16:00:08 RRSAgent has joined #dnt
16:00:08 logging to http://www.w3.org/2017/04/24-dnt-irc
16:00:10 RRSAgent, make logs world
16:00:10 Zakim has joined #dnt
16:00:12 Zakim, this will be TRACK
16:00:12 ok, trackbot
16:00:13 Meeting: Tracking Protection Working Group Teleconference
16:00:13 Date: 24 April 2017
16:01:11 present+
16:01:26 RRSAgent, make minutes v2
16:01:26 I have made the request to generate http://www.w3.org/2017/04/24-dnt-minutes.html Bert
16:02:01 chair: schunter
16:02:22 mikeoneill has joined #dnt
16:03:08 regrets+ David Singer
16:03:24 aleecia has joined #dnt
16:03:56 schunter asks: is shane back? answer seems to be no.
16:04:16 Screenshots sent to the mailing list: https://lists.w3.org/Archives/Public/public-tracking/2017Apr/0035.html
16:04:30 schunter: discuss content & tech resolution. next step is texts and (?)
16:04:51 … 30 minutes, quick discussion of what changes and why
16:05:01 … then we discuss accept the change or not
16:05:09 … can go through call for objects process again
16:05:17 … any ?
16:05:24 … hearing none, gets started.
16:05:37 rvaneijk: can be heard :-)
16:05:44 … using screenshots seen dlist
16:06:06 … makes it easier to distinguish resources and legal grounds
16:06:31 … looked at two groups of actors. first, Rubicon, real time with network partners
16:07:03 … central Rubicon in big yellow, surrounded by nodes in the ad exchange
16:07:32 … in discussion, would they rely on consent or not? come back to.
16:07:58 … the nodes that are still yellow in the center, resources that through referer header are pulled in and lead to analytics data for the ad exchange network
16:08:26 … header relations between resource and where the js is called from, originally a referer header or a location header if the request was redirected
16:08:32 … any ? on the rep of the image?
16:08:38 (trying to find it still!)
16:08:53 rvaneijk, same graph but different group of actors
16:09:28 Rubicon is now in grey, the other nodes in green
16:10:10 rvaneijk, API call with UID sent to sync unique id in background, which is the rubicon ad exchange in real time
16:10:20 … the cookie synching allows trading of uid’s.
16:10:28 … core of the argument is here, around legal grounds.
16:10:45 … calling for specific information in the tracking status resource to distinguish different type of actors
16:10:54 … have the controller array to identify itself
16:11:26 … same party array, all resources could be listed if there’s an agreement signed or resources owned by controller itself (if you host on amazon type of resource (?)
16:12:10 … calling for: try to differentiate. out of band consent is important, can call for permission for all parties as out-of-band-consent
16:12:30 … but the networks are not listed on the publisher’s network and cannot rely on the out-of-band-consent of the publisher
16:12:52 … propose distinguishing between parties that are needed to make the real time ad exchange work, and parties that are not
16:13:13 … what is the extent of control of the publisher, do they have an agreement. or these resources are themselves (different)
16:13:18 … would help transparency
16:13:31 … will help parties that cannot rely on out of band consent
16:14:01 wileys has joined #dnt
16:14:11 … proposal: enhance status resource with new, “other party” (name tbd) to enable publisher to list all resources they can identify that they want to ask for consent from user
16:14:37 ?: can you explain in a transaction, how to distinguish between site-wide and (?)
16:15:03 rvaneijk: publisher identifies all the resources, all the nodes. Mike’s example of LA Times, 335 resources
16:15:24 3 tiers of parties: same-party, new website-helpers, and everyone else.
16:15:54 Shane: 300 listed in Yahoo’s privacy center, can have contracts with that many parties. i think you’re trying to state a site-wide exception cannot exist, disagree. how does a UA distinguish between your case and site-wide?
16:16:14 … not listed as same party, since they’re 3rd party. does not require all 3rd parties be enumerated.
16:16:23 … would be those domains under publisher’s (?)
16:16:23 q+
16:16:42 rob: in EU need to enumerate. makes it hard to automate.
16:17:10 shane: not a requirement by law. this is only one technical option and could Break The Entire Standard
16:17:17 rob: trying to improve over cookie wall
16:17:19 q?
