See also: IRC log
<trackbot> Date: 25 June 2014
chair+ Carl_Cargill
<eberkower> Thank you, Nick
<johnsimpson> thanks for talking to Zakim for me....
<johnsimpson> ii am not in good position do that, sorry
<scribe> scribenick: ninja
topic Last Call feedback
justin: We received feedback from
24 commenters
... team started to sort these and will have a call with
editors tomorrow to discuss them.
... Looking for input to tackle the technical once and then
bring them all to the group.
... Could take one or two more weeks.
<npdoty> the public list is archived, if you've been wanting to review them: http://lists.w3.org/Archives/Public/public-tracking-comments/2014Jun/thread.html
<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Limitations_on_use_in_Third_Party_Context
justin: Would like to make some progress on text proposals for TCS meanwhile.
<WileyS> Due date for responses?
justin: Hope I updated Walter's proposal in a way that everybody is happy. Last minute friendly amendments.
<WileyS> I ask as many people will be out on vacation next week in the US so we should move any deadlines to be after next week.
<WileyS> Could we please move that out one week?
justin: Answering Shane's comment: The open CfO on Issue 170 runs until next week.
<WileyS> Also question if we should hold a meeting next week - perhaps a straw poll.
<WileyS> +q
justin: Regarding the new CfO two weeks seems like sufficient time. But will discuss with other chairs.
WileyS: Next week many colleagues will take the whole week off.
<Chapell> chapell out next week
<vinay> I'm off next week as well
<johnsimpson> I think July 2 is deadline for current call for objection.
WileyS: If we have most of the WG unavailable it could make sense to skip the WG call. And push the CfO deadline.
<Brooks> may well be out
justin: Nothing against it. Will take it back to the Chairs to decide. But seems reasonable.
<kulick> i'm out
<kulick> np
justin: Strawpoll on who is missing the call next week.
<johnsimpson> not sure if can make next week, not clear uet.
<dsinger> I will be out the week after the 4th (MPEG meeting)
<WileyS> Up to 8 people either out or possibly out
justin: Back to context separation...
<npdoty> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Limitations_on_use_in_Third_Party_Context
<Chris_M> Sorry to be late, I just joined the call
justin: I think I managed to
combine all friendly amendments into one text proposals
(Walter, Alan, Mike)
... Alan, are you ok with this?
<Chapell> the updated language makes things clearer
justin: Seeing none angry on the queue
<moneill2> <justin>, thats fine
<johnsimpson> agree the updated language does what I want
justin: Mike did a third revision
including unique identifiers. I would rather keep this separate
in data minimization.
... Mike, are you ok with that?
Moneill2: Agreed.
<npdoty> nick and ninja will set up a Call for Objections on issue-219 to go out today
fielding: I would prefer if the part about “first party” would be less ambiguous
<walter> or in a a first party quality
<npdoty> I'm assuming editorial fixes (like, we typically use language like "third party to a given user action")
fielding, Could you type that. I was too slow?
<walter> if that isn
<Chapell> Can you post the updated text with Roy's proposal?
<walter> 't proper English, apologies
<justin> the third party MUST NOT use data gathered in another context about the user, including when that party was a first party.
<justin> the third party MUST NOT use data gathered in another context about the user, including data collected as a first party.
justin: typed the text suggested by fielding.
<fielding> yes, first one I think
<moneill2> looks fine to me
<npdoty> +1 to "that party was a first party"
<Chapell> first one seems clearer
justin: Agree with Nick that this
is an editorial issue.
... thanks for drawing attention to that.
<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposals_on_data_minimization
justin: Close the discussion on this now.
<fielding> oh, and that should be collected instead of gathered, since we have only defined collected
<npdoty> from mike: http://lists.w3.org/Archives/Public/public-tracking/2014Jun/0075.html
justin: Mike sent an email on 5:31 regarding unique identifiers.
<npdoty> I've changed gathered to collected on the wiki, which I believe is editorial (+1 to fielding's comment)
Moneill2: Broke it into two bits unique identifiers outside of permitted uses and storage in the browsers.
<dsinger> editorial: “the users explicit consent” -> “the user’s explicit consent"
justin: could be less controversial than I thought. So you don't want to prohibit unique identifiers for permitted uses.
<Brooks> isn't this more of limitation or what is permitted by permitted uses?
<Brooks> or qualification rather
<WileyS> +q
<dsinger> limited to the extent needed is already a general requirement on permitted uses
<Chris_M> the mode of tracking should be irrelevant for the DNT spec
Moneill2: The part about storage in the browser is intended to limit the use to the duration necessary for permitted uses.
<Chris_M> tracking can be used for a variety of permitted uses: security, site-user state maintenance (shopping cart, etc.)...
