12:55:05 RRSAgent has joined #w3cdnt
12:55:05 logging to http://www.w3.org/2011/04/28-w3cdnt-irc
12:55:08 Zakim has joined #w3cdnt
12:55:08 karl has joined #w3cdnt
12:55:13 rrsagent, make record public
12:55:19 Agenda: http://www.w3.org/2011/track-privacy/agenda.html
14:02:39 tlr has joined #w3cdnt
14:11:47 karl has joined #w3cdnt
14:15:13 wseltzer has joined #w3cdnt
15:24:47 Zakim has left #w3cdnt
15:35:01 tlr has joined #w3cdnt
16:34:27 karl has joined #w3cdnt
16:46:25 adrianba has joined #w3cdnt
16:46:31 alissa has joined #w3cdnt
16:46:46 dsinger has joined #w3cdnt
16:47:17 jmayer has joined #w3cdnt
16:47:39 iandavey has joined #w3cdnt
16:48:00 jmorris has joined #w3cdnt
16:48:41 Someone should say something about how frank we can be here, and, um, how much privacy we get!
16:48:41 hannes has joined #w3cdnt
16:48:43 sjschultze has joined #w3cdnt
16:48:47 karl has joined #w3cdnt
16:51:00 Express a preference and see what happens
16:51:01 each will be tracked per the limits of his or her proposal
16:51:29 one vote for what happens in princeton stays in princeton
16:51:49 rigo has joined #w3cdnt
16:51:59 RRSAgent, pointer?
16:51:59 See http://www.w3.org/2011/04/28-w3cdnt-irc#T16-51-59
16:52:10 stpeter has joined #w3cdnt
16:52:23 anyone here? :)
16:53:14 Neutrino has joined #w3cdnt
16:53:42 Neutrino has left #w3cdnt
16:53:47 tlr has joined #w3cdnt
16:54:15 asoltani has joined #w3cdnt
16:54:16 woot
16:54:42 ng has joined #w3cdnt
16:55:17 ianp has joined #w3cdnt
16:55:22 what do you think this button would do if you click on it? [Do Not Track]
16:55:58 dsinger_ has joined #w3cdnt
16:56:02 lowenthal has joined #w3cdnt
16:58:01 jeff has joined #w3cdnt
16:59:54 W3C_ has joined #w3cdnt
17:00:06 W3C_ has left #w3cdnt
17:00:29 sudbury has joined #w3cdnt
17:04:37 rpacker has joined #w3cdnt
17:05:17 dsinger_ has joined #w3cdnt
17:06:41 fuogo has joined #w3cdnt
17:07:09 calatalee has joined #w3cdnt
17:08:00 karl has joined #w3cdnt
17:08:28 ScribeNick: karl
17:08:30 tlr_ has joined #w3cdnt
17:08:30 Topic: 1st Intro session
17:08:35 AleeciaMcDonald: People have different expectations
17:08:35 ... people think that there is a third part
17:08:42 ... Many people also think that it would be the fault of the browser company.
17:08:42 ... Click & nothing changes: 51% unsurprised, 49% browser company
17:08:42 ... Do Not Track represents an expectation gap. People think being tracked online.
17:08:44 ... There are different options to address the expectations gap.
17:08:48 ... Ease of adoption is reversed to ease of use
17:08:50 speakerB: I'm from Evidon.
17:08:52 ... what's a user supposed to think.
17:08:59 ... Everything is fine OR it is very dangerous
17:08:59 ... polarized opinions.
17:09:00 ... Tools are also being very binary. The DNT UI is a YES/NO
17:09:03 ... The flowchart is a bit more complicated there are many options.
17:09:24 Jonathan Mayer, stanford, Universality vs Simplicity?
17:09:42 AC: built in some controls and extensibility
17:09:51 ... to add controls
17:10:23 AK: privacy nuanced issue, so some granularity needed
17:11:17 .. we do ghostery on third party scripts, some users complain that another script should be stopped and we don't block it, sometimes a subjective decision
17:12:07 AM: 3 things fighting, capture preferences to being able to keep it simple is important. in sharp contrast to privacy being simple
17:13:25 FHirsch: user not understanding, dangerous to believe that users can be educated. We don't want to re-educate user
17:13:32 .. need to honor context
17:14:17 LC: some standards have educated people, but didn't lead to solution
17:15:04 JC, Microsoft: universal and persistent is against browser as they are neither. Whitelist of people that I allow to track
17:15:04 karl has joined #w3cdnt
17:15:24 ... our privacy is very contextual.
17:15:28 speakerNokia: Users do not necessary what is going on.
17:15:30 ... it would be challenging to try to educate the users.
17:15:34 AC: DNT can be in the operating system, but practical is that user expect that to be in their browser
17:15:49 s-mon has joined #w3cdnt
17:15:50 speakerB: there is a tradeoff
17:15:50 chair: the nutrition community has educated the users.
17:15:50 ... it didn't happen in one night.
17:15:50 Jesse (microsoft): Ability the users have their own sets of controls. I do not track by default but I trust this company.
17:15:52 Aleecia: Starting with keep it simple, and extend if possible.
17:16:04 s/Jesse/JC/
17:16:17 karl, try switching to one of the others
17:16:27 Harlan Yu: list of properties, do not think simplicity is at odds with granularity
17:16:35 fjh has joined #w3cdnt
17:17:49 puvisitor and csvapornet are both available for visitors
17:19:23 AM: users are confused by conflicting messages. Important that we are sure that when we violate user expectations, we should be aware and know that we would have to re-educate millions of people
17:19:34 Apparently we shouldn't do what users want and expect? I disagree: when you make a simple statement, and everyone understands that statement, you should comply with that.
17:19:55 karlushi has joined #w3cdnt
17:20:33 ... how do we continue to use and build upon and reducing the creepiness
17:21:08 rigo, if this is a venue for minutes, it's not going to be a great backchannel. why not use a piratepad instead?
17:21:20 AC: they do not even know that it is happening
17:21:28 ... the model was happening before years
17:21:38 rigo: there's audio in the physical room -- is it being recorded?
17:21:40 ... they were few complaints.
17:21:47 ... but once people realize
17:21:51 ... they freak out
17:22:04 ... The goal is to make incremental improvements
17:22:17 ... even if not everyone is understanding it in the first place.
17:22:29 ... And then creating step by step, accountability
17:23:41 Peter: about the education problem
17:24:32 ... what really needs to happen to protect the consumers body.
