15:57:07 RRSAgent has joined #dnt 15:57:07 logging to http://www.w3.org/2014/10/22-dnt-irc 15:57:09 RRSAgent, make logs world 15:57:09 Zakim has joined #dnt 15:57:11 Zakim, this will be TRACK 15:57:12 Meeting: Tracking Protection Working Group Teleconference 15:57:12 Date: 22 October 2014 15:57:13 ok, trackbot; I see T&S_Track(dnt)12:00PM scheduled to start in 3 minutes 15:57:23 npdoty has changed the topic to: 22 October: http://lists.w3.org/Archives/Public/public-tracking/2014Oct/0081.html 15:57:31 regrets+ wileys, dsinger 15:57:34 T&S_Track(dnt)12:00PM has now started 15:57:42 +Fielding 15:59:22 +npdoty 15:59:43 +hefferjr 15:59:58 +Wendy 16:00:13 + +31.65.275.aaaa 16:00:20 +[IPcaller] 16:00:31 schunter has joined #dnt 16:00:32 Zakim, IPcaller is me 16:00:32 +walter; got it 16:01:06 kulick has joined #dnt 16:01:19 justin has joined #dnt 16:01:29 zakim, who is on the phone? 16:01:29 On the phone I see Fielding, npdoty, hefferjr, Wendy, +31.65.275.aaaa, walter 16:01:30 ChrisPedigoDCN has joined #dnt 16:01:35 +Carl_Cargill 16:02:01 Zakim, aaaa is rvaneijk 16:02:01 +rvaneijk; got it 16:02:03 +kulick 16:02:11 +Chris_Pedigo 16:02:31 +justin 16:02:40 moneill2 has joined #dnt 16:02:46 WileyS has joined #DNT 16:02:50 vincent has joined #dnt 16:03:02 eberkower has joined #dnt 16:03:04 I didn't make any progress this week, sadly 16:03:25 +[IPcaller] 16:03:26 scribenick: kulick 16:03:36 zakim, [IPCaller] is me 16:03:36 +moneill2; got it 16:03:48 justin: next week TPAC for W3C meeting, so no call next week 16:03:59 +eberkower 16:04:02 2 TPE issues 16:04:06 issue-262? 16:04:06 issue-262 -- guidance regarding server responses and timing -- pending review 16:04:06 http://www.w3.org/2011/tracking-protection/track/issues/262 16:04:08 issue 262 16:04:14 Zakim, mute me please 16:04:14 eberkower should now be muted 16:04:46 ... we talked about DNT signal when passing on outside of browser/client 16:04:51 +WileyS 16:05:03 ... nick sent something last night 16:05:21 +vincent 16:05:26 Nick's proposal: http://lists.w3.org/Archives/Public/public-tracking/2014Oct/0082.html 16:05:27 npdoty: you might be talking to alot of servers and not know in advacnce 16:05:43 +q 16:05:47 ... we already have a signal... we might be able to use 16:06:06 ... tk headers might not be good for 24 hrs 16:06:23 ... very small change to cache response headers 16:06:31 regrets- wileys 16:06:37 ... we can respond to commeter about using ? 16:06:37 ack wiley 16:06:52 shane: 2nd part of nick 16:07:24 ... 's email covered whther bid recp can use and Nick felt couldnt be use 16:08:14 ... (paraphrasing) nick brought up race condition, shane feels it is edge case 16:08:30 wileys is referring to a separate email, my response about recent knowledge: http://www.w3.org/mid/F6D11A37-A720-4DD6-916E-013F64DC2FE3@w3.org 16:08:32 q+ 16:08:34 agree with Nick's summary; basically, we just need to say that the Tk response's TSV applies to the current request and the resource-specific tracking status resource would have to be specific to the winning bidder 16:09:05 ... we can solve vast majority and could find acceptable solution to very high edge case 16:09:59 +q 16:10:08 Changing their DNT setting wouldn't change the UGE 16:10:18 WaltMichel has joined #DNT 16:10:36 npdoty: some cases where svr has more accurate info where exception... there are also cases where users change DNT settings... not sure which are more likely... i was trying to get across that users would lose confdence if they kept getting signals back related to the signal 16:10:38 Nick, are you saying their is a "special mode" that invalidates all previously provided UGEs? 16:10:39 WileyS: do you foresee usage of UGE in a DNT:0 situation? 16:10:47 ack vincent 16:10:47 ah, ok, I get your point 16:11:00 Walter, no need for a UGE in a DNT:0 situation. 