W3C

- DRAFT -

Tracking Protection Working Group Teleconference

05 Feb 2014

See also: IRC log

Attendees

Present
Regrets
ShaneWiley, LeeTien, JohnSimpson, WaltervanHolst, WileyS, walter, johnsimpson
Chair
schunter, justin, carlcargill
Scribe
dsinger, moneill2

Contents


<trackbot> Date: 05 February 2014

<ninja> trackbot, status?

<schunter> Hi Ninja!

<moneill2> akim, [IPCaller] is me

<Chris_IAB> I just dialed in

<npdoty> trackbot, start meeting

<trackbot> Meeting: Tracking Protection Working Group Teleconference

<trackbot> Date: 05 February 2014

<ninja> trackbot, start meeting

<trackbot> Meeting: Tracking Protection Working Group Teleconference

<trackbot> Date: 05 February 2014

<npdoty> scribenick: dsinger

<moneill2> i can take over after david

<npdoty> scribenick: moneill2

ok

ISSUE-239 Announcement of consensus

issue-239

<trackbot> issue-239 -- Should tracking status representation include an array of links for claiming compliance by reference? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/239

matthias: we seem to have reached consensus

<ninja> http://www.w3.org/wiki/Privacy/TPWG/Proposals_on_status_URL_array_for_compliance_regimes

matthias: no objections received

<dsinger> issue-239?

<trackbot> issue-239 -- Should tracking status representation include an array of links for claiming compliance by reference? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/239

<schunter> http://www.w3.org/wiki/Privacy/TPWG/Proposals_on_status_URL_array_for_compliance_regimes

<npdoty> editors, I believe this text is already in the draft

matthias: 1 or compliance regimes can be claimed, implicitly also w3c regime

<Chris_IAB> trying to catch up after being away… how did the past couple of working group polls net out?

<npdoty> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#rep.compliance

<dsinger> ACTION: dsinger to check that the compliance array is in the TPE spec [recorded in http://www.w3.org/2014/02/05-dnt-minutes.html#action01]

<trackbot> Created ACTION-435 - Check that the compliance array is in the tpe spec [on David Singer - due 2014-02-12].

matthias, action on dsinger to make sure text in doc

matthias, next item 1st & 3rd party elements

<npdoty> ninja, can you grab pointers to meeting minutes for Chris_IAB?

Confirmation of scribe and caller-identification

ISSUE-241: Distinguish elements for site-internal use and elements that can be re-used by others (1/3)

matthias: CfO next

<schunter> https://www.w3.org/wiki/Privacy/TPWG/Proposals_on_elements_for_1and3_party_use

matthias: we have 4 proposals , too many
... can we reduce num proposals to 2 & 3

<justin> The question is does anyone support the old version from last public working draft?

<schunter> Proposal 2 and proposal 3 should be renamed to proposal 1 and proposal 2.

npdoty: only 2 & 3 are relevant

matthias: 2 proposals remove prop 1

<fielding> "usage in third-party contexts" is not going to work with other WG decisions

kulick: need to understans, both allow for 1st or 3rd party

<npdoty> kulick, even with Proposal 3 (silence), it could be done, we just wouldn't have a common definition/signal yet

matthias: , p2 is define it in TPE, p2 not defined in TPE but may be in TPC

<Chris_IAB> schunter, would it be possible to have the proposal owners present their proposals on this call, before we move to Cfo?

<fielding> ditto what Matthias just said --- the only difference is that proposal 2 has a definition in TPE

matthias: if tpc have different rules, this is how to declare

<robsherman> +q

dsinger: , its not just TPC could indicate useful info in TPE

<Chris_IAB> hard to hear Roy… echoey

<JackHobaugh> Roy, you are cutting out.

<kulick> didnt get all of that

fielding: i suggest other contexts other tahn 3rd party

<fielding> will irc

<JackHobaugh> no echo, but Roy's VoIP appears to be somewhat clipped.

<fielding> yes, everything else is okay

<JackHobaugh> I am muted at my phone

<fielding> or "other controllers' contexts"

matthias: do you mean 1 is first party, 3 is everything else?

