can Rigo place on the record why he thinks this is so, please.

<jchester2> -q

aleecia: keeping on de-id. if take unique ID and you replace with another randomly generated unique ID, bad for privacy
... if you change the link, that could be good for privacy
... only way to be viable is guidelines on how long they can be linked

<rvaneijk> in addition to ALeecia, WP29 is working on guidance on anonymisation techniques.

aleecia: that is minimum o fwhat Aleecia needs to be useful. otherwise privacy risks are the same.

<tlr> peter: we are asking for various submissions by this coming tuesday

<jchester2> Thomas--is the translation of what Rigo is saying is let DAA bury themselves

<jchester2> +q

<jchester2> Peter: You are now discussing process, yet didn't want to discuss process.

peterswire: w3c asking for subm ission by week from friday. in addition, there is written public record on these issues, chair will be mindful of that dialog/record, will look at record to make sure all issues addressed, not playing gotcha. [foresadow procedure]

zaneis asks to respond. he will go after the q.

<TS> Dan´s approach: Data can be considered de-identified if it has been deleted, modified, aggregated, anonymized or otherwise manipulated in order to achieve a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular user, user agent, or device. Thomas´ approach: Data is considered de-identified when data that has been collected is altered or otherwise processed so that it can

jmayer asks question on de-id:

<TS> cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or when such attribution would require a disproportionate amount of time, expense and effort. Differences: Dan´s approach force us to define the word anonymize. The reasonable level of justified confidence is in my view pretty weak. The “German” idea is quite stronger as the link to

<TS> a data subject (user as a natural person) is prohibited per definition. And my proposal also reflects some remaining risk that such data could be linked and this reflects a debate we had in Cambridge in Feb 2013.

scribe: trying to understand/reconcile DAA proposal. how do the two pieces mesh? data should be able to reassocaited to user? yellow state we heard does not have those privacy properties. would the yellow states be de-id?

peterswire: shane uses the word deid to apply to yellow state
... under propsoed langauge is de-id, the normative language, and mike says cd be examples of implementing that cd be shane's appraoch/examples.

<rvaneijk> when yellow = de-identified, is where we disagree on the definition

<johnsimpson> mike you're breaking up

<jmayer> If I may, that didn't answer my question.

<rigo> the question is how much is allowed then under yellow state. If it is treated like "not personal data", then I personally do not find this acceptable

<npdoty> I think Jonathan's question is that the normative text doesn't seem to agree with what Shane has presented about real-time bucketing

jmayer: gets the notion that yellow and deid are supposed to lien up. but how are they supposed to line up?

<rigo> and agree with Aleecia that it is not convincing to replace one uniqueID by another

jmayer: i dont see how the text allows this.

look at point 1, "taken reasonable steps to ensure"... as we know from data science, in fact pseudonymous datA can be linked to a specific device.

scribe: does this text have a different meaning?

peterswire: it would be helpful if zaneis can answer in writing to jmayer's questions, on the list.

<efelten> I wonder if anybody on this call understands the DAA's proposed text.

peterswire: scribe did not get the question right, see, clarifications.

<aleecia> So to try earnestly to be productive, one way to get to "yellow" could be to specify hashing with a new key every month.

jchester2: questions on process/procedure. Jeff feels he is being railroaded.

peterswire promises 15 minutes re process at end of meeting

<johnsimpson> I do not understand the DAA text. The DAA reps clearly don't understand it.

<justin> aleecia, You are arguing into the wind, industry has said repeatedly they're not willing to put those sorts of numbers into text.

<aleecia> I know.

<johnsimpson> I had some questions that were never answered as well.

tlr: a little frustrated about lack of details to his questions, requests written responses to his Monday questions from DAA

<aleecia> But I'm trying to find a way, any way, to save this.

<jchester2> Yes, written answers and time for discussion on next week's call.

<moneill2> alleecia, so if you visit the same site within a month they can still track you?

<jmayer> Aleecia, that particular technical design would still not ensure that "the data cannot reasonably be re-associated or connected to a specific user" in a plain meaning.

<aleecia> Where "this" is Do Not Track

tlr: apprciate the context, but DAA has not answered the questions. seeking written responses.

<justin> If there's a way, that's probably not it.

<aleecia> jmayer, in some cases you are correct. In some it would help, maybe by enough

<johnsimpson> To whom do we address questions about the DAA proposal?

