16:10:09 RRSAgent has joined #dnt
16:10:09 logging to http://www.w3.org/2017/04/03-dnt-irc
16:10:11 RRSAgent, make logs world
16:10:11 Zakim has joined #dnt
16:10:13 Zakim, this will be TRACK
16:10:13 ok, trackbot
16:10:14 Meeting: Tracking Protection Working Group Teleconference
16:10:14 Date: 03 April 2017
16:11:12 Regulatory point: Minimum set of information that needs to be presented from data controller to user.
16:12:13 Scenarios: 1. Out of band; 2. Publisher collects consent for itself and others (=known third parties); 3. Real-time ad-bidding (=potentially unknown third parties)
16:13:14 Scenario 3 requires pushing information in real time (since the information is not known before bidding).
16:13:59 Today's agenda: https://lists.w3.org/Archives/Public/public-tracking/2017Mar/0039.html
16:14:40 Information: Identity of data controller; Purpose of collection; Retention
16:15:19 + potentially information how to revoke consent (may be via API or elsewhere)
16:15:27 present+
16:16:30 present+
16:17:38 q+
16:20:28 The subrequests to specific domains on a page are known by the UA, including domains that are selected within auction frames that are unknown to the site. What is not known would be third parties that might receive data via the sites invoked.
16:20:53 q+
16:23:49 ack Mi
16:27:07 ack f
16:29:10 q+
16:32:48 ack mi
16:35:38 The feedback we received from the web applications folks is that the additional string information is a common security anti-pattern that serves only to obfuscate the actual sources.
16:38:44 vincent_ has joined #dnt
16:39:34 q+
16:42:13 ack fi
16:42:24 q+
16:45:39 q+
16:46:06 ack fi
16:50:48 ack rvaneijk
16:54:20 Use case: Online ad auction with unknown parties (a priori)
16:54:45 - Question: What is the minimal information required (by GDPR) that those guys need to convey to the user
16:54:50 The only way that on-demand bidding works with privacy is to restrict data use (purpose) to a set of standard identified uses and have the user pre-allow a set of such uses for all bidders adhering to that standard. Identifying each and every party in advance of each consent decision will not work for bidding.
16:55:15 - Question: Is there anything else that the browser (or badger) needs to decide whether to call or block the resource.
16:55:33 - Question: Under what conditions would the browser send DNT;0 (instead of DNT;1)
16:57:17 vincent__ has joined #dnt
16:59:08 Important: Bidders who do not win must not retain the data. (by contract)
16:59:22 Our focus is the bidders that have won.
17:03:09 Next meeting, we need to have a discussion of security problems with existing API and https://w3ctag.github.io/security-questionnaire/
17:03:35 zakim, who is attending?
17:03:35 I don't understand your question, fielding.
17:03:56 zakim, who is in attendance?
17:03:56 sorry, fielding, I do not recognize a party named 'attendance'
17:04:18 zakim, who?
17:04:18 I don't understand your question, fielding.
17:04:38 zakim, who is on the phone?
17:04:38 Present: fielding, MikeONeill
17:06:28 present+ schunter, vincent, rob, walter
17:06:41 zakim, who is on the phone?
17:06:41 Present: fielding, MikeONeill, schunter, vincent, rob, walter
17:07:28 present+ hadleybeeman, adrianba, at
17:07:33 zakim, who is on the phone?
17:07:33 Present: fielding, MikeONeill, schunter, vincent, rob, walter, hadleybeeman, adrianba, at
17:10:32 present+ Rob van Eijk
17:12:07 trackbot, end meeting
17:12:07 Zakim, list attendees
17:12:07 As of this point the attendees have been fielding, MikeONeill, schunter, vincent, rob, walter, hadleybeeman, adrianba, at, van, Eijk
17:12:15 RRSAgent, please draft minutes
17:12:15 I have made the request to generate http://www.w3.org/2017/04/03-dnt-minutes.html trackbot
17:12:16 RRSAgent, bye
17:12:16 I see no action items