See also: IRC log
<wseltzer> Draft minutes from day 1
<wseltzer> Greg's slides: http://www.w3.org/2015/digital-marketing-workshop/slides/norcieDigimarketing.pdf
<inserted> scribenick: oyiptong
greg: https a baseline for security
... mixed content is harmful. 20% of advertisers do not support https
... mixed content attack: Australian voting site
... https supported, but 3rd party javascript used an outdated version of TLS vulnerable to FREAK attack
<wseltzer> greg: FREAK attack, renegotiation to export crypto -- crypto weak enough to give to our enemies in the '90s
greg: votes for the Australian voting websites could've been modified
... best practices: 1) use HSTS 2) use certificate pinning 3) use TLS not SSL
... data breaches due to failure to implement https may be seen as unfair business practice under FTC's section 5 authority
<wseltzer> USEMP Velti slides: http://www.w3.org/2015/digital-marketing-workshop/slides/USEMP-VELTI-privacy-aware%20digital%20marketing.pdf
<wseltzer> tmichalareas: USEMP vision for privacy-aware digital marketing
<wseltzer> http://www.usemp-project.eu/
tmichalareas: identified a number of issues around privacy on the internet
... should be developing tools for feedback and control by users
... economic awareness: provide feedback and control to the user about the value of the data they share
... there should be transparency about how they are being targeted
... vision: should be possible to know what personal data is accessible, who is requesting this data and for what purpose
... vision: should be possible to know what value the data has, should be able to opt-in/out to 3rd parties and to access the derived data (inferences/classifications) relating to his/her profile
... there should be new business models generated where the user is on the receiving end of a financial transaction about their data
... could use DNT to reject ads. interest graph is computed locally by the browser, new targeting happens locally by the browser, ads use this interest graph
<inserted> scribenick: wseltzer
oyiptong: I have code for you, we worked on this
... but challenges: how do you expose to the user what they're about to share
... how do you change as user interests change?
... how do you prevent advertisers from combining this info with data they already have?
gnorcie: contractual options
oyiptong: many people don't like the contractual hammer
... also, it's hard to audit
tmichalareas: deployment model for smart ads could be data never leaves the browser
... we're going to run a pilot in the next year
BradHill: if you give info to everyone from the browser, you're still sharing with everyone
tmichalareas: if you only share transaction ID
oyiptong: it's very hard to implement client-side decision-making without sharing data
<oyiptong> reza: additive suggestion, requires a standard. many tried it, it has tremendous potential
reza: lots of promise in local computing of preferences, connections to schema.org,
stevez: how do you deal with someone who doesn't own a computer; doesn't own a phone; or uses multiple browsers?
tmichalareas: perhaps we start with simple case, separate interest graphs per-browser
stevez: I can record that I purchased something, so I don't keep getting ads for it
BrendanIAB: I've heard several points at which this tech was designed to be inserted: extension, proxy
... but the way to derive value from data is to prevent others from accruing it
... so it's antagonistic to business models
... it's not exactly friendly
... once you establish business relationships, you have behavioral data in one place, demographic data in another
... so you have to send your proprietary behavioral algorithms to an untrusted client
... and/or send non-behavioral data to the client, which you might be prevented from by contract, privacy risk
tmichalareas: it seems we're near a tipping point now regarding tracking
gnorcie: issue of consent, opt-out
<oyiptong> greg: consent is important for tracking
<oyiptong> greg: fingerprinting/super-cookie are OK in europe, but users need a way to opt out
BrendanIAB: companies that are circumventing ad-blocking are seeing higher click-through and conversion rates
Dutta: RTB 2.3 should require TLS on all communications
marktorrance: tipping point for us as DSP was when a major supplier switched to HTTPS (YouTube)
bhill2: RTB spec is IAB's; there are hard latency requirements, and also technical work that can improve the server-server communications
... there should be an equivalent of istlsfastyet for those measurements and tunings
marktorrance: how could client-side targeting work? At Rocket Fuel, we have 10k ads at one time
... we're not going to preload all of those
... and if we don't preload, act of requesting some will leak information
... so we're going to be on the current system for a while yet
... rich areas for W3C in standardization, taxonomies, product data
keiji: Thanks!
