IRC log of w3cdnt on 2011-04-28
Timestamps are in UTC.
- 12:55:05 [RRSAgent]
- RRSAgent has joined #w3cdnt
- 12:55:05 [RRSAgent]
- logging to http://www.w3.org/2011/04/28-w3cdnt-irc
- 12:55:08 [Zakim]
- Zakim has joined #w3cdnt
- 12:55:08 [karl]
- karl has joined #w3cdnt
- 12:55:13 [tlr]
- rrsagent, make record public
- 12:55:19 [tlr]
- Agenda: http://www.w3.org/2011/track-privacy/agenda.html
- 14:02:39 [tlr]
- tlr has joined #w3cdnt
- 14:11:47 [karl]
- karl has joined #w3cdnt
- 14:15:13 [wseltzer]
- wseltzer has joined #w3cdnt
- 15:24:47 [Zakim]
- Zakim has left #w3cdnt
- 15:35:01 [tlr]
- tlr has joined #w3cdnt
- 16:34:27 [karl]
- karl has joined #w3cdnt
- 16:46:25 [adrianba]
- adrianba has joined #w3cdnt
- 16:46:31 [alissa]
- alissa has joined #w3cdnt
- 16:46:46 [dsinger]
- dsinger has joined #w3cdnt
- 16:47:17 [jmayer]
- jmayer has joined #w3cdnt
- 16:47:39 [iandavey]
- iandavey has joined #w3cdnt
- 16:48:00 [jmorris]
- jmorris has joined #w3cdnt
- 16:48:41 [dsinger]
- Someone should say something about how frank we can be here, and, um, how much privacy we get!
- 16:48:41 [hannes]
- hannes has joined #w3cdnt
- 16:48:43 [sjschultze]
- sjschultze has joined #w3cdnt
- 16:48:47 [karl]
- karl has joined #w3cdnt
- 16:51:00 [adrianba]
- Express a preference and see what happens
- 16:51:01 [wseltzer]
- each will be tracked per the limits of his or her proposal
- 16:51:29 [jmayer]
- one vote for what happens in princeton stays in princeton
- 16:51:49 [rigo]
- rigo has joined #w3cdnt
- 16:51:59 [karl]
- RRSAgent, pointer?
- 16:51:59 [RRSAgent]
- See http://www.w3.org/2011/04/28-w3cdnt-irc#T16-51-59
- 16:52:10 [stpeter]
- stpeter has joined #w3cdnt
- 16:52:23 [stpeter]
- anyone here? :)
- 16:53:14 [Neutrino]
- Neutrino has joined #w3cdnt
- 16:53:42 [Neutrino]
- Neutrino has left #w3cdnt
- 16:53:47 [tlr]
- tlr has joined #w3cdnt
- 16:54:15 [asoltani]
- asoltani has joined #w3cdnt
- 16:54:16 [asoltani]
- woot
- 16:54:42 [ng]
- ng has joined #w3cdnt
- 16:55:17 [ianp]
- ianp has joined #w3cdnt
- 16:55:22 [karl]
- what do you think this button would do if you click on it? [Do Not Track]
- 16:55:58 [dsinger_]
- dsinger_ has joined #w3cdnt
- 16:56:02 [lowenthal]
- lowenthal has joined #w3cdnt
- 16:58:01 [jeff]
- jeff has joined #w3cdnt
- 16:59:54 [W3C_]
- W3C_ has joined #w3cdnt
- 17:00:06 [W3C_]
- W3C_ has left #w3cdnt
- 17:00:29 [sudbury]
- sudbury has joined #w3cdnt
- 17:04:37 [rpacker]
- rpacker has joined #w3cdnt
- 17:05:17 [dsinger_]
- dsinger_ has joined #w3cdnt
- 17:06:41 [fuogo]
- fuogo has joined #w3cdnt
- 17:07:09 [calatalee]
- calatalee has joined #w3cdnt
- 17:08:00 [karl]
- karl has joined #w3cdnt
- 17:08:28 [karl]
- ScribeNick: karl
- 17:08:30 [tlr_]
- tlr_ has joined #w3cdnt
- 17:08:30 [karl]
- Topic: 1st Intro session
- 17:08:35 [karl]
- AleeciaMcDonald: People have different expectations
- 17:08:35 [karl]
- ... people think that there is a third part
- 17:08:42 [karl]
- ... Many people also think that it would be the fault of the browser company.
- 17:08:42 [karl]
- ... Click & nothing changes: 51% unsurprised, 49% browser company
- 17:08:42 [karl]
- ... Do Not Track represents an expectation gap. People think being tracked online.
- 17:08:44 [karl]
- ... There are different options to address the expectations gap.
- 17:08:48 [karl]
- ... Ease of adoption is reversed to ease of use
- 17:08:50 [karl]
- speakerB: I'm from Evidon.
- 17:08:52 [karl]
- ... what's a user supposed to think.
- 17:08:59 [karl]
- ... Everything is fine OR it is very dangerous
- 17:08:59 [karl]
- ... polarized opinions.
- 17:09:00 [karl]
- ... Tools are also being very binary. The DNT UI is a YES/NO
- 17:09:03 [karl]
- ... The flowchart is a bit more complicated there are many options.
- 17:09:24 [rigo]
- Jonathan Mayer, stanford, Universality vs Simplicity?
- 17:09:42 [rigo]
- AC: built in some controls and extensibility
- 17:09:51 [rigo]
- ... to add controls
- 17:10:23 [rigo]
- AK: privacy nuanced issue, so some granularity needed
- 17:11:17 [rigo]
- .. we do ghostery on third party scripts, some users complain that another script should be stopped and we don't block it, sometimes a subjective decision
- 17:12:07 [rigo]
- AM: 3 things fighting, capture preferences to being able to keep it simple is important. in sharp contrast to privacy being simple
- 17:13:25 [rigo]
- FHirsch: user not understanding, dangerous to believe that users can be educated. We don't want to re-educate user
- 17:13:32 [rigo]
- .. need to honor context
- 17:14:17 [rigo]
- LC: some standards have educated people, but didn't lead to solution
- 17:15:04 [rigo]
- JC, Microsoft: universal and persistent is against browser as they are neither. Whitelist of people that I allow to track
- 17:15:04 [karl]
- karl has joined #w3cdnt
- 17:15:24 [karl]
- ... our privacy is very contextual.
- 17:15:28 [karl]
- speakerNokia: Users do not necessary what is going on.
- 17:15:30 [karl]
- ... it would be challenging to try to educate the users.
- 17:15:34 [rigo]
- AC: DNT can be in the operating system, but practical is that user expect that to be in their browser
- 17:15:49 [s-mon]
- s-mon has joined #w3cdnt
- 17:15:50 [karl]
- speakerB: there is a tradeoff
- 17:15:50 [karl]
- chair: the nutrition community has educated the users.
- 17:15:50 [karl]
- ... it didn't happen in one night.
- 17:15:50 [karl]
- Jesse (microsoft): Ability the users have their own sets of controls. I do not track by default but I trust this company.
- 17:15:52 [karl]
- Aleecia: Starting with keep it simple, and extend if possible.
- 17:16:04 [jmorris]
- s/Jesse/JC/
- 17:16:17 [lowenthal]
- karl, try switching to one of the others
- 17:16:27 [rigo]
- Harlan Yu: list of properties, do not think simplicity is at odds with granularity
- 17:16:35 [fjh]
- fjh has joined #w3cdnt
- 17:17:49 [lowenthal]
- puvisitor and csvapornet are both available for visitors
- 17:19:23 [rigo]
- AM: users are confused by conflicting messages. Important that we are sure that when we violate user expectations, we should be aware and know that we would have to re-educate millions of people
- 17:19:34 [lowenthal]
- Apparently we shouldn't do what users want and expect? I disagree: when you make a simple statement, and everyone understands that statement, you should comply with that.
- 17:19:55 [karlushi]
- karlushi has joined #w3cdnt
- 17:20:33 [karlushi]
- ... how do we continue to use and build upon and reducing the creepiness
- 17:21:08 [lowenthal]
- rigo, if this is a venue for minutes, it's not going to be a great backchannel. why not use a piratepad instead?
- 17:21:20 [karlushi]
- AC: they do not even know that it is happening
- 17:21:28 [karlushi]
- ... the model was happening before years
- 17:21:38 [stpeter]
- rigo: there's audio in the physical room -- is it being recorded?
- 17:21:40 [karlushi]
- ... they were few complaints.
