W3C

- DRAFT -

Tracking Protection Working Group Teleconference

16 Jul 2014

See also: IRC log

Attendees

Present
npdoty, Carl_Cargill, Jack_Hobaugh, Fielding, hefferjr, ChrisPedigoOPA, dsinger, +1.202.370.aaaa, robsherman, justin, +1.646.654.aabb, eberkower, RichardWeaver, WileyS, +1.917.934.aacc, [FTC], vinay, moneill2, +1.323.253.aadd, kulick, Chris_M, Jeff, Brooks, Chapell, vincent
Regrets
schunter, wseltzer
Scribe
JackHobaugh

<trackbot> Date: 16 July 2014

<npdoty> any volunteers to scribe today? should be short and straightforward

I will scribe

<npdoty> scribenick: JackHobaugh

justin: 4 issues to discuss today and a bit of data minimization per Roy

issue-203 use of "tracking"

<dsinger> issue-203?

<trackbot> issue-203 -- Use of "tracking" in third-party compliance -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/203

justin: to start - how we will use term tracking compliance document. see email to list

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Third_Party_Compliance

<npdoty> justin's summary email http://lists.w3.org/Archives/Public/public-tracking/2014Jul/0036.html

justin: here is what I think they do: David suggests - don’t use outside of permitted uses. Roy: mostly just signaling back to the user what you are actually doing.

<Chris_M> Just joined the call

<fielding> and that signal comes with corresponding requirements

justin: to comply with TCS - respond back with T and then limitations as per the TCS
... In TPE there is qualifier field - is it proposing that the qualifiers are in TCS?

fielding: yes, it would be defined in TCS
... don’t disagree with Nick’s point that we can agree with certain baseline of requirements.

justin: what else would be needed to be added to TCS? Do we need to provide syntax for signaling in TPE? What else do we need to do?

fielding: we would just define the qualifiers.

npdoty: copy over qualifiers indicating permitted uses.

<dsinger> I thought we’d define the restrictions in this section, but I don’t mind deferring the actual restrictions to the qualifiers

<npdoty> ACTION: doty to add qualifiers in an appendix to TCS [recorded in http://www.w3.org/2014/07/16-dnt-minutes.html#action01]

<trackbot> Created ACTION-454 - Add qualifiers in an appendix to tcs [on Nick Doty - due 2014-07-23].

dsinger: I guess that works, but it is supposed to be functional.

<Chris_M> just dialed back in

npdoty: I think we do have requirements now prohibiting collecting and shared use. I thought David’s point was to narrow.
... we can specify more concretely in the qualifiers.

justin: is the next step for you to port over the qualifiers?
... are we saying in the TCS that to conform you need to solve the limits within the TCS?
... probably makes sense for nick to bring over the qualifiers.

npdoty: have to bring over the qualifiers. May need clarification on different tracking statuses.

<npdoty> more actions for me, yay!

justin: makes sense. try to do that. can’t work out on the phone. send to list.

<npdoty> ACTION: doty to update TCS to correspond to specific tracking status values [recorded in http://www.w3.org/2014/07/16-dnt-minutes.html#action02]

<trackbot> Created ACTION-455 - Update tcs to correspond to specific tracking status values [on Nick Doty - due 2014-07-23].

<npdoty> action-455: re issue-203

<trackbot> Notes added to action-455 Update tcs to correspond to specific tracking status values.

justin: any question on this section in general?
... none

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposals_on_link_shorteners_and_ID_providers

Justin: moving onto link shorteners

<npdoty> action-455: also, take a pass at the issue-203 suggestion of narrowing to "tracking"

<trackbot> Notes added to action-455 Update tcs to correspond to specific tracking status values.

issue-97 link shorteners

justin: two issues: one link shorteners exist. disagreement in the group.
... some say just trying to get to the stuff.
... we should try to merge two proposals
... rephrasing of Mike and Walter’s proposals
... Nick added explanatory language

dsinger: regarding Mike’s text. sometimes given a link and don’t know where it is going.

<ShaneWiley> Then don't click

dsinger: don’t know they will end up at NYTimes.
... torn about this one.

<Zakim> dsinger, you wanted to discuss the ugly case where the only thing the user is aware of, when they click, is a shortener?

