W3C

- DRAFT -

Tracking Protection Working Group Teleconference

23 Oct 2013

See also: IRC log

Attendees

Present
+1.646.654.aaaa, eberkower, +1.646.827.aabb, dwainberg, Wendy, npdoty, MECallahan, Thomas_Schauf, WaltMichel, Peder_Magee, SusanIsrael, Carl_Cargill, dsinger, justin, GShand, Jeff, schunter, gshans, Joanne, Fielding, Jack_Hobaugh, vinay, Chapell, Adamp, sidstamm, Chris_IAB, moneill2, LeeTien, hefferjr, Bryan_Sullivan, ChrisPedigoOPA, hwest, [Microsoft], kulick, WileyS, adrianba, Brooks, BerinSzoka, +1.203.563.aacc, Amy_Colando, MattHayes
Regrets
johnsimpson, ninja, walter
Chair
schunter, justin, CarlCargill
Scribe
Joanne, GSHans

Contents


<trackbot> Date: 23 October 2013

<npdoty> trackbot, start meeting

<trackbot> Meeting: Tracking Protection Working Group Teleconference

<trackbot> Date: 23 October 2013

<eberkower> np for once I am getting an early start :-)

<npdoty> volunteers to scribe?

<Chris_IAB> just joined

<justin> Agenda for the call: http://lists.w3.org/Archives/Public/public-tracking/2013Oct/0300.html

<justin> No.

<eberkower> I cannot.

<eberkower> I have carpal tunnel wrist bands on

<justin> Alan is not on IRC.

<npdoty> scribenick: Joanne

<justin> zakin, who is on the phone?

Schunter - five agenda items, update on plan by Justin, inpurt from others, processing issues to stay on plan

Justin: constructive feedback on how group should move forward based on polling results. Options 3&4 had most support. some support for option 3.5 - some thing in compliance that need to be defined (e.g. def of tracking, parties)
... charis working to come up with best path forward. can't please everyone but come up with path that represents most views
... appreciate feedback and want to be responsive
... try to close down issues to move forward. still figure to structure plan going forward. move to Carl

<justin> Or questions about what I just said!

Carl: looking for additional feedback. last week was helpful though disconcerting(sp)
... same rules as last week - positive statements to help move forward. 3 mins for people to speak
... for those that did not speak last week. takers???
... completed agenda item in record time

Issue-5

Justin: Next Issue 5

<schunter1> http://www.w3.org/2011/tracking-protection/track/issues/5

<schunter1> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Definition

<dsinger> (recently, it was more like a tennis match between Roy and myself!)

Matthias: last week started with agressive timeline. people submitted definitions and which draw least objections. Convergence is starting - hope for consensus soon.

David: tennis match report. :)

<fielding> http://lists.w3.org/Archives/Public/public-tracking/2013Oct/0287.html

David: Roy did provide some links. Not quite understanding each other. Asking for others to pitch in to help get head around the points being made

<Zakim> dsinger, you wanted to point out that Roy replied to that...

Roy: looking for definition to cover what user wants to turn off

<dsinger> Roy, we addressed that ages ago when we explicitly said that first parties are allowed to track

Roy: users don't expect sites to stop working when DNT is on. Wants definition to reflect what users are looking for with DNT off

<moneill2> +q

Roy: that's my goal but need more input from others in WG

<npdoty> I think our wiki doesn't have Roy's shorter version, (which I also haven't been following closely)

<Chris_IAB> I support Roy's premise

Carl: need more input in order to move towards consensus

<bryan> I agree that tracking not include things that are necessary for personalization especially on 1st parties or content that the user assumes is part of the 1st party experience e.g. socnet widgets.

<fielding> Tracking is the observation of a particular user's browsing activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.

Matthais: pushed out call for objections. Would prefer consensus

<Chris_IAB> are there clear versions of each that can be posted here?

<Chris_IAB> clean versions, sorry

David: wouldl like non-normative text associated with definition like option 4 so non-technical people can weigh in

<schunter1> Mike ONeill proposes Roy's new text + Rob's non-normative explanation.

<wseltzer> bryan, how do we learn users' assumptions about widgets?