- 17:21:47 [karlushi]
- ... but once people realize
- 17:21:51 [karlushi]
- ... they freak out
- 17:22:04 [karlushi]
- ... The goal is to make incremental improvements
- 17:22:17 [karlushi]
- ... even if not everyone is understanding it in the first place.
- 17:22:29 [karlushi]
- ... And then creating step by step, accountability
- 17:23:41 [karlushi]
- Peter: about the education problem
- 17:24:32 [karlushi]
- ... what really needs to happen to protect the consumers body.
- 17:24:33 [rigo]
- stpeter, I don't know, we have to ask wendy
- 17:24:40 [stpeter]
- tlr needs to install http://lightheadsw.com/caffeine/
- 17:24:48 [AndroUser]
- AndroUser has joined #w3cdnt
- 17:24:57 [ianp]
- not really sure what impetus data collectors would have to design their systems to honor "Do Not Track" headers. Higher development cost and screws with the business model
- 17:25:24 [stpeter]
- ianp: the threat of regulation
- 17:25:30 [karlushi]
- speakerB: There is a subset of educated users who don't care and some users who don't understand.
- 17:25:56 [karlushi]
- Aleecia: in lab studies, the 20 years old complaint that they are not informed.
- 17:26:09 [karlushi]
- ... they follow the behavior of their parents.
- 17:26:20 [AndroUser]
- AndroUser has joined #w3cdnt
- 17:26:34 [karlushi]
- ... "if the parents are on facebook, it must be safe"
- 17:26:46 [karlushi]
- ... Facebook issue with read write web
- 17:27:21 [karlushi]
- ... People have a complete confusion, they do not understand what is happening.
- 17:27:29 [karlushi]
- ... media coverage is good, it is helpful.
- 17:27:40 [karlushi]
- ... education in schools would be good.
- 17:27:43 [AndroUser]
- AndroUser has joined #w3cdnt
- 17:28:16 [stpeter]
- this sounds like we're trying to educate people again...
- 17:28:29 [karlushi]
- AC: You don't design a product thinking that the product features will be used by everyone
- 17:29:05 [karlushi]
- speakerB: there are some products you can use being uneducated.
- 17:29:19 [karlushi]
- AC: the Web
- 17:29:21 [stpeter]
- tlr: you could put the IRC channel on screen :)
- 17:29:34 [tlr]
- stpeter, we were looking for a way just now to not blind the people in the front
- 17:29:42 [tlr]
- unsolved problem for the moment
- 17:29:50 [karlushi]
- s/tlr:/tlr,/
- 17:29:59 [stpeter]
- tlr: understood
- 17:29:59 [AndroUser]
- AndroUser has joined #w3cdnt
- 17:30:07 [karlushi]
- aleecia: asking users is not the only thing to do.
- 17:30:10 [stpeter]
- tlr: move the table forward slightly?
- 17:30:16 [karlushi]
- ... It is useful and important.
- 17:30:19 [karlushi]
- s/tlr:/tlr,/
- 17:30:26 [tlr]
- stpeter, yeah - something like that
- 17:30:33 [tlr]
- we'll figure it out in the break
- 17:30:43 [karlushi]
- aleecia: education seems to be a very long process.
- 17:30:47 [AndroUser]
- AndroUser has joined #w3cdnt
- 17:31:03 [AndroUser]
- AndroUser has joined #w3cdnt
- 17:31:10 [karlushi]
- ... Find the gaps between expectations and try to fill them.
- 17:31:11 [rigo]
- AM: something to explain to the user, gap between what is expected and what is being built
- 17:31:52 [stpeter]
- this is Hannes Tschofenig speaking
- 17:31:54 [rigo]
- Hannes: in that complex environment you'll have different users will get upset anyway because of different context and culture
- 17:32:16 [rigo]
- AM: good data from Alessandro Acquisti
- 17:32:43 [AndroUser]
- AndroUser has joined #w3cdnt
- 17:33:09 [karl]
- Thomas: Softwares had advanced settings
- 17:33:17 [karl]
- ... it is not a new problem
- 17:33:35 [karl]
- ... why not having advanced settings.
- 17:33:45 [AndroUser]
- AndroUser has joined #w3cdnt
- 17:33:49 [karl]
- speakerB: How do you draw the line?
- 17:33:51 [rigo]
- Thomas Nighthall CITP: some users want simple, some users want knobs, lets have a default and add knobs and buttons
- 17:34:00 [karl]
- ... there are too many nuances under that.
- 17:34:27 [karl]
- s/... there/speakerB: there/
- 17:35:32 [karl]
- chair: the software vendors do not want to be responsible for the granularity
- 17:35:58 [karl]
- aleecia: it is easier to implement "pick your own" but less obvious for users.
- 17:36:20 [karl]
- ... It is not a technical problem it is a social problem.
- 17:36:46 [karl]
- AC: there is already a default, which is often what the company has agreed to get from you
- 17:37:30 [karl]
- rigo, W3C: we have to take into account, features on the server side
- 17:38:06 [karl]
- ... We should start simply and have guidances for engineers.
- 17:38:31 [karl]
- Ashkan Soltani: The pop up window was in Mosaic.
- 17:38:43 [karl]
- ... IE came up with a cookie blocker, disabled by default.
- 17:38:49 [stpeter]
- there are differences between what users say they do and what they actually do (AM) a
- 17:38:51 [karl]
- ... It created an ecosystem
- 17:38:56 [stpeter]
- (wow, lag)
- 17:39:19 [karl]
- ... if we go down the road of granular controls.
- 17:39:39 [karl]
- ... the system becomes so complex, the user doesn't have the ability to control what is happening
- 17:39:46 [karl]
- ... facebook went this way.
- 17:40:07 [rigo]
- rigo has joined #w3cdnt
- 17:40:28 [karl]
- Ian Fette, Google: Even with cookies, it is already a mess.
- 17:40:37 [karl]
- ... browsers do not agree on what it is.
- 17:41:01 [karl]
- ... but then if you look at Opera, Chrome, Safari, Firefox, IE, there is not one model
- 17:41:06 [rigo]
- ... nobody knows what a third parties is, send and set are dealt with differently
- 17:41:23 [karl]
- xxxx: there are a lot of architects in the room
- 17:41:28 [rigo]
- ?? AT&T: we want a solution
- 17:41:39 [karl]
- ... what are the top 3 users expectations
- 17:41:47 [karl]
- ... to trust what I'm being told
- 17:41:55 [karl]
- ... to control these
- 17:42:26 [karl]
- chair: what is in the top of your list?
- 17:42:35 [karl]
- AC: Control
- 17:43:16 [karl]
- speakerB: control is one of the aspects.
- 17:43:26 [karl]
- ... 3 points.
- 17:43:34 [karl]
- ... * transactional transparency
- 17:44:01 [karl]
- aleecia: make it stop
- 17:44:03 [adrianba]
- s/?? AT&T/Bryan Sullivan, AT&T/
- 17:44:13 [karl]
- ... 3 words instead of 3 priorities
- 17:44:31 [fjh]
- s/make it/just make it/
- 17:44:33 [karl]
- ... they want to make the tracking stop.
- 17:45:06 [karl]
- David Singer (Apple): "do you want your online activity be tracked for ever?" The way we ask is important
- 17:45:32 [karl]
- SpeakerB: make it stop, maybe, but how it is defined.
- 17:45:52 [karl]
- ... the issue is nuances.
- 17:46:14 [stpeter]
- "I told you to make it stop, and the Internet stopped working"
- 17:46:24 [karl]
- s/speakerB/Andy Kahl/
- 17:47:26 [karl]
- Topic: Session 1.2
- 17:48:18 [karl]
- RRSAgent, pointer?
- 17:48:18 [RRSAgent]
- See http://www.w3.org/2011/04/28-w3cdnt-irc#T17-48-18
- 17:48:49 [alissa]
- alissa has joined #w3cdnt
- 17:49:11 [AnnR]
- AnnR has joined #w3cdnt
- 17:50:20 [stpeter]
- karl: I would help minute, but the IRC channel is extremely lagged for me so my minutes would be useless
- 17:50:42 [karl]
- s/karl:/karl,/
- 17:51:06 [lowenthal]
- why not minute in a separate channel, leaving this one for discussion, karl?
- 17:51:10 [karl]
- stpeter, I have switched to csvapornet and it seems a lot better
- 17:51:26 [karl]
- so anyone can enjoy
- 17:51:56 [karl]
- and make more comments :) though I'm not the master. tlr? :)
- 17:53:14 [rigo_]
- rigo_ has joined #w3cdnt
- 17:53:28 [stpeter]
- karl/quit
- 17:54:19 [tlr]
- There's some value to having the back channel conversation in the minutes. : For off-the-record remarks, use "/me ...".
