W3C

- DRAFT -

Tracking Protection Working Group Teleconference

11 Jun 2014

See also: IRC log

Attendees

Present
Regrets
Chair
SV_MEETING_CHAIR
Scribe
moneill2

Contents

<trackbot> Date: 11 June 2014

<JackHobaugh> not yet - soon

<Nielsen__Raymond_> Yes

<Nielsen__Raymond_> Thanks

<Chris_M> just joined the phone call

<Chris_M> big crowed today ;)

<sidstamm> apologies all, I'm en route and having phone/irc connection difficulties

<justin> scribenick: moneill2

<sidstamm> +regrets sidstamm

<justin> http://lists.w3.org/Archives/Public/public-tracking-comments/2014Jun/0000.html

<justin> : last call ending next tuesday, WP29 has commented 6 issue

justin: will come back with process how to deal with comments

Service Providers

<wseltzer> issue-206?

<trackbot> issue-206 -- Service Provider name and requirements -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/206

<wseltzer> issue-49?

<trackbot> issue-49 -- Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/49

justin: a service provider could act to conwey data between contexts?

fielding: key is what party are they when data is used
... whether they are service provider does not change the situation.

justin: a service provider may be acting for hundreds of contractee
... maybe best deal with the issue when we talk about 219

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Limitations_on_use_in_Third_Party_Context

justin: no real movement on context separation
... cfo next week on 219

<wseltzer> issue-219?

<trackbot> issue-219 -- Limitations on use in a 3rd party context of data collected in a 1st party context -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/219

justin: nobody has jumped on censuss proposal
... other issue is data append

Data Append and First Parties

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_First_Party_Compliance

justin: 5 proposals but only 2 main ones
... table 219 for time being, maybe we can reach a consensus

ChrisPedigoPA, data append far too broad for DNT. Data might have been collected with consent

<WileyS> +1 to who is speaking - Data Append has nothing to do with cross-site data collection

<amm> Allowing data append = loophole large enough to destroy the standard.

johnsimpson: my proposal would stop third party would append to first party

+q

<Chris_M> agree, data append seems out of scope for DNT

<WileyS> If data append is sourced from data with user consent or public data - how could DNT logically apply?

<Chris_M> +1 to WileyS, that's right

<Chris_M> I feel like we are trying to boil the privacy ocean here...

<amm> Data append is not with user consent

<amm> I most assuredly not not consent to the price of my home and my address being appended to Amazon's data about me

<Chris_M> you don't need consent for public data

<Chris_M> how about City Hall data?

<wseltzer> Chris_M, depends on the jurisdiction...

<Chris_M> wseltzer, US :)

<WileyS> amm - that is a legal question - not one for this working group.

<amm> If we are allowing user choice around tracking, perhaps we should allow users to make choices... Rather than be surprised.

<amm> By no means

<rvaneijk> @ChrisM, depending on what you do with public data, you may still need valid consent, even explicit consent depending on the use

<wseltzer> Chris_M, we're on the *World* wide web :)

<amm> We're not talking about what happens to non-DNT users, which is a legal issue

<fielding> I suggest that Vinay's text is editorial, as is Mike's (though I prefer Vinay's text). Neither is about Data Append. John's proposal was about data append.

<Chris_M> wseltzer, I have always advocated for a JURISDICTIONAL approach to DNT compliance-- we need to respect laws in each jurisdiction; W3C should not aim to regulate over existing laws and codes IMHO

justin: the real issue is data append

<rvaneijk> @Chris_M, interoperability is an important aim IMHO.

justin: cfo should be about data append

<amm> Presumably DNT:1 means something more than "we follow the minimum as established by law," or there would be no diff between DNT:1 and DNT:0.

wendy, one issue on data append under 170, and another under 219

<Chris_M> rvaneijk, in order to get global interoperability that doesn't step on some country's laws, that forces us to abstract to a common denominator that generally works in each jurisdiction (respects their laws/codes), but then probably does not go as far as the advocates want here.

<fielding> issue-219?

<trackbot> issue-219 -- Limitations on use in a 3rd party context of data collected in a 1st party context -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/219

<fielding> issue-170?