<peterswire> yianni -- please put URL into IRC for your 1st party/3d party language

<aleecia> tlr's fingers are used to mutt :-)

zaneis: quick rapup: DAA happy to provide detailed answers to jonathan's questions, and to Thomas;s. Aleecia's comment very helpful on when de linking occurs, and how do we get there, we need a conversation/discussion. that wd be productive.

<jchester2> DAA, please respond in writing to Rob's proposal. We need a public discussion on the issue he has raised.

<Yianni> http://lists.w3.org/Archives/Public/public-tracking/2013Jul/0050.html

zaneis: DAA will provide comments when people get back, DAA will be diligent.
...re: jmayer question, how the stds marry up with shane's proposal. that is good disucssion too, lets have that disucssion. we are trying to not have too much non normative text, but if that helps clarify the picture, DAA open to doing that as well.

<dsinger> I think an informative document/annex would be a great step (mining the old compliance document, DAA text, and so on)

<tlr> thanks, and apologies, Peter, for talking over you.

<aleecia> I'm seeing three paths: (1) toss out the red-yellow-green approach. (2) tighten down what it means for data to become "yellow" which right now is nearly useless. (3) tighten down what can happen with data in "yellow" state, which right now is nearly everything, including serving targeted ads.

First in Third Context

<aleecia> I was working on (2)

peterswire: new topic, first party in 3rd party context
... yianni, can you explain new language/proposal.

<npdoty> Yianni's proposal is here: http://lists.w3.org/Archives/Public/public-tracking/2013Jul/0050.html ; and other change proposals on this question: http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_First_Party_Compliance

yianni: dont know if a lot of agreement on the new proposed langugae, but looking for some agreement

<aleecia> Right now, we have a proposal for DNT that allows no less tracking than for users who do not send DNT:1

yianni: primary issues is transparency
... when first party uses infor in thrid party context, not transparency

<jchester2> Can you give some examples please of what kind of branding would be required?

yianni: this proposal wd allow clear branding so that the consumer wd know it was from first party, who "to blame"

<aleecia> I appreciate Mike's points -- and calm tone -- around what industry can willingly agree to. But it should be pretty obvious that if tracking stays the same with and without DNT:1, it's going to be hard to get others on board.

<dsinger> is a facebook 'like' button considered to be 'prominent branding'?

peterswire: language proposed would not allow first party to use data in 3rd paty context UNLESS there is some clear statement.

<jchester2> +q

<dsinger> to aleecia: yes, the major change to the definition of tracking is troublesome, and a major change of direction.

<npdoty> dsinger, I think a "Facebook" logo on a Like button might suffice

achapell: thanks to yianni. how does transparency work differently than in DAA code?
... DAA code is transparency model as well. is this AdChoices icon, or more?
... if about transparency, couldnt thrid parties take advantage of that as well?

Yianni: now first parties can collect all the data they want in first party context.
... as far as third party context, yianni doesnt see how 3rd parties can collect using this formula
... this proposal is about USE, not about COLLECTION
... this proposal is differnet from DAA collection and use icon/adchoices

<justin> This seems to require more branding than a mere icon.

chapell: how is DAA and Yianni prposal different?

<justin> If not, it should.

peterswire: recommends follow up off line.

Yianni: will think about what "prominent branding" examples/non normaative

jchester2: wants to know what prominent branding means.

yianni: prominent branding in spec rigfht now with multiple parties as well

<aleecia> Here is my concern. If browsers implement DNT as DAA proposes, it crosses deceptive practices, since it does not change tracking.

yianni: to think more about it

<moneill2> UAs should send cookies: to 3rd parties when DNT:1

<moneill2> *not*

justin: in the past, justin had been supportive of first data in 3rd context,

<peterswire> close q

justin: branding approach is a clever way to do that than unidentifed icon

<aleecia> The browsers could pull the feature completely, or could implement their own view of what DNT is, neither of which is a good outcome.

justin: one idea occurring is that if DNT1 can use first party data in 3rd context, need own 1st party opt out
... not sure good idea, but recommend considering it.
... if indicate a desire to not be tracked, the first party publisher should consider own opt out

<npdoty> -1 for creating another two-layer opt-out, if it makes people confused about DNT being an opt-out

<johnsimpson> +1 to Nick

chapell: larger issue: if w3c is going to take this approach, need to communicate what DNT means

<Zakim> rigo, you wanted to ask whether prominent branding would not lead to two first parties on the same site as proposed by Rob Sherman?

chapell: and large entities can do whatever they want.

<justin> npdoty, Yeah, I get the limitations, but at least there are first-party relationships in place, as opposed to market research industry.