<npdoty> walter: Mike's proposal would be explanatory language to add to the editor's draft
walter: I would support Mike's Proposal but might be too technical. Maybe Pending Review.
WileyS: Think Mike's proposal is too broad. Would like to draw in de-identification.
<Chris_M> not sure why we need talk about "device fingerprinting" in this spec?
<moneill2> +q
<walter> eh, points
WileyS: If you have no need for permitted use or timeframe has expired we need to take up de-identification.
<Zakim> npdoty, you wanted to ask if this is just an example of data minimization
justin: Valid point. Could also be valid under HiPAA standards.
<npdoty> "After there are no remaining permitted uses for given data, the data MUST be deleted or deidentified. "
<justin> fielding, thank you --- replaced gathered with collected
npdoty: The general requirement for permitted uses is data MuST not be stored longer than necessary.
justin: Mike' what do you think about Shane's point?
Moneill2: Even pseudonymous data is identifiable as it is linked to a specific device.
<npdoty> regarding the text, would Mike be supportive of using this as an Example rather than additional requirements?
Moneill2: Privacy friendly opt-out cookies don't include a user ID
justin: I think there is a distinction between pseudonymous data and de-identified data.
<npdoty> current definition on deidentified is present here: http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#deidentified
Moneill2: If you collect a unique bit pattern this cannot be de-identified. Can of worms.
<npdoty> (we have an issue on that, but something like those requirements would make that definition)
justin: Suggest more high-level language. Ask Mike to take a look at section ? and see whether he wants additional text.
<WileyS> Opinion noted - lets move to CfO
<npdoty> for what it's worth, moneill2, it looks like Dan Auerbach's proposal was to be a general requirement to apply to all permitted uses, which would have been in this section of general requirements / minimization
walter: De-identification as anonymization is much much harder than we think it is.
<WileyS> Most Working Group members support the concept of de-identification. I would always argue companies shouldn't release de-identified data publically - to remove the NYC Taxi scenario
<walter> ninja: also, it should not be part of the conversation on minimal use in the context of permitted uses
<walter> ninja: it is put in as a get-out-of-jail-free card
justin: We have a separate issue on de-identification. So let's keep it apart.
<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposals_on_link_shorteners_and_ID_providers
justin: Ninja included some old text proposals on ID providers.
<walter> WileyS: what I argue is that the NYC taxi scenario was data that people thought was deidentified while it wasn't
justin: This is about the FB connect use case
<walter> justin: I thought I'd have more than one week for that proposal, sorry for that misunderstanding
justin: Two proposals from Ian
Fette and Rob van Eijk.
... Not sure if anyone wants to continue the discussion on
this.
<dsinger> I don’t see anything about link shorteners here
justin: Walter did you want to
suggest text on link shorteners? Maybe you could manage this
week?
... The sooner we get ideas for the group the better.
<walter> WileyS: basically data is only properly deidentified when you're comfortable publishing it, and probably not even then
<dsinger> I think we need a discussion document on identity providers. So, I logon to a newspaper site using my FB ID. Is FB a first party now?
<WileyS> Walter: we can agree to disagree
<WileyS> Collect and use - perhaps not share
<justin> ninja: I went through the old discussion threads on this. Shane seemed to agree that ID providers can anyway get permission to track despite being third-parties.
<walter> dsinger: am I an heretic for thinking that FB may be one during the login procedure?
<fielding> Can we separate the two? ID providers really has nothing to do with link shorteners. There should also be an issue about third party referral trackers.
<WileyS> OpenID requires direct user authentication with agreement to both terms and PP - so this will trump anything this group says
<dsinger> how can the identity provider NOT know that you are trying to logon to the newspaper?
<walter> fielding: agree, they are very different from link shorteners
justin: Yes, they could ask for permission.
<dsinger> I would like to split link shorteners and identity providers, yes
justin: fielding's request to separate is fair.
<dsinger> agree with Roy on the third also
justin: we grouped them as a number of edge cases. But there may be no text to merge them into one case.
<npdoty> they share a wiki page, but already have two different issues in the tracker
<dsinger> can we have a refresh/discussion piece on identity providers?
justin: Under Ian's proposal if you log on to NYT via Facebook, FB would be a first party.
<WileyS> +1 to David!
<WileyS> Duh
<Chris_M> that's right dsinger
justin: Under Rob's proposal FB would only authenticate and stay a third party
<npdoty> dsinger, there are proposals (like Persona/BrowserID) to enable signing on without telling the authorizer where you're signing in
dsinger: Don't understand the use-case. How can FB not know I log onto NYT.
<dsinger> thx Nick, that should be in the discussion piece. I (we?) need education and a refresh
<WileyS> If the Like button is on those pages, then yes
<Chris_M> maybe the question is: is FB a 1P or 3P in the case where their authentication tool was used
justin: If I authenticate via FB do they need to know every page I read?