Chris_IAB: could we all proposers are on call, so they can present them?

matthias: nick can summerise his again

robsherman: does not need CfO

<fielding> To clarify what I meant to say, the "usage in third-party contexts" part of proposal 2 does not match definition of context. Saying "other contexts" for 3 would be better.

robsherman: idea is to preserve 1 and 3 qualifiers, important to have them

<npdoty> how about "usage as a first-party" and "usage as a third-party"? to avoid "context" altogether, if we're defining that term in a different way

<dsinger> given the confusion over the meaning of 'context' I agree to remove it from the third party defn

robsherman: phrase "other contexts" not meaningful

<fielding> npdoty, fine as well (note that I still don't want these definitions in the spec, I just want to make them less bad)

Chris_IAB: try for consensus first before CfO

robsherman: maybe we can resolve this with Roy offline

<Chris_IAB> robsherman, good idea :)

<dsinger> If Roy is OK after his edit, I am OK with it

<npdoty> we've discussed it a couple times now, yeah? are there suggestions for getting those positions to agreement?

matthias: do we have this in general for all TPCs or for each

<fielding> I still would prefer that it not be in TPE at all. I am just trying to get the text to the point where either decision would not conflict with other WG decisions.

<robsherman> The suggestion was that we modify the text proposal to address Roy's concern, and if we can address his concern there is no need for two proposals.

<dsinger> yes, it's architectural, but the TPE needs to make sense and provide uniformity of signalling, by itself'

<npdoty> I've changed to "usage as a * party" in the wiki

<Chapell> +1 Chris_IAB

Chris_IAB: have to have a solid line between the documents, maybe most contentios bits should be in TPC
... its about how to send signals

<bryan> +1 - The TPE is about the protocol, not the intent or adherence to the semantics

matthias: how do we reach consensus?

<npdoty> do we mean "edits" like the usage/context thing?

Chapell: can live with Roy's proposal, will participate id OK with them

<npdoty> I believe the updated text is:

<npdoty> While different compliance regimes can define requirements and uses of certain qualifiers, and a particular compliance regime might not require the use of qualifiers for particular activities to be permitted, the following qualifiers have the defined, descriptive meanings.

<npdoty> "1": the resource is designed for usage as a first party

<npdoty> "3": the resource is designed for usage as a third party

<Chris_IAB> there are two things we probably shouldn't conflate: the definition itself, AND where that definition exists (TPE vs Compliance) -- we should be careful to separate the issues accordingly

<robsherman> +q

Chapell, can you type that in I missed it

npdoty: can set up a call tomorrow to see how we can combine

<Chapell> I (and I believe others - some of whom are not on the call today) would object to the use of 1st party / 3rd party definitions anywhere. in Compliance or TPE. Not looking to necessarily debate this point here and now, but Matthias had indicated that 'nobody' was objecting to that langauge, it was a question of 'where it goes'

<Chapell> So, for the record... I am objecting

Chris_IAB: we must not conflate where def is and what signal describes

<npdoty> we already have a definition. this text doesn't create new definitions.

<justin> chapell, The group has already settled on definitions on party, first party, and third party. Those issues are closed.

<fielding> Chris_IAB, this discussion is about use of a term in TPE. If the term exists in TPE, it will be defined in TPE.

Matthias: only about 1 & 3 in TPE

<Chapell> Justin, npdoty, that's fine... but lets not confuse the decision of the chairs with group consensus on an issue

Matthias: or leave it to TPCs

<Chris_IAB> QUESTION: does anyone see a world where the TPE would be deployed APART from a compliance document? If not, then we can comfortably move definitions into compliance docs. Arguments to that logic?

<fielding> I did look at it. It does not address my concerns.

robsherman: befor we should go forward Roy and me should talk

<justin> Chris_IAB, The TPE defines the parameters of the DNT signal. To the extent elements of that signal need to be defined, TPE must define them.

<fielding> My concern is that we DO NOT need "first party" and "third party" in TPE.