- 17:54:42 [stpeter]
- stpeter has joined #w3cdnt
- 17:54:56 [stpeter]
- yes, csvapornet is much faster
- 17:55:01 [sudbury]
- sudbury has joined #w3cdnt
- 17:56:16 [karl]
- Topic: Part II - What types of tracking should be in scope?
- 17:57:34 [tlr]
- tlr has changed the topic to: W3C Workshop on Web Tracking & User Privacy | Better wi-fi: csvapornet
- 17:57:38 [karl]
- hmmm social, security, privacy difficult mix
- 17:57:40 [dsinger]
- dsinger has joined #w3cdnt
- 18:00:29 [karl]
- tension in between laws and jurisprudence
- 18:01:56 [stpeter]
- karl: to paraphrase Kurt Goedel (who used to live in Princeton), "A completely secure system will be either inconsistent or incomplete, i.e., unable to solve certain problems."
- 18:02:30 [karl]
- s/karl:/karl,/
- 18:02:47 [stpeter]
- sigh, can't type o-umlaut in IRC :P
- 18:02:56 [sjschultze_]
- sjschultze_ has joined #w3cdnt
- 18:03:03 [karl]
- ö
- 18:03:16 [dsinger]
- Gödel?
- 18:04:50 [karl]
- http://search.twitter.com/search?q=%23w3cdnt&result_type=recent
- 18:05:48 [karl]
- tracking becomes creepy when it enables things we had not expected.
- 18:06:44 [karl]
- such as aggregation of data, being contacted in a context different from the one we shared a specific information.
- 18:07:03 [AnnR]
- AnnR has joined #w3cdnt
- 18:07:42 [wseltzer]
- Facebook says a company displaying on a page, or with previous relationship with user, should be able to track as 1st parties
- 18:09:18 [ianp]
- when does 1st party analytics tracking become 3rd party analytics tracking?
- 18:09:19 [karl]
- wseltzer, yup but there are levels. I'm happy that my coffeeshop remembers that I'm taking this coffee each time I go there in the morning BUT I would not be happy if they start to tell me what I do every week-end outside of the cafe context
- 18:09:39 [ianp]
- like is google analytics 1st party or 3rd party?
- 18:10:09 [wseltzer]
- karl, what if they tell the supermarket, who use it to offer you milk?
- 18:10:40 [karl]
- I would not like it
- 18:13:13 [karl]
- hey wseltzer how do YOU know, i'm drinking cafe latte ;) have you followed me? :p
- 18:14:17 [karl]
- tlr, do you want us to minutes slides or only discussions
- 18:14:27 [wseltzer]
- sophisticated coffe-behavior profiling :)
- 18:14:46 [wseltzer]
- s/coffe/coffee/
- 18:15:26 [rigo_]
- Hannes: first party or third parties, will be too complicated decisions, do we want to go down that road?
- 18:15:59 [rigo_]
- ... is the same definition useful for everybody, if regulators are happy or tech companies?
- 18:16:44 [rigo_]
- Omar: defer to paper from NTIA, need multiple stakeholders, need to take the economic impact of DNT into account
- 18:17:46 [rigo_]
- MMJ: should take into account what the users are concerned about, but should not boil the ocean
- 18:18:22 [karl]
- xxx: You want everyone to have common definitions
- 18:18:34 [rigo_]
- s/xxx/Ashkan/
- 18:19:12 [karl]
- Chris: there are California laws for forbidding grocery shops to get your driving license information.
- 18:19:28 [rigo_]
- ChrisHoofnagle: grocery cart is CA law. Do not call is also the right to opt out
- 18:19:49 [rigo_]
- ...missing that the lesson taken on what Aleecia said
- 18:20:02 [karl]
- MMJ: the consumers do not understand
- 18:20:15 [rigo_]
- MMJ: part of the issue: Should we start looking at the users as they do not understand
- 18:20:42 [rigo_]
- MMJ: we should take user expectation into account, but it is complicated
- 18:20:43 [karl]
- Aleecia: if you build something which violates the expectations, users will be very angry
- 18:21:34 [karl]
- Andy (Paypal): example of spam and being angry at false positive.
- 18:22:22 [karl]
- ... There are Basic users expectations
- 18:23:38 [dsinger_]
- Maybe a tautology, but an IP address is personal if you or anyone else can now or later associate it with me
- 18:23:58 [rigo_]
- Ashkan gives examples where tracking is done without need for the functionality of the technology
- 18:24:48 [karl]
- alan BlueKai: People might not want to track into vacuum, but if services are provided in exchange of tracking, some users might want to do it
- 18:25:23 [rigo_]
- Omar: tracking does not happen in a vacuum, there is an economic context and needs balance
- 18:25:29 [sudbury]
- sudbury has joined #w3cdnt
- 18:26:17 [rigo_]
- Alissa: we can try to do better, not just only be the strict legal minimum, talks about the update of the cookie RFC
- 18:26:43 [karl]
- AC: "Having the policy before the technology" we have been thinking about it for years. The time is not right yet. There is a window of opportunities, we can already do things
- 18:26:46 [rigo_]
- Alissa: we have been on this for a long time, now is the time to move
- 18:29:05 [rigo_]
- Andy: fears overstating of tracking protection that interferes with security
- 18:29:11 [karl]
- Andy (Paypal): I'm willing to accept certain definitions of DNT. but what do I do when it comes to Paypal where we *need* to track. It doesn't make sense anymore
- 18:30:18 [alissa]
- cookie spec: http://www.rfc-editor.org/rfc/rfc6265.txt
- 18:30:27 [rigo_]
- Alissa: RFC 6265 was released just this week new cookie spec
- 18:30:34 [dsinger]
- dsinger has joined #w3cdnt
- 18:31:11 [rigo_]
- ??: CITP benefit of DNT is that it separates identification and login from tracking
- 18:31:19 [dsinger]
- dsinger has joined #w3cdnt
- 18:31:42 [rigo_]
- Tobie: personalizing content for you wouldn't work, we are in an existing relationship with customer
- 18:31:52 [tlr]
- s/Tobie/Francis/
- 18:32:03 [tlr]
- (Francis Larkin, not Tobie Langel)
- 18:32:28 [wseltzer]
- So Facebook wants our networked eyeballs, without opt-in to personalization
- 18:34:02 [rigo_]
- ashkan warns that certain definitions would advantage certain actors in the market
- 18:36:03 [karl]
- Andy (Paypal): in the case of 3rd party mashups, it is hard to understand. How should we track the logs for security reasons for example.
- 18:36:10 [rigo]
- andy: we don't know what DNT means, we don't know whether it allows to collect IP address
- 18:36:16 [karl]
- ... what kind of data, and what is used for matters a lot
- 18:36:47 [rigo]
- Bigram/Nokia: if user perceive that DNT doesn't work, he will blame the browser
- 18:37:47 [rigo]
- tools like spam protection does not give a false sense of security, DNT may do
- 18:38:10 [karl]
- http://www.slideshare.net/mikebrittain/metrics-driven-engineering-at-etsy
- 18:38:27 [rigo]
- Ashkan: sending preference to a site is an early thing. We need a feedback channel with an ACK
- 18:38:54 [karl]
- http://codeascraft.etsy.com/2011/02/15/measure-anything-measure-everything/
- 18:39:49 [rigo]
- Ian.Fette: we need to scope this down to something that people understand
- 18:39:50 [karl]
- ianfette (google): We need to scope that down to something users can understand.
