W3C

- DRAFT -

Tracking Protection Working Group Teleconference

17 Jul 2013

See also: IRC log

Attendees

Present
npdoty, +31.65.141.aaaa, rvaneijk, +1.212.768.aabb, rachel_n_thomas, +1.646.654.aacc, eberkower, +1.202.587.aadd, Fielding, +1.678.492.aaee, Yianni, +1.202.344.aaff, +31.62.125.aagg, SusanIsrael, RichardWeaver, +1.202.347.aahh, +1.202.345.aaii, jackhobaugh, +1.916.212.aajj, Chris_IAB, +1.202.331.aakk, BrianH, Brooks, +1.303.492.aall, paulohm, Joanne, Peder_Magee, BerinSzoka, +1.646.827.aamm, Bryan_Sullivan, JeffWilson, +1.650.595.aann, +1.202.331.aaoo, +1.203.563.aapp, +44.186.558.aaqq, Mike_Zaneis?, WileyS, +1.408.836.aarr, moneill2, [Microsoft], Chris_Pedigo, jchester2, hefferjr, +1.646.666.aass, JoeHallCDT, kj, +1.301.365.aatt, [IPcaller], +1.609.258.aauu, efelten, +1.650.365.aavv, dwainberg, adrianba, vinay, Nielsen, Aleecia, Chapell, +43.198.8aaww, +1.650.787.aaxx, kulick, [FTC], Keith_Scarborough, hober, hwest, +1.202.587.aayy, Dan_Auerbach, +49.431.98.aazz, ninjamarnau, +44.142.864.bbaa, +1.215.480.bbbb, AdamPhillips, Jonathan_Mayer, Amy_Colando, +33.6.50.34.bbcc, vincent, +1.415.627.bbdd, johnsimpson, +1.650.787.bbee, peterswire, laurengelman, +1.202.257.bbff, robsherman, +1.510.501.bbgg, +49.625.796.39.bbhh, +1.202.257.bbii, +1.415.863.bbjj, LeeTien, jules_polonetsky
Regrets
Chair
peterswire
Scribe
Yianni, hwest


<trackbot> Date: 17 July 2013

<BrianH> zakim 202.345

<Chris_IAB> Just joined from 202

<Mike_Zaneis> 202.344.aamm

<Chris_IAB> 212-380

<Chapell> 646 666 is chapell

<Yianni> Yes, i can do that

<kulick> 408.836.aarr is me

<Yianni> scribenick: Yianni

Peter: Greetings everyone, thank you for being on the call
... we are going to do our business on the agenda
... Nick, did change proposal get updated on the website

Nick: not yet

Peter: the text that went out earlier today by Kathy Joe and me, I'm going to ask you to find the email from me
... 9:48am Eastern time
... Issue-25 text to be discussed on today's call

<Chris_IAB> link?
... text that has been subject to a lot of work in the last few months
... Kathy there was an email by Rob van Eijk with clarifying questions

<npdoty> http://lists.w3.org/Archives/Public/public-tracking/2013Jul/0418.html
... could you point us to what you had said in answer to Rob's questions

<hwest> Ready to scribe!

<npdoty> scribenick: hwest

peterswire: Clarifying question will be helpful to have up
... rvaneijk has engaged extensively with kathyjoe on Audience Measurement

kathyjoe: Two questions. In the AM data, is the same ID attached to the retargeted ad across sites

<peterswire> if someone could post rob's questions to the list, that would be great

<rvaneijk_> I just posted some more clarifying questions to the list

<rvaneijk_> http://lists.w3.org/Archives/Public/public-tracking/2013Jul/0420.html

Is that written up somewhere? I missed half of it, sorry

<rvaneijk_> Thanks Kathy

<susanisrael> *heather, it is on the list

<rvaneijk_> Peter these are fine answers.

peterswire: rvaneijk_ , can you give us any response to whether your concerns were addressed on clarifying questions?

<rvaneijk_> problems with micro

rvaneijk_: Thanks to Kathy, answers on the mailing list do answer the concerns that I had
... Posted additional questions to the list, if we have time

peterswire: rvaneijk_, your questions may be shorter to address. Goal is to see whether AM is ready to go to base text by consensus today.
... Does opt out provide collection limitation?

kathyjoe: It would, in line with text we've posted. Tried to make use case as narrow as possible. Industry opt out along those lines.

<npdoty> Kathy's responses to Rob's initial questions (with formatting fix): http://lists.w3.org/Archives/Public/public-tracking/2013Jul/0421.html

kathyjoe: Two levels of info required. That's why we want something explaining to consumers what data is collected and why, and how it's used.
... Principle of transparency
... Would design platform to allow people to see what data is collected and who received, other piece is a way to signal it on the sites so that people can see that that is present.
... Brings awareness to the usage.
... Users may be aware of advertising but not this measurement

rvaneijk_: Regarding second question, if we grant a permitted use, and the user also has an opt out, which trumps?