Matthias: while we have 1st & 3rd parties, if nobody uses them the defs go away

<dsinger> we don't use the term 'tracking' either

<Chris_IAB> justin, you need only define what a signal is, not what it means

<fielding> dsinger, what spec are you reading?

matthias: maybe in complaince regime

<justin> Chris_IAB, No, that is not correct. The group has defined what the signal is intended to convey. That issue is closed.

dsinger: if TPCs dont need 1 & 3 signal, they dont need to require them

<Chris_IAB> justin, anyway, the TPE is not deployed in a silo by itself

<ninja> Chris_IAB, this may be true for the server side. But the user is not able to choose a compliance regime. So a basic setting of scope and meaning of his DNT;1 or 0 signal is useful.

dsinger: anxious that 1 & 3 signal was not machine testable

<Chris_IAB> justin, I continue to disagree with this approach… it's too much of a slippery slope

<fielding> honestly, dsinger, that is absurd

dsinger: we dont need tracking in the TPE either

<schunter> IMHO we do since we have a signal "0" Not tracking

<fielding> tarcking="N"

<npdoty> fielding, is there a constructive way that you can express that concern to dsinger?

<fielding> tracking="N" is a functional part of the spec

dsinger: signal important in own right for user

<Chapell> Chris_IAB for some reason, the chairs seem intent on porting many definitions as possible - over the objections of many within the group

<fielding> DNT:1 is a signal within the spec

matthias: By end of week we decide if to forward to CfO

<justin> Chris_IAB, No one is telling you what to do in response to the DNT signal. That's what a compliance regime determines.

Chris_IAB: TPE must have an assiciated TPC for implementation, docs then become one

<npdoty> Chris_IAB, the group, based on issue-239, made a decision to not make normative references to the Compliance document and its definitions

matthias: TPE defines user prefs, sites use TPC to decide what they do

<npdoty> ... which is why we've been spending time on removing references, and making sure the terms are defined

Chris_IAB: we made decision to bifurcate

<JackHobaugh> i am muted

<schunter> I would not call CDTs input noise, though ;-)

justin: its an optional field, you dont have to use it (in TPC), but group has made decision

<schunter> Jack: IMHO you caused some echo.

Chris_IAB: there is a conflict

<JackHobaugh> I am muted locally.

<JackHobaugh> I have been for the duration of this call.

justin: pput your objection down in CfO

<Chapell> Justin: I don't understand how one might offer a different interpretation of first and third party given the significant history there.

<justin> jackhobaugh, is there something you want to add?

matthias: i would like to woork twds CfO, Roys proposal claer, prop1 needs more work

<dsinger> I think we should edit proposal 1 in line with Roy's suggestion, as the authors of it seem OK with that

<JackHobaugh> I get that, feel free to mute me at your end.

<npdoty> dsinger, indeed, I've made that edit

matthis: next issue 240

<schunter> http://www.w3.org/wiki/Privacy/TPWG/Proposals_on_the_definition_of_context

<fielding> issue-240?

<trackbot> issue-240 -- Do we need to define context? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/240

ISSUE-240: Do we need to define context?

<npdoty> ACTION: doty to follow up with 241 proposers (dsinger, fielding, robsherman at least) to finalize proposals / see if consensus is possible [recorded in http://www.w3.org/2014/02/05-dnt-minutes.html#action02]

<trackbot> Created ACTION-436 - Follow up with 241 proposers (dsinger, fielding, robsherman at least) to finalize proposals / see if consensus is possible [on Nick Doty - due 2014-02-12].

<npdoty> action-436 due February 7

<trackbot> Set action-436 Follow up with 241 proposers (dsinger, fielding, robsherman at least) to finalize proposals / see if consensus is possible due date to 2014-02-07.

fielding: trying for def give clarification of what user means, from their perpective, slightl dif from prop 5
... prop5 relies on def of parties

<npdoty> prop 1 adds "common data controller" and "group identity"

fielding: my def considers separate branding diff contexts

<JackHobaugh> Roy, could you explain why you replaced "share" with "with"?