17:24:33 stpeter, I don't know, we have to ask wendy
17:24:40 tlr needs to install http://lightheadsw.com/caffeine/
17:24:48 AndroUser has joined #w3cdnt
17:24:57 not really sure what impetus data collectors would have to design their systems to honor "Do Not Track" headers. Higher development cost and screws with the business model
17:25:24 ianp: the threat of regulation
17:25:30 speakerB: There is a subset of educated users who don't care and some users who don't understand.
17:25:56 Aleecia: in lab studies, the 20 years old complaint that they are not informed.
17:26:09 ... they follow the behavior of their parents.
17:26:20 AndroUser has joined #w3cdnt
17:26:34 ... "if the parents are on facebook, it must be safe"
17:26:46 ... Facebook issue with read write web
17:27:21 ... People have a complete confusion, they do not understand what is happening.
17:27:29 ... media coverage is good, it is helpful.
17:27:40 ... education in schools would be good.
17:27:43 AndroUser has joined #w3cdnt
17:28:16 this sounds like we're trying to educate people again...
17:28:29 AC: You don't design a product thinking that the product features will be used by everyone
17:29:05 speakerB: there are some products you can use being uneducated.
17:29:19 AC: the Web
17:29:21 tlr: you could put the IRC channel on screen :)
17:29:34 stpeter, we were looking for a way just now to not blind the people in the front
17:29:42 unsolved problem for the moment
17:29:50 s/tlr:/tlr,/
17:29:59 tlr: understood
17:29:59 AndroUser has joined #w3cdnt
17:30:07 aleecia: asking users is not the only thing to do.
17:30:10 tlr: move the table forward slightly?
17:30:16 ... It is useful and important.
17:30:19 s/tlr:/tlr,/
17:30:26 stpeter, yeah - something like that
17:30:33 we'll figure it out in the break
17:30:43 aleecia: education seems to be a very long process.
17:30:47 AndroUser has joined #w3cdnt
17:31:03 AndroUser has joined #w3cdnt
17:31:10 ... Find the gaps between expectations and try to fill them.
17:31:11 AM: something to explain to the user, gap between what is expected and what is being built
17:31:52 this is Hannes Tschofenig speaking
17:31:54 Hannes: in that complex environment you'll have different users will get upset anyway because of different context and culture
17:32:16 AM: good data from Alessandro Acquisti
17:32:43 AndroUser has joined #w3cdnt
17:33:09 Thomas: Softwares had advanced settings
17:33:17 ... it is not a new problem
17:33:35 ... why not having advanced settings.
17:33:45 AndroUser has joined #w3cdnt
17:33:49 speakerB: How do you draw the line?
17:33:51 Thomas Nighthall CITP: some users want simple, some users want knobs, lets have a default and add knobs and buttons
17:34:00 ... there are too many nuances under that.
17:34:27 s/... there/speakerB: there/
17:35:32 chair: the software vendors do not want to be responsible for the granularity
17:35:58 aleecia: it is easier to implement "pick your own" but less obvious for users.
17:36:20 ... It is not a technical problem it is a social problem.
17:36:46 AC: there is already a default, which is often what the company has agreed to get from you
17:37:30 rigo, W3C: we have to take into account, features on the server side
17:38:06 ... We should start simply and have guidances for engineers.
17:38:31 Ashkan Soltani: The pop up window was in Mosaic.
17:38:43 ... IE came up with a cookie blocker, disabled by default.
17:38:49 there are differences between what users say they do and what they actually do (AM) a
17:38:51 ... It created an ecosystem
17:38:56 (wow, lag)
17:39:19 ... if we go down the road of granular controls.
17:39:39 ... the system becomes so complex, the user doesn't have the ability to control what is happening
17:39:46 ... facebook went this way.
17:40:07 rigo has joined #w3cdnt
17:40:28 Ian Fette, Google: Even with cookies, it is already a mess.
17:40:37 ... browsers do not agree on what it is.
17:41:01 ... but then if you look at Opera, Chrome, Safari, Firefox, IE, there is not one model
17:41:06 ... nobody knows what a third parties is, send and set are dealt with differently
17:41:23 xxxx: there are a lot of architects in the room
17:41:28 ?? AT&T: we want a solution
17:41:39 ... what are the top 3 users expectations
17:41:47 ... to trust what I'm being told
17:41:55 ... to control these
17:42:26 chair: what is in the top of your list?
17:42:35 AC: Control
17:43:16 speakerB: control is one of the aspects.
17:43:26 ... 3 points.
17:43:34 ... * transactional transparency
17:44:01 aleecia: make it stop
17:44:03 s/?? AT&T/Bryan Sullivan, AT&T/
17:44:13 ... 3 words instead of 3 priorities
17:44:31 s/make it/just make it/
17:44:33 ... they want to make the tracking stop.
17:45:06 David Singer (Apple): "do you want your online activity be tracked for ever?" The way we ask is important
17:45:32 SpeakerB: make it stop, maybe, but how it is defined.
17:45:52 ... the issue is nuances.
17:46:14 "I told you to make it stop, and the Internet stopped working"
17:46:24 s/speakerB/Andy Kahl/
17:47:26 Topic: Session 1.2
17:48:18 RRSAgent, pointer?
17:48:18 See http://www.w3.org/2011/04/28-w3cdnt-irc#T17-48-18
17:48:49 alissa has joined #w3cdnt
17:49:11 AnnR has joined #w3cdnt
17:50:20 karl: I would help minute, but the IRC channel is extremely lagged for me so my minutes would be useless
17:50:42 s/karl:/karl,/
17:51:06 why not minute in a separate channel, leaving this one for discussion, karl?
17:51:10 stpeter, I have switched to csvapornet and it seems a lot better
17:51:26 so anyone can enjoy
17:51:56 and make more comments :) though I'm not the master. tlr? :)
17:53:14 rigo_ has joined #w3cdnt
17:53:28 karl/quit
17:54:19 There's some value to having the back channel conversation in the minutes. : For off-the-record remarks, use "/me ...".
17:54:42 stpeter has joined #w3cdnt
17:54:56 yes, csvapornet is much faster
17:55:01 sudbury has joined #w3cdnt
17:56:16 Topic: Part II - What types of tracking should be in scope?
17:57:34 tlr has changed the topic to: W3C Workshop on Web Tracking & User Privacy | Better wi-fi: csvapornet
17:57:38 hmmm social, security, privacy difficult mix
17:57:40 dsinger has joined #w3cdnt
18:00:29 tension in between laws and jurisprudence
18:01:56 karl: to paraphrase Kurt Goedel (who used to live in Princeton), "A completely secure system will be either inconsistent or incomplete, i.e., unable to solve certain problems."