<eberkower> Opt out cookie rules

kathyjoe: I don't know that we've gotten into those details, but if someone has said they want to opt out of that use, we would expect that would be the opt out

peterswire: Possible to move forward on this even if DNT is delayed?

kathyjoe: I know that earlier discussion was that this transparency would help the industry
... I think group felt that this could go forward in any case

peterswire: Other concerns?

rvaneijk_: Does the opt out as envisioned have collection limitation?

kathyjoe: Yes.

<npdoty> should we do that for the other permitted uses? users should also have an option to go industry sector by industry sector to obtain opt-out cookies?

dwainberg: Can someone explain the difference between how data is collected under this PU and other PUs? Having a hard time understanding the delta between the final state of AM data and other PUs

peterswire: June draft as base text, series of minimization and other requirements for all PUs. This would fall under those.
... And then additional series of promises in connection with activities that would take advantage of AM use
... Would be subject to industry self-reg org as discussed this morning

<dan_auerbach> apologies, I got on the call late, would someone be kind enough to repost Ed's questions?

dwainberg: This allows data collected and associated with unique IDs?

peterswire: That's my understanding

<npdoty> Ed's email: http://lists.w3.org/Archives/Public/public-tracking/2013Jul/0419.html

efelten: There are two questions. One, notion of pseudonymization in the text. What does that mean, different than de-id?

<eberkower> http://lists.w3.org/Archives/Public/public-tracking/2013Jul/0420.html

peterswire: I think that in this case pseudonymization has meaning in EU context.
... Well developed understanding in that structure.

<justin> My understanding is that pseudonymization is designed to prevent linking to traditional PII. Deidentification is designed to prevent linking to PII or device.

<moneill2> +q

kathyjoe: Struggled with that a bit given three-state discussion.
... Trying to describe the outcome, but not describe the technical means.
... Not named or gov identifier. Can't say who that person is.

<johnsimpson> apologies, horrible LAS traffic….

<Lmastria_DAA> self regulatory programs that allow user-based opt out and transparency sound very good and are very effective ... happy to share more info so that we all recognize what protections are already in market and providing effective, enforceable choice

kathyjoe: Distinguish between users, but don't need to know who they are.

efelten: Ambiguous what unique identifiers are ok and aren't.

kathyjoe: Trying to avoid that, since ad tech can change quickly. Want to define by the outcome.

<jchester2> We need the clarity Ed is proposing before we can consider the measurement proposal.

<npdoty> kj, would distinguishing individuals but not being linked back to a real person just fit with the definition of de-identified? that is, cannot be linked back to a user, user agent or device?

efelten: I need to know what "identify" means if I'm to implement.
... Second question, independent certification process? Why?

<rvaneijk> we need another word for pseudonymized, better is de-identified (ftc term)

kathyjoe: Build trust with users, especially if invisible. Main players right now could put together the basic platform, and others would be welcome to join. Need some sort of assessment whether orgs are applying the restrictions.

<npdoty> rvaneijk, do you think "pseudonymized" in the proposal would actually satisfy the "de-identified" definition? (if so, that would make things much easier)

peterswire: Points out that it says "a generally accepted org" not a specific one

efelten: [something] that actually match this text

<rvaneijk> no, on the contrary. pseudonymized is linkable, the Yellow state, for 53 weeks.

<BerinSzoka> feedback on the phone is REALLY bad

Sorry all, I can't hear

<johnsimpson> can't here

<Lmastria_DAA> 3rd party enforcement of self reg principles are a great idea and can bring about wonderful compliance...ask us about 19 public cases in 18 months

<Chris_IAB> can't hear as well

<johnsimpson> can't hear

<BerinSzoka> Folks, please mute yourself!

<jchester2> I hear it.

moneill2: Not sure this is well understood word in EU
... As I understand it, means something along the lines of unique identifiers

<rvaneijk> WP29 is working on guidelines for anonymization. (as previously announced)

dwainberg: Not directly to AM issue, but related. In reading your explanatory document, you focussed on distinction between DNTrack and DNTarget.
... Want to understand principle behind to crafting PUs here

<aleecia> +1 to David's question

<Chris_IAB> it's an excellent question-- thanks David

<jchester2> Thank you Yanni. Maybe you are paid by the word or citation!

peterswire: Broad question, but will answer in connection with AM. In that regard, Yianni has put a huge amount of work in this week [thank you!]