... summary of issues: deployment of HTTPS, local-side targeting
khoya: Kazuhiro Hoya, Fuji Television Network
[slides will be available after]
khoya: Linear TV viewing is still strong
<keiji> khoya: Over 30Gbits/sec traffic for 7 sec traffic down the streaming service.
khoya: challenge, TV and other viewing devices don't have same tracking ID
<keiji> khoya: How to link devices with TV is issue.
khoya: TV in Japan has unique serial number that can be obtained in HTTP transaction
<keiji> khoya: TV has unique serial No., MAC, and old data broadcast tech is being used.
<keiji> khoya: 1 kb NVRAM data is used as cookie.
<keiji> khoya: Hybrid TV service (2012-) use HTML5 and CSS.
<keiji> khoya: use Ureg/Greg 16kB each is used.
<keiji> khoya: How to aggregate user data. Interactive Content, QR-code, HybridTV.
<keiji> khoya: Privacy is traumatized issues in Japan.
<keiji> khoya: Intrusive Agreement is another issue.
<keiji> khoya: Privacy Agreement Survey shows different kinds of terms and condition were preferred.
<keiji> khoya: Same Agreement is preferred for all broadcasters as umbrella.
khoya: umbrella agreement much easier to get people's assent
... Toshiba's TV-Point service, joint project with CCC shopping point
... offers mileage points for logging of data
... non-exclusive agreement for 3rd party use.
<keiji> khoya: CCC/T-point is used as user identifier on TV products from Toshiba with Non-exclusive agreement for 3rd party use.
khoya: caused problems.
... as broadcasters, we think the state of the market should improve
jinhong: Jinhong Yang, KAIST
<keiji> Jinhong: from KAIST presents Content Sharing on Mobile Browser
jinhong's slides: http://www.w3.org/2015/digital-marketing-workshop/slides/PositionPaper_ShareTag.pdf
<keiji> jinhong: when we share a new on the website.
jinhong: share tag would trigger buttons for users' installed apps
<keiji> jinhong: proposed idea is to have icons to express services to share user data.
dezell: David Ezell, NACS
dezell's slides: http://www.w3.org/2015/digital-marketing-workshop/slides/DigitalMarketingandPayments.pdf
<keiji> David: from NACS digital marketing and payment
dezell: about 153,000 retail petroleum outlets, "convenience stores"
... in the US
<keiji> dezell: Review of NACS Industry Requirements
dezell: many of them single-store operators
... digital marketing is really important to brick-and-mortar stores
... also brands who distribute to convenience stores
<keiji> dezell: will talk on web payment.
dezell: Web Payments
<keiji> dezell: is co-chair of web payment IG.
dezell: mobile wallet, your interface with lots of these technologies
... I'm looking for feedback for the Web Payments group.
<keiji> dezell: Things have changed merchandise have more channel to their customer.
<keiji> dezell: Transaction will become more complex, consumer-centric & safer.
dezell: about 153M transactions a day in C-stores; that's opportunities to interact with consumers
<keiji> dezell: consumer need to be kept impressing.
dezell: consumers don't want yet another single-purpose app
... transaction of the future, you'll get dozens of offers; consumer wants to know, what's the best deal?
... merchants are thinking "own the customer," and "reduce costs"
<keiji> dezell: merchants want to own their customer while customer do not want multiple apps.
dezell: other considerations on payments: what's a legal purchase, an offer, taxation, additional payment methods (SNAP)
... Petroleum cards among the earliest credit cards, loyalty programs
... Flash Foods, centralized loyalty program
... saved money by establishing own ACH program, that covered the costs of loyalty program.
... digital marketing needs to be able to promote brands, individual products, product categories, individual merchants, payment service providers, and payment schemes
<keiji> dezell: Digital wallet app require digital offers to answer their questions.
reza: Connecting digital to the physical world, outside interactions
<keiji> khoya: T-point is a point program on merchants is now used to link to TV watching behavior data for advertisement.
