Tracking Protection Working Group Teleconference

22 Oct 2014

See also: IRC log


Fielding, npdoty, hefferjr, Wendy, +31.65.275.aaaa, walter, Carl_Cargill, rvaneijk, kulick, Chris_Pedigo, justin, moneill2, eberkower, WileyS, vincent


<trackbot> Date: 22 October 2014

<fielding> I didn't make any progress this week, sadly

<npdoty> scribenick: kulick

justin: next week TPAC for W3C meeting, so no call next week

2 TPE issues

<justin> issue-262?

<trackbot> issue-262 -- guidance regarding server responses and timing -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/262

issue 262

scribe: we talked about DNT signal when passing on outside of browser/client
... nick sent something last night

<justin> Nick's proposal: http://lists.w3.org/Archives/Public/public-tracking/2014Oct/0082.html

npdoty: you might be talking to alot of servers and not know in advacnce

<WileyS> +q

npdoty: we already have a signal... we might be able to use
... tk headers might not be good for 24 hrs
... very small change to cache response headers
... we can respond to commeter about using ?

shane: 2nd part of nick
... 's email covered whther bid recp can use and Nick felt couldnt be use
... (paraphrasing) nick brought up race condition, shane feels it is edge case

<npdoty> wileys is referring to a separate email, my response about recent knowledge: http://www.w3.org/mid/F6D11A37-A720-4DD6-916E-013F64DC2FE3@w3.org

<fielding> agree with Nick's summary; basically, we just need to say that the Tk response's TSV applies to the current request and the resource-specific tracking status resource would have to be specific to the winning bidder

shane: we can solve vast majority and could find acceptable solution to very high edge case

<moneill2> +q

<WileyS> Changing their DNT setting wouldn't change the UGE

npdoty: some cases where svr has more accurate info where exception... there are also cases where users change DNT settings... not sure which are more likely... i was trying to get across that users would lose confdence if they kept getting signals back related to the signal

<WileyS> Nick, are you saying their is a "special mode" that invalidates all previously provided UGEs?

<walter> WileyS: do you foresee usage of UGE in a DNT:0 situation?

<walter> ah, ok, I get your point

<WileyS> Walter, no need for a UGE in a DNT:0 situation.

vincent: unclear to meif these are data processors or service provider

<npdoty> WileyS, I could imagine a UA that gave me a setting for a private browsing mode, where it would always send DNT:1, even while DNT:0 is configured for some servers

<npdoty> I personally would use that mode when researching medical issues, for example

vincent: not clear how it is going to work

justin: huh?

<WileyS> Nick, UGE trumps DNT:1 - even in a "private mode"

vincent: bidders might not prov response at same time... are they SPs?

<WileyS> Nick, we've not created a DNT signal that trumps all previous UGEs

justin: ad network is not a data processr, but a SP

<vincent> no they are not even SP

<vincent> and I don't hink justin said that either

<justin> vincent, right I don't think they are service providers.

<npdoty> Wileys, an advantage of storing DNT:0 in the user agent is that the user can control them, and decide not to keep the exception at all times

<walter> kulick: ad network _is_ a data processor

mike: the ad exchg to respond would have to have a memory of the user

<walter> kulick: but I would agree that they are attributable to the 1st party

<WileyS> Nick, we're storing the UGE with the UA - that's the point.

(sorry botu that... thx walter)

justin: what are implications of that?

<walter> but it proves the problem of the 1st/3rd party distinction

mike: i dont think shane's is an answer
... wrt dynamic response... how does it calc it?