16:17:23 q+
16:17:35 shane: consent is the same as a cookie wall. not all publishers can identify all actors
16:17:52 (cannot type as fast as they can argue)
16:18:10 shane: a publisher *can* know 3rd parties and this proposal breaks that
16:18:26 rob: transparency not control. additional object, why would it break the model
16:18:36 schunter: echo
16:18:59 This list can be accomplished MANY ways
16:19:07 Does not require DNT to support this outcome
16:19:14 fielding has joined #dnt
16:19:19 … rob is saying, he believes under EU law you have to list everyone who’s collecting data. Shane, saying no, site-wide exception is enough. Rob is saying we can implement both options.
16:19:33 … everybody who’s not a first party is still getting data should be listed
16:19:42 Shane: saying, how does the browser manage this?
16:20:42 … if a publisher says, i have a site-wide exception, provides in the TSR and does not fill out Rob’s field, what does the UA do? is this an optional field, and if optional, how does a browser handle populated or not? Rob is attempting to push more requirements on the browser and trying to avoid that
16:20:59 schunter: anything the browser should do with this or just record it?
16:21:22 But that is for the browser to decide - not Rob
16:21:50 rob: browser discussion leads to ad blocking. one hand, browser not block anything. other hand, block everything except what’s consented. middle ground between ad blocking options is a consent-based middle ground that DNT can address
16:22:13 … browsers handling this info is out of scope for us. providing this info allows browsers to not break (ad networks?)
16:22:14 +q
16:22:41 … in order to let programmatic ads survive rather than be blocked by default, this missing property allows browsers to
16:23:14 schunter: same party gets DNT:1 everyone else blocked, but with additional field those guys not blocked because friends of the publisher, so get special treatment
16:23:44 wileys: confounding two topics. ad blocking would not occur if all parties have consent or valid processing basis, but that’s not true.
16:24:46 … on the issue of allowing a transaction to occur, if a publisher states site-wide exception, they understand the expanse of that permission, browser should do nothing more than register when the exception occurred. can confirm after to make sure contracts and lists in place, but all browser does is send dnt:0 for the same-party domain
16:24:58 … this is how we developed the standard.
16:25:12 schunter: let’s keep ad blocking out now.
16:25:28 … browser can only send dnt:0 for everything listed in same party area and the like
16:25:59 wileys: and all parties under, all domains under xyz.com should get a dnt:0 if registered a site-wide exception. that’s how we built it to date.
16:26:25 schunter: i think rob doesn’t want to change that. if not sub-sites of yahoo, like the rubicon thing, the other nodes would not get a dnt:0
16:26:57 wileys: but my list could be on a web page.
16:27:13 … should be all domains under those registered under the first party domain
16:27:22 schunter: but then who they are is unknown
16:27:36 wileys: no requirement to list, is over-loading the TSR
16:27:55 … could manage in our privacy centers, the well-known location could hold this. attempting to make it machine readable.
16:28:36 q?
16:28:42 … some are www.adnetwork.com or adnetwork2.com, we’d have to list *all* of those on Rob’s proposal. if a domain is not listed, the browser should send dnt:1 even though a site-wide exception has been issued for the parent domain
16:29:11 … ask the browser, or the publisher needs to ask the end user, trying to understand the full scope of interactions in Rob’s structure, breaks many of the conventions we agreed upon
16:29:34 rob: site-wide exception only goes as far as the parties can be identified up front, or else it’s a wild card
16:29:41 … for unknown purposes
16:29:52 … legal consent for ePriv (won’t allow that)
16:30:10 I thought our goal was to move the specification closer to actual implementations. It sounds to me like folks want to start over with a new API and a completely different consent mechanism based on imagined implementations. I won't argue that either is a better way forward, but I will argue that we can't do teh latter on this schedule.
16:30:24 s/ teh / the /
16:30:34 … if there are restrictions on stie-wide limitations, if that could lead to compliance we wouldn’t need this discussion. but most publishers cannot identify all parties up front. and yes, browser needs to decide, can be conversation with user or automatically.
16:30:46 s/stie/site/
16:30:50 … ability to express consent through browser settings is long established
16:31:12 … dnt can do so much better than current cookie settings of 1st or 3rd party, doesn’t help publisher either
16:31:29 wileys: have ability to manage individual cookies.
16:31:38 … you didn’t rebuke anything i’ve stated.
16:31:56 … pushes the browser into a legal position to arbitrate valid consent or not
16:32:31 schunter: not so clear, Shane you believe site-wide consent is dnt:0 goes to everything on yahoo.com?