<eberkower> Yes, thank you, Yianni

<npdoty> "tracking" in the June draft (and in most of our iterations on that definition) refers to retention (or collection) as well as use

<rvaneijk> Thanks Yianni !

peterswire: In terms of AM PU, number of things different from general questions in base text
... I have thought that KathyJoe and her group have worked very hard to engage on them

<jchester2> +q

peterswire: AM text for today starts with a number of safeguards that have led me to believe that it was a PU that would help contextual advertising to happen on the internet.
... There's been language about contextual ads being ok in the draft for a long time
... Knowing who goes to different contexts has been consistent on that
... Targeted on the content rather than the individual
... AM that we have in front of us as a first step could be related to de-id definition

<dan_auerbach> I'm hesitant to get on the queue since I came late, but I'm genuinely confused about *why* audience measurement is needed as a permitted use, as opposed to being under the blanket of de-identification (or green)

<jchester2> This isn't about contextual advertising really Peter---this is about evolving multiplatform measurement built in to a user/network behavior.

peterswire: But certainly not raw, no need to re-engage on full de-id def
... Must not be shared unless de-id
... Roughly speaking in the 'green' category
... Must be deleted or de-id ASAP, 53 week limit
... Must not be used for other purpose, including profile or alter user experience
... Clearly eliminates targeting
... For data in this use
... In addition, someone other than the company involved in regularity and transparency

<WileyS> Prescriptive timeframe that works for one company/business model - not a good direction for a generally applicable standard that will be applied to many companies and business models.

peterswire: We've had this for six months, the group has engaged. Procedurally, we should be able to decide whether to put into the base text.

<aleecia> Dan, I believe we haven't had your question answered directly, though Ed asked generally how it fits with other permitted uses. That said, it does look like there are some areas of overlap and some that are not.

<fielding> dan_auerbach, your own text would forbid the collection of data via a persistent identifier unless it is covered by a permitted use

peterswire: All the general PU protections otherwise in the text.

<rvaneijk> For the minutes, a permitted use under DNT will NOT make it legally compliant in the EU. That is a separate thing.

peterswire: Folks who have been uncomfortable have reached a level of comfort.

dwainberg: So our principle is that no targeting is allowed, but collection is allowed with appropriate protections

<Lmastria_DAA> come talk to us about privacy protections, choice and transparency as well as use limitations, safeguards and adoption across US and EU

peterswire: "No targeting" may be interpreted incorrectly, but DNT changes the way that targeted ads are permitted.

<jchester2> there's noise on the line.

peterswire: [something] related to the unique id discussion
... Saying no targeting is not the intent here, I think

npdoty: Follow up on efelten . KathyJoe said that it would be valuable to have an oversight or certification org.
... Lots of members of the group have worked on that kind of thing. Not sure we need that in the text in particular.
... Would be great for AM orgs to do that, but is that necessary for the meaning of the signal?

<Lmastria_DAA> so, is w3c picking which business models it supports

<aleecia> (If it is required, we should wait for it to exist before we take up this issue)

<WileyS> So 3rd party audit is required per the DNT standard?

kathyjoe: Most of the companies within this area are part of another group. AM and research are trying to say we're not doing the same function. It's a different function and not well known.

<jmayer> I'm struggling to see how this proposed text remedies privacy risks. The "pseudonymized" approach is *identical* to the yellow state that the chairs just rejected.

kathyjoe: This is part of the necessary education, to make transparent to the user.
... That's why we put it in the normative text.

<rvaneijk> Kathy, if you tell people audience measurement is WEB ANALYTICS, everybody understands it

ninjamarnau: Still reluctant about AM PU. Don't see a reason to do AM on users which send DNT1 and not AM on de-id data or based on users' exceptional consent [is that right?]
... Let's not confuse de-id and pseudonymization

<npdoty> thanks for the response, Kathy, I have been thinking that transparency and trust is certainly valuable but that it's unlikely that users are going to read the full Compliance spec

ninjamarnau: Can be used to discriminate whether you know their name or not

<moneill2> +q

ninjamarnau: Measurement is 'unique visitors'. If you can't say you have unique visitors, you don't have a currency/business
... But how long do you need it?

<johnsimpson> Agree with Ninja

<jchester2> I agree with Ninja as well.

<Marc_> I am confused by Peter's statement today that saying "no targeting is not the intent here" when the document the co-chairs issued says "The June Draft...would turn off ad targeting..."

peterswire: Important piece of this is promise to start with opted in panels with full consent, but info for PU is used to calibrate the panels

<johnsimpson> Why can't you calibrate with users who don't have DNT:1?

<Lmastria_DAA> hmmmm...who has use limitations against adverse determinations? oh, yes. DAA

jchester2: Thanks for your work, all. This can't go to base text. It's not about contextual, you need to look at measurement in contemporary forms.

<moneill2> I agree with Ninja also, if you just need to detect unique visitors the identifier should last no longer than needed for that purpose

jchester2: Really about interactions of individuals with content in cross-platform way.

This group has made advances, but many questions left.

<jmayer> moneill2, why use an identifier at all if all you're doing is unique-ing visitors?

scribe: Panel users given inducements to give up their privacy
... I think we need another week, at the very least

<moneill2> jmayer, only if you need it. I agree it could be done in localStorage or something

<jmayer> moneill2, can you think of a time you would need it?

<johnsimpson> Suppose audience measurement is NOT adopted as a permitted use. What collection and retention activities would be prohibited that are necessary for audience measurement purposes?