<npdoty> fielding, would you say that context in your Proposal 1 is a strict subset of party in Proposal 5?

kulick: is second sentence needed?

<npdoty> second sentence: " A context represents a typical user's expectations regarding the boundaries of a commonly branded Web site (i.e., what makes it distinct from sites with a different group identity) independent of the technology, domain names, or parties operating that site via one or more origin servers. "

fielding: cant understand it without second sentence, prefer to keep it

matthias: compremise - mark sentence sentence as a note

<fielding> okay on marking it as a note

<fielding> that any *implementer* would understand

<JackHobaugh> I would like to request that M2 be extended a week because we have only had since 3 am today to consider Roy's revised proposal.

<ninja> dsinger, would you be able to take over scribing?

kullick: typical users knowledge not improved by 2nd sentence, complex environment that users might not understand

matthias: 2nd sentence as non-normative note

<npdoty> kulick, does that help your concern?

fielding: dont like non-normative para, happy for note at beginning of sentence

<kulick> npdoty, did roy just say add a note to the beginning of the sentence?

<kulick> i would want to understand what the note was

<fielding> I just updated the wiki

<kulick> i do think it would improve it, just not certain i could say i am good with it right now

<npdoty> kulick, the proposal from schunter / fielding was to mark the second sentence as a note

<dsinger> do we need to re-open the "definition of tracking" and change it to say "it's whatever the compliance regime(s) stop you doing when you say you don't track"?

Chris_IAB: cant see TPE being implemented without TPC, slipeery sloper, unzipped them then now zipping back up, certain TPC hampered

<fielding> … to add "Note that a context" where "A context" was at the beginning of sentence 2

<ninja> scribenick: dsinger

<kulick> roy, i see the update. i dont think it makes a difference from what was there before, but I appreciate your willingness to find a compromise

<scribe> scribenick: dsinger

<justin> Again, Chris_IAB, the decision has made to define tracking in the TPE. That is closed. The only question is whether to add more flavor around the idea of context to clarify what tracking means. However, the TPE does not prescribe what exactly you need to do in response to that request not to be tracked.

<justin> Just trying again to clarify the distinction between the two documents.

<npdoty> +1 to dsinger, does the signal just mean something completely different based on who you're talking to? how should a UA explain that?

mschunbter: proposal 5?

<justin> npdoty, dsinger, no the signal is defined within TPE. Closed issue.

chrispedigo: proposal 5: not so different from Roy's. From implementers perspective may be easier to understand. Also for a corporate entity. Tried to keep simple
... tried to link back to defn of party, so that where transparency is needed, it's more discoverable,

<fielding> would it be better as "Note that this definition of context is intended to represent …"?

<Chris_IAB> justin, you'll remember that I didn't really agree with your closing stance on whether to include a definition of Tracking in the TPE, for every reason we are now encountering (slippery slope). I don't think I was alone.

also more support for consumers

scribe: happy to take questions

moneill2: proposal 4: associates a context with a data controller, an entity that the user is expecting is collecting or could collect
... single data controller defines a context
... if multiple domains are used, then they are in teh same-party array of the WKR, so it's clear that they are udner the same controller

matthias: if we compare with Roy, replaces group identity with branding, reqs the same privacy, and requires discoverability thru the same-party array
... do it's more restrictive in that it introdices requirements

moneill2: yes

mschunter: comments?

npdoty: Matthias already touched on: how important is common branding? Essential? Easily discernable? Discoverable?

moneill2: OK by me, check with Rob?

npdoty: in this case, are they mergable

?

moneill2: yes, probably so. let me check with my co-authors

<fielding> My proposal now reads: A context is a set of resources with a common data controller and a group identity that is easily discoverable by a user. Note that this definition of context is intended to represent a typical user's expectations regarding the boundaries of a commonly branded Web site (i.e., what makes it distinct from sites with a different group identity) independent of the technology, domain names, or parties operating that site via one or more origin

<fielding> servers.

mschunter: Roy, one is the language on group identity (maybe not a big deal), and a question for Mike is whether the same-party needs to be required; then there is the common privacy policy. Roy, what about these?

