15:59:34 RRSAgent has joined #dnt 15:59:34 logging to http://www.w3.org/2017/08/21-dnt-irc 15:59:49 moneill2 has joined #dnt 16:00:25 the webex link says the meeting is cancelled 16:00:59 https://mit.webex.com/mit/j.php?MTID=m97f5fec14b837f72dfa 16:01:01 6049836dbffe2 16:01:37 https://mit.webex.com/mit/j.php?MTID=m97f5fec14b837f72dfa6049836dbffe2 16:02:02 Bert has changed the topic to: https://mit.webex.com/mit/j.php?MTID=m97f5fec14b837f72dfa6049836dbffe2 16:02:04 schunter_ has joined #dnt 16:02:31 fielding has joined #dnt 16:02:34 trackbot, start telcon 16:02:37 RRSAgent, make logs world 16:02:37 Zakim has joined #dnt 16:02:38 Meeting: Tracking Protection Working Group Teleconference 16:02:38 Date: 21 August 2017 16:02:59 wileys has joined #dnt 16:03:11 present+ dsinger 16:03:28 agenda: http://www.w3.org/mid/ad0c4afc-b6fb-dd46-8d2a-2a08bb36e85a@schunter.org 16:03:29 Unable to connect just yet - need to recover account - one second (we switched to @oath domain last week so its causing havoc with these types of accounts) 16:03:36 I tried the info at the link that Bert posted. 16:03:42 present+ moneill2 16:03:44 Webex says "meeting cancelled or ended". 16:04:25 this one works: https://mit.webex.com/mit/j.php?MTID=m97f5fec14b837f72dfa6049836dbffe2 16:04:31 at has joined #dnt 16:05:20 Just managed to join by manually entering meeting ID and password. 16:05:24 thanks! 16:06:32 present+ 16:07:00 present+ 16:10:25 zakim, list participants 16:10:25 As of this point the attendees have been dsinger, moneill2, Bert, fielding 16:10:33 present+ Alan, Matthias, Shane 16:10:38 same-party you mean? 16:10:45 I don’t recall ever linking the exception API to the well-known resource 16:11:42 q+ 16:13:18 q+ 16:14:01 but that has the caller making the assertion of same-party in a way that can’t be audited/tracked/etc. 16:14:20 q+ 16:15:11 +q 16:15:39 is someone goint to scribe? 16:15:46 s/goint/going/ 16:16:00 Bert? could you? 16:16:05 q- 16:16:11 Scribenick: bert 16:16:22 Thx! 16:16:41 I think that Mike is right, you have to open browsing contexts for those sites, and they can then register the exceptions 16:16:43 Topic: Shane's issue about multiple site exceptions in one API call 16:16:48 We are talking about https://w3c.github.io/dnt/drafts/tracking-dnt.html#exception-javascript-api-store 16:17:05 ack mo 16:17:43 (Discussion about whether this was in an earlier version. It appears it was not. Discussion about whether a site is allowed to set exception for other domain at all.) 16:18:18 ack wi 16:18:43 Shane: [...] get consent as user visits each domain, iframes. 16:19:05 schunter_: We don't want to break same-origin policy. 16:19:15 ... I'd like to close this doscussion. 16:19:39 Next issue: Notification of exception registrations from 3rd parties to 1st parties 16:19:43 ... I think we decided earleir we wouldn't allow such mutliple registrations. 16:19:47 do we have this on the issues list? 16:19:51 ... Shane, OK? 16:19:59 Shane: For now, yes. 16:20:29 ... It is harder. We'll come back in the future with more data. 16:20:56 yes, the section suggests that the browser save that information along with the exception data 16:21:10 ... Some sort of freedom outside of same-origin, so yahoo,com and flickr.com can share a policy. 16:21:34 schunter_: Can maybe add a new call later, keeping backwards compat. 16:22:06 shane: This is sort of counter to natural adoption curve in internet. 16:22:18 schunter_: Your second issue: 16:22:35 q+ 16:22:49 shane: 3rd parties registering exceptions. Would like a way to discover that that has occured. 16:23:28 moneill2: Agree there should be a way to report, because the 3rd party can cause legal problem for 1st. 16:23:54 ... I suggested we just have an indication from 1st party whether they allow it to happen. 16:24:16 ... Some flag sayiung this 3rd party is allowed to register an exception. 16:24:51 q+ 16:25:03 shane: Say Tumblr.com displays adds in a news feed. We dont' want a 3rd party to register an exception at that point, in an iframe. 16:25:20 ... We can't technically stop them, We would like to be informed. 16:25:36 dsinger: iframe is a top-level context? 16:26:10 moneill2: can have some flag that says *.domain can set an exception. 