Roy: Rob's text is oppostie of Roy's text. Intro will need to explain whole concept.

<susanisrael> I like Roy's approach and I agree that Rob's non-normative text does not align with that.

<vinay> Rob's non-normative text doesn't account for the multiple distinct contexts. Rob's non-normative text suggests that 1st party analytics/optimization is within scope of tracking.

<vinay> I can't support Rob's non-normative text

Matthias: Roy's proposed text has some traction in the goup.

<susanisrael> if you want non-normative text to amplify Roy's definition, we should offer on the list non-normative text that is consistent with Roy's proposed definition

Jack: some folks sitting on sidelines waiting to see what direction we're going in. Need more discussion across all the options

<bryan> To make it "user comprehensible", we need to explain what "the context in which it occurred" means, e.g. if the user is using a site that includes socnet widgets and the overall experience is part of what the user would assume to be "the context", then sharing across those parties is allowed.

Jack: good discussion between Roy and David. Some people have stop participating on public list and need more robust discussion

Justin: this is that discussion. any way we go forward will require the tracking definition
... if alternative you want to propose - now is the time

<kulick> Just to be clear, which of Roy's proposal are we talking about? There are two listed, proposal (1) and proposal (5), at http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Definition.

Jack: alternatives have been proposed. Example Alan has proposed an option

<susanisrael> i was talking about proposal (5), which i understood to be the basis for this discussion. Fielding, was that wrong?

Justin: wants to include Alan's proposal in the discussion. Now is a good time to discuss Alan's option

<justin> It hasn't.

<Brooks> I don't see Alan's proposal

<wseltzer> bryan, would you then suggest that the socnet widgets maintain distinct contexts for each site on which they interact?

<kulick> susan, i thought (5) as well, but after some of the discussion I thought there might be some ambiguity

<npdoty> fielding, would we need new definitions for "observation" "browsing activity" "contexts" ?

Alan: not sure if my proposal has made the Wiki
... privacy perspecitive some the distinctions around ownership/contract are abritary (sp)

<susanisrael> kulick, I thought roy respoded that it was (5)

<justin> http://lists.w3.org/Archives/Public/public-tracking/2013Oct/0301.html

<kulick> susan, okay thx

<fielding> We are not going to stop just because people have not commented on the public discussion. If it were a private discussion, Jack would have a valid point, but the folks who have not expressed a specific objection are rightly assumed to not have a strong objection (one way or another) until they do respond.

Alan: I need to jump in less than 5 but seems proposed definition didn't make the table

<susanisrael> fielding, were you now discussing proposal (5)

Matthias: look at Roy's definition and provide input on how to improve to meet your requirements. One proposal - lets work on improving that

<fielding> npdoty, we need a definition of context, could use one for browsing activity, but observing is just English

Alan: I did that. Started with Roy's definition and added a couple of things

<bryan> wendy, I think that may be an implication, unless the cross-site presentation of data (e.g. by the socnet widget as used in other 1st parties) is a wanted feature that the user knows about

<wseltzer> bryan, thanks, that's helpful

<fielding> Alan's proposal is a definition of context

Nick: want to talk to Alan today around addressing tracking, party

<justin> fielding, right.

Matthais: doesn't want party redefined in 3-4 palces

Alan: tracking definition heavily weighed towards third parties

<dwainberg> To be clear, this is Roy's proposed definition that we're discussing, right?

<dwainberg> Tracking is the observation of a particular user's browsing activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.

<Thomas_Schauf> sorry, mute myself

Nick: Suggest Alan's text is about context towards Roy's version 1 (hopefully I got that right)

<npdoty> I suggest that we add Alan's proposal as related to proposal 1 (Roy's related to contexts)

<npdoty> fielding, would you be supportive of Alan's change? if so, perhaps we can consolidate more

<justin> Not sure we need to say that visiting a site is implied consent to track . . .

<susanisrael> npdoty, i thought we were discussing roy's proposal (5) as an update to (1). Fielding is that correct?

