15:53:25 RRSAgent has joined #dnt 15:53:26 logging to http://www.w3.org/2014/07/16-dnt-irc 15:53:27 RRSAgent, make logs world 15:53:27 Zakim has joined #dnt 15:53:29 Zakim, this will be TRACK 15:53:29 ok, trackbot; I see T&S_Track(dnt)12:00PM scheduled to start in 7 minutes 15:53:30 Meeting: Tracking Protection Working Group Teleconference 15:53:31 Date: 16 July 2014 15:53:54 npdoty has changed the topic to: July 16 agenda: http://lists.w3.org/Archives/Public/public-tracking/2014Jul/0035.html 15:54:10 agenda+ issue-203 use of "tracking" 15:54:19 agenda+ issue-97 link shorteners 15:54:23 agenda+ deidentification 15:54:46 agenda+ issue-210 interaction with existing controls 15:54:58 JackHobaugh has joined #dnt 15:56:37 eberkower has joined #dnt 15:57:18 T&S_Track(dnt)12:00PM has now started 15:57:25 +npdoty 15:57:43 regrets+ wseltzer, schunter 15:57:57 regrets+ dsinger 15:58:07 +Carl_Cargill 15:58:35 +Jack_Hobaugh 15:58:54 fielding has joined #dnt 15:59:57 ChrisPedigoOPA has joined #dnt 16:00:15 +Fielding 16:00:30 +hefferjr 16:00:33 robsherman has joined #dnt 16:00:42 dsinger has joined #dnt 16:00:58 kj has joined #dnt 16:01:04 +[Apple] 16:01:12 +ChrisPedigoOPA 16:01:19 zakim, [apple] has dsinger 16:01:19 +dsinger; got it 16:01:34 + +1.202.370.aaaa 16:01:39 zakim, aaaa is robsherman 16:01:39 +robsherman; got it 16:01:40 regrets- dsinger 16:01:57 +justin 16:01:57 + +1.646.654.aabb 16:02:01 any volunteers to scribe today? should be short and straightforward 16:02:10 I will scribe 16:02:18 scribenick: JackHobaugh 16:02:18 Zakim, aabb is eberkower 16:02:18 +eberkower; got it 16:02:28 Zakim, mute me please 16:02:28 eberkower should now be muted 16:02:29 +RichardWeaver 16:02:31 vinay has joined #dnt 16:02:36 justin: 4 issues to discuss today and a bit of data minimization per Roy 16:02:41 Richard_comScore has joined #dnt 16:02:42 +WileyS 16:02:42 + +1.917.934.aacc 16:02:56 Ari has joined #dnt 16:02:58 Zakim, take up agendum 1 16:02:58 agendum 1. "issue-203 use of "tracking"" taken up [from npdoty] 16:03:05 +[FTC] 16:03:10 zakim, aacc is vinay 16:03:10 +vinay; got it 16:03:15 issue-203? 16:03:16 issue-203 -- Use of "tracking" in third-party compliance -- open 16:03:16 http://www.w3.org/2011/tracking-protection/track/issues/203 16:03:17 justin: to start - how we will use term tracking compliance document. see email to list 16:03:21 https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Third_Party_Compliance 16:03:27 +[IPcaller] 16:03:29 zakim, [IPCaller] is me 16:03:29 +moneill2; got it 16:03:31 Chris_M has joined #dnt 16:03:54 + +1.323.253.aadd 16:03:59 +kulick 16:04:10 justin's summary email http://lists.w3.org/Archives/Public/public-tracking/2014Jul/0036.html 16:04:19 +??P42 16:04:21 justin: here is what I think they do: David suggests - don’t use outside of permitted uses. Roy: mostly just signaling back to the user what you are actually doing. 16:04:30 ShaneWiley has joined #dnt 16:04:33 Just joined the call 16:04:33 q? 16:04:44 Zakim, ??p42 is Chris_M 16:04:45 +Chris_M; got it 16:04:55 Zakim, who is on the phone? 16:04:55 On the phone I see npdoty, Carl_Cargill, Jack_Hobaugh, Fielding, hefferjr, [Apple], ChrisPedigoOPA, robsherman, justin, eberkower (muted), RichardWeaver, WileyS, vinay, [FTC], 16:04:58 ... moneill2, +1.323.253.aadd, kulick, Chris_M 16:04:58 [Apple] has dsinger 16:05:03 and that signal comes with corresponding requirements 16:05:05 justin: to comply with TCS - respond back with T and then limitations as per the TCS 16:05:07 jeff has joined #dnt 16:05:12 +Jeff 16:05:16 Brooks has joined #dnt 16:05:32 +Brooks 16:05:40 justin: In TPE there is qualifier field - is it proposing tha the qualifiers are in TCS? 16:05:56 fielding: yes, it would be defined in TCS 16:06:05 q+ 16:06:22 fielding: don’t disagree with Nick’s point that we can agree with certain baseline of requirements. 16:07:07 justin: what else woudl be needed to be added to TCS? Do we need to provide syntax for signaling in TPE? What else do we need to do? 16:07:18 fielding: we would just define the qualifers. 