<ShaneWiley> Don't all tools allow a user to hover (non-mobile use case) to discover the link destination?

<moneill2> +q

dsinger: worried about nefarious devices

<npdoty> I think HTTP redirect or Javascript redirect aren't materially different, which I did try to note in the example

justin: can’t get to every single edge case but could offer more clarity.

fielding: we need to ask ourselves what is the privacy concern.
... this is solved by the definition of tracking.
... without regard to first or third party.

justin: is it evident through context?

fielding: the definition of tracking - DNT:1 - it is either tracking or it is not tracking. Can reach an agreement with the user or qualify under a permitted use.
... can limit retention of user identity.

<ShaneWiley> Any link a user knowingly clicks on is "within context" as the user made a conscious choice to interact with that link and in most cases the exact URL is easily discoverable.

fielding: fact that first party or not is not applicable here. what is the effect on the user. is it tracking or not.

justin: still some confusion in the group

<fielding> ShaneWiley, it is always going to be within a context -- but that is not the same context as the destination link unless the shortener is owned by the same owner of the destination.

moneill: subset of tracking. can be a way to get around third-party cookies. Should be mentioned. needs text.

<Zakim> npdoty, you wanted to respond to fielding on context

npdoty: what might be confusing is that clicking on the link may create a new context?

<Zakim> dsinger, you wanted to ask Roy about parties

justin: the edge question is the intermediaries

<ShaneWiley> Roy, since the user clicked on the link knowingly they entered that context directly - making it a first party to the transaction. This isn't about hidden 3rd parties where users don't directly interact - this is about direct interaction.

dsinger: but TCS handles first and third parties differently. should we remove those distinctions in the TCS?

<npdoty> (that is, rather than redefining context, there seems to be a difference between clicking on a link on a site and a service that redirects)

fielding: right, I have requested that change. it is across different contexts.

justin: may not be that hard to make these changes.
... should tackle as part of Issue 203
... maybe this is a subset but can be addressed at same time.

<robsherman> +q

ChrisP: oppose removing first and third party distinctions
... having the distinction is important for clarity. link shorteners are an edge case.

<ShaneWiley> +1 to Chris - this began with focus on 3rd parties (invisible to end users) and we're now moving to a much more nuanced position that will be openly argumentative on where the rules apply

justin: first and third party distinction have been part of this since day one. not just about the link shorteners.

<robsherman> -q

<moneill2> ChrisPedigoOPA, it's not just link shorteners, any domain redirection

<fielding> I have to reiterate that TCS has not made progress exactly because this has been a blocking factor since Day 1.

robsherman: having this discussion since the beginning of the group. we keep having this discussion. should focus on link shorteners and not upend the entire spec.

<Brooks> If you decide not to do something and the problems from that decision keep resurfacing, isn't that exactly when you should revisit?

npdoty: action items?
... have attempted to change language to refer to party’s given action.
... have more changes to make regarding narrowing of tracking.

<robsherman> Just to clarify the scribing of my point — Most of us agree that the first party/third party distinction has been inherent to our discussion since the beginning of the group, and we've decided that's a distinction we want to preserve. A few people have recently re-raised the question in the context of various issues, and I'm suggesting that we recognize as a working group that we've already resolved the first party/third party question and not try to kee[CUT]

fielding: i would expect those sections to just be retitled. the point here is to make progress. tried to describe way to make progress like we did in the TPE. hope to not be held back by first party and third party decision.

<dsinger> I proposed dropping the first/third distinction a long time ago, and I did not succeed

justin: don’t think there is a fundamental disagreement about who the rules apply to. This is really a question of semantics.

<moneill2> across multiple domains is a lot clearer and easier to understand

<dsinger> the problem is that the question “is the link shortener a first or third party?” hinges on whether there is a distinction

ChrisP: we are now blowing up into a global conversation about radical changes. not needed. It is about what the user expects. let’s focus on the link shortener.

<npdoty> yeah, focusing on issues is useful

justin: Roy, do you want to put together language for issue 203?

fielding: ok

<npdoty> yeah, issue-203 (which we just discussed) is probably more relevant

<moneill2> ok

justin: Walter/Mike can you take a look and see if there is a middle ground?

