IRC log of dnt on 2017-04-24

Timestamps are in UTC.

16:00:08 [RRSAgent]
RRSAgent has joined #dnt
16:00:08 [RRSAgent]
logging to http://www.w3.org/2017/04/24-dnt-irc
16:00:10 [trackbot]
RRSAgent, make logs world
16:00:10 [Zakim]
Zakim has joined #dnt
16:00:12 [trackbot]
Zakim, this will be TRACK
16:00:12 [Zakim]
ok, trackbot
16:00:13 [trackbot]
Meeting: Tracking Protection Working Group Teleconference
16:00:13 [trackbot]
Date: 24 April 2017
16:01:11 [Bert]
present+
16:01:26 [Bert]
RRSAgent, make minutes v2
16:01:26 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/04/24-dnt-minutes.html Bert
16:02:01 [Bert]
chair: schunter
16:02:22 [mikeoneill]
mikeoneill has joined #dnt
16:03:08 [Bert]
regrets+ David Singer
16:03:24 [aleecia]
aleecia has joined #dnt
16:03:56 [aleecia]
schunter asks: is shane back? answer seems to be no.
16:04:16 [rvaneijk]
Screenshots sent to the mailing list: https://lists.w3.org/Archives/Public/public-tracking/2017Apr/0035.html
16:04:30 [aleecia]
schunter: discuss content & tech resolution. next step is texts and (?)
16:04:51 [aleecia]
… 30 minutes, quick discussion of what changes and why
16:05:01 [aleecia]
… then we discuss accept the change or not
16:05:09 [aleecia]
… can go through call for objects process again
16:05:17 [aleecia]
… any ?
16:05:24 [aleecia]
… hearing none, gets started.
16:05:37 [aleecia]
rvaneijk: can be heard :-)
16:05:44 [aleecia]
… using screenshots seen dlist
16:06:06 [aleecia]
… makes it easier to distinguish resources and legal grounds
16:06:31 [aleecia]
… looked at two groups of actors. first, Rubicon, real time with network partners
16:07:03 [aleecia]
… central Rubicon in big yellow, surrounded by nodes in the ad exchange
16:07:32 [aleecia]
… in discussion, would they rely on consent or not? come back to.
16:07:58 [aleecia]
… the nodes that are still yellow in the center, resources that through referer header are pulled in and lead to analytics data for the ad exchange network
16:08:26 [aleecia]
… header relations between resource and where the js is called from, originally a referer header or a location header if the request was redirected
16:08:32 [aleecia]
… any ? on the rep of the image?
16:08:38 [aleecia]
(trying to find it still!)
16:08:53 [aleecia]
rvaneijk, same graph but different group of actors
16:09:28 [aleecia]
Rubicon is now in grey, the other nodes in green
16:10:10 [aleecia]
rvaneijk, API call with UID sent to sync unique id in background, which is the rubicon ad exchange in real time
16:10:20 [aleecia]
… the cookie synching allows trading of uid’s.
16:10:28 [aleecia]
… core of the argument is here, around legal grounds.
16:10:45 [aleecia]
… calling for specific information in the tracking status resource to distinguish different type of actors
16:10:54 [aleecia]
… have the controller array to identify itself
16:11:26 [aleecia]
… same party array, all resources could be listed if there’s an agreement signed or resources owned by controller itself (if you host on amazon type of resource (?)
16:12:10 [aleecia]
… calling for: try to differentiate. out of band consent is important, can call for permission for all parties as out-of-band-consent
16:12:30 [aleecia]
… but the networks are not listed on the publisher’s network and cannot rely on the out-of-band-consent of the publisher
16:12:52 [aleecia]
… propose distinguishing between parties that are needed to make the real time ad exchange work, and parties that are not
16:13:13 [aleecia]
… what is the extent of control of the publisher, do they have an agreement. or these resources are themselves (different)
16:13:18 [aleecia]
… would help transparency
16:13:31 [aleecia]
… will help parties that cannot rely on out of band consent
16:14:01 [wileys]
wileys has joined #dnt
16:14:11 [aleecia]
… proposal: enhance status resource with new, “other party” (name tbd) to enable publisher to list all resources they can identify that they want to ask for consent from user
16:14:37 [aleecia]
?: can you explain in a transaction, how to distinguish between site-wide and (?)