- 18:40:19 [rigo]
- ... "not track" is too generic, neither company nor user understands
- 18:41:13 [wseltzer]
- we'd do better with a narrower, descriptive name
- 18:41:18 [rigo]
- Omar: do not track is not very different from "do not track for behavioral advertisement"
- 18:41:51 [rigo]
- Ashkan: early in the process of definition of what tracking means
- 18:41:59 [rigo]
- ...that's why we are here
- 18:42:06 [dsinger_]
- My problem with behavioral ads is not the ads, it is the existence of the database about me that enables them
- 18:42:09 [rigo]
- ... have to balance security and privacy needs
- 18:43:11 [rigo]
- MMJ/Adobe remakes point that first party analytics are not "tracking" and not 3rd party advertisement
- 18:43:56 [rigo]
- FrankWagner: asking about purpose
- 18:44:15 [tlr]
- s/Omar/Alan/
- 18:44:16 [rigo]
- logfiles DNT should not mean that there are no logfiles anymore
- 18:44:22 [tlr]
- (Alan Chapell, on behalf of BlueKai)
- 18:45:02 [rigo]
- ... tracking is identification: Frank has seen this site and that site
- 18:46:07 [rigo]
- Ashkan: what if 123 looks at sites
- 18:46:15 [karl]
- ashkan: pseudonyms can be converted to real identity at a point
- 18:46:17 [rigo]
- Frank: this is pseudonym, you can identify
- 18:46:22 [npdoty]
- npdoty has joined #w3cdnt
- 18:47:19 [rigo]
- Jonathan: we should define DNT, even if it is hard to define
- 18:49:24 [rigo]
- AlanChapell: we need to understand the economic ramifications of DNT
- 18:49:50 [karl]
- (talking revolves around definitions of DNT)
- 18:50:57 [rigo]
- all: please be privacy invasive and share your minutes with the chairs or me (rigo@w3.org)
- 18:53:04 [npdoty]
- jmorris: we won't come to a final definition in this room, but can decide whether or how it should be done in a standards body
- 18:53:55 [fjh]
- jmorris: just because privacy situation is terrible doesn't mean that dnt may not progress better than early study of user understanding shows
- 18:54:07 [fjh]
- s/privacy situation/current web privacy status/
- 18:55:13 [rigo]
- Tim?? wait for next 2 years because technology isn't mature yet
- 18:55:52 [npdoty]
- Jules: we have one opportunity because of this dramatic title and movement by the browser vendors, we have an opportunity to do something useful even if it's small
- 18:55:53 [sudbury]
- sudbury has joined #w3cdnt
- 18:55:56 [rigo]
- JulesPolonetsky: fear we boil the ocean, we have the opportunity to accomplish something useful
- 18:55:58 [karl]
- xxx: there is an opportunity to accomplish something useful even if not perfect.
- 18:56:16 [rigo]
- ...can the panel agree that we can start from something robust at the button
- 18:57:27 [npdoty]
- Jules: what if we just use the starting point of Do Not Track referring to collecting data across multiple sites for behavioral advertising? could we at least agree on that?
- 18:58:20 [karl]
- Francis Facebook: There is a very thin line.
- 18:58:45 [Vincent]
- Vincent has joined #w3cdnt
- 18:58:59 [npdoty]
- Francis: I would be okay with that starting point as long as targeting by services you have a relationship with is exempted.
- 19:00:10 [ianp]
- i wonder what should be considered a reasonable expectation of privacy online?
- 19:00:28 [npdoty]
- Francis: a baseline definition would help with the user concern of interactions with companies they know nothing about
- 19:00:47 [karl]
- xxxx: As a user I'm freaked out when you are tracking across sites
- 19:01:01 [npdoty]
- Mary Hodder
- 19:01:16 [wseltzer]
- I have a separate Facebook browser profile, through Tor, that I use less and less because of FB's tracking
- 19:01:18 [karl]
- ... If users were able to track themselves it would improve.
- 19:01:39 [karl]
- ... Millions of data store (personal user store)
- 19:01:48 [karl]
- ... and then I can decide to share or not.
- 19:01:55 [karl]
- ... I can make the choice.
- 19:02:11 [karl]
- ... I want to be in control of what I do on the Web.
- 19:02:40 [karl]
- ... It is perfectly fine to be tracked by the owner of the site.
- 19:02:44 [fjh]
- s/xxxx/MaryHodder/
- 19:02:46 [karl]
- ... but not by third parties.
- 19:03:29 [ianp]
- yes it does karl
- 19:04:27 [tlr]
- [ one of the points in the Paypal paper is that same-origin and first party as a business are distinct ]
- 19:04:48 [npdoty]
- xxx (CITP): what if we just had usage limitations? you can keep the data for security purposes (and not count as tracking) as long as you promise not to use for other purposes
- 19:05:58 [npdoty]
- xxxx: it would be incredibly cynical if we ended up with the result that all the ads are dumbed down but just as much data is collected about us <applause>
- 19:06:29 [npdoty]
- Andy PayPal: but companies in that case won't have the incentive to collect
- 19:06:51 [dsinger_]
- S/xxxx/daveS/
- 19:08:07 [rigo]
- MMJ: in EU we are analytics and data processor, useful only in a European process for European laws
- 19:08:20 [npdoty]
- Hannes: what about the definition of terms, like data processor and data collector as defined in the EU?
- 19:09:25 [karl]
- Andy Paypal: People outsourced their processing or services. It doesn't help us.
- 19:10:51 [jmorris]
- jmorris has joined #w3cdnt
- 19:22:28 [ianp]
- ianp has joined #w3cdnt
- 19:27:51 [lowenthal]
- lowenthal has joined #w3cdnt
- 19:37:54 [npdoty]
- npdoty has joined #w3cdnt
- 19:41:18 [alissa]
- alissa has joined #w3cdnt
- 19:43:53 [dsinger]
- dsinger has joined #w3cdnt
- 19:44:18 [fjh]
- fjh has joined #w3cdnt
- 19:44:30 [rigo]
- rigo has joined #w3cdnt
- 19:44:43 [npdoty]
- Presenter: Alex Fowler, Mozilla
- 19:44:45 [rpacker]
- rpacker has joined #w3cdnt
- 19:45:17 [npdoty]
- AlexF: problem is that users' behavior is tracked without choice or control
- 19:45:39 [npdoty]
- ... felt like we had no choice but to act (explicitly called out by FTC)
- 19:46:34 [npdoty]
- AlexF: looked at a number of approaches
- 19:46:39 [npdoty]
- ... not happy with cookies or blocking
- 19:46:55 [npdoty]
- ... unintended consequences or burden on users (breaking experience)
- 19:47:14 [npdoty]
- ... blocking seemed anti-advertising, so looked for something else
- 19:47:26 [npdoty]
- ... 30 lines of code to implement it in Firefox 4
- 19:47:38 [npdoty]
- ... all parties who engage with it have the opportunity to do something with the header
- 19:48:05 [npdoty]
- ... as Aleecia pointed out, we were aware that we were going to get blamed if this didn't work
- 19:48:22 [tlr]
- tlr has joined #w3cdnt
- 19:48:24 [Vincent]
- Vincent has joined #w3cdnt
- 19:49:10 [npdoty]
- AlexF: starting to see sites modify their server-side operations to reduce tracking, or even looking at doing less on-page tracking when they see the header
- 19:49:39 [jeff]
- jeff has joined #w3cdnt
- 19:50:12 [npdoty]
- ... AP implemented it: one engineer took a couple of hours (as opposed to hundreds of sites that had to deal with cookies)
- 19:50:24 [tlr]
- ScirbeNick: npdoty
- 19:50:49 [npdoty]
- ScribeNick: npdoty
- 19:51:13 [npdoty]
- AlexF: Chitika now recognizes the DNT header instead of suggesting the Opt-Out Cookie
- 19:51:18 [tlr]
- ScribeNick: npdoty
- 19:51:50 [npdoty]
- AlexF: looking at some different user interfaces to signal that they're not tracking, or giving short notice to explain what you've been opted out of
- 19:52:15 [npdoty]
- Presenter: Jonathan Mayer, Stanford
- 19:52:28 [dsinger_]
- dsinger_ has joined #w3cdnt
- 19:52:46 [npdoty]
- jmayer: talk about the DNT DOM flag and the DNT response header
- 19:53:33 [npdoty]
- DOM flag could be as simple as a read-only navigator.doNotTrack property accessible by JavaScript
- 19:54:11 [npdoty]
- jmayer: JavaScript could still be aware of DNT even without a DOM header; like returning Do Not Track-aware JavaScript
- 19:55:03 [npdoty]
- ... a third party always has to check for the DNT HTTP header anyway
- 19:55:45 [npdoty]
- ... would the server log the request, for example (assuming that any definition has to include some conditions about logging)?