<keiji> dezell: Petro payment now has point system with American Express.
BradL: advertising displays at gas stations, why aren't they targeted?
<keiji> Satya: How TV can detect other devices in house?
<keiji> khoya: Now we do not have mechanism to link devices may use user ID application can be used.
<keiji> khoya: T-point may be used to like those customer devices.
<keiji> Satya: Amazon has cash back now. Will digital wallet have such function?
<keiji> dezell: We are now developing use cases that may include such function.
bhill2: "tracking" is fundamental to payments, reducing fraud
... long precedent of credit card companies selling data offline
<keiji> bhill: Human tracking and payment is interesting topic what do you think linking those data to advertisement or selling those data.
dezell: MC agreement with merchants says, for any txn in which MC is a party, MC is the sole owner of the data. NACS concerned about that.
<keiji> dezell: People are going to connect those data.
<keiji> dezell: I do not know what that means.
davidhumpherys: with credit card payments, my data is only as secure as the collection of merchants I've used. What are digital payments doing?
dezell: tokenization
<keiji> david: how digital wallet can manage trust of merchants.
<keiji> dezell: We are working on tokenization to protect security of payment.
<keiji> david: My data will still remain on the server side.
dezell: my definition of credential: a statement of fact
<keiji> dezell: we work on related issues in credential CG.
dezell: authentication asymptotically moves toward identity
<keiji> dezell: credential can be used to prove a fact.
<keiji> dezell: Authentication is used to authenticate credential that is my understanding that may not be accurate.
bhill2: non-binary approach, does my confidence exceed my risk
<keiji> wseltzer: different groups are using terms in different ways.
<keiji> ted: IP address is being used as unique identifier. Is it the best way?
<keiji> khoya: IP address is being shared among different users sometimes e.g. in huge apartment.
<keiji> khoya: It is not accurate so we are not using it as identifier.
<keiji> wseltzer: How meta-data work with share button on mobile e-mail applications?
<keiji> jinhong: User can have applications works on their smartphone to handle user operation.
<keiji> dutta: Is there any way to link devices used by same user?
<keiji> khoya: There are no specific technology has been developed.
betehess: re share button, you can use schema.org "share" action
... maybe need an API to register services
... but don't need new markup
<keiji> keiji: UPnP may help to detect other devices on local network.
<betehess> small clarification: schema:ShareAction doesn't seem to implement the same use-case, but that's the right approach
<betehess> link http://schema.org/ShareAction
[lunch]
dankaminsky: WhiteOps
... I like the Web!
... it's always up to date
... continuous integration
... that model has now won, to the point that Windows is shipping like web pages
... Web pages just show up, you don't have to install an app
... Don't need permission to write a page
... Independent broker, depends on
... 1) same-origin policy. You can run anything you want, so long as it's on your own content
... 2) the web is mostly safe. If you don't like a site, close it
<keiji> dankaminsky: Malvertising Trap should we block ads? It is not web.
<keiji> dankaminsky: Off-site navigation is a terrible design.
<keiji> dankaminsky: demonstration with slightly modified chrome.
[demo of ways to change page element visibility]
[multiply nested iframe]
<keiji> dankaminsky: You can modify appearance of web window freely.
[now, requestVisibility]
dankaminsky: either you're fully visible, or you're not visible and you know
<inserted> scribenick: keiji
dankaminsky: We take out image object under layer of iframe.
... I am going to post the code to the chrome engineer forum.
... We made output accessibility on top of existing framework.
<wseltzer> dankaminsky: if you have input exclusivity and output visibility, we can start talking about the address bar, indications to user
<wseltzer> ... make it easier for users to interact with users in a trusted manner
dankaminsky: Messing address bar is dangerous. We are dangerous persons.
BradL: If window come from other app does this still protect?
dankaminsky: My assumption is attack from same application(window).
Andre: If we have multiple frame come from same window what happen?
dankaminsky: It is undefined.
... iframe is all around web being used various purposes.