18:02:30 s/karl:/karl,/
18:02:47 sigh, can't type o-umlaut in IRC :P
18:02:56 sjschultze_ has joined #w3cdnt
18:03:03 ö
18:03:16 Gödel?
18:04:50 http://search.twitter.com/search?q=%23w3cdnt&result_type=recent
18:05:48 tracking becomes creepy when it enables things we had not expected.
18:06:44 such as aggregation of data, being contacted in a context different from the one we shared a specific information.
18:07:03 AnnR has joined #w3cdnt
18:07:42 Facebook says a company displaying on a page, or with previous relationship with user, should be able to track as 1st parties
18:09:18 when does 1st party analytics tracking become 3rd party analytics tracking?
18:09:19 wseltzer, yup but there are levels. I'm happy that my coffeeshop remembers that I'm taking this coffee each time I go there in the morning BUT I would not be happy if they start to tell me what I do every week-end outside of the cafe context
18:09:39 like is google analytics 1st party or 3rd party?
18:10:09 karl, what if they tell the supermarket, who use it to offer you milk?
18:10:40 I would not like it
18:13:13 hey wseltzer how do YOU know, i'm drinking cafe latte ;) have you followed me? :p
18:14:17 tlr, do you want us to minutes slides or only discussions
18:14:27 sophisticated coffe-behavior profiling :)
18:14:46 s/coffe/coffee/
18:15:26 Hannes: first party or third parties, will be too complicated decisions, do we want to go down that road?
18:15:59 ... is the same definition useful for everybody, if regulators are happy or tech companies?
18:16:44 Omar: defer to paper from NTIA, need multiple stakeholders, need to take the economic impact of DNT into account
18:17:46 MMJ: should take into account what the users are concerned about, but should not boil the ocean
18:18:22 xxx: You want everyone to have common definitions
18:18:34 s/xxx/Ashkan/
18:19:12 Chris: there are California laws for forbidding grocery shops to get your driving license information.
18:19:28 ChrisHoofnagle: grocery cart is CA law. Do not call is also the right to opt out
18:19:49 ...missing that the lesson taken on what Aleecia said
18:20:02 MMJ: the consumers do not understand
18:20:15 MMJ: part of the issue: Should we start looking at the users as they do not understand
18:20:42 MMJ: we should take user expectation into account, but it is complicated
18:20:43 Aleecia: if you build something which violates the expectations, users will be very angry
18:21:34 Andy (Paypal): example of spam and being angry at false positive.
18:22:22 ... There are Basic users expectations
18:23:38 Maybe a tautology, but an IP address is personal if you or anyone else can now or later associate it with me
18:23:58 Ashkan gives examples where tracking is done without need for the functionality of the technology
18:24:48 alan BlueKai: People might not want to track into vacuum, but if services are provided in exchange of tracking, some users might want to do it
18:25:23 Omar: tracking does not happen in a vacuum, there is an economic context and needs balance
18:25:29 sudbury has joined #w3cdnt
18:26:17 Alissa: we can try to do better, not just only be the strict legal minimum, talks about the update of the cookie RFC
18:26:43 AC: "Having the policy before the technology" we have been thinking about it for years. The time is not right yet. There is a window of opportunities, we can already do things
18:26:46 Alissa: we have been on this for a long time, now is the time to move
18:29:05 Andy: fears overstating of tracking protection that interferes with security
18:29:11 Andy (Paypal): I'm willing to accept certain definitions of DNT. but what do I do when it comes to Paypal where we *need* to track. It doesn't make sense anymore
18:30:18 cookie spec: http://www.rfc-editor.org/rfc/rfc6265.txt
18:30:27 Alissa: RFC 6265 was released just this week new cookie spec
18:30:34 dsinger has joined #w3cdnt
18:31:11 ??: CITP benefit of DNT is that it separates identification and login from tracking
18:31:19 dsinger has joined #w3cdnt
18:31:42 Tobie: personalizing content for you wouldn't work, we are in an existing relationship with customer
18:31:52 s/Tobie/Francis/
18:32:03 (Francis Larkin, not Tobie Langel)
18:32:28 So Facebook wants our networked eyeballs, without opt-in to personalization
18:34:02 ashkan warns that certain definitions would advantage certain actors in the market
18:36:03 Andy (Paypal): in the case of 3rd party mashups, it is hard to understand. How should we track the logs for security reasons for example.
18:36:10 andy: we don't know what DNT means, we don't know whether it allows to collect IP address
18:36:16 ... what kind of data, and what is used for matters a lot
18:36:47 Bigram/Nokia: if user perceive that DNT doesn't work, he will blame the browser
18:37:47 tools like spam protection does not give a false sense of security, DNT may do
18:38:10 http://www.slideshare.net/mikebrittain/metrics-driven-engineering-at-etsy
18:38:27 Ashkan: sending preference to a site is an early thing. We need a feedback channel with an ACK
18:38:54 http://codeascraft.etsy.com/2011/02/15/measure-anything-measure-everything/
18:39:49 Ian.Fette: we need to scope this down to something that people understand
18:39:50 ianfette (google): We need to scope that down to something users can understand.
18:40:19 ... "not track" is too generic, neither company nor user understands
18:41:13 we'd do better with a narrower, descriptive name
18:41:18 Omar: do not track is not very different from "do not track for behavioral advertisement"
18:41:51 Ashkan: early in the process of definition of what tracking means
18:41:59 ...that's why we are here
18:42:06 My problem with behavioral ads is not the ads, it is the existence of the database about me that enables them
18:42:09 ... have to balance security and privacy needs
18:43:11 MMJ/Adobe remakes point that first party analytics are not "tracking" and not 3rd party advertisement
18:43:56 FrankWagner: asking about purpose
18:44:15 s/Omar/Alan/
18:44:16 logfiles DNT should not mean that there are no logfiles anymore
18:44:22 (Alan Chapell, on behalf of BlueKai)
18:45:02 ... tracking is identification: Frank has seen this site and that site
18:46:07 Ashkan: what if 123 looks at sites
18:46:15 ashkan: pseudonyms can be converted to real identity at a point
18:46:17 Frank: this is pseudonym, you can identify
18:46:22 npdoty has joined #w3cdnt
18:47:19 Jonathan: we should define DNT, even if it is hard to define
18:49:24 AlanChapell: we need to understand the economic ramifications of DNT
18:49:50 (talking revolves around definitions of DNT)
18:50:57 all: please be privacy invasive and share your minutes with the chairs or me (rigo@w3.org)
18:53:04 jmorris: we won't come to a final definition in this room, but can decide whether or how it should be done in a standards body
18:53:55 jmorris: just because privacy situation is terrible doesn't mean that dnt may not progress better than early study of user understanding shows
18:54:07 s/privacy situation/current web privacy status/
18:55:13 Tim?? wait for next 2 years because technology isn't mature yet
18:55:52 Jules: we have one opportunity because of this dramatic title and movement by the browser vendors, we have an opportunity to do something useful even if it's small
18:55:53 sudbury has joined #w3cdnt
18:55:56 JulesPolonetsky: fear we boil the ocean, we have the opportunity to accomplish something useful
18:55:58 xxx: there is an opportunity to accomplish something useful even if not perfect.