- 19:56:13 [npdoty]
- ... finally, granularity would be very difficult because of script inclusion
- 19:56:45 [npdoty]
- ... that is, third-party scripts may run in the first-party DOM
- 19:56:50 [dsinger]
- dsinger has joined #w3cdnt
- 19:57:07 [npdoty]
- ... benefits of the DOM flag: can be hosted from a static HTTP server
- 19:57:21 [npdoty]
- ... does this matter? Akamai will let you handle headers, for example
- 19:57:44 [npdoty]
- ... benefit: users won't have to modify their server-side code, which might make it easier
- 19:58:14 [npdoty]
- ... cons of the DOM flag: granularity controls would lead to a fingerprinting risk
- 19:58:22 [npdoty]
- ... and browsers would have to implement one more thing
- 19:58:52 [npdoty]
- Presenter: xxx, Datran Media
- 20:00:08 [npdoty]
- Datran: consumers don't understand networks, haven't heard of them, don't have any reason to choose one over another
- 20:00:21 [npdoty]
- ... even I, an expert, have no reason to choose one network over another
- 20:00:31 [npdoty]
- ... instead we want to give consumers a choice at the brand level
- 20:01:33 [npdoty]
- ... can opt in to more customized ads, or opt-out of a particular marketer
- 20:02:23 [npdoty]
- Presenter: Adrian Bateman, Microsoft
- 20:02:49 [npdoty]
- adrianb: one question is what work should proceed at the W3C
- 20:03:00 [npdoty]
- ... want to have clear specifications to give to my engineering team so they know what to build
- 20:03:28 [npdoty]
- adrianb: three themes to think about
- 20:03:44 [npdoty]
- ... first, balance <laughter at dog photo slide>
- 20:04:04 [npdoty]
- ... users should have an opportunity to express a preference
- 20:05:06 [npdoty]
- ... people have said to start simple, and a header could be that simple step
- 20:05:19 [npdoty]
- ... second, choice -- that users should have control
- 20:05:38 [npdoty]
- ... tracking protection lists let users control exactly what requests are made on their behalf
- 20:05:57 [npdoty]
- ... a different part is the control to not send data to someone that they might not trust
- 20:06:10 [npdoty]
- ... anyone can create a list, or read a list and understand, creating an ecosystem
- 20:06:41 [npdoty]
- ... finally, innovation
- 20:06:59 [npdoty]
- ... interoperability is really important, and standards help with that, but we want everyone to be able to innovate over their business models
- 20:07:07 [npdoty]
- ... standards should be a platform, but we don't know what change there will be
- 20:07:55 [npdoty]
- Presenter: John Morris, CDT
- 20:08:16 [npdoty]
- jmorris: want to go back to the header not because of my particular preference but because of a connection to a broader concept
- 20:08:33 [npdoty]
- ... the idea of binding rules to data and having those rules followed
- 20:09:31 [npdoty]
- ... past efforts of these rules have met a number of pushbacks
- 20:10:12 [npdoty]
- ... first: no technical way to enforce the rules, no way for the browser to know
- 20:10:29 [npdoty]
- ... some engineering bodies were concerned since they couldn't know for sure, that there wasn't encryption, etc.
- 20:10:44 [npdoty]
- ... but there are other mechanisms that could work: law, markets, media hysteria
- 20:10:58 [npdoty]
- ... second concern: that UI is hard and confusing
- 20:11:22 [npdoty]
- ... answer: yes, UI is hard and confusing, but smart people can try to make this work for the user
- 20:11:39 [npdoty]
- ... third concern: that users will blame the browser (which we heard from Aleecia today)
- 20:12:08 [npdoty]
- ... but while there is a risk of that, the UI can imply not that Mozilla is in control but just that a preference is being expressed
- 20:12:25 [npdoty]
- ... fourth concern: a false sense of security / incomplete privacy is worse than no privacy
- 20:13:00 [npdoty]
- ... in security that might be true, but in the privacy realm protecting privacy some is desirable even if it's not complete
- 20:13:07 [AnnR]
- AnnR has joined #w3cdnt
- 20:13:16 [npdoty]
- ... finally: we're not sure this will work
- 20:13:26 [npdoty]
- ... but the status quo certainly isn't working
- 20:14:34 [npdoty]
- karl: incomplete privacy is only a problem because of the false sense of privacy, which might cause users to do even more online
- 20:15:10 [npdoty]
- jmorris: absolutely it's a risk, but if we don't try something people are going to be tracked (unless US passes baseline privacy legislation)
- 20:15:29 [npdoty]
- ... Mozilla is already trying to make this clear, do you trust the recipient?
- 20:16:16 [npdoty]
- Jules: it's actually an advantage that it's not a technical mechanism, because a signal allows for more finely nuanced controls
- 20:17:19 [npdoty]
- Datran: have to have a policy solution, because otherwise people will always attempt to bypass (the arms race)
- 20:17:48 [npdoty]
- adrianb: policy wonks need to go and figure this out, and I don't claim to be one of those people
- 20:18:13 [npdoty]
- ... as a service provider I need to know what to do with that signal, which is also a technical problem
- 20:19:06 [npdoty]
- Paul: have you done the analysis of economic implications? what kind of people will turn Do Not Track on? are they people who were clearing cookies anyway?
- 20:19:31 [npdoty]
- AlexF: we didn't want an anti-advertising approach
- 20:21:06 [npdoty]
- ... it's a short-term business model; we shouldn't say that therefore users are okay with it
- 20:21:40 [npdoty]
- Datran: if the tracking is so important to your business model, users can be required to opt back in
- 20:21:54 [npdoty]
- jmayer: Do Not Track is not going to blow up the entire Internet
- 20:22:23 [npdoty]
- ... a lot of the economics papers may not have rigorous methodology
- 20:22:30 [npdoty]
- ... http://donottrack.us/bib/
- 20:23:01 [npdoty]
- ... it's not a large portion of revenues, and only relatively recently (as of 2007), though it is growing
- 20:23:36 [npdoty]
- ... there are elasticities: you could just allocate the behavioral ads to the non-DNT user
- 20:24:17 [npdoty]
- ... how much more are advertisers willing to pay? what alternatives are there? how much better is it than contextual advertising?
- 20:25:07 [npdoty]
- ... for interest targeting you could also ask the user their interests, or use client-side [presumably an AdNostic reference]
- 20:26:14 [npdoty]
- asoltani: often technologists push policy to fix things and vice versa, I think it could be technology and policy working together
- 20:27:20 [npdoty]
- jmayer: enforcement, technologists could help detect violations of DNT even if browsers can't always do it all the time
- 20:27:40 [npdoty]
- Datran: yes, can attempt to detect even if they can't block
- 20:28:01 [npdoty]
- adrianb: technology and policy should definitely be connected/aligned, technologists should educate the policymakers, for example
- 20:29:13 [npdoty]
- wseltzer: how do users know that once they've set the preference and can then go on to browse more?
- 20:29:51 [npdoty]
- jmayer: we should try to build early consensus and a clear definition; we've been working on an interim definition until we get a definition from a standards body or regulatory body
- 20:30:17 [npdoty]
- wseltzer: what if we changed the name to something less certain than "Do Not Track"?
- 20:31:07 [npdoty]
- ianfette: I want to push back on this preference being a meaningful thing; not meaningful until we come to consensus on what tracking means
- 20:31:28 [npdoty]
- ... danger of scope creep; iterative approach would lead to uncertainty in the market
- 20:32:58 [npdoty]
- AlexF: the fact that you have an opt-out but wouldn't recognize the DNT header would really be a dangerous thing to say to your consumers
- 20:33:49 [npdoty]
- ... if we marketed this as "don't serve me targeted ads" it wouldn't have worked as well (for the AP, for example)
- 20:33:52 [AnnR]
- AnnR has joined #w3cdnt
- 20:33:59 [npdoty]
- ... some constructive ambiguity may be helpful
- 20:34:36 [npdoty]
- ... I would rather have those early experiments rather than scope it down
- 20:35:00 [npdoty]
- ianfette: isn't it impossible to determine that something is being violated before it's defined?
- 20:35:33 [npdoty]
- jmorris: agrees with ian; need clarity over whether a server log is taboo
- 20:36:19 [npdoty]
- ... but once we have a definition, we can start getting activists to find violations and we'll get news stories about it
- 20:36:44 [npdoty]
- AlexF: we've already seen some feedback based on auditing of the AP implementation
- 20:36:56 [npdoty]
- ... we're not doing this to stave off regulation or anything of that type
- 20:37:18 [npdoty]
- ... if this looks like it fails, we'll walk away from it, this isn't the last available option
- 20:37:52 [npdoty]
- jmayer: frustrated to hear that "I don't know what Do Not Track means"
- 20:38:20 [npdoty]
- ... saying I don't know is an abdication of your responsibility to help with the definition
- 20:38:29 [npdoty]
- from_the_audience: we're here!