16:11:06 vincent: unclear to meif these are data processors or service provider 16:11:33 WileyS, I could imagine a UA that gave me a setting for a private browsing mode, where it would always send DNT:1, even while DNT:0 is configured for some servers 16:11:45 I personally would use that mode when researching medical issues, for example 16:11:55 ... not clear how it is going to work 16:12:05 justin: huh? 16:12:19 Nick, UGE trumps DNT:1 - even in a "private mode" 16:12:33 vincent: bidders might not prov response at same time... are they SPs? 16:12:42 Nick, we've not created a DNT signal that trumps all previous UGEs 16:12:51 justin: ad network is not a data processr, but a SP 16:13:03 ack mo 16:13:05 no they are not even SP 16:13:18 and I don't hink justin said that either 16:13:29 vincent, right I don't think they are service providers. 16:13:30 Wileys, an advantage of storing DNT:0 in the user agent is that the user can control them, and decide not to keep the exception at all times 16:13:32 kulick: ad network _is_ a data processor 16:13:35 mike: the ad exchg to respond would have to have a memory of the user 16:13:50 kulick: but I would agree that they are attributable to the 1st party 16:13:58 Nick, we're storing the UGE with the UA - that's the point. 16:13:59 (sorry botu that... thx walter) 16:14:30 justin: what are implications of that? 16:14:39 but it proves the problem of the 1st/3rd party distinction 16:14:43 mike: i dont think shane's is an answer 16:14:45 q+ to respond about service provider 16:14:55 ... wrt dynamic response... how does it calc it? 16:14:58 ack npd 16:14:58 npdoty, you wanted to respond about service provider 16:15:06 npdoty: maybe they are the same 16:15:26 An "Ad Exchange" then communicates to "Ad Networks" - just so we're all clear 16:15:32 ... the end user is copmm with ad server... servers are comm'ing with other servers 16:15:58 but they are still sharing the data with several entites 16:16:01 .... whoever wins bid needs to send response value 16:16:06 In many transactions the bid winner never communicates with the UA 16:16:27 The Ad Exchange simply serves the ad if they're holding the creative 16:16:39 justin: bid losers wouldnt be able to signal anything? 16:16:44 npdoty: yep 16:17:02 mike: (scribe fail) 16:17:03 The ad network has the user's identity through cookie mapping 16:17:17 yeah, the contents of the request are forwarded along, as I understand it 16:17:24 ... which would include cookies and URL parameters 16:17:31 which is problematic indeed 16:17:34 justin: clear division of value4s trying to be addressed, likely to go CfO 16:17:42 q? 16:17:44 ... want to give another week to find compriomise 16:17:53 My concern is that everyone doesn't appear to be very clear on how an Ad Exchange works. 16:18:08 ... folks invited to respond to proposals 16:18:13 speaker? 16:18:16 rob? 16:18:23 will the cfo be on the tehcnical solution or the fact that ad-exhcange can propagate teh signal when they receive DNT:1? 16:18:24 WileyS: I'm very willing to be educated on that topic, and so are others I presume 16:18:44 rvaneijk: anyway to differientiate targeted v. non targeted ad? 16:18:48 q+ on what our options are 16:19:02 The Ad Exchange doesn't know - and there isn't a signal to pass that information on to the Ad Exchange by the bid winner today (something we're working on in the AdChoices Metadata working group) 16:19:07 justin: (scribe fail) 16:19:31 justin: tracking is not identical to whether a particular ad is targeted 16:19:52 All Ad Exchanges all support all forms of ad serving 16:19:54 rvaneijk: if one sets DNT, they dont want targeting, therefore, trying to understand at protocol level if distinction can be made 16:20:09 +q 16:20:11 ack npd 16:20:11 npdoty, you wanted to comment on what our options are 16:20:17 contextual, retargeting, profiling, demo, etc. 16:20:57 npdoty: wrt to auctions... i want to understand the caching of tk headers 16:21:17 q+ 16:21:22 npdoty: are all options represented currently? 