16:26:45 This would only be the case where a third party iframe contains javascript that is executed. It can call the API to store a site-specific exception. This is not changed at all by the recent edits, other than being exposed vecause there is less text objuscation. 16:26:46 dsinger: Site setting exception has to match browsing context. 16:27:05 s/vecause/because/ 16:27:30 fielding: There is no chnage here. This is what the API did before. 16:28:42 ... Javascript can set any target it want. Relies on regulator checking that site follows rules. 16:28:52 q? 16:29:04 ... A site would do better just ignoring DNT in that case. 16:29:28 dsinger: [missed] 16:30:07 Shane: Worst they can do is set a site-wide exception. 16:30:27 dsinger: Why would advertiser expect a user to visit them as a top level site? 16:30:43 shane: Cn't they do web-wide then? 16:31:35 shane: Imagine an industry approach. They would need an iframe approach. 16:32:19 6.6.1 starting "For each of the targets in a web-wide exception" 16:32:21 ... I like roy's argument that there are many ways to exploit the standard. But as it is traceable, they're better off not doing it throught DNT. 16:32:22 Registering a site-wide for ‘myself’ (all you can do) when myself is an ad site seems useless; no-one visits ad sites. But registering a web-wide is a huge break; but they are asserting they have consent, and if they don’t, they have a glaring error (that;s noticeable) 16:32:30 q+ 16:32:36 ... So I'm good now. That closes the discussion for me. 16:33:02 moneill2: In the new conform call: Can't confirm a sub-somain, as you used to be able to. 16:33:41 fielding: Yes, that did chnage. Makes it easier to fingerprint the user. 16:34:03 ... could ask for a user's exceptions on sites you don't own. 16:34:37 moneill2: In the confirm call, site param is now ignored. 16:34:49 dsinger: Doesn't same-origin apply? 16:35:45 s/Makes it easier/Made it too easy/ 16:36:25 [Discussion about what the spec actually says.] 16:36:56 dsinger: Why doesn't the confirmn call exactly match the store call? Why did it change? 16:37:36 fielding: It allowed any party to make a query on any domain. I removed that. It now allows if a an exception exiosts on a specific site. 16:37:48 https://w3c.github.io/dnt/drafts/tracking-dnt.html#exception-javascript-api-confirm 16:37:57 dsinger: Previosuly you coul donly ask about your own site. 16:38:27 "To avoid revealing too much information about other sites, any value for site is ignored and the calling script's site domain is used instead for matching with stored exceptions." 16:39:02 schunter_: So a site can only ask for confirmations affecting its own site. 16:39:59 I agree that the old confirm call didn’t have text saying that CORS had to be respected. But I am not sure we have not introduced a different problem here. 16:40:00 moneill2: I think the only diff. is you can't do it on a subdomain. Why don't we allow that? You can set an exception on a sub-domain, whay can't you query it? 16:40:55 dsinger: Old text didn't say it explicitly that you have respects same-origin. 16:41:05 Confirm call now only allows "site=null" 16:41:13 (means site=origin) 16:41:23 store also allows "*" for web-wide 16:41:32 and cookie rules for sub-domains 16:41:46 q? 16:41:54 ack mon 16:42:56 I don't care either way, except I am not available to rewrite. 16:43:50 moneill2: I agree with roy's addition to web-wide. But what in 6.6.3. "any value for site is ignored" 16:45:12 schunter_: site param allows null and *. You cannot confirm if a web-swide exception exists. 16:45:16 The old confirm API is at https://www.w3.org/TR/tracking-dnt/#exceptions-javascript-api-ww-confirm 16:45:25 I think Mike is saying that the confirm call doesn’t match the store; the basic operation “do I still have this that I stored?” has to work 16:45:57 ... https://www.w3.org/TR/tracking-dnt/#exceptions-javascript-api-confirm 16:48:53 cases: site="*" 16:49:06 schunter_: storeTrackingException can set an excpetion for a sub-domain. trackingExceptionExists cannot query that same sub-domain. 16:50:19 Changes: 16:50:56 fielding: My concern about the previous API, whcih is still in /TR, is that it allowed qdiscovering info about other domains. 16:50:56 1. Say that it can only be called to query exceptions for the given origin 16:51:09 Two basic principles: the same-origin restrictions on confirm and store should be the same; and you should be able to confirm exactly what you thought you stored 16:51:26 i.e. ask the question: has my prior store been deleted or does it still stand? 