16:15:03 [aleecia]
rvaneijk: publisher identifies all the resources, all the nodes. Mike’s example of LA Times, 335 resources
16:15:24 [schunter]
3 tiers of parties: same-party, new website-helpers, and everyone else.
16:15:54 [aleecia]
Shane: 300 listed in Yahoo’s privacy center, can have contracts with that many parties. i think you’re trying to state a site-wide exception cannot exist, disagree. how does a UA distinguish between your case and site-wide?
16:16:14 [aleecia]
… not listed as same party, since they’re 3rd party. does not require all 3rd parties be enumerated.
16:16:23 [aleecia]
… would be those domains under publisher’s (?)
16:16:23 [walter]
q+
16:16:42 [aleecia]
rob: in EU need to enumerate. makes it hard to automate.
16:17:10 [aleecia]
shane: not a requirement by law. this is only one technical option and could Break The Entire Standard
16:17:17 [aleecia]
rob: trying to improve over cookie wall
16:17:19 [schunter]
q?
16:17:23 [schunter]
q+
16:17:35 [aleecia]
shane: consent is the same as a cookie wall. not all publishers can identify all actors
16:17:52 [aleecia]
(cannot type as fast as they can argue)
16:18:10 [aleecia]
shane: a publisher *can* know 3rd parties and this proposal breaks that
16:18:26 [aleecia]
rob: transparency not control. additional object, why would it break the model
16:18:36 [aleecia]
schunter: echo
16:18:59 [wileys]
This list can be accomplished MANY ways
16:19:07 [wileys]
Does not require DNT to support this outcome
16:19:14 [fielding]
fielding has joined #dnt
16:19:19 [aleecia]
… rob is saying, he believes under EU law you have to list everyone who’s collecting data. Shane, saying no, site-wide exception is enough. Rob is saying we can implement both options.
16:19:33 [aleecia]
… everybody who’s not a first party is still getting data should be listed
16:19:42 [aleecia]
Shane: saying, how does the browser manage this?
16:20:42 [aleecia]
… if a publisher says, i have a site-wide exception, provides in the TSR and does not fill out Rob’s field, what does the UA do? is this an optional field, and if optional, how does a browser handle populated or not? Rob is attempting to push more requirements on the browser and trying to avoid that
16:20:59 [aleecia]
schunter: anything the browser should do with this or just record it?
16:21:22 [wileys]
But that is for the browser to decide - not Rob
16:21:50 [aleecia]
rob: browser discussion leads to ad blocking. one hand, browser not block anything. other hand, block everything except what’s consented. middle ground between ad blocking options is a consent-based middle ground that DNT can address
16:22:13 [aleecia]
… browsers handling this info is out of scope for us. providing this info allows browsers to not break (ad networks?)
16:22:14 [wileys]
+q
16:22:41 [aleecia]
… in order to let programmatic ads survive rather than be blocked by default, this missing property allows browsers to
16:23:14 [aleecia]
schunter: same party gets DNT:1 everyone else blocked, but with additional field those guys not blocked because friends of the publisher, so get special treatment
16:23:44 [aleecia]
wileys: confounding two topics. ad blocking would not occur if all parties have consent or valid processing basis, but that’s not true.
16:24:46 [aleecia]
… on the issue of allowing a transaction to occur, if a publisher states site-wide exception, they understand the expanse of that permission, browser should do nothing more than register when the exception occurred. can confirm after to make sure contracts and lists in place, but all browser does is send dnt:0 for the same-party domain
16:24:58 [aleecia]
… this is how we developed the standard.
16:25:12 [aleecia]
schunter: let’s keep ad blocking out now.
16:25:28 [aleecia]
… browser can only send dnt:0 for everything listed in same party area and the like
16:25:59 [aleecia]
wileys: and all parties under, all domains under xyz.com should get a dnt:0 if registered a site-wide exception. that’s how we built it to date.
16:26:25 [aleecia]
schunter: i think rob doesn’t want to change that. if not sub-sites of yahoo, like the rubicon thing, the other nodes would not get a dnt:0
16:26:57 [aleecia]
wileys: but my list could be on a web page.
16:27:13 [aleecia]
… should be all domains under those registered under the first party domain
16:27:22 [aleecia]
schunter: but then who they are is unknown
16:27:36 [aleecia]
wileys: no requirement to list, is over-loading the TSR
16:27:55 [aleecia]
… could manage in our privacy centers, the well-known location could hold this. attempting to make it machine readable.
16:28:36 [schunter]
q?