- 20:39:02 [npdoty]
- ianfette: I think a good scope would just be to limit to behaviorally-targeted ads and let's see if we can do something to address that
- 20:39:15 [npdoty]
- jmayer: and I think that's completely wrong
- 20:39:41 [npdoty]
- Gil_DoubleVerify: bad actors can always monitor users
- 20:40:00 [npdoty]
- ... it's hard to know that behaviorally-targeted ads are happening
- 20:40:34 [npdoty]
- ... the way we define "behaviorally-targeted ads" it covers 80% of online advertising today
- 20:40:57 [narm]
- narm has joined #w3cdnt
- 20:41:10 [npdoty]
- Datran: even the definition of "behaviorally-targeted ad" is under dispute
- 20:41:26 [npdoty]
- Gil: I'm using the DAA definition, which includes retargeting
- 20:42:48 [npdoty]
- adrianb: with all this discussion of user expression of preferences, we shouldn't ignore the bad guys, which is why we proposed TPLs
- 20:43:19 [npdoty]
- ... not a perfect solution, but part of the toolset dealing with that situation
- 20:44:11 [npdoty]
- Andy_Evidon: I understand more now the pushback from this morning about defining tracking being difficult; there's just no simple definition
- 20:44:55 [npdoty]
- ... isn't it just as dangerous to say that a technological solution is a simple answer to this problem, when the problem isn't simple?
- 20:45:19 [npdoty]
- ... requires a granular, nuanced solution
- 20:46:11 [npdoty]
- jmorris: isn't the process of standardization 90% of the time trying to keep things simple by balancing all the tweaks that people want to add?
- 20:47:22 [npdoty]
- tlr: any solution will be imperfect, but we're trying to find a scope that's a good balance somewhere
- 20:48:13 [npdoty]
- rigo: if we don't continue this dialog, the pain for both sides will be even bigger. we have to compromise.
- 20:49:34 [npdoty]
- ... critics of P3P said that people could just ignore it, or just lie, but there are critics in the society and even in the US the legal system could address violations
- 20:49:58 [npdoty]
- aleecia: what did you mean in saying that it's bad to put power in the hands of the users?
- 20:50:31 [npdoty]
- Datran: just mean that we shouldn't give them too much power, like requiring access to content
- 20:51:01 [npdoty]
- xxx: how do you track support or lack of support? what kind of forensics do you use to determine that they don't honor the preference?
- 20:51:25 [wseltzer]
- s/xxx/Wu Chou, Avaya/
- 20:52:14 [npdoty]
- jmayer: we're working on enforcement stuff.
- 20:53:06 [npdoty]
- xxxx: it's a red herring to talk about bad actors; and the reputable companies won't violate the practice because if the database ever comes to light they'll get in so much trouble
- 20:53:35 [npdoty]
- ... whackamole problem
- 20:54:06 [npdoty]
- adrianb: isn't that like saying "security is a really hard problem"? if it makes a difference now, why is that a bad thing?
- 20:54:28 [npdoty]
- xxxx: why wouldn't they evade it? you've declared war.
- 20:55:15 [npdoty]
- adrianb: it might be reasonable that a site detects that a user doesn't see an ad and so decides not to show content
- 20:55:47 [npdoty]
- ... some market effects on choosing a good TPL
- 20:56:13 [npdoty]
- jmayer: response headers make it easier to measure
- 20:56:29 [npdoty]
- ... and you could start blocking domains/cookies if a site doesn't use a response header
- 20:57:05 [npdoty]
- ... could bring it under deceptive business practices for companies that respond with the header but don't follow it
- 20:57:57 [npdoty]
- ATT: Do Not Track is more a concern about recording of behavior, warehousing of that data, monetization in unexpected ways; today behavioral advertising is the most glaring instance, but won't be the only one
- 20:58:21 [npdoty]
- jmorris: +1, a good question
- 20:58:29 [fjh]
- +1
- 20:59:02 [npdoty]
- jmayer: some DAA members have already said that they'll continue to collect data under opt-out [scribe: did I get this right?]
- 20:59:27 [dsinger]
- dsinger has joined #w3cdnt
- 20:59:53 [npdoty]
- ryan_adobe: web sites could just do whatever they do with an opt-out cookie; seems like a dangerous policy since opt-out cookie policies vary between players
- 21:00:13 [dsinger]
- dsinger has joined #w3cdnt
- 21:01:31 [npdoty]
- AlexF: are we talking about danger to the user or danger to the business model?
- 21:03:19 [npdoty]
- Topic: Opt-outs, granular control and multiple mechanisms
- 21:03:58 [npdoty]
- Presenter: Frederick Hirsch, Nokia
- 21:04:15 [rpacker]
- rpacker has joined #w3cdnt
- 21:05:05 [npdoty]
- fjh: in DAP, we're discussing issues beyond minimization (like how data is used or retained) and beyond advertising
- 21:05:17 [jmayer]
- jmayer has joined #w3cdnt
- 21:05:26 [npdoty]
- ... accountability is an encompassing theme
- 21:06:05 [npdoty]
- ... benefits of defining a wire format -- enabling loosely coupled systems, evolution, simple testing
- 21:06:35 [npdoty]
- ... Do Not Track is interesting, but more generally we could convey user intent
- 21:06:59 [npdoty]
- ... how can we hold someone responsible if we don't have an opportunity to express our intent?
- 21:07:32 [npdoty]
- ... have to have a way to express preferences about re-use, etc.
- 21:07:47 [npdoty]
- Presenter: Harlan Yu, CITP
- 21:08:31 [npdoty]
- harlan: Microsoft's submission suggests a universal header and universal DOM property
- 21:09:13 [npdoty]
- ... but users may want to specify more granular cases, and we should assume that users will use it this way (as in the Abine extension)
- 21:09:39 [npdoty]
- ... Q: in which cases is the DNT header difficult to process on the server-side?
- 21:09:56 [npdoty]
- ... Q: how useful would a DNT DOM property be?
- 21:10:27 [npdoty]
- ... it's hard to get a DOM property to accurately mirror the DNT header
- 21:10:57 [npdoty]
- ... users may want to opt back in outside of setting the header
- 21:11:22 [npdoty]
- ... that option could happen outside of the browser setting, actually inline on the web page
- 21:12:00 [npdoty]
- ... dangerous because the browser might start showing the user that Do Not Track is in force, but many applications may consider the user to be opted back in, which would be difficult for the user to keep track of
- 21:12:26 [npdoty]
- ... response headers could include an ack, just to confirm that intermediaries aren't altering
- 21:12:44 [jmorris]
- jmorris has joined #w3cdnt
- 21:12:59 [npdoty]
- ... and a second bit could communicate back to the browser whether or not the preference is being respected
- 21:13:15 [npdoty]
- ... tell the browser I'm not respecting it because, for example, the user opted back in out-of-band
- 21:13:33 [npdoty]
- ... could get much more complex as to what the server responds, but worth discussion
- 21:13:43 [npdoty]
- Presenter: Wu Chou, Avaya
- 21:14:50 [npdoty]
- wuchou: face more complex issues in the enterprise, too complex for the DNT and TPL proposals
- 21:15:29 [npdoty]
- ... want to accommodate both user preferences and the enterprise's own tracking policies
- 21:15:52 [npdoty]
- ... should these rules be enforced on the Web proxy?
- 21:16:39 [npdoty]
- ... enterprise needs to be agnostic to particular browser implementation
- 21:18:21 [npdoty]
- ... layered combination of enterprise policies and user preferences
- 21:19:11 [npdoty]
- Presenter: David DeLuc, SIIA
- 21:20:42 [npdoty]
- DavidDeLuc: SIIA's approach to Do Not Track, certainly agreement to consumer's opting out of collection of some data, we all agree on that
- 21:21:09 [npdoty]
- ... industry-led, voluntary and enforceable -- I think there's a lot of agreement in the room on that
- 21:21:38 [npdoty]
- ... economic harm element: preserve the economic model
- 21:22:10 [npdoty]
- ... general agreement on carving out exceptions for the good stuff (analytics, fraud protection, etc.)
- 21:22:47 [npdoty]
- ... I wouldn't doubt it if behavioral ads were 3 times as effective
- 21:23:06 [npdoty]
- ... but the Web experience is importantly interactive
- 21:23:26 [npdoty]
- ... need a lot of education around how things work, so they don't get freaked out
- 21:23:43 [npdoty]
- ... people might actually like it if they realize that it's being used to help them
- 21:24:13 [npdoty]
- ... "I think Do Not Track is off track"
- 21:25:30 [npdoty]
- ... none of us want the Web to break
- 21:26:04 [npdoty]
- Presenter: Shane Wiley, Yahoo!