16:21:42 ack mon 16:21:48 q+ 16:22:03 mike: if ad ex doesnt pass uniq id for that user 16:22:14 ... that would be fine wrt DNT 16:22:18 ... the key is 16:22:33 ... is the ad exch allow to pass downstream uniq user id 16:22:42 It needs to pass an ID to support even basic ad serving (zero targeting0 16:22:51 s/0/) 16:22:55 justin: if no uniq, does fall under tracking 16:23:05 ... (scribe fail) 16:23:18 ack vincent 16:23:20 Carl has joined #dnt 16:23:22 Ad networks need to retain some information even for basic billing and security purposes 16:23:46 right, in theory, you could pass only the URL, stripped of any identifiers/cookies/etc, to other servers and certainly not be tracking 16:24:03 vincent: 3rd proposal, if ad exch gets DNT:1 16:24:05 what? 16:24:07 sure 16:24:09 WileyS, but for the exchange model, is the ad exchange retaining data for more than just the purposes of the fulfilling ad or ad network 16:24:25 ack fielding 16:24:44 roy: note: our conv last week was related to response had to be valid for 24 hrs 16:25:03 ... tk_respnse header field would be for current response only 16:25:03 Nick, no - there are strict contractual controls which only allow the bid winner to retain data for the purpose of processing. 16:25:10 roy, is that accurate? 16:25:17 Will do 16:25:36 justin: Shane, please provide your objections to Nick's proposal... please write it up for digestion for folks 16:25:40 q? 16:25:47 WileyS, great. so I think we are good with the service provider definition as is. 16:25:54 Sure 16:26:02 rvaneijk: Shane, can I re-input it for later this week? 16:26:03 q? 16:26:17 justin: anyone else on this issue? 16:26:18 close enough … Nick and I talked about the 24-hour issue last week after the call and decided that making the Tk header field indicate only for the current request would be sufficient for Shane's use case 16:26:44 ... roy, please iterate on nick's proposal, shane please send your obj 16:26:57 ... hard issue, we have more work to do on this one 16:27:10 ... close on most of remaining issues 16:27:19 issue-266? 16:27:19 issue-266 -- automatic expiration of a tracking preference exception via API parameter -- raised 16:27:19 http://www.w3.org/2011/tracking-protection/track/issues/266 16:27:24 ... some discussion about issue 266 16:27:56 ... any objections to mike's suggestion to add parameters in? 16:28:08 As long as they aren't mandatory. They won't ever be used (not voluntarily) 16:28:20 ... any objs if params arent used if they go away 16:28:27 WileyS, I think the suggestion is that it would be an optional parameter. 16:28:36 ... pls dscribe nick 16:28:37 "At risk" means that if no one implements the feature then it will be removed from the standard 16:29:08 npdoty: when going to call for implementation... if no one imps feature and we called feature at-risk, then we would remove 16:29:21 ... this would happen before proposed recommendation 16:29:56 mike: want to hear from browser companies 16:30:03 +1, getting feedback from browsers would be useful. as would feedback from sites that would want to use it 16:30:04 I think the current plan is to add some expiration or max-use (delta seconds) values to the UGE interfaces in a way that won't effect the interface signature. 16:30:16 rvaneijk: imp not relevant for us, but that the toolbox retains such a feature 16:30:40 sorry correction 16:30:46 rvaneijk: imp not as relevant for us, but that the toolbox retains such a feature 16:30:56 justin: nick, thoughts on that? 16:31:28 npdoty: main issue is that it slows down procees to convergence 16:32:07 justin: (scribe fail) 16:32:39 ... other process might conflict with at-risk status 16:33:14 ... torn at at-risk status... maybe I should email for thots 16:33:45 rvaneijk: (bg noise... having trouble deciphering) 16:34:00 q? 16:34:05 if we expect no one will start implementing or try to use for a number of years, and we can't convince any browsers to implement it before then, I'm concerned about including it 16:34:12 thx npdoty 16:34:26 but if it's likely to see regulatory requirements and be useful, then I hope we can convince implementation (or some alternative) sooner, rather than later 16:34:29 justin: one more new issues that nick found 16:34:29 issue-267? 16:34:29 issue-267 -- registration of DNT/Tk header fields and ./well-known/dnt URI -- raised 16:34:29 http://www.w3.org/2011/tracking-protection/track/issues/267 16:34:34 ... issue 267 16:35:00 npdoty: it is a last call comment 16:35:04 schunter has joined #dnt 16:35:18 ... track header fields and URIs for standards... 16:35:39 need to follow process to share these 16:35:47 justin: when? 16:35:56 roy: whenever we want 16:36:05 ... once registered, can't un-reg 16:36:18 are we planning to change any of these names, though? 