16:32:45 wileys: everything underneath gets dnt:0, on purpose, today
16:34:00 … requirement to list all 1st party, so yimg.net would be on our first party list. if user grants, yahoo takes on the legal responsibility that we request and record that exception, any 3rd parties we have relationships. Rob presumes websites are unable to do this so he’s adding a new option, but we’d break how the TPE works today for a presumed problem (that Shane disagrees exists)
16:34:29 … there are many other solutions v programmatically - trying to make 3rd party lists machine readable to put browsers in the
16:34:47 schunter: don’t see how it breaks anything when it’s informational. don’t agree with your argument
16:35:01 shane: but if people populate it, then you put the browser in that position
16:35:12 schunter: don’t think so. let’s do call for objections,
16:35:23 ? : annoyed by how this is being chaired
16:35:24 q?
16:35:31 Please speak
16:35:32 … ignoring the queue
16:35:35 q?
16:35:44 … shane saying outrageous things about EU law
16:35:48 Go ahead Walter
16:35:59 ack wal
16:36:02 ack schunter
16:36:06 ack wil
16:36:18 Walter: a few things. Shane is right about TPE so far, but that is because TPE so far is (unclear?)
16:36:32 … site-wide exception makes perfect sense if server believes in permission beforehand
16:37:00 That was why the site-wide exception was built in the first place - 1st parties themselves are not subject to DNT!
16:37:18 … not out-of-band consent but specific permission needs specific consent (eu law)
16:37:30 … fields that Rob proposes are a useful fit.
16:37:39 Walter - you are incorrect - 1st parties are not subject to DNT - they do not need consent on their own
16:37:56 … two cases, DNT for active consent, or a server with opt out on dnt:1 and why the server thinks it has an opt out
16:38:14 We REALLY need a web browser vendor on the call
16:38:31 … annoyed by the idea that browsers aren’t intermediaries, user chooses the browser. they provide infrastructure but not a part of the — ?
16:38:52 wileys: Walter wasn’t here at the start, DNT is for 3rd parties (aleecia notes: this is not true)
16:39:08 ?: first party was always a compliance spec things
16:39:10 q+
16:39:17 q+
16:39:32 wileys: site-wide exceptions were created to cover 1st parties 3rd parties.
16:39:42 … we’ve forgotten the purpose of a site-wide exception
16:40:04 … the responsibility of the 1st party is to have necessary mechanisms in place before they register a site-wide exception
16:40:37 I have to leave 5min earlier.
16:40:46 … once we introduce this next level of enumeration, keep your 3rd party list up to date in your TSR, even though you might have another party keeping your list of 3rd parties. yahoo lists an ad exchange lists all of their clients
16:41:11 … to get consent, give a link to the ad exchange, not this new overhead of managed lists that i don’t own
16:41:39 ? … when talking about consent for technical means, something specific, by extension you as a publisher want to prove after that there’s a trail
16:41:54 Walter: Consent will be required to be specific (=well-defined list of sites).
16:41:58 … can’t see how i can square specific consent with “using this ad exchange” for all the site-wide exceptions
16:42:16 … this is not actual consent
16:42:50 shane: now we disagree on specificity, limits on use, there are other ways to gain that consent. let the courts decide. can’t presume the outcome and force the standard
16:43:07 schunter: we aren’t going to reach consensus in 5 minutes. call for objections as usual.
16:43:20 … don’t see doing another few calls since we are not converging
16:43:46 shane: gone for 3 weeks, on honeymoon, could get further with conversation but missed calls. i’m the only person on this call representing industry
16:43:58 … only folks on the call are consumer advocates and regulators
16:44:11 (apple????)
16:44:16 (adobe???)
16:44:28 TPE is concerned with tracking, not parties; a first-party that uses tracking data is still subject to the DNT request, though they might ignore or limit the scope of DNT if the service being requested is expected by the user to involve tracking data.
16:44:54 shane: ok, but they’re not ad side for other industry voices (in response to my mention of other cos)
16:45:26 … little nervous where it’s very lopsided, lacks balance, trying to reestablish balance. mean no disrespect
16:45:44 … would rather more discussion, rather than call for objections
16:46:02 … will get other voices to participate
16:46:17 walter: train here, must go
16:46:23 … suggests more on the dlist
16:46:27 I am trying to stay editor-neutral, but I do represent Adobe here. I just don't have the background to know how Adobe's various products will implement DNT.
16:46:31 schunter: ok, one more week
16:47:05 rvaneijk: we announced the call on the list, members who are dormant can participate and know
16:47:18 … we have process of announcement, allows everyone to speak if they want to
16:47:50 schunter: see Shane’s point he wasn’t here. if no consensus by one more week, will do call for objections
16:48:08 Roy: prepare text first, then we can discuss the texts
16:48:15 (+1 on that from me)
16:48:19 schunter: good point
16:48:22 q-
16:49:04 schunter: tracking status resource, sites have other parties, optional. don’t want to specify what browsers do.