16:28:42 [aleecia]
… some are www.adnetwork.com or adnetwork2.com, we’d have to list *all* of those on Rob’s proposal. if a domain is not listed, the browser should send dnt:1 even though a site-wide exception has been issued for the parent domain
16:29:11 [aleecia]
… ask the browser, or the publisher needs to ask the end user, trying to understand the full scope of interactions in Rob’s structure, breaks many of the conventions we agreed upon
16:29:34 [aleecia]
rob: site-wide exception only goes as far as the parties can be identified up front, or else it’s a wild card
16:29:41 [aleecia]
… for unknown purposes
16:29:52 [aleecia]
… legal consent for ePriv (won’t allow that)
16:30:10 [fielding]
I thought our goal was to move the specification closer to actual implementations. It sounds to me like folks want to start over with a new API and a completely different consent mechanism based on imagined implementations. I won't argue that either is a better way forward, but I will argue that we can't do teh latter on this schedule.
16:30:24 [fielding]
s/ teh / the /
16:30:34 [aleecia]
… if there are restrictions on stie-wide limitations, if that could lead to compliance we wouldn’t need this discussion. but most publishers cannot identify all parties up front. and yes, browser needs to decide, can be conversation with user or automatically.
16:30:46 [fielding]
s/stie/site/
16:30:50 [aleecia]
… ability to express consent through browser settings is long established
16:31:12 [aleecia]
… dnt can do so much better than current cookie settings of 1st or 3rd party, doesn’t help publisher either
16:31:29 [aleecia]
wileys: have ability to manage individual cookies.
16:31:38 [aleecia]
… you didn’t rebuke anything i’ve stated.
16:31:56 [aleecia]
… pushes the browser into a legal position to arbitrate valid consent or not
16:32:31 [aleecia]
schunter: not so clear, Shane you believe site-wide consent is dnt:0 goes to everything on yahoo.com?
16:32:45 [aleecia]
wileys: everything underneath gets dnt:0, on purpose, today
16:34:00 [aleecia]
… requirement to list all 1st party, so yimg.net would be on our first party list. if user grants, yahoo takes on the legal responsibility that we request and record that exception, any 3rd parties we have relationships. Rob presumes websites are unable to do this so he’s adding a new option, but we’d break how the TPE works today for a presumed problem (that Shane disagrees exists)
16:34:29 [aleecia]
… there are many other solutions v programmatically - trying to make 3rd party lists machine readable to put browsers in the
16:34:47 [aleecia]
schunter: don’t see how it breaks anything when it’s informational. don’t agree with your argument
16:35:01 [aleecia]
shane: but if people populate it, then you put the browser in that position
16:35:12 [aleecia]
schunter: don’t think so. let’s do call for objections,
16:35:23 [aleecia]
? : annoyed by how this is being chaired
16:35:24 [fielding]
q?
16:35:31 [wileys]
Please speak
16:35:32 [aleecia]
… ignoring the queue
16:35:35 [schunter]
q?
16:35:44 [aleecia]
… shane saying outrageous things about EU law
16:35:48 [wileys]
Go ahead Walter
16:35:59 [schunter]
ack wal
16:36:02 [schunter]
ack schunter
16:36:06 [schunter]
ack wil
16:36:18 [aleecia]
Walter: a few things. Shane is right about TPE so far, but that is because TPE so far is (unclear?)
16:36:32 [aleecia]
… site-wide exception makes perfect sense if server believes in permission before hand
16:37:00 [wileys]
That was why the site-wide exception was built in the first place - 1st parties themselves are not subject to DNT!
16:37:18 [aleecia]
… not out-of-band consent but specific permission needs specific consent (eu law)
16:37:30 [aleecia]
… fields that Rob proposes are a useful fit.
16:37:39 [wileys]
Walter - you are incorrect - 1st parties are not subject to DNT - they do not need consent on their own
16:37:56 [aleecia]
… two cases, DNT for active consent, or a server with opt out on dnt:1 and why the server thinks it has an opt out
16:38:14 [wileys]
We REALLY need a web browser vendor on the call
16:38:31 [aleecia]
… annoyed by the idea that browsers aren’t intermediaries, user chooses the browser. they provide infrastructure but not a part of the — ?
16:38:52 [aleecia]
wileys: Walter wasn’t here at the start, DNT is for 3rd parties (aleecia notes: this is not true)
16:39:08 [aleecia]
?: first party was always a compliance spec things
16:39:10 [aleecia]
q+
16:39:17 [schunter]
q+
16:39:32 [aleecia]
wileys: site-wide exceptions were created to cover 1st parties 3rd parties.