16:51:52 schunter_: fingerprinting risk. A nasty company could set a user-specific cookie. 16:52:23 ... But I'd then have to iterate through all user patterns. 16:52:27 s/cookie/cookie-like pattern/ 16:53:00 dsinger: web-wide excpetion now has targets, which it didn't have before. 16:53:18 I regret to say that we need a repeated security+privacy+TAG review, given the number of changes 16:53:26 schunter_: That is for next week. 16:53:30 Reminder, the issues list is at https://github.com/w3c/dnt/issues 16:53:39 I am not enough of an expert to be comfortable 16:53:48 We have no open issues on the draft, right now. 16:53:49 2. Add "*" and cookie rules as site options (similar to store) 16:55:16 1: Cross-origin restrictions must be documented for store and confirm 16:55:19 fielding: If there is something in the old API that I accidentally removed, let me know and I'll restore it. 16:55:38 schunter_: Who can write it? 16:55:39 Edits: 16:55:51 moneill2: I can write an edit and send to the list. 16:56:04 dsinger: We need a TAG review on this. 16:56:08 1. Explain that confirm and store must respect same-origin 16:56:13 …and a PING review 16:56:34 right, most of this work was just to get the API to the point where people might be willing to review. 16:56:40 2. Copy options for "site" parameter "*" and "cookie-like pattern" from store to confirm 16:58:02 "For each of the targets in a web-wide exception, a user agent MUST NOT store the duplets and MUST reject the promise with a DOMException named "SecurityError" unless the target domain matches both the document.domain of the script's responsible document and the document.domain of the top-level browsing context's active document [HTML5]. This effectively limits the API for web-wide exceptions to the single target domain of the caller." 16:58:11 dsinger: We seemed to have added the possibility to set multiple targets in a web-wide exception. But most of all I want a security & privacy review of the new API. 16:59:08 schunter_: If we wait for review, we push off the CR again. 16:59:30 dsinger: Can probably have the review during CR. For Bert to check with plh and others. 17:00:33 moneill2: Not allowing DNT:1 by default may upset DPA in Europe. But leave well-enough alone. 17:01:22 fielding: I wrote a section why DNT:1 is not set by default. It is just information, but it is needed, because multiple parties have said it is OK to set DNT:1 by default. 17:01:50 ... Not sure why that is. Is the spec not clear? Are people misleading legislators? 17:02:30 ... Section 10.1 is not supposed to say anything different from 5.1 17:02:55 moneill2: "5.2" 17:03:11 actually, 5.1 17:04:08 RRSAgent, make minutes v2 17:04:08 I have made the request to generate http://www.w3.org/2017/08/21-dnt-minutes.html Bert 17:04:17 we were talking about https://w3c.github.io/dnt/drafts/tracking-dnt.html#privacy.not-preconfigured 17:04:20 zakim, list participants 17:04:20 As of this point the attendees have been dsinger, moneill2, Bert, fielding, Alan, Matthias, Shane 17:05:20 RRSAgent, make minutes v2 17:05:20 I have made the request to generate http://www.w3.org/2017/08/21-dnt-minutes.html Bert 17:05:37 chair: schunter_ 17:06:49 s/doscussion/discussion/ 17:07:07 s/earleir/earlier/ 17:08:24 i/3rd parties registering exceptions/topic: 3rd Parties Registering Exceptions on 1st Party Sites/ 17:09:07 s/chnage/change/ 17:09:34 s/Cn't/Can't/ 17:10:08 s/throught/through/ 17:11:10 s/conform call/confirm call/ 17:11:32 s/chnage/change/g 17:13:02 s/if a an exception exiosts on a specific site./if an exception exists on the specific site./ 17:13:16 s/coul donly/could only/ 17:13:58 s/whay /why / 17:14:22 s/have respects/have to respect/ 17:15:00 s/web-swide/web-wide/ 17:15:30 s/excpetion/exception/ 17:15:42 s/whcih/which/ 17:15:56 s/qdiscovering /discovering / 17:16:20 s/excpetion/exception/ 17:17:49 s/We seemed to have added/We seem to have added/ 17:18:42 RRSAgent, make minutes v2 17:18:42 I have made the request to generate http://www.w3.org/2017/08/21-dnt-minutes.html Bert 17:20:01 previous meeting: http://www.w3.org/2017/08/07-dnt-minutes.html 17:20:04 RRSAgent, make minutes v2 17:20:04 I have made the request to generate http://www.w3.org/2017/08/21-dnt-minutes.html Bert 17:47:14 at_ has joined #dnt