15:58:18 RRSAgent has joined #dnt 15:58:18 logging to http://www.w3.org/2017/03/27-dnt-irc 15:58:20 RRSAgent, make logs world 15:58:20 Zakim has joined #dnt 15:58:22 Zakim, this will be TRACK 15:58:22 ok, trackbot 15:58:23 Meeting: Tracking Protection Working Group Teleconference 15:58:23 Date: 27 March 2017 15:58:39 rvaneijk has joined #dnt 15:58:50 schunter has joined #dnt 15:59:15 present+ 15:59:20 fielding has joined #dnt 15:59:28 RRSAgent, make minutes v2 15:59:28 I have made the request to generate http://www.w3.org/2017/03/27-dnt-minutes.html Bert 15:59:52 RRSAgent, pointer? 15:59:52 See http://www.w3.org/2017/03/27-dnt-irc#T15-59-52 16:00:46 Brendan has joined #dnt 16:01:01 agenda: http://www.w3.org/mid/d428f3b8-4691-13ea-cb8b-e7124b63ee62@schunter.org 16:01:06 I can't join audio until 30 minutes into the call due to conflict 16:01:19 Should I leave IRC until I am able to join audio? 16:02:43 previous meeting: http://www.w3.org/2017/03/20-dnt-minutes.html 16:02:53 RRSAgent, make minutes v2 16:02:53 I have made the request to generate http://www.w3.org/2017/03/27-dnt-minutes.html Bert 16:03:34 Brendan, no need to leave IRC 16:04:44 agenda is at https://lists.w3.org/Archives/Public/public-tracking/2017Mar/0013.html 16:10:22 Q+ 16:10:35 q+ 16:10:46 aleecia has joined #dnt 16:10:47 q+ 16:10:51 Discussion 1: Should TSR be extensible? 16:10:55 q- 16:10:56 ack mike 16:10:57 q+ 16:11:19 - Mike: Fields for EU should be there (or extensible to be there). 16:11:34 Mike: Informed consent requires certain information to be available via TSR 16:14:07 Mike: JSON is extensible anyway. We pre-define some fields with a TPE-defined semantics. 16:14:19 Additional fields can be introduced. 16:14:27 Mike: data-controller SHOULD be provided 16:14:59 ack field 16:15:35 Roy: Existing implementation is already fully extensible. Compliance regimes can introduce and require new fields. 16:16:31 Roy: TSR is not exposed during consent dialogue - only page is seen by user (note: We require the site to explain to a user what he is consenting to). The page calls the API to store the consent. 16:16:47 +schunter 16:16:55 q+ schunter 16:19:44 This is hardly a push to redo P3P 16:19:58 It may or may not be useful, but this is not P3Pesque 16:20:07 ack rv 16:21:02 ack schun 16:21:56 Rob: Extensibility useful 16:22:16 Rob: If DNT is used to obtain consent, then additional data is required to make it legally valid. 16:22:38 So I’m hearing: we would be supporting EU compliance, which is why we rechartered. I’d like to understand how important this change would be. 16:24:21 Ok, “I tried to implement and had a hard time” is pretty good information to add, IMHO 16:25:31 Q+ 16:27:14 q+ 16:27:15 Rob: EU compliance regime could define additional fields that are required to be added by the site. 16:28:42 Rob: Browser requirement: Allow user to revoke consent. Should allow users to review the TSR (=source of truth that is independent of the claims of the web-site) 16:29:28 It is always worthwhile to discuss implementation experience, but that starts with implementing the protocol as defined (or at least within proximity). I don't want to see the TSR become extremely large just to support a tool that isn't even part of the consent dialog. 16:30:53 q+ 16:31:50 ack mike 16:31:53 ack alee 16:32:34 Aleecia: URLs can point to specific anchors for specific information pieces. 16:34:23 Well phrased by Aleecia. Extensible yes, but additional fields as options. Not required fields. 16:34:31 Aleecia: URL should point to user-readable text; User agent should retain the URL and re-display it on request. 16:35:16 ==> Policy URL would be mandatory. 16:35:28 q? 16:35:44 ack field 16:36:42 presumably human-readable has more nuance and is designed for users to read. Less P3P-like than the TSR. :-) 16:38:40 An advantage of the TSR that it can even be called in pre-flight. 16:39:10 Proposed Decision 1: When a user-granted exception is registered, user agent should retrieve and retain TSR info. 16:39:42 SHOULD 16:40:07 right, the TSR is designed for pre-flight checks. Note that the TSV and Compliance aray are what matters for that case, not human reading of JSON strings. 