- 21:26:25 [npdoty]
- shanewiley: publishers must be able to engage with consumers in the discussion
- 21:26:40 [npdoty]
- ... consumers should have consistent tools across browsers
- 21:27:14 [npdoty]
- ... hybrid solutions should include CLEAR Ad and Do Not Track
- 21:27:46 [npdoty]
- ... Yahoo! believes that definition of track should be left up to policy focused groups, like CDT or self-regulatory groups
- 21:28:05 [npdoty]
- ... DNT opt-out should be OBA opt-out
- 21:28:30 [npdoty]
- ... users should be able to grant exceptions to DNT when it's turned on
- 21:28:44 [dsinger]
- dsinger has joined #w3cdnt
- 21:29:03 [npdoty]
- ... format would be based on domains (example.com) and could even subscribe to lists
- 21:29:18 [npdoty]
- ... publishers should receive a signal when a third-party on their page is blocked
- 21:29:42 [dsinger_]
- dsinger_ has joined #w3cdnt
- 21:30:26 [npdoty]
- hannes: are existing proposals mixing policy and technology, and should they?
- 21:32:23 [npdoty]
- wuchou: follow the enterprise proposal first, only without it should fall back on the user preference
- 21:33:34 [npdoty]
- ianfette: response header is interesting but need to think about these responses at more than just a single HTTP request/response
- 21:34:14 [npdoty]
- ... for example, at NYT.com the DNT request/response in question would actually come from the advertiser
- 21:35:33 [npdoty]
- BryanSullivan: the DOM flag should be on the window
- 21:35:52 [npdoty]
- fjh: work has been done by CDT in DAP on rulesets
- 21:36:19 [npdoty]
- xxx: I like the idea of a dialogue, because usually DNT sounds too inflexible, like an ultimatum
- 21:36:31 [npdoty]
- ... maybe a protocol that has multiple phases, negotiation, dialogue
- 21:37:08 [npdoty]
- shanewiley: we completely agree, publishers should be able to communicate the pros and cons of using their service
- 21:38:31 [npdoty]
- AndyPaypal: analogy to Caller ID, escalation about blocking caller ID, laws against spoofing caller ID, some sort of dialogue between the two about wanting to make an anonymous call
- 21:39:45 [npdoty]
- fjh: the phone company used to be a very centralized office, so the analogy may not be applicable
- 21:41:07 [npdoty]
- jmorris: push back on acknowledgement; 1) if there is an easy way for companies to declare that they are ignoring it, then they will simply do so and probably successfully avoid legal liability
- 21:41:44 [npdoty]
- ... 2) an ack means that law enforcement will only pursue violations that include an affirmative ack
- 21:42:33 [npdoty]
- harlan: but there are some scenarios where a user can opt back in, and then you get into a situation where the browser can't accurately report your status
- 21:43:07 [npdoty]
- alissa: +1 on jmorris
- 21:43:46 [npdoty]
- ... for people looking at negotiation, the more complicated the mechanism is, the harder it will be to define in policy-land
- 21:44:19 [npdoty]
- harlan: complexity is not ideal, but the out-of-band option may be unavoidable
- 21:45:47 [wseltzer]
- Is DNT Response an opportunity for user-provider dialog, or invitation to ignore user preferences?
- 21:46:05 [npdoty]
- shanewiley: the idea of the cookies was to respond with whether the option is respected or not and why [?]
- 21:46:34 [npdoty]
- ... exempt frequency capping, analytics, 1st-party advertising,
- 21:47:16 [AndroUser]
- shanewiley -> vinay goel. Shane is out this week.
- 21:47:19 [npdoty]
- jmayer: using postMessage to communicate that a 3rd-party received a DNT
- 21:47:34 [npdoty]
- s/shanewiley/vinaygoel/g
- 21:48:15 [karl]
- wseltzer, if the browser beeps every time the server replies "no no, we do not care about DNT", the user will remove the DNT preference.
- 21:48:19 [npdoty]
- jmayer: could put the opt-back-in control either in the browser or let sites do it themselves or...
- 21:48:57 [npdoty]
- ... or a middle way [long explanation that the scribe didn't understand]
- 21:49:11 [npdoty]
- vinaygoel: yes, that sounds very similar to Yahoo!'s proposal
- 21:49:31 [wseltzer]
- karl, and then we're back to the market failure in privacy
- 21:49:40 [npdoty]
- cjh: Do Not Call was not simple at all; Caller ID divided the privacy community as well
- 21:50:22 [npdoty]
- ... all sorts of industry showed up saying that we need an exemption, the justification being that they would lose money
- 21:51:02 [npdoty]
- ... what is the policy rationale for suggesting that Do Not Track == Do Not Track for OBA?
- 21:51:15 [npdoty]
- ... is it just that your particular business model doesn't work?
- 21:51:34 [karl]
- wseltzer, yup. We are running around a bigger issue, which is data aggregation or/and centralization.
- 21:51:44 [npdoty]
- DavidDeLuc: maybe that was just because it seemed simpler to define
- 21:52:51 [npdoty]
- vinaygoel: we need to start somewhere
- 21:53:16 [karl]
- wseltzer, issues also with Web sites using features services (such as maps, commenting systems, photos, etc), used on many sites, and then which are used for profiling.
- 21:53:32 [npdoty]
- ... start with something we've identified as a harm and something we can address
- 21:53:55 [wseltzer]
- karl, right. That suggests limiting dialog, to make it easy for a mass of end-users to express similar preferences easily,
- 21:54:00 [npdoty]
- harlan: the harm isn't online behavioral advertising, that's just the only visible case
- 21:54:01 [ianp]
- too bad nobody from wrapleaf is here
- 21:54:08 [wseltzer]
- then let regulators figure out the details.
- 21:54:44 [npdoty]
- xxx: when a company claims that they comply based on the icon, what level of compliance do they need to get that icon?
- 21:55:06 [npdoty]
- ... what level of compliance does a company commit to when they claim to respect DNT?
- 21:56:09 [lowenthal]
- karl, this channel is devoid of conversation because the aggressive minuting makes conversation uninviting
- 21:56:22 [wseltzer]
- lowenthal, just jump in!
- 21:56:59 [npdoty]
- David: this is a request that the user is making generally, but maybe this would be a good opportunity to explain why we're ignoring your preference (because I'm part of your enterprise, or because you've opted in somewhere else)
- 21:57:18 [lowenthal]
- wseltzer, but i'm not going to be keeping track, because so many of the messages are non-conversant
- 21:58:10 [wseltzer]
- I appreciate the notes, npdoty
- 21:58:17 [rigo]
- rigo has joined #w3cdnt
- 21:58:44 [lowenthal]
- npdoty, the notes are great, i'd just prefer if there were a separate forum for them, like a live document, or a different channel
- 21:58:49 [karl]
- npdoty, that was awesome!
- 21:58:54 [wseltzer]
- is granularity the route to divide-and-conquer the users?
- 22:01:13 [ianp]
- ianp has joined #w3cdnt
- 22:01:22 [tlr]
- tlr has joined #w3cdnt
- 22:08:50 [ianp]
- ianp has joined #w3cdnt
- 22:13:35 [alissa]
- alissa has joined #w3cdnt
- 22:13:51 [npdoty]
- npdoty has joined #w3cdnt
- 22:14:25 [npdoty]
- ScribeNick: alissa
- 22:14:32 [alissa]
- craig wills talking
- 22:14:43 [dsinger]
- dsinger has joined #w3cdnt
- 22:14:43 [jmorris]
- jmorris has joined #w3cdnt
- 22:14:52 [alissa]
- 1st party sites are leaking to third parties
- 22:14:58 [npdoty]
- npdoty has joined #w3cdnt
- 22:15:01 [alissa]
- sometimes explicit, sometimes implicit
- 22:15:20 [alissa]
- ... so it's not just about tracking, sites receiving private info
- 22:15:44 [alissa]
- ... how leakage occurs
- 22:15:53 [alissa]
- ... 1st parties embed info in URL
- 22:16:02 [alissa]
- ... page titles
- 22:16:13 [fjh]
- fjh has joined #w3cdnt
- 22:16:16 [rigo]
- rigo has joined #w3cdnt
- 22:16:18 [alissa]
- ... third parties masquerade as first parties (hidden)
- 22:16:50 [alissa]
- ... 1st parties pass info on to third parties (from forms)
- 22:16:52 [rpacker]
- rpacker has joined #w3cdnt
- 22:17:02 [alissa]
- ... how leaks can be prevented:
- 22:17:11 [alissa]
- ... if you block requests, there's no leakage
- 22:17:19 [alissa]
- ... opt-out cookies do not prevent leakage
- 22:17:34 [alissa]
- ... target to fix the problem should be first parties
- 22:17:55 [alissa]
- ... first parties can be better about avoiding leakage
- 22:18:02 [alissa]
- next speaker: Jens Grossklags
- 22:18:43 [alissa]
- ... disagreement about transparency as much as on definitional issues
- 22:19:19 [alissa]
- ... what info should be included in interface to user?