David: whether you think first parties remembering things about you is tracking. there are limits on what first parties can do with the data. don't think we can include all inclusions, expcetions in the defintion of tracking

<susanisrael> Justin, I agree, I think that overcomplicates it rather than simplifying it.

<fielding> npdoty, no, I don't consider Alan's definition of context to be consistent with regulatory notions expressed by WH and EU

David: 2 concerns with Roy's defintion. Not sure what multiple contexts are. Need to explore what is not tracking based upon what is not remmbered about a particular users

<fielding> susanisrael, we are currently discussing the simplified version we discussed in email … I should update the wiki

<susanisrael> fielding, thanks. I think that's proposal (5) rather than proposal (1).

<fielding> no, (1) simpler

<dsinger> specifically, I want to explore what personal data is not 'tracking'

Matthias: how do we move forward? what I see - not sure we can reach consensus the easy way. agress with David in the need to define the words. call for obections with the 8 definitions

<dsinger> I think getting thoughtful comments on a few, from everyone, would be helpful

<dsinger> No more than one from each author?

<justin> I think there is a way to accord fielding's and chapell's. But I don't think that fielding's and dsinger's are reconciliable.

<bryan> can we get a poll (actual user poll is preferred) on the understandability of the definitions?

Carl: still gives us 7-8 definitions. Can we condense down to a couple to choose from

<fielding> yes

DAvid: I can reduce mine. Thinks Roy can do the same.

<npdoty> is there any major difference between (3) and (4)? dsinger and rvaneijk

<bryan> if we hope to achieve "comprehensibility to anyone that uses the web" as I think we should, we need actual user feedback on the definitions

<npdoty> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Definition#Proposal_.283.29:_No_change_from_text_in_02_October_2013_ED

David W: some support for Roy's direction. there are a couple dependencies where the group is waiting to see what direction the group heads in.

<Chris_IAB> Agree with David W., we are currently in "no man's land"

scribe: my proposal is we hold with Roy's as a leading contender. discuss other concepts to see how they shake out then come back to tracking

<ChrisPedigoOPA> +q

<dsinger> would like to point out that once we say something is not 'tracking', it appears to be no longer our concern

<Chris_IAB> q please

<npdoty> I don't think anyone is suggesting that "tracking" must be defined in such a way that every permitted use has to be described entirely, right?

<bryan> Justin, the problem is that there is no single "user" and no single perception of "tracking" across all users

Justin: storngly disagrees there are dependcies here. some folks indicate this is what the group should have done in the beginning. we are going to define tracking and close out this issue

<schunter1> Proposal: Add non-normative language saying something like "while this definition aims to define tracking rather broadly, certain forms of tracking that this definition includes may later be declared permissible in the subsequent sections of this document." (or so)

<fielding> The definition of tracking determines the semantics expressed by the protocol, which HTTP says is half the protocol.

<justin> We've been discussing this language for a month.

Chris IAB: agree with David W. good point around defining tracking up front. why rush to close this out so quickly. context does apply.

<justin> And by "a month," I mean three years :)

Matthias: wants to stick to the plan. Sees David W's concern.

<dsinger> I agree with Matthias (see proposal 7)

<npdoty> I think we have had a couple of discussions on this topic over the past couple years :)

David W: rather than going to a vote. Put this definition up as a placeholder so we can move on to other things and come back to it.

<Chris_IAB> this definition is THE most import dependancy

Justin: closing out dependencies is always open issue and we are ware that things may chnage as we move forward

<Chris_IAB> Justin, it does need to get resolved, but resolved well-- let's not rush the process just to rush the process-- let's do the work well

Matthias: close this issue, then if we get new info we need to reopen

<susanisrael> I think it is possible to reference the fact that there are permitted uses for which "tracking" is allowed even though they would otherwise fall within the scope of the definition of tracking.

<Brooks> Is consensus required here? Or can we have least strong objection to 7 proposal take the day?

Matthias: can't keep all issues open indefinitely.

<npdoty> Peter had previously used a "pending review stable" status, but it's also true that we can re-open closed issues as need be

<Chris_IAB> why is it that the poll result/direction can be kept open indefinitely, but we have to rush to close tracking today???