<npdoty> right, some companies might write smaller privacy policies for parts of their site

fielding: the problem is that privacy policies tend to be fungible, and apply to a set of resources, so requiring that they all update in lockstep or be identical is not always workable, even if they are aligned (on this question)

mschunter: example is IBM, that had a number of policies that had common elements but were not identical

<moneill2> +q

mschunter: Mike/Rob/Roy to explore a common proposal
... proposal 5? can we drop in favor of proposal 1?

<robsherman> +q

chrispedigo: I think this is a little cleaner for 1. Not opposed to Roy's as such. One is a difference about user expectations. There are different ways for a user to come to an expectation. One is common branding. Another is easily discoverable. There is a balance in the defn of party and value in using it. Please keep it as part of the discussion

mschunter: proposal 6

<kulick> +1 to leaving proposal 5

chris: I think these definitions belong in the compliance and not the TPE

mschunter: so we seem to have multiple proposals, heading towards call for objections

<schunter> Qß

moneill2: I cannot get hold of Rob, so I will get his input by next week, and talk to Roy

robsherman: we decided not to merge 5 and 1, right?

justin: yes, there is a logical difference between the two, no immediate plan to combine

mschunter: this was the last item on the agenda

justin: let's look at some outstanding issues quickly

issue-143?

<trackbot> issue-143 -- Activating a Tracking Preference must require explicit, informed consent from a user -- closed

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/143

AoB

justin: last week Shane brought up issue 143. maybe we should put into TPE a way to 'sign' the DNT signal. "set by Chrome", "set by Cisco", etc.
... issue was closed in Sunnyvale last year, the chairs of that epoch decided that there was no support for continuing discussion, and no proposals

<npdoty> issue-194?

<trackbot> issue-194 -- How should we ensure consent of users for DNT inputs? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/194

justin: we decided to merge it with the general idea in compliance, of how can you ensure that signals are validly sent

(issue 194)

scribe: absent new info, we are not interested in re-opening now, and given we want to get to last call, maybe testing will reveal a need to re-open
... but we need to hear idea of other issues we need to consider before last call
... we will be looking at 240 and 241 soon, and then we'll be done
... at some point the editors will need to implement the decisions that were made, and we'll be checking whether the result has errors or other questions we need to consider
... so if you see things that need pre-LC discussion, please raise ASAP

Chris_IAB: trying to catch up...there were some CfO call recently. Can you update? In one case the group was split, I think. Decisions?

<npdoty> I think ninja is keeping the home page up to date with http://www.w3.org/2011/tracking-protection/ links to decisions, explanations

chris_IAB: really want to know decisions, before I put input on further CfOs and issues

justin: any one in partic?

chris_IAB: all

<schunter> Nina: Do you have a summary/list of open CfOs?

justin: add-ons is due next week, and the requirement on exceptions after that

chris_IAB: what's the making of sausages like?

<ninja> schunter, Chris_IAB, Regarding Network interaction the chairs have determined Option B as group consensus - the written decision will go out this week

justin: we discuss, we cover multiple time zones, we have other jobs, and we want to make sure we follow all the lines of argument etc.
... on network transaction, we did make a decision, objections were less strong to (B), (The Roy definition), email later today
... we hear that you'd like answers sooner rather than later, tho we're not sure we see strong dependency

chris_IAB: on every decision and CfO we all need to check that we're consistent, and it takes time for us too.
... we feel left in w whirlwind sometimes!

justin: I hear you, I want to get these done. One will be sent out later today, and we'll have the other we hope this week, and we'll have answres on the call next week

chris_IAB: thx

ninja: to add to Justin: the last two CfOs, esp. the requirement to handle exceptions, is a tough decision, and we also reached out to the web accessibility WG to check on the use of Javascript. So, given strong objections, the chairs give it careful consideration

chris_IAB: whoa, reached out to anothe rparty to help you make a determination? shouldn't we know?