<dan_auerbach> fielding -- apologies was writing an email -- why are unique identifiers needed for *all* users

<dan_auerbach> ?

<moneill2> jmayer, hours only

<dan_auerbach> elections can be predicted when only 1% of the vote comes in

aleecia: Echoing some point. Need more time with text to understand it. I am going to echo Nick, pointing to an external body that doesn't exist is a problem in a standards text, since this needs to be testable.
... That strikes me as non-normative text.
... This needs to live without the notion of something external that we can't control.

<aleecia> Must be pseudonymized before statistical analysis begins, such that unique key-coded data are

<aleecia> used to distinguish one individual from another without identifying them

<WileyS> Dan - depends on volume - election predictions are often wrong at lower volumes (and cause news groups to have to amend their predictions as more data comes in)

<jmayer> moneill2, why IDs at all? Why not use localStorage for short term, too?

<johnsimpson> Why if industry offers an opt-out, can't DNT be the opt out?

aleecia: Finally, on substance, text pasted - re-iterate long standing objection with replacing one random number with another random number.

<jchester2> +John

<moneill2> jmayer, yes that would be better

aleecia: That doesn't move the ball forward.

<dan_auerbach> +q

aleecia: We have talked about whether a headcount of users who have turned on DNT is reasonable.

<Chris_IAB> btw, would like to remind folks that we are working on a SPEC, not a standard-- standards established through widespread adoption

<fielding> dan_auerbach, you asked the question of why it is proposed as a permitted use instead of out of scope, and that is why. I don't have any insight into the need for calibration, but it has been explained sufficiently to make a decision and move on.

aleecia: This is a challenge to this PU, lots to get me comfortable with this PU
... This seems to violate proportionality
... On the other hand, understand that measurement is extremely important to business
... Want some way that we can do this better - open challenge. Is there a way to do this without measuring everyone who doesn't want to be, but allows business function?
... Want longer on this text.

peterswire: Reaction to org in non-norm?

kathyjoe: That's a reasonable comment.

<peterswire> please close the Q

<npdoty> efelten, would moving the auditing organization out of normative text help your concern?

<fielding> hah!

<aleecia> <grin> at Roy

kathyjoe: for AM research, to deliver quality of results, will be the people who haven't turned DNT on, for statistical reliability you can't
... That's what the headcount is used for
... We did discuss that with jchester2 on the phone

<efelten> npdoty, yes, my question was about why the spec would require it. I totally understand the rationale for having non-normative text on this.

kathyjoe: Whether it's used to change ads in flight - it's not

<dan_auerbach> fielding, if it has been sufficiently explained, shouldn't we be able to answer basic questions about why it's needed?

Yianni or susanisrael - can one of you take over?

<Yianni> Heather I can take over

<npdoty> scribenick: Yianni

<susanisrael> tx yianni. Let me know if you need me to relieve you.

<hwest> Thanks, Yianni! You get a virtual superhero cape.

Kathy: people receiving audience measurement just want to know how many people saw the content
... saying how many people saw it, or exposure of content, is something that is necessary for normal business online

<fielding> it has been explained -- it is needed to calibrate the panels. Whether that need is sufficient to justify the collection is a value judgement, not a question.

<aleecia> keeping a year to calibrate panels makes no sense to me

Kathy: so the retention period as well, someone is not going to go and demand audience measurement for print or something else
... there may be concerns about wording of pseudonymized, we welcome any improvements

<aleecia> this is why i'm fundamentally confused about what this tries to accomplish.

Kathy: we are not interested in a particular individual, no return path

Peter: going to q

jmayer: 2 questions. I understand calibrate. But I am less sure of validate and calculate

Peter: have Kathy respond in batch to all four questions

jmayer: 2nd question: this text is subject to separate textual provision of not using unique identifiers

<jchester2> Key question Jonathan raises re: June draft.

<susanisrael> jmayer, you are not following a person around the web, you are noting how many unique people visit a piece of content.

jmayer: when meshing the two texts together, giving privacy preserving approaches, this text in June draft would require a unique identifier?

<peterswire> sorry mike!!

<peterswire> mis-read the list

Auerbach: my question is about calibration, my understanding from sunnyvale, it was really not needed for calibration to have a unique id

<jmayer> susanisrael, the proposal would allow collecting a user's browsing history. That's what I mean by "following a person around the web."

Auerbach: people delete cookies commonly, and other techniques are used

moneill: I agree with Aleecia, you need a real good reason to allow
... I can see if it is a limited purpose, you could make a good case
... is the only reason to keep unique id is to detect unique visitors
... we could probably come up with a way to not keep a unique id for 53 weeks

<susanisrael> moneill, I believe that like financial and accounting uses, this facilitates the payment for content.

Fielding: I think we have discussed enough and can move to a decision
... no side will change with further discussion

<WileyS> How do you recommend determining uniques outside of an unique ID? Since # crunching occurs on the backend - at some point you need to pass something that defines uniques to the backend for aggregate reporting.