<Chris_IAB> let's pick a direction for the working group, and then move forward on solid footing

<susanisrael> * wseltzer, agree that a strawman is progress

Carl: agrees with fellow charis. This has bane of the existance of the group - no definitoon of tracking. I think we should have a smaller number of options - 1, 2, or 3. Hear from Roy and David on their proposals

<justin> Chris_IAB, I'm just saying there is no way to describe this process as rushing!

<schunter1> Next week, I would like to identify a single (strong) candidate for consensus or else have a smaller number that will be used in a call for objections.

<Chris_IAB> justin, disagree

Carl: can we work for five more minutes to work on closing the item

<npdoty> dsinger, I think wiki proposals 3, 4 and 7 are all closely related

<dsinger> I don't agree with the "multiple sites" because I don't know what it means for an individual collector

Chris P: I agree with tow points that have been made. Need definition that is not overly technical. We are trying to address tracking in multiple contexts.

scribe: value in Roy's approach in defining what we are trying to stop. Think we can narrow down to 2-3 options. Footnote for the excpetions of certain types of tracking

<WileyS> David, it appears most agree with the multi-site context. Where are we losing you from an "individual collector" perspective? This is about context. If its a single collector and they collect/use in the same context, then I don't see the issue.

David: spend next few days condensing definitions down to 2-3. then be in shape to go to objections. hope ot get consensus.

<justin> I think we can iron this out over the next couple of days --- at least getting the options out there.

<WileyS> David, that's fine - let's move to least objection as it appears most are on the side of Roy's definition.

<kulick> I agree

<moneill2> +1

<Chris_IAB> not agreeing without having more discussion, is potentially a disaster-- kicking the can down the road won't solve the problem folks

<dsinger> To WileyS: if ad sites and analytics sites can remember everything that *they* see in *their* context about me, what exactly (if anything) has been turned off?

<npdoty> I see: 1) Roy w/ contexts; 2) no definition; 3) retention of non-de-identified; 5) retention of non-de-identified from multiple parties

Matthais: do we agree on some non-normative lang that we define this broadly and clearly say why it is broad and some forms of tracking are permitted

<bryan> I think it's important that a notion of context (as perceived by the user) be a facet of the definition, and not just an an adjunct defined by the TCS spec

<WileyS> David - in a service provider role? Or each site is siloed into its own bucket (similar to a service provider outcome)? In either case, the data is not being co-mingled across contexts.

<kulick> how many docs can be partially read to have full understanding, though

<npdoty> implementers will need to read more than a sentence to correctly implement in any case, I think

Chris P: does not support broad definition of tracking. doesn't help someone who is trying to comply. narrow definition tells implementer what we are trying to solve for

<fielding> It is critical, IMO, that the user is not misled when they ask for DNT and we say that we will honor that request.

<WileyS> Agree to who just spoke - an over broad definition of tracking will cause us significant issues downstream

Matthias: permitted uses should not be part of definition.

<justin> schunter, now THIS is a dependency, let's address subsequently.

<kulick> we cannot get around some normative text to explain

<Chris_IAB> justin, when will W3C issue their final decision on the poll? Why is that decision still dragging, three calls later? how about we get that cleaned up, so people can participate in a known context?

Chris P: we generally agree we are trying to put some restrictions around tracking acrosss multippel unrelated sites

<dsinger> no, we do NOT have consensus

<susanisrael> schunter, why can't definition reference that there are permitted uses

<bryan> "relation" as in "multiple unrelated sites" is a user perception, and not universal

Justin: this isi the dispute between Daviid and Roy

<fielding> which is clearly covered by my definition

David: fundamental question arund third party collecting data about me acrosss multiple sites in its own context

<justin> agree with fielding, that is covered by the definition.

David: multile sites need context is we are going to use it

<WileyS> As long as it can't link the experiences what is the harm? This is no different than a service provider outcome. The user appears as different users in each context.

<fielding> we are only defining what is TRACKING here, not what people are allowed to do

<moneill2> e.g. referer header

David: should be careful of an overly restricted definition

<npdoty> dsinger, would you accept something like (5) which says collection of data across multiple parties?