16:07:27 ack npd 16:07:30 Chapell has joined #DNT 16:07:44 npdoty: copy over qualifiers indicating permitted uses. 16:07:48 I thought we’d define the restrictions in this section, but I don’t mind deferring the actual restrictions to the qualifiers 16:08:04 action: doty to add qualifiers in an appendix to TCS 16:08:05 Created ACTION-454 - Add qualifiers in an appendix to tcs [on Nick Doty - due 2014-07-23]. 16:08:13 -Chris_M 16:08:25 dsinger: I guess that works, but it is supposed to be functional. 16:08:45 q+ 16:08:50 +??P42 16:09:01 Zakim, who is making noise? 16:09:11 npdoty, listening for 10 seconds I heard sound from the following: 20 (13%), Carl_Cargill (4%), justin (58%), ??P42 (33%) 16:09:18 Zakim, mute ??p42 16:09:18 ??P42 should now be muted 16:09:19 +Chapell 16:09:19 vincent has joined #dnt 16:09:20 just dialed back in 16:09:27 ack npd 16:09:32 zakim, who is on the phone? 16:09:32 On the phone I see npdoty, Carl_Cargill, Jack_Hobaugh, Fielding, hefferjr, [Apple], ChrisPedigoOPA, robsherman, justin, eberkower (muted), RichardWeaver, WileyS, vinay, [FTC], 16:09:35 ... moneill2, +1.323.253.aadd, kulick, Jeff, Brooks, ??P42 (muted), Chapell 16:09:35 [Apple] has dsinger 16:09:36 +vincent 16:09:51 npdoty: I think we do have requirements now prohibiting collecting and shared use. I thought David’s point was to narrow. 16:10:13 npdoty: we can specify more concretely in the qualifiers. 16:10:23 justin: is the next step for you to port over the qualifiers? 16:10:47 -npdoty 16:10:48 justin: are we saying in the TCS that to conform you need to solve the limits within the TCS? 16:10:54 q? 16:11:22 justin: probably makes sense for nick to bring over the qualifiers. 16:11:23 +npdoty 16:11:43 q? 16:12:27 npdoty: have to bring over the qualifiers. May need clarification on different tracking statuses. 16:12:43 more actions for me, yay! 16:12:55 justin: makes sense. try to do that. can’t work out on the phone. send to list. 16:13:05 action: doty to update TCS to correspond to specific tracking status values 16:13:05 Created ACTION-455 - Update tcs to correspond to specific tracking status values [on Nick Doty - due 2014-07-23]. 16:13:11 q? 16:13:14 action-455: re issue-203 16:13:14 Notes added to action-455 Update tcs to correspond to specific tracking status values. 16:13:21 justin: any question on this section in general? 16:13:27 justin: none 16:13:28 -Brooks 16:13:31 https://www.w3.org/wiki/Privacy/TPWG/Change_Proposals_on_link_shorteners_and_ID_providers 16:13:36 Justin: moveing onto link shorteners 16:13:43 action-455: also, take a pass at the issue-203 suggestion of narrowing to "tracking" 16:13:43 Notes added to action-455 Update tcs to correspond to specific tracking status values. 16:13:46 Zakim, take up agendum 2 16:13:47 agendum 2. "issue-97 link shorteners" taken up [from npdoty] 16:13:53 justin: two issues: one link shortners exist. disagreement in the group. 16:13:55 +Brooks 16:14:07 justin: some say just trying to get to the stuff. 16:14:28 justin: we should try to merge two proposals 16:14:57 justin: rephrasing of Mike and Walter’s proposals 16:15:21 justin: Nic added explanatory language 16:15:38 q+ to discuss the ugly case where the only thing the user is aware of, when they click, is a shortener? 16:16:17 dsinger: regarding Mike’s text. sometimes given a link and don’t know where it is going. 16:16:27 Then don't click 16:16:31 dsinger: don’t know they will end up at NYTimes. 16:16:38 dsinger: torn about this one. 16:16:45 q+ 16:16:52 ack ds 16:16:52 dsinger, you wanted to discuss the ugly case where the only thing the user is aware of, when they click, is a shortener? 16:16:55 Don't all tools allow a user to hover (non-mobile use case) to discover the link destination? 16:17:40 +q 16:17:51 dsinger: worried about nefarious devices 16:18:12 I think HTTP redirect or Javascript redirect aren't materially different, which I did try to note in the example 16:18:18 justin: can’t get to every single edge case but could offer more clarity. 