16:39:42 [aleecia]
… we’ve forgotten the purpose of a site-wide exception
16:40:04 [aleecia]
… the responsibility of the 1st party is to have necessary mechanisms in place before they register a site-wide exception
16:40:37 [schunter]
I have to leave 5min earlier.
16:40:46 [aleecia]
… once we introduce this next level of enumeration, keep your 3rd party list up to date in your TSR, even though you might have another party keeping your list of 3rd parties. yahoo lists an ad exchange lists all of their clients
16:41:11 [aleecia]
… to get consent, give a link to the ad exchange, not this new overhead of managed lists that i don’t own
16:41:39 [aleecia]
? … when talking about consent for technical means, something specific, by extension you as a publisher want to prove after that there’s a trail
16:41:54 [schunter]
Walter: Consent will be required to be specific (=well-defined list of sites).
16:41:58 [aleecia]
… can’t see how i can square specific consent with “using this ad exchange” for all the site-wide exceptions
16:42:16 [aleecia]
… this is not actual consent
16:42:50 [aleecia]
shane: now we disagree on specificity, limits on use, there are other ways to gain that consent. let the courts decide. can’t presume the outcome and force the standard
16:43:07 [aleecia]
schunter: we aren’t going to reach consensus in 5 minutes. call for objections as usual.
16:43:20 [aleecia]
… don’t see doing another few calls since we are not converging
16:43:46 [aleecia]
shane: gone for 3 weeks, on honeymoon, could get further with conversation but missed calls. i’m the only person on this call representing industry
16:43:58 [aleecia]
… only folks on the call are consumer advocates and regulators
16:44:11 [aleecia]
(apple????)
16:44:16 [aleecia]
(adobe???)
16:44:28 [fielding]
TPE is concerned with tracking, not parties; a first-party that uses tracking data is still subject to the DNT request, though they might ignore or limit the scope of DNT if the service being requested is expected by the user to involve tracking data.
16:44:54 [aleecia]
shane: ok, but they’re not ad side for other industry voices (in response to my mention of other cos)
16:45:26 [aleecia]
… little nervous where it’s very lopsided, lacks balance, trying to reestablish balance. mean no disrespect
16:45:44 [aleecia]
… would rather more discussion, rather than call for objections
16:46:02 [aleecia]
… will get other voices to participate
16:46:17 [aleecia]
walter: train here, must go
16:46:23 [aleecia]
… suggests more on the dlist
16:46:27 [fielding]
I am trying to stay editor-neutral, but I do represent Adobe here. I just don't have the background to know how Adobe's various products will implement DNT.
16:46:31 [aleecia]
schunter: ok, one more week
16:47:05 [aleecia]
rvaneijk: we announced the call on the list, members who are dormant can participate and know
16:47:18 [aleecia]
… we have process of announcement, allows everyone to speak if they want to
16:47:50 [aleecia]
schunter: see Shane’s point he wasn’t here. if no consensus by one more week, will do call for objections
16:48:08 [aleecia]
Roy: prepare text first, then we can discuss the texts
16:48:15 [aleecia]
(+1 on that from me)
16:48:19 [aleecia]
schunter: good point
16:48:22 [aleecia]
q-
16:49:04 [aleecia]
schunter: tracking status resource, sites have other parties, optional. don’t want to specify what browsers do.
16:49:13 [wileys]
Correct
16:49:17 [aleecia]
… Shane’s proposal not to change the spec with additional fields
16:49:21 [wileys]
Walter has me nervous to speak up now
16:49:26 [wileys]
:-)
16:49:31 [aleecia]
… two options, Rob, please send text for your proposal
16:49:35 [rvaneijk]
ok
16:49:42 [aleecia]
… no change is easy to write up :-)
16:49:45 [walter]
wileys: Heh, I wish I had that power. But no, it wasn't about you.
16:50:05 [aleecia]
Shane — CONGRATULATIONS!
16:50:10 [walter]
oh, yes, that too!
16:50:15 [aleecia]
I hope you had a great honeymoon!
16:50:46 [schunter]
Issue 35: Summary by Aleecia
16:51:06 [walter]
To give users the ability to see what they agree to
16:51:17 [walter]
One is to give the delta of what changes between dnt:0 and dnt:1
16:51:19 [schunter]
Suggest a way to find a user-readable description of what users consent to.