18:56:16 ...can the panel agree that we can start from something robust at the button
18:57:27 Jules: what if we just use the starting point of Do Not Track referring to collecting data across multiple sites for behavioral advertising? could we at least agree on that?
18:58:20 Francis Facebook: There is a very thin line.
18:58:45 Vincent has joined #w3cdnt
18:58:59 Francis: I would be okay with that starting point as long as targeting by services you have a relationship with is exempted.
19:00:10 i wonder what should be considered a reasonable expectation of privacy online?
19:00:28 Francis: a baseline definition would help with the user concern of interactions with companies they know nothing about
19:00:47 xxxx: As a user I'm freaked out when you are tracking across sites
19:01:01 Mary Hodder
19:01:16 I have a separate Facebook browser profile, through Tor, that I use less and less because of FB's tracking
19:01:18 ... If users were able to track themselves it would improve.
19:01:39 ... Millions of data store (personal user store)
19:01:48 ... and then I can decide to share or not.
19:01:55 ... I can make the choice.
19:02:11 ... I want to be in control of what I do on the Web.
19:02:40 ... It is perfectly fine to be tracked by the owner of the site.
19:02:44 s/xxxx/MaryHodder/
19:02:46 ... but not by third parties.
19:03:29 yes it does karl
19:04:27 [ one of the points in the Paypal paper is that same-origin and first party as a business are distinct ]
19:04:48 xxx (CITP): what if we just had usage limitations? you can keep the data for security purposes (and not count as tracking) as long as you promise not to use for other purposes
19:05:58 xxxx: it would be incredibly cynical if we ended up with the result that all the ads are dumbed down but just as much data is collected about us
19:06:29 Andy PayPal: but companies in that case won't have the incentive to collect
19:06:51 S/xxxx/daveS/
19:08:07 MMJ: in EU we are analytics and data processor, useful only in a European process for European laws
19:08:20 Hannes: what about the definition of terms, like data processor and data collector as defined in the EU?
19:09:25 Andy Paypal: People outsourced their processing or services. It doesn't help us.
19:10:51 jmorris has joined #w3cdnt 19:22:28 ianp has joined #w3cdnt 19:27:51 lowenthal has joined #w3cdnt 19:37:54 npdoty has joined #w3cdnt 19:41:18 alissa has joined #w3cdnt 19:43:53 dsinger has joined #w3cdnt 19:44:18 fjh has joined #w3cdnt 19:44:30 rigo has joined #w3cdnt 19:44:43 Presenter: Alex Fowler, Mozilla 19:44:45 rpacker has joined #w3cdnt 19:45:17 AlexF: problem is that users' behavior is tracked without choice or control 19:45:39 ... felt like we had no choice but to act (explicitly called out by FTC) 19:46:34 AlexF: looked at a number of approaches 19:46:39 ... not happy with cookies or blocking 19:46:55 ... unintended consequences or burden on users (breaking experience) 19:47:14 ... blocking seemed anti-advertising, so looked for something else 19:47:26 ... 30 lines of code to implement it in Firefox 4 19:47:38 ... all parties who engage with it have the opportunity to do something with the header 19:48:05 ... as Aleecia pointed out, we were aware that we were going to get blamed if this didn't work 19:48:22 tlr has joined #w3cdnt 19:48:24 Vincent has joined #w3cdnt 19:49:10 AlexF: starting to see sites modify their server-side operations to reduce tracking, or even looking at doing less on-page tracking when they see the header 19:49:39 jeff has joined #w3cdnt 19:50:12 ... 
AP implemented it: one engineer took a couple of hours (as opposed to hundreds of sites that had to deal with cookies) 19:50:24 ScirbeNick: npdoty 19:50:49 ScribeNick: npdoty 19:51:13 AlexF: Chitika now recognizes the DNT header instead of suggesting the Opt-Out Cookie 19:51:18 ScribeNick: npdoty 19:51:50 AlexF: looking at some different user interfaces to signal that they're not tracking, or giving short notice to explain what you've been opted out of 19:52:15 Presenter: Jonathan Mayer, Stanford 19:52:28 dsinger_ has joined #w3cdnt 19:52:46 jmayer: talk about the DNT DOM flag and the DNT response header 19:53:33 DOM flag could be as simple as a read-only navigator.doNotTrack property accessible by JavaScript 19:54:11 jmayer: JavaScript could still be aware of DNT even without a DOM header; like returning Do Not Track-aware JavaScript 19:55:03 ... a third party always has to check for the DNT HTTP header anyway 19:55:45 ... would the server log the request, for example (assuming that any definition has to include some conditions about logging)? 19:56:13 ... finally, granularity would be very difficult because of script inclusion 19:56:45 ... that is, third-party scripts may run in the first-party DOM 19:56:50 dsinger has joined #w3cdnt 19:57:07 ... benefits of the DOM flag: can be hosted from a static HTTP server 19:57:21 ... does this matter? Akamai will let you handle headers, for example 19:57:44 ... benefit: users won't have to modify their server-side code, which might make it easier 19:58:14 ... cons of the DOM flag: granularity controls would lead to a fingerprinting risk 19:58:22 ... and browsers would have to implement one more thing 19:58:52 Presenter: xxx, Datran Media 20:00:08 Datran: consumers don't understand networks, haven't heard of them, don't have any reason to choose one over another 20:00:21 ... even I, an expert, have no reason to choose one network over another 20:00:31 ... 
