Tracking Protection Working Group Teleconference

18 Jun 2014

See also: IRC log


Ninja, +1.646.654.aaaa, eberkower, Jack_Hobaugh, Chris_Pedigo, Chris_IAB, +1.323.253.aabb, npdoty, +1.303.954.aacc, Ari, kulick, walter, Alan_IAB, RichardWeaver, +1.408.536.aadd, vinay, justin, dsinger, Brooks, hefferjr, sidstamm, johnsimpson, WileyS, Peder_Magee, moneill2, Susan_Israel
carlcargill, wseltzer, susanisrael


<trackbot> Date: 18 June 2014

<Chris_M> just joined the call

<scribe> scribenick: npdoty

justin: 5 issues to go over today
... today is the end of the Last Call comments period
... chairs meeting to talk about how to sort through comments/objections/concerns

Data Append and First Parties - Announcement of CfO

justin: in the meantime, working on compliance issues (not all that many left)

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_First_Party_Compliance

justin: first-party compliance has been under discussion for a while

<ninja> Call for Objections starting today

justin: will go to Call for Objections starting today
... 1) vinay (susan israel, others): doesn't limit append
... 2) john simpson (mike): can't combine with other @@ data
... have delineated the options, which are now clear, send out for Call for Objections tonight
... we've been doing well in avoiding having to go to Call for Objections, but in some cases may be inevitable

<Chris_M> someone put us on hold

Context Separation

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Limitations_on_use_in_Third_Party_Context#Proposal_.282.29:_Prohibit_use_of_data_collected_as_any_type_of_party

justin: context separation we've been discussing a lot, we're close but wanted to check one more time whether there were changes or additional options
... the first would be no limitation at all on use of data that was collected as a first party
... Walter's proposal limits use of data collected from previous network interactions
... these proposals are pretty solidified now, but: ask questions, propose friendly amendments

Data Minimization

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposals_on_data_minimization

justin: third issue is data minimization

current section http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#data-minimization-and-transparency

<johnsimpson> Apologies,sorry about my phone. I screwed up..

justin: mike's proposal (additional revisions not yet on the wiki?) regarding persistent identifers

johnsimpson: status on issue-170? going to call for objections on that?

<moneill2> my skype conncetion is bad, I will ring back

justin: yes, different groups on that. options are now precise. will announce call for objections later today

johnsimpson: thanks.

justin: roy had objected to the technical language of mike's proposal, but neither fielding nor mike on the call at this moment, so maybe follow up on mailing list
... haven't heard additional proposals that would provide more flexibility. if you want to propose language, please feel free

<ninja> justin, I think Mike just re-joined the call

<moneill2> ninja, thanks

npdoty: issue-233 was a proposal from Jack to use language of minimized rather than limited

justin: might be editorial, can just go ahead with it.

<JackHobaugh> I don’t have any more to offer than what is already stated in Issue-233

npd: current language doesn't specify a type of party, so I don't think that would be a change

ChrisPedigoOPA: would be concerned about making it party-neutral

JackHobaugh: agree that "minimized" is just editorial. regarding party-neutral I think it already just talks about "a party" so I'm not sure why it was limited to third parties

justin: it's within Third Party Compliance section

JackHobaugh: could throw it open to the WG for suggestions

ChrisPedigoOPA: would be a simple change to add third-party if that's what it meant anyway

<justin> npdoty: This is about permitted uses, so it should be pretty clear that this only applies to third parties.

<Chris_M> AUS 1 NED 1

justin: nick could take a look again regarding textual ambiguity
... or if someone has a proposal to make it more clear, that would be welcome
... seems like we're all agreed on what's intended

<scribe> ACTION: doty to update data minimization section regarding minimized/limited and clarity about when it applies [recorded in http://www.w3.org/2014/06/18-dnt-minutes.html#action01]

<trackbot> Created ACTION-453 - Update data minimization section regarding minimized/limited and clarity about when it applies [on Nick Doty - due 2014-06-25].

walter: because we're talking about permitted uses, clear that it's a third party issue. proportionality of data use would make sense for first party even though we wouldn't interpret that as applying to first parties

<ChrisPedigoOPA> I'll propose some language

justin: would be great for first parties to apply minimization/proportionality, but discussion is about clarity of this section

Use of "tracking" in third party compliance

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Third_Party_Compliance

justin: haven't talked about this in great detail, but came up via fielding on the mailing list
... have defined "tracking" but not really using it within TCS

<ninja> ISSUE-203: Use of "tracking" in third-party compliance https://www.w3.org/2011/tracking-protection/track/issues/203

<trackbot> Notes added to ISSUE-203 Use of "tracking" in third-party compliance.

justin: dsinger had a proposal about referring to "tracking information"
... fielding had a proposal to instead describe exactly which tracking status values should be used

<dsinger> yikes, I wrote this a year ago!

justin: is it possible to combine these two? or iterate?