16:18:24 ack fielding 16:18:35 fielding: we need to ask ourselve what is the privacy concern. 16:18:58 Carl_Cargill has joined #dnt 16:19:04 fielding: this is solved by the definition of tracking. 16:19:22 fielding: without regard to first or third party. 16:19:37 q+ to respond to fielding on context 16:19:45 justin: is it evident through context? 16:21:33 q+ to ask Roy about parties 16:21:34 fielding: the definition of tracking - DNT:1 - it is either tracking or it is not tracking. Can reach an agreement with the user or qualify under a permitted use. 16:21:39 jeff_ has joined #dnt 16:21:49 fielding: can limit retention of user identity. 16:22:03 Any link a user knowingly clicks on is "within context" as the user made a concious choice to interact with that link and the in most cases the exact URL is easily discoverable. 16:22:19 fielding: fact that first party or not is not applicable here. what is the effect on the user. is it tracking or not. 16:22:33 ack mon 16:22:41 justin: still some confusion in the group 16:23:42 ShanWiley, it is always going to be within a context -- but that is not the same context as the destination link unless the shortener is owned by the same owner of the destination. 16:23:45 moneill: subset of tracking. can be a way to get around third-party cookies. Should be mentioned. needs text. 16:23:54 ack npd 16:23:54 npdoty, you wanted to respond to fielding on context 16:24:05 s/ShanWiley/ShaneWiley/ 16:24:30 npdoty: what might be confusing is that clicking on the link may create a new context? 16:25:41 ack ds 16:25:41 dsinger, you wanted to ask Roy about parties 16:25:43 justin: the edge question is the intermediaries 16:26:01 Roy, since the user clicked on the link knowingly they entered that context directly - making it a first party to the transaction. This isn't about hidden 3rd parties where user's don't directly interact - this is about direct interaction. 16:26:24 dsinger: but TCS handles first and third parties differently. should we remove those distinctions in the TCS? 16:26:57 (that is, rather than redefining context, there seems to be a difference between clicking on a link on a site and a service that redirects) 16:27:04 fielding: right, I have requested that change. it is across different contexts. 16:27:46 q+ 16:27:48 justin: may not be that hard to make these changes. 16:28:06 justin: should tackle as part of Issue 203 16:28:24 ack chris 16:28:25 justin: maybe this is a subset but can be addressed at same time. 16:28:31 +q 16:28:32 q+ to ask about action items here 16:28:42 ChrisP: oppose removing first and third party distinctions 16:29:11 ChrisP: having the distinction is important for clarity. link shortners are an edge case. 16:29:26 +1 to Chris - this began with focus on 3rd parties (invisible to end users) and we're now moving to a much more nuanced position that will be openly argumentative on where the rules apply 16:29:37 justin: first and third party distinction have been part of this since day one. not just about the link shortners. 16:29:52 -q 16:30:01 ChrisPedigoOPA, its not just link shortners, any domain redirection 16:30:23 I have to reiterate that TCS has not made progress exactly because this has been a blocking factor since Day 1. 16:30:47 robsherman: having this discussion since the beginning of the group. we keep having this discussion. should focus on link shortners and not upend the entire spec. 16:30:59 q+ 16:31:02 WileyS has joined #dnt 16:31:34 If you decide not to do something and the problems from that decision keep resurfacing, isn't that exactly when you should revisit? 16:31:51 npdoty: action items? 16:32:19 npdoty: have attempted to change language to refer to party’s given action. 16:32:45 npdoty: have more changes to make regarding narrowing of tracking. 