BrendanIAB: Viewability can be access from parent window?
dankaminsky: Parent can know their child works normal. We can detect attacks against the frames.
... timestamp is not moving.
mark: does filter still work on top of the frame?
dankaminsky: if it is unmodified it works.
<wseltzer> dankaminsky: you can do what you want in the iframe, it won't be affected by what else is sent
<wseltzer> marktorrance: much ad tech goes through multiple intermediaries. who should use ironframe?
<wseltzer> dankaminsky: nested ironframe needs to be specced out
<wseltzer> marktorrance: what's the path forward? standards?
marktorrance: does this work only on chrome?
<wseltzer> dankaminsky: after 15 years, I finally joined a standards body
<wseltzer> dankaminsky: ancestorOrigins is part of the spec plan
dankaminsky: working with browser vendors and working for standardization as well.
<wseltzer> jwold: I'm going to demo Ad-ID, download XMP, add it to some assets
jwold: We have authentication model id/password on https.
... we have concepts of groups and accounts.
... explains function of ad-ID management system.
... This works would be based on contract.
... I am making meta-data for ad-ID management.
<wseltzer> [demo of the Ad-ID metadata creation]
jwold: I made a demo how we can make systems to exchange meta-data with standardized way.
jwold: product ID can be stored but not associated with anything here.
wseltzer: we would like to discuss what would be next by reviewing what we had done this two days.
dezell: We may need to form IG or CG.
... UI and web accessibility is important issue we should work on.
BradL: we need a way to control user tracking like standard for script to announce its purpose.
ccc: feature like sandbox and UI are important.
reza: browser support is necessary.
alex: standard for data sharing scaling, social search may be needed.
Andre: topics blocking, measuring, isolation etc may be need to discuss. Do not know where is the appropriate to discuss on those issues.
wseltzer: way to have more little data may be required.
chad: we need to distinguish bot from others.
... Authenticity is important for anti-bot, anti-malvertisement.
ddd: we need to identify good practices.
BrendanIAB: We have been talking on giving users more choices but publishers do not have chance to indicate their preferences.
... How site can express their preference may be needed.
dankaminsky: What kind of Internet/Web we would like to provide is the key issue.
BradL: security and performance are key issues.
chad: feedback for retargeting may be useful.
bhill: Amazon is trying to avoid to give feedback because that may leak user’s privacy.
... it is difficult to give feedback while protecting user’s privacy.
dutta: We should think from what we want.
wseltzer: iron frame concept is coming to W3C web app security working group. If you are interested in you can participate.
... sandboxing is also things we may work on.
... Server side ad stitching and https (server-server) are other topics need to be solved.
bhill: isolation and federated contents
dankaminsky: cross origin resource integrity is hard to manage. Server side integration may work well.
BrendanIAB: responsibility issue (root of trust) have to be solved to have single stream of contents.
dankaminsky: I would like to think network channel and security channel separately.
keiji: client side (local) targeting is a topic many people are interested in.
Andre: Tracking interaction
BrendanIAB: IAB has API for ads on video
wseltzer: we may be able launch a community group to identify needs of new standards.
... Web Payment activity may be related to your needs in some aspect so we encourage you to participate.
... linking local devices and users may be another required feature.
... Web payment -> payment IG
... sandbox -> webApp sec wg
eee: security / Malvertising and data collection should be considered differently.
wseltzer: we need to cooperatively work on these issues.
... user agent support for marketing -> CG
... permissions/requests -> WebAppSec WG(API) + permission CG
;-) -> wseltzer
wseltzer: data sharing, scaling, social search, inter-op action -> schema.org for marketing??
<wseltzer> wseltzer: Thanks to Chad and Nielsen for hosting in great facilities
<wseltzer> ... Thanks to Reza for co-chairing and Adobe's sponsorship
<wseltzer> ... and thanks to all participants and Program Committee
<wseltzer> [adjourned]
<wseltzer> trackbot, end meeting
<wseltzer> scribes: keiji, oyiptong, wseltzer
Agenda: https://www.w3.org/2015/digital-marketing-workshop/agenda.html
Date: 18 Sep 2015