<fielding> action fielding to propose text for wider changes around issue-203

<trackbot> Created ACTION-456 - Propose text for wider changes around issue-203 [on Roy Fielding - due 2014-07-23].

npdoty: what about existing text?

<dsinger> we also have Ian Fette’s very old text

justin: some may want existing text.

<npdoty> SWiley, did you want alternative text, or the existing text?

<SWiley> I need to review again

<npdoty> okay, thanks SWiley, here's the wiki page: https://www.w3.org/wiki/Privacy/TPWG/Change_Proposals_on_link_shorteners_and_ID_providers

justin: identity providers issue. no one has really jumped on this issue to provide text. not going to make anyone do that. invitation to do so.
... will keep that issue open a little bit longer.

deidentification

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Deidentification

<SWiley> As I think this is an unnecessary corner case, it appears current text is best (does not address OpenAuth/OpenID)

justin: moving onto deidentification.
... resorted the proposals into 4. Was 3 with a new proposed earlier today.

<npdoty> SWiley, sorry, we get these issues confused sometimes. you don't want additional text on identity provider? or don't want additional text on link redirection?

justin: summary: first from dsinger: slightly restated what is in editors text. see text. Roy’s proposal: similar. see text in wiki.
... new proposal based on article 29 from vincent. see wiki text.

<fielding> I meant a particular user (device is only important if it indirectly identifies a user, in which case it is covered by this definition)

vincent: explanation from vincent.

<dsinger> to Roy: curious to know why your definition doesn’t use the defined term “tracking”

<npdoty> I thought typically we had referred to "user, user agent or device"

<fielding> dsinger, it was written a long time ago

<dsinger> ok, ditto

<dsinger> The trouble is that if you can identify a device, you have a very low level of confidence that it cannot identify a user

justin: for a tracking cookie. it only ids a device. would that qualify as de-identified?

fielding: no

dsinger: if a device can be identified then no level of confidence a user cannot be identified.

justin: just not having PII will not be sufficient.

<fielding> add: "or that user's device" to my proposal

<npdoty> fielding, "user, user agent or device"?

justin: Jack’s proposal. summarization. similar to what HIPAA has today. see wiki text.

<fielding> npdoty, and that is why I did not add it originally -- the mechanism doesn't matter.

<Brooks> Justin are we now using the term cookie interchangeably with unique cookie?

<SWiley> Consistent ID but does not link back to operational systems

justin: may be similar to red/yellow/green tri-state approach.

<SWiley> One-way secret hash, for example. Key is secured and not accessible post processing.

<npdoty> Brooks, I think justin did mean a cookie with a unique identifier, which he had referred to earlier

<fielding> actually, never mind -- now I made my proposal ambiguous. I am backing out that change.

justin: questions?

<npdoty> there certainly are lots of cookies that wouldn't be relevant at all (like language pref)

justin: giving folks some time to think about these proposals.
... possible we will need to go to call for objections. is there any way to merge.

<Brooks> Agree - just want to be clear on that as I see triangulation being a question eventually

issue-210 interaction with existing controls

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Existing_Controls

justin: last issue for today. interactions between controls.
... how does the server sort out the signals. currently the TCS has a matrix.
... proposal simplifies this matrix. see text on wiki.
... C field can be used for out of band exceptions.

<dsinger> I think we should try to make the documents ‘stand alone’ and define general principles (as Amy does)

justin: questions on this issue or thoughts?

<npdoty> I'd be fine to just make Amy's change as suggested

<moneill2> fine by me

justin: will send note to list to see if anyone objects.

AOB

justin: Nick created issues from comments on TPE.
... hoping to have response from chairs starting next week if not within 2 weeks.
... thanks all. have good rest of week. will send follow-up emails.

Summary of Action Items

[NEW] ACTION: doty to add qualifiers in an appendix to TCS [recorded in http://www.w3.org/2014/07/16-dnt-minutes.html#action01]
[NEW] ACTION: doty to update TCS to correspond to specific tracking status values [recorded in http://www.w3.org/2014/07/16-dnt-minutes.html#action02]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-07-16 16:55:02 $