16:32:52 ack fielding 16:33:06 Just to clarify the scribing of my point — Most of us agree that the first party/third party distinction has been inherent to our discussion since the beginning of the group, and we've decided that's a distinction we want to preserve. A few people have recently re-raised the question in the context of various issues, and I'm suggesting that we recognize as a working group that we've already resolved the first party/third party question and not try to kee[CUT] 16:33:21 SWiley has joined #dnt 16:34:06 fielding: i would expect those sections to just be retitled. the point here is to make progress. tried to describe way to make progress like we did in the TPE. hope to not be held back by first party and third party decision. 16:34:07 +WileyS.a 16:34:35 I proposed dropping the first/third distinction a long time ago, and I did not succeed 16:34:48 q+ 16:34:51 q- 16:35:15 justin: don’t think there is a fundamental disagreement about who the rules apply to. This is really a question of symantics. 16:35:36 ack chris 16:35:56 across multiple domains is a lot clearer and easier to understand 16:36:21 the problem is that the question “is the link shortener a first or third party?” hinges on whether there is a distinction 16:36:25 ChrisP: we are now blowing up into a global conversation about radical changes. not needed. It is about what the user expects. let’s focus on the link shortener. 16:36:42 yeah, focusing on issues is useful 16:37:30 justin: Roy, do you want to put together langauge for issue 203? 16:37:32 fielding: ok 16:37:33 yeah, issue-203 (which we just discussed) is probably more relevant 16:37:50 ok 16:38:05 q+ 16:38:10 ack npd 16:38:12 justin: Walter/Mike can you take a look and see if there is a middle ground? 16:38:24 action fielding to propose text for wider changes around issue-203 16:38:25 Created ACTION-456 - Propose text for wider changes around issue-203 [on Roy Fielding - due 2014-07-23]. 16:38:45 npdoty: what about existing text? 16:38:51 we also have Ian Fette’s very old text 16:38:54 justin: some may want existing text. 16:39:03 SWiley, did you want alternative text, or the existing text? 16:39:35 I need to review again 16:39:54 okay, thanks SWiley, here's the wiki page: https://www.w3.org/wiki/Privacy/TPWG/Change_Proposals_on_link_shorteners_and_ID_providers 16:39:56 justin: identify providers issue. no one has really jumped on this issue to provide text. not going to make anyone do that. invitation to do so. 16:40:04 q? 16:40:06 justin: will keep that issue open a little bit longer. 16:40:11 Zakim, take up agendum 3 16:40:11 agendum 3. "deidentification" taken up [from npdoty] 16:40:23 https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Deidentification 16:40:28 As I think this is an unnessary corner case, it appears current text is best (does not address OpenAuth/OpenID) 16:40:30 justin: moving onto deidentification. 16:40:57 justin: resorted the proposals into 4. Was 3 with a new proposed earlier today. 16:41:21 SWiley, sorry, we get these issues confused sometimes. you don't want additional text on identity provider? or don't want additional text on link redirection? 16:42:24 justin: summary: first from dsinger: slightly restated what is in editors text. see text. Roy’s proposal: similar. see text in wiki. 16:43:32 justin: new proposal based on article 29 from vincent. see wiki text. 16:43:58 I meant a particular user (device is only important if it indirectly identifies a user, in which case it is covered by this definition) 16:44:12 vincent: explanation from vincent. 16:44:18 to Roy: curious to know why your definition doesn’t use the defined term “tracking” 16:44:35 I thought typically we had referred to "user, user agent or device" 16:44:46 dsinger, it was written a long time ago 16:44:53 ok, ditto 16:45:19 The trouble is that you if you can identify a device, you have a very low level of confidence that it cannot identify a user 16:45:23 q+ 16:45:35 justin: for a tracking cookie. it only ids a device. would that qualify as de-identified? 16:45:38 fielding: no 16:45:46 ack ds 16:46:00 q- 16:46:04 dsinger: if a device can be identified then no level of confidence a user cannot be identified. 16:46:27 justin: just not having PII will not be sufficient. 