<Zakim> npdoty, you wanted to respond about service provider

npdoty: maybe they are the same

<WileyS> An "Ad Exchange" then communicates to "Ad Networks" - just so we're all clear

npdoty: the end user is copmm with ad server... servers are comm'ing with other servers

<vincent> but they are still sharing the data with several entites

npdoty: whoever wins bid needs to send response value

<WileyS> In many transactions the bid winner never communicates with the UA

<WileyS> The Ad Exchange simply serves the ad if they're holding the creative

justin: bid losers wouldnt be able to signal anything?

npdoty: yep

mike: (scribe fail)

<WileyS> The ad network has the user's identity through cookie mapping

<npdoty> yeah, the contents of the request are forwarded along, as I understand it

<npdoty> ... which would include cookies and URL parameters

<walter> which is problematic indeed

justin: clear division of value4s trying to be addressed, likely to go CfO
... want to give another week to find compriomise

<WileyS> My concern is that everyone doesn't appear to be very clear on how an Ad Exchange works.

justin: folks invited to respond to proposals



<vincent> will the cfo be on the tehcnical solution or the fact that ad-exhcange can propagate teh signal when they receive DNT:1?

<walter> WileyS: I'm very willing to be educated on that topic, and so are others I presume

rvaneijk: anyway to differientiate targeted v. non targeted ad?

<WileyS> The Ad Exchange doesn't know - and there isn't a signal to pass that information on to the Ad Exchange by the bid winner today (something we're working on in the AdChoices Metadata working group)

justin: (scribe fail)

<npdoty> justin: tracking is not identical to whether a particular ad is targeted

<WileyS> All Ad Exchanges all support all forms of ad serving

rvaneijk: if one sets DNT, they dont want targeting, therefore, trying to understand at protocol level if distinction can be made

<moneill2> +q

<Zakim> npdoty, you wanted to comment on what our options are

<WileyS> contextual, retargeting, profiling, demo, etc.

npdoty: wrt to auctions... i want to understand the caching of tk headers
... are all options represented currently?

mike: if ad ex doesnt pass uniq id for that user
... that would be fine wrt DNT
... the key is
... is the ad exch allow to pass downstream uniq user id

<WileyS> It needs to pass an ID to support even basic ad serving (zero targeting)

justin: if no uniq, does fall under tracking
... (scribe fail)

<WileyS> Ad networks need to retain some information even for basic billing and security purposes

<npdoty> right, in theory, you could pass only the URL, stripped of any identifiers/cookies/etc, to other servers and certainly not be tracking

vincent: 3rd proposal, if ad exch gets DNT:1


<vincent> sure

<npdoty> WileyS, but for the exchange model, is the ad exchange retaining data for more than just the purposes of the fulfilling ad or ad network

roy: note: our conv last week was related to response had to be valid for 24 hrs
... tk_respnse header field would be for current response only

<WileyS> Nick, no - there are strict contractual controls which only allow the bid winner to retain data for the purpose of processing.

roy, is that accurate?

<WileyS> Will do

justin: Shane, please provide your objections to Nick's proposal... please write it up for digestion for folks

<npdoty> WileyS, great. so I think we are good with the service provider definition as is.

<WileyS> Sure

rvaneijk: Shane, can I re-input it for later this week?

justin: anyone else on this issue?

<fielding> close enough … Nick and I talked about the 24-hour issue last week after the call and decided that making the Tk header field indicate only for the current request would be sufficient for Shane's use case

justin: roy, please iterate on nick's proposal, shane please send your obj
... hard issue, we have more work to do on this one
... close on most of remaining issues

<justin> issue-266?

<trackbot> issue-266 -- automatic expiration of a tracking preference exception via API parameter -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/266

justin: some discussion about issue 266
... any objections to mike's suggestion to add parameters in?

<WileyS> As long as they aren't mandatory. They won't ever be used (not voluntarily)

justin: any objs if params arent used if they go away

<npdoty> WileyS, I think the suggestion is that it would be an optional parameter.

justin: pls dscribe nick

<WileyS> "At risk" means that if no one implements the feature then it will be removed from the standard

npdoty: when going to call for implementation... if no one imps feature and we called feature at-risk, then we would remove
... this would happen before proposed recommendation

mike: want to hear from browser companies

<npdoty> +1, getting feedback from browsers would be useful. as would feedback from sites that would want to use it

<fielding> I think the current plan is to add some expiration or max-use (delta seconds) values to the UGE interfaces in a way that won't effect the interface signature.