<susanisrael> fielding are you talking about the issue of referencing the fact that there are nonetheless permitted uses? (then explain what they are elsewhere)

Chris P: what is we had footnote around permitted uses section

David: Option 7 addresses this

<npdoty> +1 to ChrisPedigoOPA, in any case, we should advise implementers to read relevant sections of the spec

<fielding> Yes, if someone wants to add a requirement that has nothing to do with tracking, then I will not implement it -- that should be clear as well.

<scribe fingers are getting tired>

<GSHans> I can take over.

<justin> scribenick: GSHans

<fielding> what "user"?

<Zakim> dsinger, you wanted to respond to Chris

Dsinger: Have asked what 3d party sites are allowed to collect. Fundamental point we need to understand.

Schunter: Empty the list, then move on to next issue.

Bryan: It's important that user perception of this def be pretty solid. There is no single user or perception or relation or context. We have to do the best we can & make sure that every def is tried outside the bubble. Context will be a key aspect. On a social network, might perceive that whatever you do will be shared via widgets.

<npdoty> bryan, I think the question of user education is separate, for what it's worth; we don't have to educate users purely by asking them to read our spec

<dsinger> no, "there are restrictions on sharing"

<justin> dsinger, I think dwainberg is talking about use here.

dwainberg: 1) DSinger's concerns go to the def of context. 2) In DSinger's text for prop 7, implies that first party can use outside of first party context. Possibly not what he means to say, so need to discuss context. Not so much about parties. Parties can make things confusing.

<JackHobaugh> One thing is apparent in this discussion: many of these terms are related and it is difficult to use undefined terms, such as "First Party" in the forming of another definition. All definitions need to be addressed simultaneously and in an iterative approach.

<dsinger> ok, can work with the word context for sure

<bryan> nick, if we are depending upon definitions that users can understand (which we should), we need to validate those definitions with actual users - otherwise who are we serving here?

<npdoty> dwainberg might be suggesting a rewording of (7) among other things

Schunter: On list, having examples of what same v. diff context will be helpful.
... next issue is issue 10.

<justin> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Party_Definitions

<dsinger> justin, I think use outside my 'context' is nessarily sharing, isn't it?

<npdoty> bryan, I really like the idea of validating definitions with users and testing any education we propose

Carl: Anyone who has a strong objection should interject before we close.

<justin> disnger, I don't think that's right. I think dwainberg is worried about first parties using their own data in a third-party context.

<dsinger> to Justin, OK, got that

<justin> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Party_Definitions

<dsinger> agree I would much prefer true understanding and consensus

Brooks: When you have seven defs and what you want is consensus, strong objections doesn't get you to consensus.

<bryan> wendy, I think we should attempt both implementer and user understanding. i think implementers will be inherently able to understand user-understandable definitions.

<JackHobaugh> +1 to Brooks point

issue-10 party

<npdoty> Brooks, I think we can consolidate 3, 4 and 7 (different iterations on a single idea)

<fielding> the wiki proposals cover party, first party, and third party

Justin: Have sent change proposals on parties. There's 9 here, not quite right - needs to be pared down. We only have a small handful of options. On the last call, felt like there was consensus to use Roy's provided text. No one disagreed on the call. It's a distillation of first party/third party. There are two forks from his definitions. "Firstness" v "thirdness": almost universal agreement that his defs are OK.

<fielding> was about my rationale, not my change proposal

Lee: There can be multiple first parties in some situations. My disagreement was about what Roy's explanation assumed a search engine to be a first party in a context that it wasn't.

Justin: Is there anyone else who agrees with Lee that Google should not be a first party when someone clicks on a link in their service?

<WileyS> If the link is provided within the context of their service then it should be 1st party.

Justin: Alternatively Lee, if you want to provide text to address that, and if there's support for that, we can take it to Call for Objections.

<bryan> is that question the same as a link shortener being a 1st party?

<WileyS> Lee, could you give an example of a service you feel this wouldn't be appropriate for?

<justin> bryan, no, that's different.

<dsinger> puzzled. if I visit Google and do a search, and click on a result, Google is the first party for that click, and the destination becomes a first party as the link loads. what am I missing?