instead we want to give consumers a choice at the brand level 20:01:33 ... can opt in to more customized ads, or opt-out of a particular marketer 20:02:23 Presenter: Adrian Bateman, Microsoft 20:02:49 adrianb: one question is what work should proceed at the W3C 20:03:00 ... want to have clear specifications to give to my engineering team so they know what to build 20:03:28 adrianb: three themes to think about 20:03:44 ... first, balance 20:04:04 ... users should have an opportunity to express a preference 20:05:06 ... people have said to start simple, and a header could be that simple step 20:05:19 ... second, choice -- that users should have control 20:05:38 ... tracking protection lists let users control exactly what requests are made on their behalf 20:05:57 ... a different part is the control to not send data to someone that they might not trust 20:06:10 ... anyone can create a list, or read a list and understand, creating an ecosystem 20:06:41 ... finally, innovation 20:06:59 ... interoperability is really important, and standards help with that, but we want everyone to be able to innovate over their business models 20:07:07 ... standards should be a platform, but we don't know what change there will be 20:07:55 Presenter: John Morris, CDT 20:08:16 jmorris: want to go back to the header not because of my particular preference but because of a connection to a broader concept 20:08:33 ... the idea of binding rules to data and having those rules followed 20:09:31 ... past efforts of these rules have met a number of pushbacks 20:10:12 ... first: no technical way to enforce the rules, no way for the browser to know 20:10:29 ... some engineering bodies were concerned since they couldn't know for sure, that there wasn't encryption, etc. 20:10:44 ... but there are other mechanisms that could work: law, markets, media hysteria 20:10:58 ... second concern: that UI is hard and confusing 20:11:22 ... 
answer: yes, UI is hard and confusing, but smart people can try to make this work for the user 20:11:39 ... third concern: that users will blame the browser (which we heard from Aleecia today) 20:12:08 ... but while there is a risk of that, the UI can imply not that Mozilla is in control but just that a preference is being expressed 20:12:25 ... fourth concern: a false sense of security / incomplete privacy is worse than no privacy 20:13:00 ... in security that might be true, but in the privacy realm protecting privacy some is desirable even if it's not complete 20:13:07 AnnR has joined #w3cdnt 20:13:16 ... finally: we're not sure this will work 20:13:26 ... but the status quo certainly isn't working 20:14:34 karl: incomplete privacy is only a problem because of the false sense of privacy, which might cause users to do even more online 20:15:10 jmorris: absolutely it's a risk, but if we don't try something people are going to be tracked (unless US passes baseline privacy legislation) 20:15:29 ... Mozilla is already trying to make this clear, do you trust the recipient? 20:16:16 Jules: it's actually an advantage that it's not a technical mechanism, because a signal allows for more finely nuanced controls 20:17:19 Datran: have to have a policy solution, because otherwise people will always attempt to bypass (the arms race) 20:17:48 adrianb: policy wonks need to go and figure this out, and I don't claim to be one of those people 20:18:13 ... as a service provider I need to know what to do with that signal, which is also a technical problem 20:19:06 Paul: have you done the analysis of economic implications? what kind of people will turn Do Not Track on? are they people who were clearing cookies anyway? 20:19:31 AlexF: we didn't want an anti-advertising approach 20:21:06 ... 
it's a short-term business model; we shouldn't say that therefore users are okay with it 20:21:40 Datran: if the tracking is so important to your business model, users can be required to opt back in 20:21:54 jmayer: Do Not Track is not going to blow up the entire Internet 20:22:23 ... a lot of the economics papers may not have rigorous methodology 20:22:30 ... http://donottrack.us/bib/ 20:23:01 ... it's not a large portion of revenues, and only relatively recently (as of 2007), though it is growing 20:23:36 ... there are elasticities: you could just allocate the behavioral ads to the non-DNT user 20:24:17 ... how much more are advertisers willing to pay? what alternatives are there? how much better is it than contextual advertising? 20:25:07 ... for interest targeting you could also ask the user their interests, or use client-side [presumably an AdNostic reference] 20:26:14 asoltani: often technologists push policy to fix things and vice versa, I think it could be technology and policy working together 20:27:20 jmayer: enforcement, technologists could help detect violations of DNT even if browsers can't always do it all the time 20:27:40 Datran: yes, can attempt to detect even if they can't block 20:28:01 adrianb: technology and policy should definitely be connected/aligned, technologists should educate the policymakers, for example 20:29:13 wseltzer: how do users know that once they've set the preference and can then go on to browse more? 20:29:51 jmayer: we should try to build early consensus and a clear definition; we've been working on an interim definition until we get a definition from a standards body or regulatory body 20:30:17 wseltzer: what if we changed the name to something less certain than "Do Not Track"? 20:31:07 ianfette: I want to push back on this preference being a meaningful thing; not meaningful until we come to consensus on what tracking means 20:31:28 ... 
danger of scope creep; iterative approach would lead to uncertainty in the market 20:32:58 AlexF: the fact that you have an opt-out but wouldn't recognize the DNT header would really be a dangerous thing to say to your consumers 20:33:49 ... if we marketed this as "don't serve me targeted ads" it wouldn't have worked as well (for the AP, for example) 20:33:52 AnnR has joined #w3cdnt 20:33:59 ... some constructive ambiguity may be helpful 20:34:36 ... I would rather have those early experiments rather than scope it down 20:35:00 ianfette: isn't it impossible to determine that something is being violated before it's defined? 20:35:33 jmorris: agrees with ian; need clarity over whether a server log is taboo 20:36:19 ... but once we have a definition, we can start getting activists to find violations and we'll get news stories about it 20:36:44 AlexF: we've already seen some feedback based on auditing of the AP implementation 20:36:56 ... we're not doing this to stave off regulation or anything of that type 20:37:18 ... if this looks like it fails, we'll walk away from it, this isn't the last available option 20:37:52 jmayer: frustrated to hear that "I don't know what Do Not Track means" 20:38:20 ... saying I don't know is an abdication of your responsibility to help with the definition 20:38:29 from_the_audience: we're here! 20:39:02 ianfette: I think a good scope would just be to limit to behaviorally-targeted ads and let's see if we can do something to address that 20:39:15 jmayer: and I think that's completely wrong 20:39:41 Gil_DoubleVerify: bad actors can always monitor users 20:40:00 ... it's hard to know that behaviorally-targeted ads are happening 20:40:34 ... 
