IRC log of dnt on 2017-03-27

Timestamps are in UTC.

15:58:18 [RRSAgent]
RRSAgent has joined #dnt
15:58:18 [RRSAgent]
logging to http://www.w3.org/2017/03/27-dnt-irc
15:58:20 [trackbot]
RRSAgent, make logs world
15:58:20 [Zakim]
Zakim has joined #dnt
15:58:22 [trackbot]
Zakim, this will be TRACK
15:58:22 [Zakim]
ok, trackbot
15:58:23 [trackbot]
Meeting: Tracking Protection Working Group Teleconference
15:58:23 [trackbot]
Date: 27 March 2017
15:58:39 [rvaneijk]
rvaneijk has joined #dnt
15:58:50 [schunter]
schunter has joined #dnt
15:59:15 [Bert]
present+
15:59:20 [fielding]
fielding has joined #dnt
15:59:28 [Bert]
RRSAgent, make minutes v2
15:59:28 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/03/27-dnt-minutes.html Bert
15:59:52 [Bert]
RRSAgent, pointer?
15:59:52 [RRSAgent]
See http://www.w3.org/2017/03/27-dnt-irc#T15-59-52
16:00:46 [Brendan]
Brendan has joined #dnt
16:01:01 [Bert]
agenda: http://www.w3.org/mid/d428f3b8-4691-13ea-cb8b-e7124b63ee62@schunter.org
16:01:06 [Brendan]
I can't join audio until 30 minutes into the call due to conflict
16:01:19 [Brendan]
Should I leave IRC until I am able to join audio?
16:02:43 [Bert]
previous meeting: http://www.w3.org/2017/03/20-dnt-minutes.html
16:02:53 [Bert]
RRSAgent, make minutes v2
16:02:53 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/03/27-dnt-minutes.html Bert
16:03:34 [Bert]
Brendan, no need to leave IRC
16:04:44 [fielding]
agenda is at https://lists.w3.org/Archives/Public/public-tracking/2017Mar/0013.html
16:10:22 [mikeoneill]
Q+
16:10:35 [rvaneijk]
q+
16:10:46 [aleecia]
aleecia has joined #dnt
16:10:47 [fielding]
q+
16:10:51 [schunter]
Discussion 1: Should TSR be extensible?
16:10:55 [rvaneijk]
q-
16:10:56 [schunter]
ack mike
16:10:57 [rvaneijk]
q+
16:11:19 [schunter]
- Mike: Fields for EU should be there (or extensible to be there).
16:11:34 [schunter]
Mike: Informed consent requires certain information to be available via TSR
16:14:07 [schunter]
Mike: JSON is extensible anyway. We pre-define some fields with TPE-defined semantics.
16:14:19 [schunter]
Additional fields can be introduced.
16:14:27 [schunter]
Mike: data-controller SHOULD be provided
16:14:59 [schunter]
ack field
16:15:35 [schunter]
Roy: Existing implementation is already fully extensible. Compliance regimes can introduce and require new fields.
16:16:31 [schunter]
Roy: TSR is not exposed during consent dialogue - only page is seen by user (note: We require the site to explain to a user what he is consenting to). The page calls the API to store the consent.
16:16:47 [schunter]
+schunter
16:16:55 [schunter]
q+ schunter
16:19:44 [aleecia]
This is hardly a push to redo P3P
16:19:58 [aleecia]
It may or may not be useful, but this is not P3Pesque
16:20:07 [schunter]
ack rv
16:21:02 [schunter]
ack schun
16:21:56 [schunter]
Rob: Extensibility useful
16:22:16 [schunter]
Rob: If DNT is used to obtain consent, then additional data is required to make it legally valid.
16:22:38 [aleecia]
So I’m hearing: we would be supporting EU compliance, which is why we rechartered. I’d like to understand how important this change would be.
16:24:21 [aleecia]
Ok, “I tried to implement and had a hard time” is pretty good information to add, IMHO
16:25:31 [mikeoneill]
Q+
16:27:14 [aleecia]
q+
16:27:15 [schunter]
Rob: EU compliance regime could define additional fields that are required to be added by the site.
16:28:42 [schunter]
Rob: Browser requirement: Allow user to revoke consent. Should allow users to review the TSR (=source of truth that is independent of the claims of the web-site)
16:29:28 [fielding]
It is always worthwhile to discuss implementation experience, but that starts with implementing the protocol as defined (or at least within proximity). I don't want to see the TSR become extremely large just to support a tool that isn't even part of the consent dialog.
16:30:53 [fielding]
q+
16:31:50 [schunter]
ack mike
16:31:53 [schunter]
ack alee
16:32:34 [schunter]
Aleecia: URLs can point to specific anchors for specific information pieces.
16:34:23 [rvaneijk]
Well phrased by Aleecia. Extensible yes, but additional fields as options. Not required fields.
16:34:31 [schunter]
Aleecia: URL should point to user-readable text; User agent should retain the URL and re-display it on request.
16:35:16 [schunter]
==> Policy URL would be mandatory.
16:35:28 [schunter]
q?
16:35:44 [schunter]
ack field
16:36:42 [aleecia]
presumably human-readable has more nuance and is designed for users to read. Less P3P-like than the TSR. :-)
16:38:40 [rvaneijk]
An advantage of the TSR is that it can even be called in pre-flight.