<WileyS> This is where client side storage (local store) fails

Fielding: the 53 weeks is not needed, data should be removed as soon as calibration occurs
... would be more on the order of 2 weeks, not 53 weeks

<npdoty> "Must be deleted or de-identified as early as possible after the purpose of collection is met" (53 weeks comes as a separate clause)

Fielding: what they consider a reasonable amount of time is not relevant for DNT:1 users

<jchester2> The 53 weeks is too long, and not needed for seasonal analysis for that duration.

<jmayer> To clarify, here are my two questions: 1) What do "validate" and "calculate" mean? Would they allow something like present web analytics? 2) How does this proposed text mesh with the text on limiting unique identifiers? If existing proposals for privacy-preserving audience measurement are inadequate, why?

Peter: Dan asked a question about we do not need that

<dan_auerbach> elections can be predicted with only 1% reporting

<vincent> jmayer, susanisrael couldn't we use a mechanism similar to what has been proposed for "frequency capping": hashing <UID, visited_URL> ?

<jmayer> WileyS, this is technically trivial.

Peter: if DNT:1 is a low percent that is one kind of validation, if DNT:1 is 98% that could really pose a problem
... jmayer second question, fit with no unique identifiers

<jmayer> +q

Peter: have not spent time thinking about unique id for certain sorts of things, for counting unique visitors, I do not know how to count without some uniqueness

<jmayer> Then I would appreciate an opportunity to explain to the group, Peter.

<jchester2> Peter: It's clear that additional clarity is required.

<dan_auerbach> I think statistically, even if DNT percentage gets very high, it is still possible to do accurate calibration without unique ids

<aleecia> Roy -- If we are to adopt this, I would favor the general "only as long as needed for the task" with non-normative language of 2 weeks or fewer expected, and a requirement to disclose retention over 2 weeks with why it's needed. -- does this sound reasonable to you?

<Chris_IAB> Peter, some of our members are already seeing 20-50% DNT

Peter: questions to Kathy, what does validate and calibrate mean, pseudonymized, 2 weeks vs. 53 weeks

<Chris_IAB> that train has left the station with default on DNT

Kathy: I think we have explained the process of opted in panels being a small percentage of users

<fielding> aleecia, yes, but I have no background in MR (and no implementations to check)

Kathy: we need to see if it is a representative sample

<jmayer> There are two privacy-preserving approaches that have been proposed. 1) Statistical inference from non-DNT users. 2) Privacy-preserving audience measurement (e.g. reporting unique views, but not a unique ID).

Kathy: that is what validate and calculate is about

<WileyS> Jonathan - we've had that conversation - it's not trivial once you factor in the complexity of multiple reporting views. For example, a single identifier may be sliced hundreds of different ways so each of these would need to be represented on the client side for accurate outcomes.

Kathy: question, why cannot we do it like we do on tv? Problem is an infinite number of sites, hard to measure the long-tail
... if we didn't have audience measurement, we would only buy things from the largest site as far as media

Peter: I think we have talked about pseudonymized, what about Roy's question about 2 weeks

Kathy: we said you should not exceed, in some cases much shorter
... if a seasonal campaign, need to measure from one Thanksgiving to another

<fielding> again, this is only for calibration of the panel -- the panel data itself is kept longer.

Kathy: cannot see if it is more or less from one Thanksgiving to another

<jchester2> The information on next season's holiday online planning is already available. It's been pitched for the last 1-2 months at least.

<jmayer> WileyS, that's a conversation to take up on advertising reporting. That's not what's proposed here on audience measurement, so we need not address it.

Kathy: need to confirm that statistically it is sound, not the majority of campaign, need that for maximum period to be able to sell media

<johnsimpson> Is the permitted use only to calibrate panels?

<jmayer> If this is the intent of "validate" and "calculate", then we should write it. The present text is remarkably ambiguous.

<aleecia> Roy well noted, and yes, you are closer to it than I am. I'm trying to figure out how we can signal "as long as you need does not mean seven years" while addressing Shane's points on problems with inflexible hard stops for retention. I'm looking for some sort of flexibility for unforeseen, while not ending with David Singer's point that "research" starts to sound like ships doing "research" on whaling…

Peter: next procedurally is the following, I'm going to do two rounds of requests for information
... +1 means you want this permitted uses, -1 you prefer not to have it

<jmayer> Peter, could you please repeat this? Some static on the line.

<jchester2> Peter: There has been a request for members of the group to discuss this among ourselves and come back with questions. Why are you rushing this?

Peter: the second: separate poll if you oppose to the point that you cannot live with the text

<WileyS> Jonathan - there are different forms of Market Research than the singular one being discussed - the approach I've discussed is needed for many other models outside of this one.

<aleecia> can we not improve the text?

<efelten> Is the choice whether to accept a permitted use of this general type, or whether to adopt the specific proposed text as working text?