<WileyS> Please read their privacy policy - if you are logged into Facebook then they recognize you against your registered persona on that page
justin: Does not work well with FB example
<WileyS> To turn this off, you simply log out of FB
<WileyS> DNT does not trump authentication
<Chris_M> what happens with the "keep me logged in" option in the FB authentication?
<dsinger> I think this is distinct from rules around the ‘like’ button. They are not linked; the question of whether the ‘like’ button can track me even if I am logged in should be separate
justin: That is how Twitter reacts to DNT currently via their widgets
<WileyS> A user has logged-in: they agree to Terms and a PP in doing so.
<npdoty> I suspect that none in the group would argue that when you authenticate with a party, you're engaged in a first-party interaction with them. the question just seems to be whether an authenticated session cookie to additional interactions should make those interactions first-party
justin: This is not meant as DNT trumps authentication or consent based on terms of service.
<moneill2> authentication is usually done via 1st partry cooki, not 3sr p elements on apages
dsinger: Whether the like button can track you is a different question.
<WileyS> Their Privacy Policy states they recognize you when you see the Like button on other sites. As you've choosen to login into Facebook, then you as the user understand this trumpts DNT
<moneill2> do not need fb like button for authentication to work
dsinger: ID providers need to know what you want to log on to.
justin: Agreed. Let us keep the separate.
<WileyS> Agreed - OpenID and OpenAuth don't require a page level widget
<Chapell> that begs the question, is there a state where FB is NOT a first party under this spec?
justin: Further work on the text proposals is necessary.
<npdoty> I think maybe we're getting into separate conversations about whether Terms of Service from other sites would count as express consent to override DNT.
<walter> WileyS: which won't fly in most civilised jurisdictions
<WileyS> If you're not logged-in, then FB is not a 1st party
<walter> (that was about the like button)
<walter> WileyS: even if you're logged in FB would be a 3rd party in my book
justin: To Alan's question: Rob's text proposal makes them a third party
<WileyS> Walter - the user has agreed to a different premise
justin: Question the terms of service and user information is sufficient for consent.
<walter> WileyS: no, the user hasn't. Under EU consumer law the user could not reasonably foresee this consequence and that line in FB's terms & conditions would be null and void
<Brooks> why does my login status on a different window impact my status with a like button when I go to a page which I don't know until after the fact has a like button?
justin: I will reach out to Rob to review his old proposal.
<vincent> WileyS, agree with walter, at most they have on OOBC (which should be revokable) but they still a third party
<WileyS> Walter, the Irish DPA disagrees with you :-)
justin: If folks are interested in pursuing this, please do so.
<walter> ninja: Rob is unavailable this week due to family circumstances
<walter> WileyS: the Irish DPA tends to consistently get trashed in the CJEU
<npdoty> +1 to Brooks on that point, although again I don't think that's the current issue :)
<walter> WileyS: it is the most useless DPA around
<WileyS> Walter: we'll again agree to disagree
wiki: https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Third_Party_Compliance
<fielding> I was mostly offline last week
wiki: Authors have not have a
chance to review these old proposals yet.
... Let's take this offline hopefully won't be too
controversial.
... AoB?
<npdoty> dsinger has done some work to merge those two proposals, which we can take to the mailing list
<johnsimpson> thanks, bye
wiki: thanks everybody. Adjourned.
This is scribe.perl Revision: 1.138 of Date: 2013-04-25 13:59:11 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/gatehered/gathered/ Succeeded: s/we/with/ Found ScribeNick: ninja Inferring Scribes: ninja Default Present: walter, moneill2, Ninja, WaltMichel, Jack_Hobaugh, Carl_Cargill, npdoty, Chris_Pedigo, +1.650.362.aaaa, +1.310.292.aabb, RichardWeaver, +1.646.654.aacc, WileyS, johnsimpson, eberkower, Max_Turn, MECallahan, vinay, justin, Brooks, kulick, Peder_Magee, dsinger, SusanIsrael, Chapell, Fielding, [IBM], Amy_Colando, [FTC] Present: walter moneill2 Ninja WaltMichel Jack_Hobaugh Carl_Cargill npdoty Chris_Pedigo +1.650.362.aaaa +1.310.292.aabb RichardWeaver +1.646.654.aacc WileyS johnsimpson eberkower Max_Turn MECallahan vinay justin Brooks kulick Peder_Magee dsinger SusanIsrael Chapell Fielding [IBM] Amy_Colando [FTC] Regrets: sidstamm schunter Found Date: 25 Jun 2014 Guessing minutes URL: http://www.w3.org/2014/06/25-dnt-minutes.html People with action items:[End of scribe.perl diagnostic output]