16:51:29 [walter]
The other is to explain both dnt:0 and dnt:1
16:51:43 [walter]
The idea is to have some hook in the text
16:51:47 [wileys]
DNT:0 = Privacy Policy — DNT:1 = Statement of what stops
16:52:15 [wileys]
I’m fine with this proposal on “what changes” under DNT:1 as a human readable (not machine) element
16:52:27 [fielding]
My understanding of the (Adobe) legal perspective is that we can only have one set of instructions that describes what we do in each case. Showing different text to different users is NOT an option.
16:52:35 [fielding]
q+
16:52:39 [walter]
I'm in favour of treating DNT:0 rather differently from DNT:1
16:52:43 [walter]
they are too different
16:53:01 [walter]
Matthias would like to push this out to the next release
16:53:16 [walter]
aleecia thinks it makes more sense to deal with this now
16:53:24 [walter]
Because we don't have a baseline
16:53:37 [walter]
People need to know what they are agreeing to
16:53:49 [walter]
This is the fallout of not having a compliance spec
16:54:26 [walter]
Roy feels no difference between having a compliance spec or not
16:54:33 [walter]
Aleecia wants to prevent a billion pop-ups
16:54:59 [walter]
Consensus on a very low burden to do this
16:55:14 [walter]
Matthias: so what you're suggesting is a best practice?
16:55:33 [walter]
aleecia: not even related to multiple compliance specs, it is that the user should understand what changes
16:56:15 [fielding]
I meant that we have a Compliance array to provide a reference to how the site will comply to DNT. And we have a policy member that points to the text-for-all-cases.
16:56:26 [wileys]
Pop-ups are going to occur no matter what now - and will likely be more of a burden for users under ePR
16:56:52 [fielding]
q-
16:56:57 [fielding]
q- sch
16:57:04 [walter]
will do so, then
16:57:05 [walter]
bye!
16:57:20 [wileys]
wileys has left #dnt
16:57:46 [fielding]
present+ fielding
16:58:21 [fielding]
rrsagent, who is attending?
16:58:21 [RRSAgent]
I'm logging. Sorry, nothing found for 'who is attending'
16:58:42 [fielding]
rrsagent, who is here?
16:58:42 [RRSAgent]
I'm logging. Sorry, nothing found for 'who is here'
17:01:00 [fielding]
Zakim, who is here?
17:01:00 [Zakim]
Present: Bert, fielding
17:01:02 [Zakim]
On IRC I see fielding, Zakim, RRSAgent, schunter, dsinger, wseltzer, Bert, walter, adrianba, hadleybeeman, mkwst, trackbot
17:02:00 [fielding]
present+ schunter, dsinger, wseltzer, walter, adrianba, hadleybeeman, mkwst
17:02:16 [fielding]
Zakim, who is here?
17:02:16 [Zakim]
Present: Bert, fielding, schunter, dsinger, wseltzer, walter, adrianba, hadleybeeman, mkwst
17:02:19 [Zakim]
On IRC I see fielding, Zakim, RRSAgent, schunter, dsinger, wseltzer, Bert, walter, adrianba, hadleybeeman, mkwst, trackbot
17:03:27 [fielding]
present +swiley, moneill, rvaneijk, aleecia
17:04:04 [fielding]
present+ wileys
17:04:31 [fielding]
Zakim, who is here?
17:04:31 [Zakim]
Present: Bert, fielding, schunter, dsinger, wseltzer, walter, adrianba, hadleybeeman, mkwst, wileys
17:04:33 [Zakim]
On IRC I see fielding, Zakim, RRSAgent, schunter, dsinger, wseltzer, Bert, walter, adrianba, hadleybeeman, mkwst, trackbot
17:04:43 [fielding]
scribe: aleecia
17:05:04 [fielding]
trackbot, status
17:06:26 [fielding]
trackbot, end meeting
17:06:26 [trackbot]
Zakim, list attendees
17:06:26 [Zakim]
As of this point the attendees have been Bert, fielding, schunter, dsinger, wseltzer, walter, adrianba, hadleybeeman, mkwst, wileys
17:06:34 [trackbot]
RRSAgent, please draft minutes
17:06:34 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/04/24-dnt-minutes.html trackbot
17:06:35 [trackbot]
RRSAgent, bye
17:06:35 [RRSAgent]
I see no action items