<npdoty> Chapell, I think in the proposal that large parties couldn't collect data in a third-party context, the same way that other third parties couldn't

rigo: cant hear rigo
... as soon as good into "branding" issue, create two competing rule sets for similar use sets
... what happens w two parties on one side?
... give first party privilelges back in

<aleecia> +1

<Chapell> If DNT turns out to be: a) eliminating third-party tracking and b) large first parties can do whatever they want so long as they meet branding requirements --- then we have a requirement to disclose this in both our w3c docs and in the UA disclosure guidelines

<moneill2> +1

rigo: creates complexity within the rule set, destroys the clarity of hte rule set

peterswire: to the extent the standard is sets of rules around 1st party and different sets of rules around 3rd parties
... third parties express concern about 1st/3rd impact, disparate impact

<Chapell> I would be curious to understand what our colleagues who are regulators think about the potential anti-competitive impact of this approach

<Chapell> Ed? Rob?

<npdoty> Chapell, but you recognize that large first parties would face the same limits about collecting data in the third party context (for example, Facebook and Google collect data in third-party contexts now as well as in their first-party context), right?

peterswire: patrolling this line bw the 1st/3rd and related roles, quite important to consider
... which is why peterswire asked yianni to draft this proposal.

<jchester2> +q

Procedure

peterswire moving to procedure.

scribe: working w w3c staff, important end of july deadline.
... trying to get substantial sense of where we are by end of july
... last call may have some things left open

<Chapell> npdoty, i recognize that there migth be some limits on first parties under this standard - whether they are significant or not is an open question

scribe: end of july is basic sense of where we are heading.
... june draft a pretty good sense of what kind of standard june draft cd be.
... june daft is one direction.
... another path supported by a set of actors that have a lot of websites and eco participation, and working group participation, is DAA/Zaneis

that wd look different than june draft.

scribe: hopefully todays convo helps understand, along with answering questions

<jmayer> +q

<efelten> +q

scribe: head towards perfecting amendments by Tuesday on DAAA
... call next wednesday work through these issues
... point is, clarify the two basic directions

<dsinger> are you asking the group the question "should we take the DAA proposal as the baseline text?" (and dump the old compliance and the June draft)????

scribe: clarify reasons to support or not support,
... issues such as deid
... in nine days, submit objections on the record/written views on where we are
... the two choices before you are a strong record for a Chairs Decision
... that is basic approach

<johnsimpson> record for a chair's decision on what?

scribe: peterswire doesnt see a way to avoid such a Chairs Decision
... swire has record that has been created already.

<aleecia> I'll echo dsinger's question

scribe: the written response/next 9 days will also help.

<rvaneijk> DAA proposal should be broken down into the relevant issues and put on the wiki IMHO

jchester2: what kind of record will you have?

<rigo> +1 to rvaneijk

jchester2: how was the decision to have DAA draft presented as one of the two options?

<dsinger> do we have the 'why' for each change in the DAA draft?

jchester2: lots of efforts editing june draft, short time period.

<aleecia> +1 to rvaneijk as that is what we do

jchester2: we had a week, and now it sounds until Tuesday to respond to DAA draft.
... recommend structuring convo with appropriate specialists, etc., to have a good conversation.
... that issue (deid) alone could take 2 hrs.
... repeat question on decision on DAA draft as one of 2 options

petersiwre: his decision in consultation w w3c stafff.

<aleecia> The answer on how you reached a decision is that you reached the decision? I don't get that answer.

jmayer: having spent time on issue by issue on june draft, could we carry over hard work to the DAA draft?

petersiwre: every submission on change/rationale, statements, etc., so for lots of issues, recent, clear views of issues. that in many instances will be highly relevant

<jmayer> That didn't answer my question.

<aleecia> Peter is dropping out

petersiwre: hope that work will be highly useful for any decision on how to sum up/end work in july.

<tlr> aleecia, not here

<aleecia> tlr thanks

jmayer: asked for text responses to DAA proposal. will the existing text responses be sufficient, or do we have to generate a new fresh set of responses for DAA?

<dsinger> are you asking (a) 'should we take the DAA proposal as basis?' or (b) 'what changes would you want on the DAA text if we were to take it as basis?'

peterwire asked npdoty to answer

<justin> Do I have to document all the times I *didn't* object to language in the June draft?

npdoty: lots of proposals come through, w3c documenting.
... DAA might be a package that CANNOT be broken up, how they work togehter as a piece
... recommend addressing DAA as a package

<aleecia> Yet we've done that and have two drafts along those lines that we incorporated in a consensus document

efelten: proces going forward is chair decision on DAA v juen draft?
... and then after that what happens?

peterswire: chair's decision, then the group in its wisdom meets.

efelten: and then after that?