Link shorteners/ID providers

justin: can discuss on the mailing list, rather than putting dsinger on the spot right now

<dsinger> yes, I think we can easily merge these two

<justin> https://www.w3.org/2011/tracking-protection/track/issues/97

(dsinger, I had preferred your original proposal; generally I like having the extra detail in this document to elaborate on our one sentence definition of tracking)

justin: link shorteners/trackers -- how does this apply to them? if I click on a bit.ly link, what kind of party is the provider to an interaction?

<dsinger> well, either the link shortener is the first and the final target a third, or vice versa? The user will not typically be aware of one of (a) that a link shortener is in use or (b) where the link shortener will actually go.

justin: I've previously argued that users are trying to get to the end page

<WileyS> Its very clear to a user they are about to click through their service if the URL is visible - nothing forces the user to click through to see their NY Times article.

justin: Ian Fette previously had suggested otherwise (perhaps supported by Shane)

dsinger: user is either unaware of where the link shortener goes to (clicked on bit.ly, don't know the end point)
... or alternatively, knows they're going to NYT (via anchor text) and wasn't aware of the link shortener

<WileyS> Crazy to me that people trust link shortners - but they are clearly the initial 1st party in the most common context

dsinger: informative text along these lines?

<moneill2> yest another thorny issue resulting from 1p/3p

<dsinger> yes, the 3rd/1st split might have been a mistake, but by the time we realized, the majority felt we were too far down that road

<justin> Well, it's about user intent, which isn't solved by just getting rid of 1p/3p distinction.

npdoty: when we discussed previously, I talked with some link shortener folks

<dsinger> the point of getting rid of 1st/3rd would be precisely to getthe unmeasurable user intent out of the normative requirements...

npdoty: more common cases will be first party/service providers for either the home site or the destination site
... link shorteners that are somehow in the middle (no relation to either end) would not be part of an intentional interaction

<WileyS> Agree on redirects

<WileyS> +q

ninja: this is also a part of a bundle of issues regarding identity providers. not sure it's the same on all redirects

justin: what other redirects did you have in mind?

<dsinger> yes, intermediate redirects are clearly neither what I clicked on nor where I thought I was going. They are easy

ninja: for example, if a site has several redirects across multiple parties, multiple link shorteners before arriving at a newspaper article

WileyS: search engine marketing companies are a common example here. clicking on a sponsored search result initially goes to the search engine; but sometimes an SEM before redirecting on to the advertiser
... in some cases that would be a service provider to the advertiser

<walter> I might

WileyS: but aware of some cases where it might be a traditional third party, ad network that combines that data across different advertiser endpoints

<WileyS> Not me

justin: someone to write text to explain these situations?

<moneill2> i could help walter

walter: don't think users are aware of the link shortener based on the URL

<ninja> justin, I will try to dig out your language

justin: might be old language (from me or others) on issue-97 you can find
... haven't discussed in a while, it would be good to get text proposals

<ninja> ISSUE-99: https://www.w3.org/2011/tracking-protection/track/issues/99

<trackbot> Notes added to ISSUE-99 How does DNT work with identity providers?.

npdoty: I'm not aware of the specific use case for identity provider

justin: if you're authenticated via a social network to a newspaper website

<walter> I can see that

<walter> As in, that makes sense

justin: if you're authenticating, seemed clear that would be a first-party involvement


justin: send some follow-up emails regarding proposals
... will send one Call for Objections later today

<Chris_M> where's the link for last call on TPE?

<johnsimpson> thanks

<Chris_M> thanks

justin: sounds like dsinger had possible updates on 203
... and walter to follow up regarding link shortening
... reminder, please get Last Call comments on TPE in today

<justin> ChrisM, provide comments to this email address: public-tracking-comments@w3.org

justin: thanks all

<ninja> justin, npdoty, I take the action on me to get the CfO out today


<justin> And here is the Last Call document: http://www.w3.org/TR/tracking-dnt/

Summary of Action Items

[NEW] ACTION: doty to update data minimization section regarding minimized/limited and clarity about when it applies [recorded in http://www.w3.org/2014/06/18-dnt-minutes.html#action01]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-06-18 16:46:01 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Found ScribeNick: npdoty
Inferring Scribes: npdoty
Default Present: Ninja, +1.646.654.aaaa, eberkower, Jack_Hobaugh, Chris_Pedigo, Chris_IAB, +1.323.253.aabb, npdoty, +1.303.954.aacc, Ari, kulick, walter, Alan_IAB, RichardWeaver, +1.408.536.aadd, vinay, justin, dsinger, Brooks, hefferjr, sidstamm, johnsimpson, WileyS, Peder_Magee, moneill2, Susan_Israel
Present: Ninja +1.646.654.aaaa eberkower Jack_Hobaugh Chris_Pedigo Chris_IAB +1.323.253.aabb npdoty +1.303.954.aacc Ari kulick walter Alan_IAB RichardWeaver +1.408.536.aadd vinay justin dsinger Brooks hefferjr sidstamm johnsimpson WileyS Peder_Magee moneill2 Susan_Israel
Regrets: carlcargill wseltzer susanisrael
Found Date: 18 Jun 2014
Guessing minutes URL: http://www.w3.org/2014/06/18-dnt-minutes.html
People with action items: doty

[End of scribe.perl diagnostic output]