rvaneijk: imp not relevant for us, but that the toolbox retains such a feature

sorry correction

rvaneijk: imp not as relevant for us, but that the toolbox retains such a feature

justin: nick, thoughts on that?

npdoty: main issue is that it slows down procees to convergence

justin: (scribe fail)
... other process might conflict with at-risk status
... torn at at-risk status... maybe I should email for thots

rvaneijk: (bg noise... having trouble deciphering)

<npdoty> if we expect no one will start implementing or try to use for a number of years, and we can't convince any browsers to implement it before then, I'm concerned about including it

thx npdoty

<npdoty> but if it's likely to see regulatory requirements and be useful, then I hope we can convince implementation (or some alternative) sooner, rather than later

justin: one more new issues that nick found

<justin> issue-267?

<trackbot> issue-267 -- registration of DNT/Tk header fields and ./well-known/dnt URI -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/267

justin: issue 267

npdoty: it is a last call comment
... track header fields and URIs for standards...

need to follow process to share these

justin: when?

roy: whenever we want
... once registered, can't un-reg

<npdoty> are we planning to change any of these names, though?

justin: roy, can u remind us on your todo list?

roy: with new ones today, i have describe JSON formats

<npdoty> +1, we don't care :)

roy: no one in working group cares about these changes

<walter> +1

justin: anything else on TPE?


<justin> issue-24?

<trackbot> issue-24 -- Possible exemption for fraud detection and defense -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/24

scribe: now issue 24
... shane obj to graduated resp... he and david worked on some new lang.... nick was going to propose a merger of some lang he had objs to

npdoty: I have submited propose yet

justin: on isse 235 on auditability

Compliance issues

<npdoty> ACTION: doty to propose merger of security language [recorded in http://www.w3.org/2014/10/22-dnt-minutes.html#action01]

<trackbot> Created ACTION-462 - Propose merger of security language [on Nick Doty - due 2014-10-29].

justin: shane and amy mentioned not sure what it meant

<walter> Yes, I will do so

justin: asked walter to craft guidance lang
... want to share walter?

walter: i'll provide write up with general principles and current thinking

justin: okay

walter: more focused on gen principles and not prescriptive

<npdoty> walter, were you looking for non-normative examples? or normative requirements?

justin: good, but some specificity might be helpful to get meeting of the minds

<justin> issue-148?

<trackbot> issue-148 -- What does DNT:0 mean? -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/148

justin: two more issues
... iusssue 148
... def of DNT:0

<walter> npdoty: I want to encapsulate some general EPD auditing principles or refer to them, but that takes some looking into global standards in that field

<npdoty> " When a user sends a DNT:0 signal, the user is expressing a preference to allow tracking. This recommendation places no restrictions on collection or use of data from network interactions with DNT:0 signals. Note, however, that a party might be limited by its own statements to the user regarding the DNT:0 setting. "

justin: nick sent some lang on this to the group... nick, care to describe?

<walter> npdoty: luckily I have some EDP auditors around at my day job

<fielding> http://lists.w3.org/Archives/Public/public-tracking/2014Oct/0085.html

npdoty: please provide feedback.... took away personalization, just speaks to tracking and some statements related to UGEs
... I would appreciate review

<moneill2> npdoty, that text ok with me

<walter> Yes, I would support such language

justin: consent you give is limited by the offer presented

<scribe> ... pending review... raise concerns people

<npdoty> great.

UNKNOWN_SPEAKER: final issue 203

<justin> issue-203?

<trackbot> issue-203 -- Use of "tracking" in third-party compliance -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/203

UNKNOWN_SPEAKER: how to use tracking in the document
... stuck on ths for a while... roy proposed a considerable re-writting...

<npdoty> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Third_Party_Compliance

UNKNOWN_SPEAKER: not sure how to resolve... nick and roy are generally agreemd on what we want to accomplish... not agreeing on implementation of lang
... personally, I don't care

<moneill2> +q

UNKNOWN_SPEAKER: anyone within the group have strong feelings on this one?