Lee: What i'm unclear on is where in the spec this is dealt with. Most of our text on what's a 1P is the scope. Coming from more of a telecom perspective where the telco is usually treated as an intermediary. Unsure in this context how it works.

<bryan> the service provided by a link shortener is equivalent to the service provided by google IMO. Users are well aware (generally) of the role of shortener services, esp with twitter

Justin: Will go through to find the history on this to work out the issue (re: telcos).
... Other issue left: what is a party? Two paths here. Roy's definition - distillation over the last few years' work. Also the version that Alan did based on David's comments, that contractual relations can make someone a first party.

<WileyS> Contracts don't make sites the same party...

<npdoty> "Whether a party is a first or third party is determined within and limited to a specific network interaction."

David Wainberg: One other issue with definitions of 1P and 3P. In existing editor's draft, statement in 3P definition that makes party-ness limited established and limited to a specific network definition. This points to the context issue again. The context of where the data is collected or used. Party-ness is ephemeral.

Justin: General agreements on that. There are disagreements re: use. You're saying that Roy's language is diff from existing editors text?

Wainberg: Some disagreement.

Justin: ROy's def does include contextual language.

<npdoty> I think there is agreement with the editors' draft text that parties are defined per interaction

<npdoty> "Within the context of a given user action, "

Wainberg: doesn't make clear that party-ness ends and has to be re-established.

<npdoty> that would be a strange reading of "within"

Justin: but "within", not "starting with".

<dsinger> notes we have a problem (pointed out by Roy and others) that 'network interaction' is badly defined right now

Wainberg: Would like it to be more explicit.

<fielding> or "For the data collected in a given network interaction, .." ?

<npdoty> any objections to adding the editors' draft sentence in addition to the "within" clause?

Wainberg: Need to be explicitly clear - probably not disagreement, more wordsmithing.

<dsinger> (where network interaction or transaction is an HTTP request and matching response?)

Justin: Jack had submitted an amendment to editor's text on affiliate lists. Language would be: affiliates must be available on each page (e.g. via link or click) - doesn't need to be on every single page.
... General agreement that that was reasonable. Also language that we had discussed two calls ago that perhaps we could make clear that it needs to be in priv poly.

<npdoty> ChrisPedigoOPA and amy had suggested similar language about making the affiliate list an example rather than a specific requirement

Justin: Jack, would you be oK with other TPE language saying that privacy policy is OK?

Jack: Have to give that some thought.

<npdoty> JackHobaugh, do you think that Chris and Amy's proposal also addresses your concern?

<fielding> I suggested it be removed, or at least moved to the section on first party. A third party does not have pages.

Chris: Have noted objections on having to link on every page. Concerned re: providing list of all affiliates. Is that helpful for consumers?
... Consumers may be more aware of brands than corp entity.
... Transparency more important - common branding or discussion of affiliate sharing. That language mirrors FTC language. Consumers can be educated in different ways.

<dsinger> I can't see any other definition for 'network transaction' than request-response; servers don't know about 'pages' (only the site author, and even then not always)

Chris: Language is in Wiki Proposal #2.

Roy: Want to remove this from definition since these are reqs you can apply after you have a party status. Some 3d parties don't have pages. Having them have a definition that defines add'l requirements on what/where you link doesn't make sense. Would make sense in the tracking status response. Would rather have that discussion somewhere else from definition.

Justin: TPE requires 3d parties to have information in places other than priv pol'y?

Roy: Requires Tracking Status Response or in policy linked by document.
... Link could go to someone else's site.
... Not part of the definition of party. Don't think we can have a single requirement that applies to everyone.
... Could be done in transparency.

<Zakim> npdoty, you wanted to suggest "easy discoverability" as a qualifier on transparency

<WileyS> +1 Nick - agree with "easily discoverable"

Nick: Could amend "transparency." Thinking was that "easy discoverability" was a good concept. Can we include that even if we don't say specifically affiliate lists in a single click.

Chris: Probably OK to do "easy discoverability". Want to go away from that every page required to have a link, or that you even need a list - would prefer flexibility on consumer education.