16:47:02 add: "or that user's device" to my proposal 16:47:37 fielding, "user, user agent or device"? 16:47:57 justin: Jack’s proposal. summarization. similar to what HIPAA has today. see wiki text. 16:48:35 npdoty, and that is why I did not add it originally -- the mechanism doesn't matter. 16:48:39 Justin are we now using the term cookie interchangeably with unique cookie? 16:48:53 Consistent ID but does not link back to operational systems 16:48:53 justin: may be similar to red/yellow/green tri-state approach. 16:49:19 One-way secret hash, for example. Key is secured and not accessable post processing. 16:49:29 Brooks, I think justin did mean a cookie with a unique identifier, which he had referred to earlier 16:49:41 actually, never mind -- now I made my proposal ambiguous. I am backing out that change. 16:49:42 q? 16:49:50 justin: questions? 16:50:01 there certainly are lots of cookies that wouldn't be relevant at all (like language pref) 16:50:10 justin: giving folks some time to think about these proposals. 16:50:34 justin: possible we will need to go to call for objections. is there any way to merge. 16:50:38 Agree - just want to be clear on that as I see triangulation being a question eventually 16:50:44 Zakim, take up agendum 4 16:50:44 agendum 4. "issue-210 interaction with existing controls" taken up [from npdoty] 16:50:46 https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Existing_Controls 16:51:04 justin: last issue for today. interactions between controls. 16:51:38 justin: how does the server sort out the signals. currently the TCS has a matrix. 16:52:03 justin: proposal simplifies this matrix. see text on wiki. 16:52:31 justin: C field can be used for out of band exceptions. 16:52:35 -RichardWeaver 16:52:38 q? 16:52:46 I think we should try to make the documents ‘stand alone’ and define general principles (as Amy does) 16:52:46 justin: questions on this issue or thoughts? 16:52:54 I'd be fine to just make Amy's change as suggested 16:53:09 fine by me 16:53:25 justin: will send note to list to see if anyone objects. 16:53:37 Topic: AOB 16:53:43 justin: Nick created issues from comments on TPE. 16:54:07 justin: hoping to have response from chairs starting next week if not within 2 weeks. 16:54:17 q? 16:54:25 -ChrisPedigoOPA 16:54:28 -hefferjr 16:54:29 -justin 16:54:30 -Brooks 16:54:30 -Carl_Cargill 16:54:31 -vinay 16:54:31 -npdoty 16:54:31 - +1.323.253.aadd 16:54:32 justin: thanks all. have good rest of week. will send follow-up emails. 16:54:33 -[FTC] 16:54:33 -Chapell 16:54:33 -eberkower 16:54:34 -[Apple] 16:54:34 -vincent 16:54:34 -Fielding 16:54:36 -??P42 16:54:36 -kulick 16:54:38 -robsherman 16:54:42 -moneill2 16:54:47 Zakim, list attendees 16:54:47 As of this point the attendees have been npdoty, Carl_Cargill, Jack_Hobaugh, Fielding, hefferjr, ChrisPedigoOPA, dsinger, +1.202.370.aaaa, robsherman, justin, +1.646.654.aabb, 16:54:51 ... eberkower, RichardWeaver, WileyS, +1.917.934.aacc, [FTC], vinay, moneill2, +1.323.253.aadd, kulick, Chris_M, Jeff, Brooks, Chapell, vincent 16:54:51 -Jack_Hobaugh 16:54:56 -WileyS.a 16:54:57 rrsagent, please draft the minutes 16:54:57 I have made the request to generate http://www.w3.org/2014/07/16-dnt-minutes.html npdoty 16:55:24 Zakim, bye 16:55:24 leaving. As of this point the attendees were npdoty, Carl_Cargill, Jack_Hobaugh, Fielding, hefferjr, ChrisPedigoOPA, dsinger, +1.202.370.aaaa, robsherman, justin, +1.646.654.aabb, 16:55:24 Zakim has left #dnt 16:55:27 rrsagent, bye 16:55:27 I see 2 open action items saved in http://www.w3.org/2014/07/16-dnt-actions.rdf : 16:55:27 ACTION: doty to add qualifiers in an appendix to TCS [1] 16:55:27 recorded in http://www.w3.org/2014/07/16-dnt-irc#T16-08-04 16:55:27 ACTION: doty to update TCS to correspond to specific tracking status values [2] 16:55:27 recorded in http://www.w3.org/2014/07/16-dnt-irc#T16-13-05 16:55:28 ... eberkower, RichardWeaver, WileyS, +1.917.934.aacc, [FTC], vinay, moneill2, +1.323.253.aadd, kulick, Chris_M, Jeff, Brooks, Chapell, vincent