W3C

- DRAFT -

Tracking Protection Working Group Teleconference

01 May 2017

See also: IRC log

Attendees

Present
mikeoneill, fielding, walter, schunter, dsinger, wileys, rvaneijk, fwagner, Brendan
Scribe
schunter


<walter> fwagner: you may want to mute

<fwagner> now better ?

https://github.com/w3c/dnt/issues?q=is%3Aopen+is%3Aissue+milestone%3ATPE-CR-April-2017

<walter> now it's fielding's turn to be noisy :-)

<fwagner> :-)

https://github.com/w3c/dnt/issues/13

<fielding> talking about "doNotTrack property should be derived from EventTarget"

<walter> in JavaScript every variable is mutable...

<fielding> I don't have a strong push for a function -- just a question on which is more appropriate

Since the function has no parameters it indeed does not seem to make a big difference.

<fielding> I would prefer that we have one attribute for the global default DNT setting and a separate method to retrieve the current DNT string for this document origin.

<fielding> dsinger: concerned about the temporal scope for the DNT value: how often do you need to check the value?

<wileys> It won’t be possible. We’ll only honor the original signal coming in the header

<wileys> Too difficult to continually check back and then change processing mid-stream on a page load

<fielding> yes, designing these features for the sake of an extension manager is different from designing them for the sake of sites trying to comply

<walter> The thing is, from a purely legalistic viewpoint, consent has to be withdrawable at any time

<walter> from a practical point, I think it is worth cutting some corners here

<wileys> I believe you can fairly defend completing a page load if the original header said DNT:0 and honor the DNT1 change on the next page load

<walter> wileys: and the other way around

<walter> ?

<wileys> Agreed

<dsinger> right, I can see a lifetime that lasts for the time a page is open.

<wileys> But trying to change mid-page seems very difficult

<walter> but yes, I would consider that a defensible position for web pages. For web-services it's more complicated.

<wileys> And we have OS controls for Apps so this isn’t needed there

<wileys> Just close the browser

<wileys> +q

<walter> I would support that answer

<walter> if you do recurring interactions through a persistent process

<walter> it is reasonable to check for changes in the DNT with the same frequency you have those interactions

Proposal: DNT;0 lasts as long as the page lasts. If some processes have a longer life-time, they have to regularly check the DNT status and need to be able to change their behavior if the DNT value has changed.

<wileys> Agreed in either direction DNT 0 or 1 - basically the initial value holds true throughout the lifespan of the UA interaction with the end user

<walter> schunter: How about: if you do polling for web helper processes, AJAX-calls, what have you, you must poll for DNT changes too?

ack schunter

Corner cases: Polyfill? Web-workers?

<Brendan> +1 they're edge cases

<walter> Brendan: they're not edge cases for apps etc, but I can live with it being pushed to a later revision

<walter> the basic question to me is, how much of a change is it to have an event handler or a variable for that?

Points I would like to get a text proposal for:

<walter> if it is a lot, push it to a later revision

<walter> I can also live with it being a variable for now, and it become an event handler at a later stage

1. the initial value holds true throughout the lifespan of the UA interaction with the end user

<walter> that is survivable change-wise

2. Event API is fine

3. If anything lasts longer than the UA interaction/page, it needs to regularly check the DNT status

<fielding> https://github.com/w3c/dnt/issues/9

<fielding> but then we have to spend a year trying to reach agreement on those definitions

<wileys> Why is this needed?

<wileys> +q

<rvaneijk> Google Analytics could go under Same Party, if the processor agreement was signed

<fielding> what is the user going to do with the information "this call you just made thinks you were in a first party context" given that the browser has NO IDEA whether it is making a first party or third party request. Remember, "first party" is defined by ownership and control, not domain name

Parties say T or N or C

Scenario 1: Widget

Site says T (because 1st party)

Third party says T (because it has no consent)

Widget says C (because it has a direct relationship)

Scenario 2: Google (1st party) was misused as a third party

- Google says T (it believes it is 1st party)

- Site says T because it believes it is 1st party

<fielding> https://lists.w3.org/Archives/Public/public-tracking/2017Apr/0053.html

<fielding> Shane is talking about the above message

<fielding> Thinking of this from the site implementation perspective (AEM), I think it is very unlikely that enterprises want browsers to differ in their processing of site elements based on an invisible list found within the TSR of a live site.

<wileys> Again - this conversation is outside the scope of the DNT signal (Privacy Badger, AdBlock Plus, etc.)

Requirement 1 "truthful reporting": If a user-granted exception is present, then browsers should tell the site what third parties received DNT;1 (or were blocked or otherwise hindered).

<fielding> Keep in mind that tools like AEM already contain management of links that prevent unintended subresources being inserted in any page.

Requirement 2 "blocking unauthorized third parties": Blocking all third parties not in the list.

Discussion: If a publisher has a site-wide exception, is the UA allowed to send some third parties DNT;1?

<wileys> The tech spec already defines what a site-wide exception means

<fielding> I don't understand. We don't have "reciprocal transparency" now, nor are we likely to get it soon given that browsers would consider it to be a privacy violation.

<wileys> Says the person who just interrupted the conversation

<wileys> Disagree - we’re discussing UGE - not OOBC

<wileys> This should not change

<wileys> Next week it is…

<walter> wileys: sorry if that went too far

<fielding> trackbot, end meeting

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/05/01 17:07:28 $