the way we define "behaviorally-targeted ad" it covers 80% of online advertising today 20:40:57 narm has joined #w3cdnt 20:41:10 Datran: even the definition of "behaviorally-targeted ad" is under dispute 20:41:26 Gil: I'm using the DAA definition, which includes retargeting 20:42:48 adrianb: with all this discussion of user expression of preferences, we shouldn't ignore the bad guys, which is why we proposed TPLs 20:43:19 ... not a perfect solution, but part of the toolset dealing with that situation 20:44:11 Andy_Evidon: I understand more now the pushback from this morning about defining tracking being difficult; there's just no simple definition 20:44:55 ... isn't it just as dangerous to say that a technological solution is a simple answer to this problem, when the problem isn't simple? 20:45:19 ... requires a granular, nuanced solution 20:46:11 jmorris: isn't the process of standardization 90% of the time trying to keep things simple by balancing all the tweaks that people want to add? 20:47:22 tlr: any solution will be imperfect, but we're trying to find a scope that's a good balance somewhere 20:48:13 rigo: if we don't continue this dialog, the pain for both sides will be even bigger. we have to compromise. 20:49:34 ... critics of P3P said that people could just ignore it, or just lie, but there are critics in the society and even in the US the legal system could address violations 20:49:58 aleecia: what did you mean in saying that it's bad to put power in the hands of the users? 20:50:31 Datran: just mean that we shouldn't give them too much power, like requiring access to content 20:51:01 xxx: how do you track support or lack of support? what kind of forensics do you use to determine that they don't honor the preference? 20:51:25 s/xxx/Wu Chou, Avaya/ 20:52:14 jmayer: we're working on enforcement stuff.
20:53:06 xxxx: it's a red herring to talk about bad actors; and the reputable companies won't violate the practice because if the database ever comes to light they'll get in so much trouble 20:53:35 ... whackamole problem 20:54:06 adrianb: isn't that like saying "security is a really hard problem"? if it makes a difference now, why is that a bad thing? 20:54:28 xxxx: why wouldn't they evade it? you've declared war. 20:55:15 adrianb: it might be reasonable that a site detects that a user doesn't see an ad and so decides not to show content 20:55:47 ... some market effects on choosing a good TPL 20:56:13 jmayer: response headers make it easier to measure 20:56:29 ... and you could start blocking domains/cookies if a site doesn't use a response header 20:57:05 ... could bring it under deceptive business practices for companies that respond with the header but don't follow it 20:57:57 ATT: Do Not Track is more a concern about recording of behavior, warehousing of that data, monetization in unexpected ways; today behavioral advertising is the most glaring instance, but won't be the only one 20:58:21 jmorris: +1, a good question 20:58:29 +1 20:59:02 jmayer: some DAA members have already said that they'll continue to collect data under opt-out [scribe: did I get this right?] 20:59:27 dsinger has joined #w3cdnt 20:59:53 ryan_adobe: web sites could just do whatever they do with an opt-out cookie; seems like a dangerous policy since opt-out cookie policies vary between players 21:00:13 dsinger has joined #w3cdnt 21:01:31 AlexF: are we talking about danger to the user or danger to the business model? 21:03:19 Topic: Opt-outs, granular control and multiple mechanisms 21:03:58 Presenter: Frederick Hirsch, Nokia 21:04:15 rpacker has joined #w3cdnt 21:05:05 fjh: in DAP, we're discussing issues beyond minimization (like how data is used or retained) and beyond advertising 21:05:17 jmayer has joined #w3cdnt 21:05:26 ... accountability is an encompassing theme 21:06:05 ... 
benefits of defining a wire format -- enabling loosely coupled systems, evolution, simple testing 21:06:35 ... Do Not Track is interesting, but more generally we could convey user intent 21:06:59 ... how can we hold someone responsible if we don't have an opportunity to express our intent? 21:07:32 ... have to have a way to express preferences about re-use, etc. 21:07:47 Presenter: Harlan Yu, CITP 21:08:31 harlan: Microsoft's submission suggests a universal header and universal DOM property 21:09:13 ... but users may want to specify more granular cases, and we should assume that users will use it this way (as in the Abine extension) 21:09:39 ... Q: in which cases is the DNT header difficult to process on the server-side? 21:09:56 ... Q: how useful would a DNT DOM property be? 21:10:27 ... it's hard to get a DOM property to accurately mirror the DNT header 21:10:57 ... users may want to opt back in outside of setting the header 21:11:22 ... that option could happen outside of the browser setting, actually inline on the web page 21:12:00 ... dangerous because the browser might start showing the user that Do Not Track is in force, but many applications may consider the user to be opted back in, which would be difficult for the user to keep track of 21:12:26 ... response headers could include an ack, just to confirm that intermediaries aren't altering 21:12:44 jmorris has joined #w3cdnt 21:12:59 ... and a second bit could communicate back to the browser whether or not the preference is being respected 21:13:15 ... tell the browser I'm not respecting it because, for example, the user opted back in out-of-band 21:13:33 ... could get much more complex as to what the server responds, but worth discussion 21:13:43 Presenter: Wu Chou, Avaya 21:14:50 wuchou: face more complex issues in the enterprise, too complex for the DNT and TPL proposals 21:15:29 ... want to accommodate both user preferences and the enterprise's own tracking policies 21:15:52 ... 
should these rules be enforced on the Web proxy? 21:16:39 ... enterprise needs to be agnostic to particular browser implementation 21:18:21 ... layered combination of enterprise policies and user preferences 21:19:11 Presenter: David DeLuc, SIIA 21:20:42 DavidDeLuc: SIIA's approach to Do Not Track, certainly agreement to consumer's opting out of collection of some data, we all agree on that 21:21:09 ... industry-led, voluntary and enforceable -- I think there's a lot of agreement in the room on that 21:21:38 ... economic harm element: preserve the economic model 21:22:10 ... general agreement on carving out exceptions for the good stuff (analytics, fraud protection, etc.) 21:22:47 ... I wouldn't doubt it if behavioral ads were 3 times as effective 21:23:06 ... but the Web experience is importantly interactive 21:23:26 ... need a lot of education around how things work, so they don't get freaked out 21:23:43 ... people might actually like it if they realize that it's being used to help them 21:24:13 ... "I think Do Not Track is off track" 21:25:30 ... none of us want the Web to break 21:26:04 Presenter: Shane Wiley, Yahoo! 21:26:25 shanewiley: publishers must be able to engage with consumers in the discussion 21:26:40 ... consumers should have consistent tools across browsers 21:27:14 ... hybrid solutions should include CLEAR Ad and Do Not Track 21:27:46 ... Yahoo! believes that definition of track should be left up to policy focused groups, like CDT or self-regulatory groups 21:28:05 ... DNT opt-out should be OBA opt-out 21:28:30 ... users should be able to grant exceptions to DNT when it's turned on 21:28:44 dsinger has joined #w3cdnt 21:29:03 ... format would be based on domains (example.com) and could even subscribe to lists 21:29:18 ... publishers should receive a signal when a third-party on their page is blocked 21:29:42 dsinger_ has joined #w3cdnt 21:30:26 hannes: are existing proposals mixing policy and technology, and should they? 