<jmayer> WileyS, we're talking about audience measurement here, not market research.

<WileyS> Jonathan - same thing for the most part

<peterswire> first round question: +1 or -1 on whether your view, all things considered, is to have this proposal put into base text

Peter: just to be clear: First round question +1 or -1 is whether your view all things considered is to have this proposal put into base text

<peterswire> second: "can't live with it" -- objection to consensus at that level

Peter: Second round if there is a bunch of support for it, whether you cannot live with it, objection to consensus at that level
... any questions about what I am asking

<peterswire> +1 put it into base text

<Chris_IAB> what is "it"?

Peter: +1 put it into base text

<aleecia> and this is for *this specific text*

<peterswire> -1 don't put it into base text

Peter: -1 don't put it into base text

<efelten> Chris_IAB, I think "it" is the proposed text.

<susanisrael> chris_iab, "it" is the am permitted use text

<peterswire> this specific text

<jmayer> WileyS, nope. Market research was moved into de-identified data.

Peter: that is this specific text today

<jchester2> Peter--this is a very flawed poll. It doesn't reflect the facts. I am disappointed in your resistance to gathering information for next week's call, when it's clear there is so much misunderstanding still--inc. from the chair.

<eberkower> +1

<susanisrael> +1

<rvaneijk> -1

<Richard_comScore> +1

<hefferjr> +1

<kj> +

<dan_auerbach> -1

Peter: I am now asking to put in your vote

<johnsimpson> -1

<aleecia> -1

<hober> -1

<jmayer> -1

<jchester2> -1

<WileyS> +1 (if we support friendly amendments)

<moneill2> -1

<Ari> +1

<Chris_IAB> +1

<Chapell> -1

<robsherman> +1 (potentially with text tweaks)

<aleecia> Shane, it's just the text as it is :-(

<AdamP> +1

<dwainber_> -1

<ninjamarnau> -1

<vinay> +1 (with some tweaks)

<WileyS> Aleecia - I don't believe that is correct

<kulick> +1 (open for tweaks)

<susanisrael> wileys, I imagine friendly amendment would be accepted. Kathy has demonstrated openness to that

<WileyS> I believe some tweaking is still allowed

<aleecia> Ed asked, Peter answered

<jchester2> Peter--you need to weigh the results. The EU and privacy groups have weighed in against.

<WileyS> I didn't catch that then

<jmayer> Peter, could you please clarify whether amendments are allowed?

<ChrisPedigoOPA> +1

<peterswire> will there be friendly amendments allowed?

<peterswire> call for objections

Peter: would there be friendly amendments allowed? I see people say this is important to their view
... we are now going to move to a call for objections on this

<peterswire> time to submit friendly or perfecting amendments

<fielding> note that the question was whether to include the text in the base document, not whether the issue is closed

<jmayer> Peter, what would be a "friendly" amendment? Shane, for example, would like this to include market research.

<aleecia> looks like about 14 + and 10 -, so yes, that's a split

<dan_auerbach> um, there are more -1s than +1s as I see it

<johnsimpson> Does this just allow audience calibration or other things as well?

Peter: time to submit friendly amendments, the friendly amendment will be due this Friday at 5pm Pacific

<peterswire> friendly amendments friday 5 p.m. pacific

<fielding> it is not a vote

<efelten> Still some uncertainty about what this text means.

<dan_auerbach> maybe we should be asking if there are objections to getting rid of the text, given the outcome of the first vote

<WileyS> Jonathan - I have a few text edits I would suggest would better represent a broader application of what is being sought. What you call "it" is secondary to me.

<peterswire> write objections, with a poll, date for that will be determined after today's call

<jchester2> Peter--that is too short a time. NGOs certainly have a lot of work to do. You are rushing this through without due process on the issue.

Peter: then comments will be due, time to write objections, the date will be determined after today's call

<dan_auerbach> ah ok i suppose I miscounted

<jmayer> What happened to the second round of +1/-1?

Peter: we clearly have a spread of views with strong support and clear opposition, and some desire for friendly amendments
... thank you Kathy for the work your group has done

<aleecia> lol, so did i. but it's close to an even split, and as Roy points out, it's not a vote

Peter: looking at the agenda, the next item is security and fraud detection

Security and Fraud

<efelten> Wait, is there a decision?

Peter: there are 3 change proposals up on the list
... the first is a proposal from Chris Mejia

<aleecia> it would be good to scribe what comes next

<npdoty> efelten, Peter is asking for friendly amendments by Friday, to prepare for a call for objections

Peter: this was discussed last week, but Chris was out

<rvaneijk> I counted 12+, 11-

<aleecia> thank you, Nick

<efelten> ok, thanks

<Chapell> I believe the decision is that we'll have a round of objections similar to what we did last week and the chairs will ultimately decide whether this moves forward

Peter: the name of the other proposal as the DAA proposal, so we are not going to say that any more, maybe the advertising industry proposal or something like that

<rachel_n_thomas> Peter, it was an industry consensus proposal, so that would be a good term to use.