<trackbot> issue-170 -- Definition of and what/whether limitations around data append and first parties -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/170

<Chris_M> justin: not sure what you mean by "sneak around DNT" (please explain)

<WileyS> amm - DNT speaks to cross-site data collection across different contexts. It doesn't speak to Data Append. That's an entirely different topic and its going to needlessly slow down this working group to try to address it here. I could imagine a host of different technical and policy elements specific to Data Append as an isolated topic.

justin: no data append should be in 219

<amm> There is nothing even remotely illegal about protecting user privacy for those who request it.

justin: we need to make clear when DNT set no identifiers are shared

<Chris_M> hmmm, still a bit confused by "sneak around" (sorry to be obtuse)

<WileyS> moneill2 - identifiers are not "cross-site data collected across contexts"

justin: will make it more clear on list

<amm> DNT has fundamentally come to be about data sharing. Saying "no third party sharing unless we call it by a different name" is pretty goofy

<amm> Court house data is third party data

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposals_on_data_minimization

Data Minimization

<wileys> , identifiers make cross-site collection possibl;e

<amm> Without specifically allowing data append, it is out of what would be allowed

justin: data minimisation

<wseltzer> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposals_on_data_minimization

<WileyS> We've already been through this - unique IDs are necessary for a host of permitted uses: security, financial reporting, & frequency capping.

<WileyS> moneill2 - yes, and some cross-site data collection is permitted per the permitted uses

<fielding> , how upto date are thse proposals?

fielding: why

identifiers are what makes tracking possible, if DNT set dont use them

fielding: limitations on permitted uses fine, data minimisation wrong place

<fielding> I guess I would like to see arguments as to why the suggested changes improve Data Minimization, not random other topics in compliance.

<WileyS> Many permitted uses fail without a persistent, unique, anonymous identifier.

<amm> It's been a while. Did the idea of transparency go away?

<rvaneijk> I would not be in favour of short-term use of identifiers or allow for non-persistent identifiers. Uniques is what matters.

<WileyS> Probabilistic identifiers (digital fingerprints) are more often less persistent than deterministic identifiers

<WileyS> We will use digital fingerprints for security purposes

<rvaneijk> s/uniques/uniqueness/

<WileyS> We need every available tool to fight the bad guys

<amm> ;-) to Wendy

<Chris_M> browser "fingerprint" is ephemeral

<rvaneijk> It is not just the profile that is the object of concern, the automatic decision is IMHO as well enabled by unique identifiers.

<fielding> If you want to disallow certain identifiers, then just disallow them one at a time. Don't mix them all up under a bad definition.

<fielding> If you want to stop client-side storage, say that.

<fielding> If you want to stop browser fingerprinting, do that.

<amm> Rob, I'm not following all of what you're suggesting (and perhaps should take offline) but what do you mean by automatic decision?

wendy: are there place where we can be clear explaining the mechanism of tracking

<Chris_M> yeah, I might agree with wseltzer here, we should probably focus on the practice, not the mechanism

<wseltzer> wseltzer: trying to be technology-neutral in limiting "tracking" -- can we offer useful functional definitions, not mechanism of tracking/fingerprinting ?

justin: lets iterate on this

<Chris_M> there will always be new tracking mechanisms, yeah?

<amm> Jonathan's hopes not withstanding, I don't see a way to do away with high entropy identifiers in DNT. Reasonable time limits (note necessarily hard coded) and transparency seem like the way to go IMHO

<amm> Yes, I am basically agreeing with Shane but minus loopholes

<amm> Ooooh, didn

<amm> Didn't know there is global replace, nice

Summary of Action Items

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-06-11 16:59:05 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/justin, /justin: /
Succeeded: s/justin, /justin: /
Succeeded: s/fielding, /fielding: /g
Succeeded: s/justin, /justin: /g
Succeeded: s/jsutin,/justin:/
Succeeded: i|<wileys|Topic: Data Minimization
FAILED: s/uniques/uniqueness/
Succeeded: s/justin, /justin: /G
Succeeded: s/johnsimpson, /johnsimpson: /G
Succeeded: s/wendy, /wendy: /
Succeeded: s/justn,/justin: /
Succeeded: s/fielding,/fielding:/G
Succeeded: s/fieldin,/fielding:/
Found ScribeNick: moneill2
Inferring Scribes: moneill2

WARNING: No "Present: ... " found!
Possibly Present: Alan Alan_IAB Aleecia Amy_Colando Brooks CDT ChrisPedigoOPA Chris_IAB Chris_M Chris_Pedigo Facebook Fielding IPcaller JackHobaugh Jack_Hobaugh MattHayes Nielsen__Raymond_ P5 Peder_Magee RichardWeaver Richard_comScore WaltMichel WileyS aaaa amm hefferjr hober https inserted johnsimpson justin kj kulick loan magee matt mecallahan moneill2 rvaneijk scribenick sidstamm trackbot vinay walter wendy wseltzer
You can indicate people for the Present list like this:
        <dbooth> Present: dbooth jonathan mary
        <dbooth> Present+ amy


WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Found Date: 11 Jun 2014
Guessing minutes URL: http://www.w3.org/2014/06/11-dnt-minutes.html
People with action items: 

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.
[End of scribe.perl diagnostic output]