21:32:23 wuchou: follow the enterprise proposal first, only without it should fall back on the user preference 21:33:34 ianfette: response header is interesting but need to think about these responses at more than just a single HTTP request/response 21:34:14 ... for example, at NYT.com the DNT request/response in question would actually come from the advertiser 21:35:33 BryanSullivan: the DOM flag should be on the window 21:35:52 fjh: work has been done by CDT in DAP on rulesets 21:36:19 xxx: I like the idea of a dialogue, because usually DNT sounds too inflexible, like an ultimatum 21:36:31 ... maybe a protocol that has multiple phases, negotiation, dialogue 21:37:08 shanewiley: we completely agree, publishers should be able to communicate the pros and cons of using their service 21:38:31 AndyPaypal: analogy to Caller ID, escalation about blocking caller ID, laws against spoofing caller ID, some sort of dialogue between the two about wanting to make an anonymous call 21:39:45 fjh: the phone company used to be a very centralized office, so the analogy may not be applicable 21:41:07 jmorris: push back on acknowledgement; 1) if there is an easy way for companies to declare that they are ignoring it, then they will simply do so and probably successfully avoid legal liability 21:41:44 ... 2) an ack means that law enforcement will only pursue violations that include an affirmative ack 21:42:33 harlan: but there are some scenarios where a user can opt back in, and then you get into a situation where the browser can't accurately report your status 21:43:07 alissa: +1 on jmorris 21:43:46 ... for people looking at negotiation, the more complicated the mechanism is, the harder it will be to define in policy-land 21:44:19 harlan: complexity is not ideal, but the out-of-band option may be unavoidable 21:45:47 Is DNT Response an opportunity for user-provider dialog, or invitation to ignore user preferences? 
21:46:05 shanewiley: the idea of the cookies was to respond with whether the option is respected or not and why [?] 21:46:34 ... exempt frequency capping, analytics, 1st-party advertising, 21:47:16 shanewiley -> vinay goel. Shane is out this week. 21:47:19 jmayer: using postMessage to communicate that a 3rd-party received a DNT 21:47:34 s/shanewiley/vinaygoel/g 21:48:15 wseltzer, if the browser beeps all time the server replies "no no, we do not care about DNT", the user will remove the DNT preference. 21:48:19 jmayer: could put the opt-back-in control either in the browser or let sites do it themselves or... 21:48:57 ... or a middle way [long explanation that the scribe didn't understand] 21:49:11 vinaygoel: yes, that sounds very similar to Yahoo!'s proposal 21:49:31 karl, and then we're back to the market failure in privacy 21:49:40 cjh: Do Not Call was not simple at all; Caller ID divided the privacy community as well 21:50:22 ... all sorts of industry showed up saying that we need an exemption, the justification being that they would lose money 21:51:02 ... what is the policy rationale for suggesting that Do Not Track == Do Not Track for OBA? 21:51:15 ... is it just that your particular business model doesn't work? 21:51:34 wseltzer, yup. We are running around a bigger issue, which is data aggregation or/and centralization. 21:51:44 DavidDeLuc: maybe that was just because it seemed simpler to define 21:52:51 vinaygoel: we need to start somewhere 21:53:16 wseltzer, issues also with Web sites using features services (such as maps, commenting systems, photos, etc), used on many sites, and then which are used for profiling. 21:53:32 ... start with something we've identified as a harm and something we can address 21:53:55 karl, right. 
That suggests limiting dialog, to make it easy for a mass of end-users to express similar preferences easily, 21:54:00 harlan: the harm isn't online behavioral advertising, that's just the only visible case 21:54:01 too bad nobody from wrapleaf is here 21:54:08 then let regulators figure out the details. 21:54:44 xxx: when a company claims that they comply based on the icon, what level of compliance do they need to get that icon? 21:55:06 ... what level of compliance does a company commit to when they claim to respect DNT? 21:56:09 karl, this channel is devoid of conversation because the aggressive minuting makes conversation uninviting 21:56:22 lowenthal, just jump in! 21:56:59 David: this is a request that the user is making generally, but maybe this would be a good opportunity to explain why we're ignoring your preference (because I'm part of your enterprise, or because you've opted in somewhere else) 21:57:18 wseltzer, but i'm not going to be keeping track, because so many of the messages are non-conversant 21:58:10 I appreciate the notes, npdoty 21:58:17 rigo has joined #w3cdnt 21:58:44 npdoty, the notes are great, i'd just prefer if there were a separate forum for them, like a live document, or a different channel 21:58:49 npdoty, that was awesome! 21:58:54 is granularity the route to divide-and-conquer the users? 22:01:13 ianp has joined #w3cdnt 22:01:22 tlr has joined #w3cdnt 22:08:50 ianp has joined #w3cdnt 22:13:35 alissa has joined #w3cdnt 22:13:51 npdoty has joined #w3cdnt 22:14:25 ScribeNick: alissa 22:14:32 craig wills talking 22:14:43 dsinger has joined #w3cdnt 22:14:43 jmorris has joined #w3cdnt 22:14:52 1st party sites are leaking to third parties 22:14:58 npdoty has joined #w3cdnt 22:15:01 sometimes explicit, sometimes implicit 22:15:20 ... so it's not just about tracking, sites receiving private info 22:15:44 ... how leakage occurs 22:15:53 ... 1st parties embed info in URL 22:16:02 ... 