Peter: Chris do you want us to look at your proposal, or should we move on

<jmayer> Chapell, didn't Peter say earlier in the call that he is comfortable with the audience measurement text?

<Chapell> However, the process is not super clear - Peter may clarify down the road

Chris: sorry you caught me by surprise, I am not ready to comment

Peter: we are not going to do anything new on that, I should have emailed you before
... John Simpson has a text on graduated response

<Chapell> Jmayer, if so, then that may lean towards a favorable outcome for this as a permitted use

Peter: 2nd paragraph on graduated response, would it make sense for non-normative text

<fielding> www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security

John Simpson: I grabbed this text from something Roy had earlier drafted

scribe: captured the notion of graduated response, as I thought was important

<jchester2> John S is breaking up somewhat.

<jmayer> Chapell, yes, exactly. That seems problematic for the legitimacy of the chair decision making procedure—the chair leading this issue has telegraphed his views.

scribe: In the first paragraph, did not catch up with Peter's email, I do think second paragraph could go as non-normative language

<fielding> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security#WD-style_text_.2B_Graduated_Response

Peter: relatively small differences in text from John and Roy, are you in a position, either John or Roy.
... John do you have comments on differences between editors draft and the first paragraph

<Chapell> jmayer, as I've raised on the mailing list, it seems odd to me that the recent decision was referred to as a working group decision when it was clearly the decision of the chairs

John Simpson: I believe the editors draft did not use deceptive

<npdoty> June draft had "proportionate" and didn't include "deceptive", were the other differences

scribe: I am comfortable with that, it does not need to be deceptive
... key is that I want to introduce the concept of graduated response

<peterswire> comment on john's language to add non-normative text

Peter: looking for comments on adding non-normative text on graduated response

jmayer: I'm trying to understand why this would be non-normative as opposed to normative. Why would we not say, when feasible you should use a graduated response

Peter: my own reading, a listing of examples is the sort of things that go into non-normative text

<npdoty> I think the "Data Minimization" section would already cover the minimization requirement

Peter: we are already in may world, the bindingness of normative text would not appear to apply, there is not a must

<npdoty> ... "graduated response" would be an explanation for this permitted use

jmayer: you can provide conditions on a may, when it is feasible you do graduated response

Aleecia: you can put qualifiers on a may, could have one line, if you do this, you have to follow notion of graduated response

<jmayer> For example, we might move the first sentence of the second paragraph up to the first paragraph.

Aleecia: the new text does look like an example
... from drafting, one line of normative, and the rest would go to non-normative

John Simpson: looking at text again, I think the idea of graduated response needs to be conveyed in a normative way

scribe: what Aleecia just said, when feasible, that should become normative, and the example would be non-normative. Comfortable with that.

Roy: it is definitely non-normative right now, trying to draft text of a reasonable middle ground

<peterswire> close q

Roy: I do not believe it is possible to define graduated response, as an opt out of security
... I think it is already covered by what is necessary for security

doty: maybe there is not much of a disagreement

<Chris_IAB> agree that if graduated response is in, it stay as non-normative (but I'm not a fan of the graduated response text)

doty: general principle limited to data for reasonably necessary
... sometimes for security, a graduated response may be all that is necessary
... I think it is fine to be non-normative, still have normative language of reasonably necessary

Roy: this was in Ian's description

<aleecia> as i recall Ian's text was pretty solid, but it's been a while

Roy: might want to perfect definition of graduated response

<npdoty> ACTION: doty to add definition from Ian about graduated response to appropriate change proposal [recorded in http://www.w3.org/2013/07/17-dnt-minutes.html#action01]

<trackbot> Created ACTION-426 - Add definition from Ian about graduated response to appropriate change proposal [on Nick Doty - due 2013-07-24].

Peter: this is an issue that has come up in various ways in Sunnyvale and previous times

<WileyS> I thought I had already demonstrated in Sunnyvale how a graduated response doesn't work well in the Security world (especially with respect to unique IDs)

Peter: Let's go ahead and do a vote

<fielding> WileyS, correct, which is why it says "When feasible, "

<npdoty> WileyS, there may be some security situations where graduated response isn't effective and some where it is

<jmayer> WileyS, I'm not sure what you mean. We invited a security expert, and he told us that unique IDs aren't needed.

<WileyS> Ed, okay

Peter: way I understood this, is the second paragraph was non-normative text, and Roy and Simpson had similar directions

<WileyS> Jonathan - I demonstrated to both the "expert" and the group that it wasn't.

Peter: first thing we have before us: whether to add non-normative text along the lines of john simpson language

<WileyS> Jonathan - we have many security "experts" at Yahoo

<fielding> the text where it says "(see <defn>)" is intended to be a cross-ref to the definition of graduated response supplied by Ian Fette

Peter: second thing, from jonathan and aleecia, want a sentence that adds graduated response to normative text

<aleecia> to be clear: i prefer a normative addition, but if needed can live with non-normative

<Marc_> Are we ending at 1:30 pm?