<aleecia> bad connection, recalling

efelten: what if switch to DAA?

<jmayer> +q

peterswire: fair question, hasnt worked it out fully yet.

<aleecia> could someone please augment scribing?

efelten: is there going to be opportunitiy to propose changes to draft?

<npdoty> I think most of the already documented change proposals would still apply

<jmayer> How can we hold an informed vote on the DAA proposal if we don't know the extent to which it can be revised?

peterswire: DAA would not be final standard, wd need additional work

efelten: text proposals would be considered or thrown out?

<npdoty> peterswire: even after a decision on either the DAA or the June draft, would still need to address the change proposals already documented

<rvaneijk> If the DAA proposal is a all or nothing package we might as well do a vote today

peterswire: DAA proposed package, there would be process to test that out, clarity about fundamentally after july

efelten: issue by issue?

peterswire: yes

<justin> So, first *perfecting* friendly amendments to DAA text, and then arguments on which text, and THEN we work through whichever draft. I think.

johnsimpson: chairs decision is on which of the two baselines?

peterswire: yes, and reasons given why elements are positive/negative.

johnsimpson: need formal explanations on DAA proposal.

<efelten> Yes, and "work through" means going area-by-area where we have had text proposals against the current draft.

johnsimpson: DAA is completely murky. who is part of the DAA team?

<efelten> (That's my understanding of what Peter said.)

peterswire: we had a scribed conversation and asked for help.

aleecia: quite a few issues about where we are

<jchester2> We need to know exactly who endorsed the DAA proposal and which ones have contributed to paying for Peter's work on DNT.

aleecia: as she understands, two paths: Chair draft, DAA soon to be final draft of proposal.
... two complete proposals which we had in a consensus draft, side by side.
... aleecia resubmitted text before deadline. why not considering that version?

<justin> ?

petersiwre: lots of people asking for lots of things.

aleecia: DAA proposal has trumped the consensus proposal that has been worked on for two years.

peterswire: ok.

<jchester2> So Peter made the decision to ignore the consenus proposal, I would like him to explain this in writing please, which should be distributed to the news media.

peterswire: we are not consdiering the consensus proposal at this time.

<johnsimpson> I don't see why the DAA gets standing for its proposal

aleecia: i appreicate that clarity that consensus proposal as off the table.

<dsinger> I believe that the 'old' consensus document is still a source of text, idea, issues, and history, no matter what basis we use going ahead

<tlr> +1 to David

jmayer: question about what the impact of selecting a baseline is?
... is it a document about w3c conversation/template for submitting issue by issue rationales?

or some impact of selecting a baseline on substative and procedural issues?

scribe: if there isnot consensus, does baseline trump? presumption of baseline stds?

<aleecia> Just to get this clear: Peter has just explained that my proposal to include consensus text from prior drafts, submitted on time, has been summarily discarded. The work of the group is discarded. Our options are DAA or Peter's own text, with no oportinities for other texts.

<tlr> aleecia, not discarded.

<aleecia> Thomas... please.

peterswire: the core points are picking a direction. beyond that, in DAA, there are specific issues in there. if DAA text were picked as baseline, there is an overall structure and logic.
... amendments tested to see if they make sense /logic to the DAA proposal.

<jmayer> Ok, so the suggestion is that certain amendments to the DAA document would be impermissible?

<jmayer> Which amendments, then?

peterswire: if june text, the amendments will also be considered.
... there are lots of proposed edits to June text.

<aleecia> It might also have helped to have some notion that brand new approaches were invited, rather than changes to Peter's draft. That was not announced either.

peterswire: other options include consensus draft, or another option.

<aleecia> And it might have helped to have more than a week.


.peterswire: basic decision bw two paths.

<aleecia> The group *has* reached consensus on the draft I submitted, which is the entire point.


.peterswire: there are areas that are clearly different.

<aleecia> Yes, it had alternatives in it. But that was where the options were.

chair will try to write up reasonable decision, and then decide what to do next.

<jmayer> This still doesn't answer my question. We don't have clarity on the proposed decision.

<dsinger> If I had known that 'replace X with Y' was a reasonable change proposal, I might also have tried to write one (or get a team to)

scribe: end of july intended to be meaningful, not to be punt.