16:40:08 Rob’s extension seemed light-weight & reasonable to support better UIs 16:40:25 s/aray/array/ 16:41:49 Leaves full control with the publishers, does not require redoing current privacy policies. Pretty simple. And makes for a cleaner web experience iff UAs want to adopt. If we don’t provide the mechanism, they’re kinda limited to just parsing the TSR without letting any context from publishers go through (unless we imagine users read privpols on their own…) 16:43:01 right now, {"tracking":"N"} is a valid TSR. It is meant to be very small, with defaults making use of what the UA already knows. 16:44:11 …which is a great example of why the fields ought to be optional not manditory. 16:45:13 at has joined #dnt 16:45:18 (i’m unpersuaded on the machine readable issues Mike is raising, perhaps I’m not getting full understanding yet, but it’s NLP all the way down no matter what so why bother) 16:46:31 policy-qualifiers contains in JSON with additional attribute-value pairs 16:47:06 sure, a different compliance approach could make them MUSTs beyond our MAY 16:47:14 we are talking about https://github.com/w3c/dnt/issues/23 16:48:30 so here was Mike’s version: 16:48:34 { 16:48:34 "policy": { 16:48:35 compliance is an array already 16:48:36 "cookie_policy": "https://webresource.com/cookies" , 16:48:37 "privacy_policy": "https://webresource.com/privacy", 16:48:39 "responsible_disclosure_policy": "https://webresource.com/security", 16:48:40 "terms_and_conditions": "https://webresource.com/terms_and_conditions" 16:48:41 } 16:48:42 } 16:48:45 Again, this is sending more information for which there is no actual use case for reading the TSR. This is metadata that can be added to the privacy policy page. 16:49:24 E.g., "compliance": [ "http://wetten.overheid.nl/BWBR0009950#Hoofdstuk11_Paragraaf11.1_Artikel11.7a", "http://wetten.overheid.nl/BWBR0011468/2016-01-01", "https://www.w3.org/TR/tracking-dnt/" ], 16:51:49 That makes UAs unlikely to implement UIs 16:51:57 q+ 16:52:17 q+ on why we need to reduce that API anyway 16:53:02 ack alee 16:55:02 ack field 16:55:02 fielding, you wanted to comment on why we need to reduce that API anyway 16:56:21 +q 16:56:46 that’s interesting! but not the problem i was trying to solve 16:57:08 Roy: The page that explains the consent and calls the consent API should contain all information. This URL may be recorded to document what has been consented to. 16:58:04 this is much more involved than what i had in mind. i’m not opposed to what Roy suggests, it’s just a much bigger hammer 16:58:22 all i was looking for was a way for the text the lawyers write to be presented to users in a standard way 16:58:23 Roy: The page is known already (no extra retrieval) and is the actual info that was displayed. 16:59:03 q+ 16:59:07 if i agree to a thing, what did i agree to. seems basic. now that there’s no standard compliance approach, we should support conveying the information 16:59:24 I agree that should be basic. 17:00:38 Roy: All metadata for consent should rather be in the page that registers consent 17:01:10 (& better implementations are great by me, if there’s a way to reduce overhead great, but having some way to know what you agree to seems crucial) 17:02:00 and the TSR is extensible, if that does turn out to be needed for a given compliance regime. 17:02:07 q- 17:02:09 Having five ways to do the same thing via different compliance docs is painful 17:02:38 which part of this is not painful ;-) 17:02:40 We cannot anticipate everything, but out to have a good start 17:02:48 zakim, list participants 17:02:48 As of this point the attendees have been Bert, schunter 17:03:07 present+ 17:04:38 present+ Aleecia, MartinK, Rob, Mike, AlanT, Brendan 17:05:06 RRSAgent, make minutes v2 17:05:06 I have made the request to generate http://www.w3.org/2017/03/27-dnt-minutes.html Bert 17:05:42 present+ schunter 17:06:15 RRSAgent, make minutes v2 17:06:15 I have made the request to generate http://www.w3.org/2017/03/27-dnt-minutes.html Bert 19:15:08 Zakim has left #dnt