16:49:13 Correct
16:49:17 … Shane’s proposal not to change the spec with additional fields
16:49:21 Walter has me nervous to speak up now
16:49:26 :-)
16:49:31 … two options, Rob, please send text for your proposal
16:49:35 ok
16:49:42 … no change is easy to write up :-)
16:49:45 wileys: Heh, I wish I had that power. But no, it wasn't about you.
16:50:05 Shane — CONGRATULATIONS!
16:50:10 oh, yes, that too!
16:50:15 I hope you had a great honeymoon!
16:50:46 Issue 35: Summary by Aleecia
16:51:06 To give users the ability to see what they agree to
16:51:17 One is to give the delta of what changes between dnt:0 and dnt:1
16:51:19 Suggest a way to find a user-readable description of what users consent to.
16:51:29 The other is to explain both dnt:0 and dnt:1
16:51:43 The idea is to have some hook in the text
16:51:47 DNT:0 = Privacy Policy — DNT:1 = Statement of what stops
16:52:15 I’m fine with this proposal on “what changes” under DNT:1 as a human readable (not machine) element
16:52:27 My understanding of the (Adobe) legal perspective is that we can only have one set of instructions that describes what we do in each case. Showing different text to different users is NOT an option.
16:52:35 q+
16:52:39 I'm in favour of treating DNT:0 rather differently from DNT:1
16:52:43 they are too different
16:53:01 Matthias would like to push this out to the next release
16:53:16 aleecia thinks it makes more sense to deal with this now
16:53:24 Because we don't have a baseline
16:53:37 People need to know what they are agreeing to
16:53:49 This is the fallout of not having a compliance spec
16:54:26 Roy feels no difference between having a compliance spec or not
16:54:33 Aleecia wants to prevent a billion pop-ups
16:54:59 Consensus on a very low burden to do this
16:55:14 Matthias: so what you're suggesting is a best practice?
16:55:33 aleecia: not even related to multiple compliance specs, it is that the user should understand what changes
16:56:15 I meant that we have a Compliance array to provide a reference to how the site will comply to DNT. And we have a policy member that points to the text-for-all-cases.
16:56:26 Pop-ups are going to occur no matter what now - and will likely be more of a burden for users under ePR
16:56:52 q-
16:56:57 q- sch
16:57:04 will do so, then
16:57:05 bye!
16:57:20 wileys has left #dnt
16:57:46 present+ fielding
16:58:21 rrsagent, who is attending?
16:58:21 I'm logging. Sorry, nothing found for 'who is attending'
16:58:42 rrsagent, who is here?
16:58:42 I'm logging. Sorry, nothing found for 'who is here'
17:01:00 Zakim, who is here?
17:01:00 Present: Bert, fielding
17:01:02 On IRC I see fielding, Zakim, RRSAgent, schunter, dsinger, wseltzer, Bert, walter, adrianba, hadleybeeman, mkwst, trackbot
17:02:00 present+ schunter, dsinger, wseltzer, walter, adrianba, hadleybeeman, mkwst
17:02:16 Zakim, who is here?
17:02:16 Present: Bert, fielding, schunter, dsinger, wseltzer, walter, adrianba, hadleybeeman, mkwst
17:02:19 On IRC I see fielding, Zakim, RRSAgent, schunter, dsinger, wseltzer, Bert, walter, adrianba, hadleybeeman, mkwst, trackbot
17:03:27 present +swiley, moneill, rvaneijk, aleecia
17:04:04 present+ wileys
17:04:31 Zakim, who is here?
17:04:31 Present: Bert, fielding, schunter, dsinger, wseltzer, walter, adrianba, hadleybeeman, mkwst, wileys
17:04:33 On IRC I see fielding, Zakim, RRSAgent, schunter, dsinger, wseltzer, Bert, walter, adrianba, hadleybeeman, mkwst, trackbot
17:04:43 scribe: aleecia
17:05:04 trackbot, status
17:06:26 trackbot, end meeting
17:06:26 Zakim, list attendees
17:06:26 As of this point the attendees have been Bert, fielding, schunter, dsinger, wseltzer, walter, adrianba, hadleybeeman, mkwst, wileys
17:06:34 RRSAgent, please draft minutes
17:06:34 I have made the request to generate http://www.w3.org/2017/04/24-dnt-minutes.html trackbot
17:06:35 RRSAgent, bye
17:06:35 I see no action items