16:36:28 justin: roy, can u remind us on your todo list? 16:36:49 roy: with new ones today, i have describe JSON formats 16:37:26 +1, we don't care :) 16:37:31 ... no one in working group cares about these changes 16:37:37 +1 16:37:48 justin: anything else on TPE? 16:37:50 q? 16:37:51 16:37:52 issue-24? 16:37:52 issue-24 -- Possible exemption for fraud detection and defense -- pending review 16:37:52 http://www.w3.org/2011/tracking-protection/track/issues/24 16:38:01 .... now issue 24 16:38:45 ... shane obj to graduated resp... he and david worked on some new lang.... nick was going to propose a merger of some lang he had objs to 16:38:56 npdoty: I have submited propose yet 16:39:10 justin: on isse 235 on auditability 16:39:13 Topic: Compliance issues 16:39:14 action: doty to propose merger of security language 16:39:14 Created ACTION-462 - Propose merger of security language [on Nick Doty - due 2014-10-29]. 16:39:32 ... shane and amy mentioned not sure what it meant 16:39:35 Yes, I will do so 16:39:42 ... asked walter to craft guidance lang 16:39:50 ack walter 16:39:51 ... want to share walter? 16:40:36 walter: i'll provide write up with general principles and current thinking 16:40:40 justin: okay 16:40:55 walter: more focused on gen principles and not prescriptive 16:41:24 q? 16:41:29 walter, were you looking for non-normative examples? or normative requirements? 16:41:31 justin: good, but some specificity might be helpful to get meeting of the minds 16:41:42 issue-148? 16:41:42 issue-148 -- What does DNT:0 mean? -- pending review 16:41:42 http://www.w3.org/2011/tracking-protection/track/issues/148 16:41:45 ... two more issues 16:41:50 ... iusssue 148 16:41:59 ... def of DNT:0 16:42:06 npdoty: I want to encapsulate some general EPD auditing principles or refer to them, but that takes some looking into global standards in that field 16:42:10 " When a user sends a DNT:0 signal, the user is expressing a preference to allow tracking. This recommendation places no restrictions on collection or use of data from network interactions with DNT:0 signals. Note, however, that a party might be limited by its own statements to the user regarding the DNT:0 setting. " 16:42:17 ... nick sent some lang on this to the group... nick, care to describe? 16:42:19 npdoty: luckily I have some EDP auditors around at my day job 16:42:45 http://lists.w3.org/Archives/Public/public-tracking/2014Oct/0085.html 16:42:56 npdoty: please provide feedback.... took away personalization, just speaks to tracking and some statements related to UGEs 16:43:08 ... I would appreciate review 16:43:33 npdoty, that text ok with me 16:43:39 Yes, I would support such language 16:43:40 justin: consent you give is limited by the offer presented 16:44:01 ... pending review... raise concerns people 16:44:02 great. 16:44:06 ... final issue 203 16:44:09 issue-203? 16:44:09 issue-203 -- Use of "tracking" in third-party compliance -- open 16:44:09 http://www.w3.org/2011/tracking-protection/track/issues/203 16:44:14 ... how to use tracking in the document 16:44:35 ... stuck on ths for a while... roy proposed a considerable re-writting... 16:45:07 http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Third_Party_Compliance 16:45:30 ... not sure how to resolve... nick and roy are generally agreemd on what we want to accomplish... not agreeing on implementation of lang 16:45:36 q? 16:45:39 ... personally, I don't care 16:45:45 +q 16:45:51 ack mo 16:45:54 ... anyone within the group have strong feelings on this one? 16:46:16 There are no restrictions on user IDs...? 16:46:25 mike: user ids, i prefer david's proposal b/c it retains user id restrictions, Roy's doesnt have this, right? 16:46:38 justin: i am confused by your statement 16:46:48 ... both relate to tracking data 16:46:58 ... both would include uniq ids 16:47:11 q? 16:47:11 ... not seeing the delta you are referencing 16:47:26 roy: (scribe fail) 16:47:45 mike: check out david's section (normative bit) 16:48:17 I don't think there's a difference, except for where that paragraph is located 16:48:38 ... my POV is the approach of having some personal data b/c has id and is going acrtoss contexts is a problem 16:48:50 "Outside the permitted uses and explicitly-granted exceptions listed below, a third party to a given user action MUST NOT collect, share, or associate with related network interactions any identifiers that identify a specific user, user agent, or device. For example, a third party that does not require unique user identifiers for one of the permitted uses MUST NOT place a unique identifier in cookies or other browser-based local storage mechanisms." 