<aleecia> dsinger, +1

<jchester2> Peter, please place on the record--prior to your decision--the specific names of the working group members who have contributed to paying your salary and expenses. Thanks,

<dsinger> If this is intended to be derailing, it's succeeding. Thanks so much

<aleecia> though again would have needed more than 7 days

<johnsimpson> +1 to David

peterswire: 132pm, gone thorugh the queue. please read emails re work plan.

<aleecia> This is so painful

<jmayer> The proposal it to agree to a new baseline. With no clarity on what having a new baseline means.

end call.

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2013/07/03 17:36:01 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/,/./
Succeeded: s/question/questions/
Succeeded: s/consumers [inaudible]/from a consumer perspective/
Succeeded: s/ThomasR/tlr: /
Succeeded: s/from DAA/to DAA proposal/
Succeeded: s/if a decision/after a decision/
Found ScribeNick: justin
Found ScribeNick: mecallahan
Inferring Scribes: justin, mecallahan
Scribes: justin, mecallahan
ScribeNicks: justin, mecallahan
Default Present: +49.172.147.aaaa, +31.65.141.aabb, npdoty, +1.215.480.aacc, rvaneijk, +1.202.347.aadd, WaltMichel, +1.202.262.aaee, jackhobaugh, Thomas, Wendy, +972.8.979.aaff, jchester2, +1.609.258.aagg, +1.202.478.aahh, +49.172.147.aaii, omertene, efelten, dwainberg, +1.646.654.aajj, PaulGlist, eberkower, +1.323.253.aakk, schunter, +1.813.732.aall, +1.202.257.aamm, +1.202.478.aann, rachel_n_thomas, +1.202.697.aaoo, Aleecia, +1.303.746.aapp, +1.202.587.aaqq, [Microsoft], paulohm, +1.301.365.aarr, dsinger, BerinSzoka, +44.186.558.aass, Keith_Scarborough, sidstamm, Brooks, +1.202.603.aatt, +1.646.278.aauu, adrianba, [CDT], Rigo, Peter_4As, +49.431.98.aavv, +44.186.558.aaww, mecallahan, ninja?, +1.571.213.aaxx, RichardWeaver, ninjamarnau, Suzanne?, johnsimpson, +1.650.365.aayy, Chris_Pedigo, Chapell, Jonathan_Mayer, +1.202.787.aazz, Peder_Magee, moneill2, BillScannell, +49.211.600.4.bbaa, TS?, peterswire, Craig_Spiezle, [FTC], mike_zaneis?, +33.6.50.34.bbbb, vincent, +1.202.587.bbcc, Jules_Polonetsky, +1.650.595.bbdd, lauren?, [Apple], hober, +1.202.257.bbee, [Facebook]?
Present: +49.172.147.aaaa +31.65.141.aabb npdoty +1.215.480.aacc rvaneijk +1.202.347.aadd WaltMichel +1.202.262.aaee jackhobaugh Thomas Wendy +972.8.979.aaff jchester2 +1.609.258.aagg +1.202.478.aahh +49.172.147.aaii omertene efelten dwainberg +1.646.654.aajj PaulGlist eberkower +1.323.253.aakk schunter +1.813.732.aall +1.202.257.aamm +1.202.478.aann rachel_n_thomas +1.202.697.aaoo Aleecia +1.303.746.aapp +1.202.587.aaqq [Microsoft] paulohm +1.301.365.aarr dsinger BerinSzoka +44.186.558.aass Keith_Scarborough sidstamm Brooks +1.202.603.aatt +1.646.278.aauu adrianba [CDT] Rigo Peter_4As +49.431.98.aavv +44.186.558.aaww mecallahan ninja? +1.571.213.aaxx RichardWeaver ninjamarnau Suzanne? johnsimpson +1.650.365.aayy Chris_Pedigo Chapell Jonathan_Mayer +1.202.787.aazz Peder_Magee moneill2 BillScannell +49.211.600.4.bbaa TS? peterswire Craig_Spiezle [FTC] mike_zaneis? +33.6.50.34.bbbb vincent +1.202.587.bbcc Jules_Polonetsky +1.650.595.bbdd lauren? [Apple] hober +1.202.257.bbee [Facebook]?
Found Date: 03 Jul 2013
Guessing minutes URL: http://www.w3.org/2013/07/03-dnt-minutes.html
People with action items: 

[End of scribe.perl diagnostic output]