Peter: I think it is a yes, no to jonathan and aleecia, would you want to add normative text?

<npdoty> jmayer, aleecia -- would you be comfortable, as I suggested, with the normative minimization requirement (and not add a separate normative sentence on graduated response)?

Aleecia: imagining one sentence

<npdoty> ... could live with non-normative

<Chapell> Is there going to be a discussion on the chair's decision that came down on Tuesday? If not on today's call, when?

<WileyS> +1 to Alan - that's critical for conversation ASAP

jmayer: I prefer Lee's text to John's text, what are we going to do with Chris' text which is another direction

<aleecia> +1 to Alan and Shane

Peter: graduated response is separate from other security issues

<Marc_> +1 to Aleecia

<peterswire> lack of consensus on adding normative text

<aleecia> though with 8 minutes left, presumably we need more than today

Peter: we are going to ask for proposals for normative text from Aleecia or jonathan or others

<Chapell> Aleecia, I agree - 8 min is not enough. I'm asking for that to be added to next week's agenda.

Peter: we are going to ask for it to be in spirit of change proposals before it. Short addition of normative text

<jmayer> My proposal: move the first sentence of the second paragraph up to the first paragraph. Done.

<WileyS> Agreed - we can't add 30 mins to today with a bit more heads-up. Many of us have day jobs :-)

Peter: let me ask, reaction from broader group of non-normative text. Will probably have a call for objections for adding a graduated response

<rvaneijk> Alan, Shane, we need to talk about NoGo as well today

Peter: what are the views of having non-normative text

<WileyS> Rob - not enough time - should have started with that conversation

<peterswire> +1 add non normative text, subject to perfecting language

Peter: +1 add non-normative text subject to perfecting language, such as Roy's

<johnsimpson> Clarifying question?

<jmayer> A clarifying question: what do participants think the difference between normative and non-normative text would be?

<Chapell> rvaneijk, sorry, what do you mean re: NoGo

Peter: -1 would be do not add non-normative text about graduated response

<peterswire> -1 do not add non-normative text about graduated response

<aleecia> actually, i can see holding a normal call right now as people calm down and absorb the decision. but agree we need to talk it through, soon.

Peter: we have john's language on change proposal, question is to add or not non-normative text

<npdoty> +1

<hefferjr> +1

<aleecia> +1

<moneill2> +1

<rvaneijk> Chapell, controlled shutdown

<ninjamarnau> +1 (with option for normative text)

<Chapell> rvaneijk, ahhh, thanks

John Simpson: are we considering the whole text as non-normative?

<jmayer> rvaneijk, could you explain what you mean?

<jmayer> +1

<jchester2> +1 (need to make it normative)

<rvaneijk> +1

Peter: +1 add text subject to polishing, -1 would be to not have in non-normative text

<dan_auerbach> +1

<rvaneijk> jmayer, we need to talk about how the group is to proceed, next week is self imposed deadline

Peter: taking language in John's change proposal, +1 you are in favor of adding text to non-normative text.

<johnsimpson> +1

Peter: have not seen any -1 yet

<jmayer> rvaneijk, what would you need to see for the group to proceed?

<fielding> +1, but the first paragraph is a normative change proposal

Peter: we are almost at time
... I do not see objections to non-normative text, that will be part of the base text

<rvaneijk> objection procedure

Peter: will take up more on the list

<npdoty> Topic: Wrap-up

Peter: I am going to briefly say where we are
... first thing, W3C staff, Matthias, and I need to talk more

<aleecia> to make sure we get that scribed: DECISION is to add John's non-normative text to the draft. presumably an action item against an editor is appropriate?

Peter: in ideal world, we would have done, but we have been busy
... we will set down order of additional change proposals, path for additional change proposals, there is not a way to get to last call by the end of July
... next Wednesday, we will have a discussion about where we are and next steps
... we will provide more details on that

<npdoty> ACTION: brookman to add non-normative text on graduated response [recorded in http://www.w3.org/2013/07/17-dnt-minutes.html#action02]

<trackbot> Created ACTION-427 - Add non-normative text on graduated response [on Justin Brookman - due 2013-07-24].

<aleecia> fair enough.

Peter: there will be follow emails to list on all of those things
... emails to follow up on security point

<aleecia> (thanks Nick)

Peter: that will be the end of the call today

<Chapell> Peter, that sounds good re: next steps. I encourage you to have an open discussion on the chair's decision last week

Summary of Action Items

[NEW] ACTION: brookman to add non-normative text on graduated response [recorded in http://www.w3.org/2013/07/17-dnt-minutes.html#action02]
[NEW] ACTION: doty to add definition from Ian about graduated response to appropriate change proposal [recorded in http://www.w3.org/2013/07/17-dnt-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2013/07/17 17:28:59 $