16:39:10 [schunter]
Proposed Decision 1: When a user-granted exception is registered, user agent should retrieve and retain TSR info.
16:39:42 [schunter]
SHOULD
16:40:07 [fielding]
right, the TSR is designed for pre-flight checks. Note that the TSV and Compliance aray are what matters for that case, not human reading of JSON strings.
16:40:08 [aleecia]
Rob’s extension seemed light-weight & reasonable to support better UIs
16:40:25 [fielding]
s/aray/array/
16:41:49 [aleecia]
Leaves full control with the publishers, does not require redoing current privacy policies. Pretty simple. And makes for a cleaner web experience iff UAs want to adopt. If we don’t provide the mechanism, they’re kinda limited to just parsing the TSR without letting any context from publishers go through (unless we imagine users read privpols on their own…)
16:43:01 [fielding]
right now, {"tracking":"N"} is a valid TSR. It is meant to be very small, with defaults making use of what the UA already knows.
16:44:11 [aleecia]
…which is a great example of why the fields ought to be optional not mandatory.
16:45:13 [at]
at has joined #dnt
16:45:18 [aleecia]
(i’m unpersuaded on the machine readable issues Mike is raising, perhaps I’m not getting full understanding yet, but it’s NLP all the way down no matter what so why bother)
16:46:31 [schunter]
policy-qualifiers contains in JSON with additional attribute-value pairs
16:47:06 [aleecia]
sure, a different compliance approach could make them MUSTs beyond our MAY
16:47:14 [fielding]
we are talking about https://github.com/w3c/dnt/issues/23
16:48:30 [aleecia]
so here was Mike’s version:
16:48:34 [aleecia]
{
16:48:34 [aleecia]
"policy": {
16:48:35 [schunter]
compliance is an array already
16:48:36 [aleecia]
"cookie_policy": "https://webresource.com/cookies" ,
16:48:37 [aleecia]
"privacy_policy": "https://webresource.com/privacy",
16:48:39 [aleecia]
"responsible_disclosure_policy": "https://webresource.com/security",
16:48:40 [aleecia]
"terms_and_conditions": "https://webresource.com/terms_and_conditions"
16:48:41 [aleecia]
}
16:48:42 [aleecia]
}
16:48:45 [fielding]
Again, this is sending more information for which there is no actual use case for reading the TSR. This is metadata that can be added to the privacy policy page.
16:49:24 [rvaneijk]
E.g., "compliance": [ "http://wetten.overheid.nl/BWBR0009950#Hoofdstuk11_Paragraaf11.1_Artikel11.7a", "http://wetten.overheid.nl/BWBR0011468/2016-01-01", "https://www.w3.org/TR/tracking-dnt/" ],
16:51:49 [aleecia]
That makes UAs unlikely to implement UIs
16:51:57 [aleecia]
q+
16:52:17 [fielding]
q+ on why we need to reduce that API anyway
16:53:02 [schunter]
ack alee
16:55:02 [schunter]
ack field
16:55:02 [Zakim]
fielding, you wanted to comment on why we need to reduce that API anyway
16:56:21 [mikeoneill]
+q
16:56:46 [aleecia]
that’s interesting! but not the problem i was trying to solve
16:57:08 [schunter]
Roy: The page that explains the consent and calls the consent API should contain all information. This URL may be recorded to document what has been consented to.
16:58:04 [aleecia]
this is much more involved than what i had in mind. i’m not opposed to what Roy suggests, it’s just a much bigger hammer
16:58:22 [aleecia]
all i was looking for was a way for the text the lawyers write to be presented to users in a standard way
16:58:23 [schunter]
Roy: The page is known already (no extra retrieval) and is the actual info that was displayed.
16:59:03 [rvaneijk]
q+
16:59:07 [aleecia]
if i agree to a thing, what did i agree to. seems basic. now that there’s no standard compliance approach, we should support conveying the information
16:59:24 [fielding]
I agree that should be basic.
17:00:38 [schunter]
Roy: All metadata for consent should rather be in the page that registers consent
17:01:10 [aleecia]
(& better implementations are great by me, if there’s a way to reduce overhead great, but having some way to know what you agree to seems crucial)
17:02:00 [fielding]
and the TSR is extensible, if that does turn out to be needed for a given compliance regime.
17:02:07 [rvaneijk]
q-
17:02:09 [aleecia]
Having five ways to do the same thing via different compliance docs is painful
17:02:38 [fielding]
which part of this is not painful ;-)
17:02:40 [aleecia]
We cannot anticipate everything, but ought to have a good start
17:02:48 [Bert]
zakim, list participants
17:02:48 [Zakim]
As of this point the attendees have been Bert, schunter
17:03:07 [fielding]
present+
17:04:38 [Bert]
present+ Aleecia, MartinK, Rob, Mike, AlanT, Brendan
17:05:06 [Bert]
RRSAgent, make minutes v2
17:05:06 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/03/27-dnt-minutes.html Bert
17:05:42 [fielding]
present+ schunter
17:06:15 [Bert]
RRSAgent, make minutes v2
17:06:15 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/03/27-dnt-minutes.html Bert
19:15:08 [Zakim]
Zakim has left #dnt