<WileyS> There are no restrictions on user IDs...?

mike: user ids, i prefer david's proposal b/c it retains user id restrictions, Roy's doesnt have this, right?

justin: i am confused by your statement
... both relate to tracking data
... both would include uniq ids
... not seeing the delta you are referencing

roy: (scribe fail)

mike: check out david's section (normative bit)

<npdoty> I don't think there's a difference, except for where that paragraph is located

mike: my POV is the approach of having some personal data b/c has id and is going acrtoss contexts is a problem

<fielding> "Outside the permitted uses and explicitly-granted exceptions listed below, a third party to a given user action MUST NOT collect, share, or associate with related network interactions any identifiers that identify a specific user, user agent, or device. For example, a third party that does not require unique user identifiers for one of the permitted uses MUST NOT place a unique identifier in cookies or other browser-based local storage mechanisms."

justin: data min lang is agreed upon and close issue
... (paraphrase) we've covered this in data min

<WileyS> None are reasonably available so that solves that issue...

justin: roy are you proposing to elim that lang

roy: yes

justin: this is a long standing core issue...

<npdoty> that language ^ above is present in both proposals, though in different sections

justin: this is resolved previously

mike: (scribe fail)

roy: i was thinking do not add thinks that you do not need

justin: do redundant?
... so redundant?

<WileyS> Have to drop a bit early - apologies (heading to the airport and its raining so may take longer that I hope)

roy: yes

justin: conceptually, you dont see a diff between yours and david's?

roy: no, there is a diff
... not in david's b/c his scope is less
... diff example: (paraphrase) can collect a cookie and not retain, therefore is not breaking DNT
... accepting cookies (which could be an id) isn't necessarily mean there is tracking, but way it is wrtiten, this doesnt match

(scirbe is waiting for conclusion to paraphase etire conv)

justin: I dont see diff, just need to convey clearly

npdoty: i dont see a big difference

<npdoty> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203b.html#data-minimization-and-transparency

npdoty: there is something else in gen req section
... see

justin: do you see a delta between yours and david/nick's?

roy: most of mine is editorial...
... my prim concern is the TPE has reqs around tracking dta and TCS has reqs around 1st and 3rd and imps dont know (for the most part) when they are 1st vs. 3rd party
... if re-phrased as what I claim to be instead of what I am, that takes care of editorial disctintion
... rest is readability really
... making permitted uses applicable to all parties, with one exception (scribe missed bvery end)

justin: distinction appears to be meaningful
... nick are you okay moving to that model?
... do you agree with Roy's concern?

npdoty: useful to know it is mostly editorial
... i am for consistency
... i thot we already agreed on lang about i thot I was a 1st party... i dont see mneed to re-write, but if just editorial and we need to have clarity, then I have something to do

justin: i think is editorial, but want to hear from others and will harrass you on email to answer

rvaneijk: question about audeince3 measure -- whatis the status

justion: working on it and will have something in 2 weeks (next call)
... bye great folks

<npdoty> trackbot, end meeting

Summary of Action Items

[NEW] ACTION: doty to propose merger of security language [recorded in http://www.w3.org/2014/10/22-dnt-minutes.html#action01]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-10-22 17:04:40 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/0/)/
Found ScribeNick: kulick
Inferring Scribes: kulick
Default Present: Fielding, npdoty, hefferjr, Wendy, +31.65.275.aaaa, walter, Carl_Cargill, rvaneijk, kulick, Chris_Pedigo, justin, moneill2, eberkower, WileyS, vincent
Present: Fielding npdoty hefferjr Wendy +31.65.275.aaaa walter Carl_Cargill rvaneijk kulick Chris_Pedigo justin moneill2 eberkower WileyS vincent
Regrets: dsinger

WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Found Date: 22 Oct 2014
Guessing minutes URL: http://www.w3.org/2014/10/22-dnt-minutes.html
People with action items: doty

[End of scribe.perl diagnostic output]