wendy: given the W3C has an accessibility group, when someone raises an accessibility concern in comments, we ask 'is this something you want to take up?' and if they said so, we would have brought it back to the group. the response was that current screen readers can deal with JS so it was not a blocking issue, or we would have brought it back

justin: Mike has a couple of issues identified

moneill2: First: the idea, the cross-domain, single-origin problem. A site with multi domains (Yahoo and Yimg for example). Also the situation Roy alluded to, such as P&G with a single data controller but multiple brands. It's silly to have to ask the user multiple times (perhaps) if the user already thought they gave consent.
... the thought that it had to reflect the user's thought 'at the time' may be too restrictive. May want to re-arrange words to allow for that situation.
... also read that Shane warned not to use european legal words (data controller)

justin: making sure we don't say something we don't mean to say.

<npdoty> thanks for bringing this up, mike, even if I don't 100% understand it yet

justin: hopefully folks will look at the language and see what can be improved. Maybe editors can help? We may well find contentious
... the second is a new proposal, IMHO

moneill2: second: the whole issue of trust between sites and users. we have the WKR. Other data controllers can use it.

<npdoty> email from moneill2: http://lists.w3.org/Archives/Public/public-tracking/2014Feb/0009.html

justin: basically to allow sites that have Tracking behavior, to allow users to request deletion of past records to the extent possible
... we previously agreed that DNT did not apply to old records that are retained, only going forward

<npdoty> I could see it more promising as a separate initiative

<kulick> +1 on moving to version 2... this is a big issue and would require much discussion

<npdoty> ... particularly if servers are interested in a standard mechanism

justin: Shane responded that maybe this is a version 2 question. It does sound like a 'heavy lift' and hesitate to intro something so groundbreaking now
... mor on Mike's 2nd proposal?
... AOB?
... OK, we'll try to move to consensus or CfO on these two soon,
... then the CfO texts will be due, and the edits due, and we move to last-call status
... with that, thank you. We adjourn.

Summary of Action Items

[NEW] ACTION: doty to follow up with 241 proposers (dsinger, fielding, robsherman at least) to finalize proposals / see if consensus is possible [recorded in http://www.w3.org/2014/02/05-dnt-minutes.html#action02]
[NEW] ACTION: dsinger to check that the compliance array is in the TPE spec [recorded in http://www.w3.org/2014/02/05-dnt-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014/02/05 18:28:08 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/matthias, CfO/matthias: CfO/
Succeeded: s/matthias, can/matthias: can/
Succeeded: s/define/defined/
Found ScribeNick: dsinger
Found ScribeNick: moneill2
Found ScribeNick: dsinger
Found ScribeNick: dsinger
Inferring Scribes: dsinger, moneill2
Scribes: dsinger, moneill2
ScribeNicks: dsinger, moneill2

WARNING: No "Present: ... " found!
Possibly Present: Apple Ari Ari_ Brooks Bryan_Sullivan CDT Carl_Cargill Chapell ChrisPedigoOPA Chris_Pedigo DNT FTC GSHans IPcaller Jack JackHobaugh Jeff Justin Microsoft Mozilla Nina Ninja P10 P9 Peder_Magee Susan_Israel WaltMichel Wendy aaaa adrianba bryan cOlsen carlcargill chris chris_IAB chrispedigo dsinger dwainberg eberkower fielding hefferjr hober https inserted kj kulick kullick matthias matthis mecallahan moneill2 mschunbter mschunter npdoty robsherman schunter scribenick sidstamm susanisrael trackbot vinay wseltzer
You can indicate people for the Present list like this:
        <dbooth> Present: dbooth jonathan mary
        <dbooth> Present+ amy

Regrets: ShaneWiley LeeTien JohnSimpson WaltervanHolst WileyS walter johnsimpson
Found Date: 05 Feb 2014
Guessing minutes URL: http://www.w3.org/2014/02/05-dnt-minutes.html
People with action items: doty dsinger

[End of scribe.perl diagnostic output]