Nick: Worth trying easy discoverability.

<npdoty> ChrisPedigoOPA, I'm happy to work with you on a version of yours and Amy's text that includes "easy discoverability" while still having flexible implementation possibilities

Justin: General paths are pretty clear. Either contracts (alan and david's proposal), or ownership and branding/discoverability. First/thirdness we'll work out with Lee whether he wants to propose altneraitves to the intermediary issues.
... For at least one of these we'll have to have call for objections.
... Contracts concept: doesn't seem to be agreement at this point.

<WileyS> I've brought up the arguments many times. Suggest you go for consent (opt-in) or follow current law and merge organizations under a single legal entity.

Wainberg: What are the args against contracts? Under that model, we can provide notice and transparency in a conspicuous, up front way. Legally enforceable. If there's a requirement to have ownership rules, that's also feasible.

<WileyS> Multi-first party could be another option for you as well David.

Justin: That may be right, and I'm not objecting it. There was substantial disagreement with that on IRC last week, though, so cannot declare consensus. We'll ask people to make args re: objections.

<WileyS> Fully co-brand a site as AppNexus and Company X, common TOS, links to both company's privacy policy, etc.

Justin: Consumer groups objected on prior calls.

<npdoty> would WileyS or dwainberg have proposals on ways that might be amenable to more people?

<WileyS> Nick, my position is to oppose the concept of a simple contract creating a 1st party context.

<fielding> dwainberg, I think it would help if you included a common group identity along with the contract, since it currently doesn't indicate any user visibility

<dsinger> …thinks it is not wise to proceed with a definition that we know will attract strong opposition, even if the people aren't on the call

Carl: One of the roles of the chairs is to speak for those who aren't here but haven't withdrawn.

Justin: Matthias will take us through interplay b/w user-generated exceptions and out of band consent.

introducing other issues

<npdoty> issue-201?

<trackbot> issue-201 -- Interplay between UGE and out of band consent -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/201

<npdoty> issue-16?

<trackbot> issue-16 -- What does it mean to collect, retain, use and share data? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/16

Carl: Vinay's proposal for modification was accepted. Additional comments may or may not indicate a degree of acceptance.

<npdoty> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Transience_Collection

<fielding> A party collects data if it receives data and either shares the data with other parties or retains the data.

<justin> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Transience_Collection

Carl: Strong objections to going with Vinay's proposal along with additional comments?

<kulick> "A party shares data if the party enables another party to collect, retain or use that data. "

Nick: Questiona bout share vis-a-vis trasnfer. Question re: different def of collection vs. retention.

<fielding> A party shares data if the party enables another party to collect, retain or use that data.

Jack: Question re: process.

<npdoty> it's useful to find out which proposals we need, or if we're generally in agreement

Carl: We can queue this for next week.

<justin> Yeah, it would nice to understand the exact sticking points here. Share vs transfer . . .

Carl: Open to hearing what people want to discuss and propose.

David Wainberg: Two points on this. 1) Dependencies issue. hard to nail down w/o knowing what work terms need to do wherever they appear in spec. have concerns with inclusion of sharing inside collect. Would rather see that separate. Esp where party may be passing data thru and not retaining.

Wainberg: There's text there now - EFF proposal. Key component of collects is "retain."
... Singer's def gets at that.
... Question was re: concerns on Vinay's edit>

<justin> aack dw

Carl: Trouble with concepts of sharing?

<npdoty> I think dwainberg thinks a party should be able to share data without collecting it

Wainberg: yes

<Zakim> dsinger, you wanted to point out the problem with 'network transaction'

<justin> Yes, but dwainberg also has a problem with the current editors' text on "collect"

David Singer: Def of network transaction is vaguely defined. We should knock this off as it's trivial. Should define as HTTP request in response. In request, know 1p v. 3p, etc. Otherwise, determination after network interaction is impossible to determine.

<justin> We can add the network transaction definition for next week. I thought about doing it for this week --- good idea.

<bryan> does "HTTP response" mean the final response, or include redirects

<npdoty> issue-228?