16:48:53 justin: data min lang is agreed upon and close issue 16:49:14 ... (paraphrase) we've covered this in data min 16:49:14 None are reasonably available so that solves that issue... 16:49:24 ... roy are you proposing to elim that lang 16:49:27 roy: yes 16:49:45 justin: this is a long standing core issue... 16:49:58 that language ^ above is present in both proposals, though in different sections 16:50:12 ... this is resolved previously 16:50:53 mike: (scribe fail) 16:51:21 roy: i was thinking do not add thinks that you do not need 16:51:30 justin: do redundant? 16:51:41 justin: so redundant? 16:51:42 Have to drop a bit early - apologies (heading to the airport and its raining so may take longer that I hope) 16:51:43 roy: yes 16:52:00 -WileyS 16:52:09 justin: conceptually, you dont see a diff between yours and david's? 16:52:18 roy: no, there is a diff 16:52:42 ... not in david's b/c his scope is less 16:54:03 ... diff example: (paraphrase) can collect a cookie and not retain, therefore is not breaking DNT 16:56:04 ... accepting cookies (which could be an id) isn't necessarily mean there is tracking, but way it is wrtiten, this doesnt match 16:56:48 (scirbe is waiting for conclusion to paraphase etire conv) 16:56:52 q+ 16:57:18 ack npd 16:57:22 justin: I dont see diff, just need to convey clearly 16:57:50 npdoty: i dont see a big difference 16:58:01 http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203b.html#data-minimization-and-transparency 16:58:01 ... there is something else in gen req section 16:58:22 npdoty: see 3.4.1.1 16:58:53 justin: do you see a delta between yours and david/nick's? 16:59:10 roy: most of mine is editorial... 17:00:02 ... my prim concern is the TPE has reqs around tracking dta and TCS has reqs around 1st and 3rd and imps dont know (for the most part) when they are 1st vs. 3rd party 17:00:23 ... if re-phrased as what I claim to be instead of what I am, that takes care of editorial disctintion 17:00:30 ... rest is readability really 17:00:53 ... making permitted uses applicable to all parties, with one exception (scribe missed bvery end) 17:01:04 justin: distinction appears to be meaningful 17:01:13 ... nick are you okay moving to that model? 17:01:28 ... do you agree with Roy's concern? 17:01:46 npdoty: useful to know it is mostly editorial 17:01:47 -Carl_Cargill 17:01:57 ... i am for consistency 17:02:34 ... i thot we already agreed on lang about i thot I was a 1st party... i dont see mneed to re-write, but if just editorial and we need to have clarity, then I have something to do 17:02:58 justin: i think is editorial, but want to hear from others and will harrass you on email to answer 17:03:21 rvaneijk: question about audeince3 measure -- whatis the status 17:03:29 -Chris_Pedigo 17:03:31 -justin 17:03:32 -rvaneijk 17:03:33 -eberkower 17:03:34 -hefferjr 17:03:34 -npdoty 17:03:35 justion: working on it and will have something in 2 weeks (next call) 17:03:36 -Wendy 17:03:37 -vincent 17:03:41 ... bye great folks 17:03:46 -Fielding 17:03:48 -moneill2 17:03:49 -walter 17:03:51 -kulick 17:03:51 T&S_Track(dnt)12:00PM has ended 17:03:51 Attendees were Fielding, npdoty, hefferjr, Wendy, +31.65.275.aaaa, walter, Carl_Cargill, rvaneijk, kulick, Chris_Pedigo, justin, moneill2, eberkower, WileyS, vincent 17:04:26 trackbot, end meeting 17:04:26 Zakim, list attendees 17:04:26 sorry, trackbot, I don't know what conference this is 17:04:34 RRSAgent, please draft minutes 17:04:34 I have made the request to generate http://www.w3.org/2014/10/22-dnt-minutes.html trackbot 17:04:35 RRSAgent, bye 17:04:35 I see 1 open action item saved in http://www.w3.org/2014/10/22-dnt-actions.rdf : 17:04:35 ACTION: doty to propose merger of security language [1] 17:04:35 recorded in http://www.w3.org/2014/10/22-dnt-irc#T16-39-14