- 22:19:39 [alissa]
- ... what info is traded away and when
- 22:19:48 [alissa]
- what is the info used for?
- 22:20:03 [alissa]
- ... at what point can we claim to have achieved transparency?
- 22:20:28 [alissa]
- ... need to spend more time on this aspect
- 22:21:01 [alissa]
- ... few relevant research findings:
- 22:22:01 [alissa]
- ... material/immaterial tradeoffs: about how users trade off bundles of info about themselves, subject to different kinds of influences
- 22:22:19 [alissa]
- ... consumers have problems making decisions over time
- 22:22:43 [alissa]
- ... difficult to make a decision now about something that can change in the future
- 22:23:21 [alissa]
- ... again not talking about static decisions, but constant reaction and counter-reaction
- 22:23:49 [vincent]
- vincent has joined #w3cdnt
- 22:23:54 [alissa]
- ... in presence of enticing features like good recommendations, consumers' preferences can be shaped
- 22:24:18 [alissa]
- ... consumers choose dancing pigs over security risks every time
- 22:24:29 [alissa]
- ... oink
- 22:24:59 [alissa]
- ... DNT interface challenges:
- 22:25:13 [alissa]
- ... not same as do not call list
- 22:25:32 [alissa]
- ... calls are invasions in privacy at home when users engaged in unrelated activity
- 22:25:39 [alissa]
- ... different from web browsing
- 22:25:54 [alissa]
- ... web context is more problematic from a behavioral point of view
- 22:26:14 [alissa]
- ... DNT is just another privacy tool
- 22:26:38 [alissa]
- ... how do users define composite privacy metric across all these different privacy decisions?
- 22:27:13 [alissa]
- next speaker: Tom Lowenthal
- 22:27:27 [alissa]
- ... paper was about nonconsensual forms of tracking
- 22:27:43 [alissa]
- ... problem we've been talking about is very narrowly scoped
- 22:27:57 [alissa]
- ... situation where user and site both agree to comply with some set of requirements
- 22:28:06 [alissa]
- ... does not encapsulate vast majority of online interactions
- 22:28:13 [alissa]
- ... sites are motivated to ignore user requests
- 22:28:25 [alissa]
- ... users should rely on their browsers using effective technical measures instead
- 22:28:38 [alissa]
- ... browsers can implement counter-measures, have incentive to do so because they're competing for users
- 22:29:19 [alissa]
- ... rather than hoping for consensus, we should hope that browser vendors can actually try to minimize info available to services
- 22:29:38 [alissa]
- ... browsers should act as the agent of the user and do what the user wants even if user does not understand
- 22:30:03 [alissa]
- ... we've been talking about granular mechanisms based on headers/cookies
- 22:30:04 [jmayer]
- jmayer has joined #w3cdnt
- 22:30:11 [alissa]
- ... users will not understand these technical details
- 22:30:21 [alissa]
- ... browsers should ship with sensible defaults that users can change
- 22:30:33 [alissa]
- ... measures to include:
- 22:31:08 [alissa]
- ... act as an agent. user knows consequences of his actions -- which sites to share with, e.g.
- 22:31:43 [alissa]
- ... not just in realm of tracking, but other simple changes in browsers could be helpful, e.g., providing a shorter user-agent string
- 22:32:04 [alissa]
- ... doesn't impact usability but does impact privacy
- 22:32:17 [alissa]
- ... more effective privacy mode
- 22:32:39 [alissa]
- ... using more complex UI cues so users know which mode they're in, which elements on the page are getting their data
- 22:33:05 [alissa]
- ... certificate control: allowing broken certs should not be allowed
- 22:33:15 [alissa]
- ... sites should break in this case
- 22:33:42 [alissa]
- ... browsers have effective tools to help users control their information
- 22:35:40 [alissa]
- ???: Everyone hinting at personal data auditors.
- 22:36:04 [alissa]
- ... Have had meetings with IAB and national advertising association. They think they could create model where users opt out without any auditing. What they want is for us to reverse engineer when there is a problem. When we discover that, we would report it. No consequence other than getting kicked out of self-reg program if they're in the program to begin with.
- 22:36:12 [npdoty]
- s/???/MaryHodder/
- 22:36:12 [wseltzer]
- s/???/Mary Hodder/
- 22:36:23 [wseltzer]
- :)
- 22:36:25 [alissa]
- ... Terrible scenario to end up in.
- 22:36:28 [fjh]
- is the reason auditing is standard practice in the financial, corporate and other communities due to the need for dispute resolution information etc
- 22:36:48 [alissa]
- ... In your model for the W3C version of DNT, what does auditing entail?
- 22:37:16 [alissa]
- Tom: In my model users share minimal info to begin with. Don't want to have to audit them.
- 22:37:26 [alissa]
- Mary Hodder: What if data gets through anyway?
- 22:37:34 [alissa]
- Lorrie: We will discuss this tomorrow.
- 22:37:51 [alissa]
- Ian Fette: Take issue with characterization with last presentation.
- 22:38:04 [alissa]
- ... Browsers have been trying to solve this for awhile.
- 22:38:11 [alissa]
- ... We have incognito mode.
- 22:38:33 [alissa]
- ... The notion that we can have complex options page is not accurate. Fewer than 10% of users go to options, much less privacy page.
- 22:38:57 [alissa]
- ... If ypu try to go around ad industry, it's a big industry with large incentives. Some players are more ethical than others.
- 22:39:18 [alissa]
- ... When we make user-agent strings -- when Opera hit Opera 10, the number of sites that broke was huge.
- 22:39:35 [alissa]
- ... Not something browsers can hope to solve by themselves as a purely technical thing.
- 22:40:04 [alissa]
- ... Hundreds of ad networks are now offering a solution. Can argue merits of solution. But we're willing to talk about tracking and so on. Need participation from ad networks.
- 22:40:28 [alissa]
- Tom: Agree with many things just said. You guys are working hard. Incognito is good but still needs work.
- 22:41:11 [alissa]
- ... Users should know what incognito does do and doesn't do. Great feature. Loads of other steps that can be taken. Can't make it go away with settings pages. But sensible defaults would help. Sites will work it out if browser changes break them.
- 22:41:37 [alissa]
- Ashkan Soltani: Difficult to ask only the browsers to do things. Good incentives to circumvent, so there's an arms race.
- 22:42:31 [alissa]
- ... If you start doing all these things in the browser you start breaking things. If you go after only certain sites, asking browser to decide between sites. Have this for malware but for privacy we hit Jens' issue: consumer not good at making decisions in that case.
- 22:42:45 [alissa]
- ... Monopoly issues if Google starts blocking Facebook
- 22:42:49 [jmorris]
- s/ypu/you/
- 22:42:56 [alissa]
- ... Smart defaults necessary.
- 22:43:28 [alissa]
- Bryan Sullivan: On question of if sites will overcome browser changes that break functionality.
- 22:43:51 [alissa]
- ... Especially problematic in mobile with platform variation. Customization necessary even on desktop.
- 22:44:00 [alissa]
- ... Very dangerous to tinker with UA header.
- 22:44:41 [alissa]
- Rigo Wenning: With P3P tried to achieve sensible way to deal with cookies.
- 22:45:02 [alissa]
- ... If you call out the browsers to compete over tools, it may break things. Do we need more standardization so sites can adapt?
- 22:45:27 [alissa]
- Tom: Standards make this really useful. If we had better standards for pages we would have less variation, wouldn't need user-agent string.
- 22:45:36 [alissa]
- ... Standards good until they restrict innovation/competition.
- 22:45:58 [alissa]
- Jens: Relates to Ashkan's comment. What actually leads to situation where consumer or browser has decidable problem?
- 22:46:12 [alissa]
- ... More standards means set of options is reduced which helps to make decisions.
- 22:46:25 [alissa]
- ... Decision about tracking is not always a decidable problem.
- 22:46:34 [alissa]
- ... Need some heuristics at some point.
- 22:47:10 [alissa]
- ... Standards related to methods of auditing lead to other problems. Moral hazard paper by Ben Edelman -- only good actors seek certification.
- 22:47:24 [alissa]
- ... Deirdre Mulligan also notes race to bottom from certain kinds of regulation.
- 22:52:20 [AndroUser2]
- AndroUser2 has joined #w3cdnt