<trackbot> issue-228 -- Revise the Network Interaction definition -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/228

<fielding> HTTP request and its corresponding response(s)

<justin> dsinger: a network transaction is an HTTP request and its matching response. (or something like that)

DSinger: We did discuss differentiating collecting and retaining.

<npdoty> this may be simple; we have a proposal from JackHobaugh and revisions from fielding, and maybe they could quickly agree with dsinger

<bryan> what about persistent connections in which multiple responses may be received to a single request?

<fielding> 228 is a dup

Dsinger: Should keep separate in use, rather than merging in def.

<dsinger> I don't remember the issue number

<bryan> HTTP 2.0 is likely to change to concept of request/response or at least expand it\

Roy: We need a def of network interaction. I don't think it has anything to do with def of retention, other than clearly retention means beyond the current date, which is in any case a response.

<npdoty> bryan, I think fielding's "corresponding response(s)" is to address the multiple response

<justin> Agree with fielding, not sure they're dependencies, but we can queue up network transaction for next week in any event.

Carl: Agree with david's def?

<JackHobaugh> agree with Roy, most of the terms to be defined are related and cannot be defined in isolation and without regard to other dependent definitions.

<dsinger> that's fine

<bryan> corresponding can also include asynchronous push notifications that occur over time

David: We can knock this off and it will clarify other things.

<fielding> issue-217?

<trackbot> issue-217 -- Terminology for user action, interaction, and network interaction -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/217

Bryan: Not sure - concept of request & response is something that's evolving. Even with http 1.1, not necessarily a fixed thing.
... This can be a meta-transaction. Doesn't reflect the depth of possibility in interaction.

David: Don't think persistent connections don't come into it.

Correction: Don't think persistent connections come into it.

<sidstamm> apologies all, I have to drop off.

Number of requests received on persistent connection doesn't relate to user action.

<justin> We will queue this up for next week.

Justin: We will put this on for next week.

<fielding> Websockets is out of scope

<npdoty> per fielding, I think we can combine issue-217 and issue-228, for what it's worth

<fielding> (and only go to a first party)

<dsinger> would you like a summary of issue-201 sent in email?

<fielding> npdoty, yep

<npdoty> dsinger, I think that would be useful

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2013-10-23 17:33:14 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/simler/simpler/
Succeeded: s/how/hope/
Succeeded: s/dependienceis (sp)/dependencies/
Succeeded: s/It defines/The definition of tracking determines/
Succeeded: s/relationship/context/
Found ScribeNick: Joanne
Found ScribeNick: GSHans
Inferring Scribes: Joanne, GSHans
Scribes: Joanne, GSHans
ScribeNicks: Joanne, GSHans
Default Present: +1.646.654.aaaa, eberkower, +1.646.827.aabb, dwainberg, Wendy, npdoty, MECallahan, Thomas_Schauf, WaltMichel, Peder_Magee, SusanIsrael, Carl_Cargill, dsinger, justin, GShand, Jeff, schunter, gshans, Joanne, Fielding, Jack_Hobaugh, vinay, Chapell, Adamp, sidstamm, Chris_IAB, moneill2, LeeTien, hefferjr, Bryan_Sullivan, ChrisPedigoOPA, hwest, [Microsoft], kulick, WileyS, adrianba, Brooks, BerinSzoka, +1.203.563.aacc, Amy_Colando, MattHayes
Present: +1.646.654.aaaa eberkower +1.646.827.aabb dwainberg Wendy npdoty MECallahan Thomas_Schauf WaltMichel Peder_Magee SusanIsrael Carl_Cargill dsinger justin GShand Jeff schunter gshans Joanne Fielding Jack_Hobaugh vinay Chapell Adamp sidstamm Chris_IAB moneill2 LeeTien hefferjr Bryan_Sullivan ChrisPedigoOPA hwest [Microsoft] kulick WileyS adrianba Brooks BerinSzoka +1.203.563.aacc Amy_Colando MattHayes
Regrets: johnsimpson ninja walter
Found Date: 23 Oct 2013
Guessing minutes URL: http://www.w3.org/2013/10/23-dnt-minutes.html
People with action items: 

[End of scribe.perl diagnostic output]