page titles 22:16:13 fjh has joined #w3cdnt 22:16:16 rigo has joined #w3cdnt 22:16:18 ... third parties masquerade as first parties (hidden) 22:16:50 ... 1st parties pass info on to third parties (from forms) 22:16:52 rpacker has joined #w3cdnt 22:17:02 ... how leaks can be prevented: 22:17:11 ... if you block requests, there's no leakage 22:17:19 ... opt-out cookies do not prevent leakage 22:17:34 ... target to fix the problem should be first parties 22:17:55 ... first parties can be better about avoiding leakage 22:18:02 next speaker: Jens Grossklags 22:18:43 ... disagreement about transparency as much as on definitional issues 22:19:19 ... what info should be included in interface to user? 22:19:39 ... what info is traded away and when 22:19:48 what is the info used for? 22:20:03 ... at what point can we claim to have achieved transparency? 22:20:28 ... need to spend more time on this aspect 22:21:01 ... few relevant research findings: 22:22:01 ... material/immaterial tradeoffs: about how users trade off bundles of info about themselves, subject to different kinds of influences 22:22:19 ... consumers have problems making decisions over time 22:22:43 ... difficult to make a decision now about something that can change in the future 22:23:21 ... again not talking about static decisions, but constant reaction and counter-reaction 22:23:49 vincent has joined #w3cdnt 22:23:54 ... in presence of enticing features like good recommendations, consumers' preferences can be shaped 22:24:18 ... consumers choose dancing pigs over security risks every time 22:24:29 ... oink 22:24:59 ... DNT interface challenges: 22:25:13 ... not same as do not call list 22:25:32 ... calls are invasions in privacy at home when users engaged in unrelated activity 22:25:39 ... different from web browsing 22:25:54 ... web context is more problematic from a behavioral point of view 22:26:14 ... DNT is just another privacy tool 22:26:38 ...
how do users define composite privacy metric across all these different privacy decisions? 22:27:13 next speaker: Tom Lowenthal 22:27:27 ... paper was about nonconsensual forms of tracking 22:27:43 ... problem we've been talking about is very narrowly scoped 22:27:57 ... situation where user and site both agree to comply with some set of requirements 22:28:06 ... does not encapsulate vast majority of online interactions 22:28:13 ... sites are motivated to ignore user requests 22:28:25 ... users should rely on their browsers using effective technical measures instead 22:28:38 ... browsers can implement counter-measures, have incentive to do so because they're competing for users 22:29:19 ... rather than hoping for consensus, we should hope that browser vendors can actually try to minimize info available to services 22:29:38 ... browsers should act as the agent of the user and do what the user wants even if user does not understand 22:30:03 ... we've been talking about granular mechanisms based on headers/cookies 22:30:04 jmayer has joined #w3cdnt 22:30:11 ... users will not understand these technical details 22:30:21 ... browsers should ship with sensible defaults that users can change 22:30:33 ... measures to include: 22:31:08 ... act as an agent. user knows consequences of his actions -- which sites to share with, e.g. 22:31:43 ... not just in realm of tracking, but other simple changes in browsers could be helpful, e.g., providing a shorter user-agent string 22:32:04 ... doesn't impact usability but does impact privacy 22:32:17 ... more effective privacy mode 22:32:39 ... using more complex UI cues so users know which mode they're in, which elements on the page are getting their data 22:33:05 ... certificate control: allowing broken certs should not be allowed 22:33:15 ... sites should break in this case 22:33:42 ... browsers have effective tools to help users control their information 22:35:40 ???: Everyone hinting at personal data auditors. 22:36:04 ...
Have had meetings with IAB and national advertising association. They think they could create model where users opt out without any auditing. What they want is for us to reverse engineer when there is a problem. When we discover that, we would report it. No consequence other than getting kicked out of self-reg program if they're in the program to begin with. 22:36:12 s/???/MaryHodder/ 22:36:12 s/???/Mary Hodder/ 22:36:23 :) 22:36:25 ... Terrible scenario to end up in. 22:36:28 is the reason auditing is standard practice in the financial, corporate and other communities due to the need for dispute resolution information etc 22:36:48 ... In your model for the W3C version of DNT, what does auditing entail? 22:37:16 Tom: In my model users share minimal info to begin with. Don't want to have to audit them. 22:37:26 Mary Hodder: What if data gets through anyway? 22:37:34 Lorrie: We will discuss this tomorrow. 22:37:51 Ian Fette: Take issue with characterization with last presentation. 22:38:04 ... Browsers have been trying to solve this for awhile. 22:38:11 ... We have incognito mode. 22:38:33 ... The notion that we can have complex options page is not accurate. Fewer than 10% of users go to options, much less privacy page. 22:38:57 ... If ypu try to go around ad industry, it's a big industry with large incentives. Some players are more ethical than others. 22:39:18 ... When we make user-agent strings -- when Opera hit Opera 10, the number of sites that broke was huge. 22:39:35 ... Not something browsers can hope to solve by themselves as a purely technical thing. 22:40:04 ... Hundreds of ad networks are now offering a solution. Can argue merits of solution. But we're willing to talk about tracking and so on. Need participation from ad networks. 22:40:28 Tom: Agree with many things just said. You guys are working hard. Incognito is good but still needs work. 22:41:11 ... Users should know what incognito does do and doesn't do. Great feature. 
Loads of other steps that can be taken. Can't make it go away with settings pages. But sensible defaults would help. Sites will work it out if browser changes break them. 22:41:37 Ashkan Soltani: Difficult to ask only the browsers to do things. Good incentives to circumvent, so there's an arms race. 22:42:31 ... If you start doing all these things in the browser you start breaking things. If you go after only certain sites, asking browser to decide between sites. Have this for malware but for privacy we hit Jens' issue: consumer not good at making decisions in that case. 22:42:45 ... Monopoly issues if Google starts blocking Facebook 22:42:49 s/ypu/you/ 22:42:56 ... Smart defaults necessary. 22:43:28 Bryan Sullivan: On question of if sites will overcome browser changes that break functionality. 22:43:51 ... Especially problematic in mobile with platform variation. Customization necessary even on desktop. 22:44:00 ... Very dangerous to tinker with UA header. 22:44:41 Rigo Wenning: With P3P tried to achieve sensible way to deal with cookies. 22:45:02 ... If you call out the browsers to compete over tools, it may break things. Do we need more standardization so sites can adapt? 22:45:27 Tom: Standards make this really useful. If we had better standards for pages we would have less variation, wouldn't need user-agent string. 22:45:36 ... Standards good until they restrict innovation/competition. 22:45:58 Jens: Relates to Ashkan's comment. What actually leads to situation where consumer or browser has decidable problem? 22:46:12 ... More standards means set of options is reduced which helps to make decisions. 22:46:25 ... Decision about tracking is not always a decidable problem. 22:46:34 ... Need some heuristics at some point. 22:47:10 ... Standards related to methods of auditing lead to other problems. Moral hazard paper by Ben Edelman -- only good actors seek certification. 22:47:24 ... Deirdre Mulligan also notes race to bottom from certain kinds of regulation.
22:52:20 AndroUser2 has joined #w3cdnt