Web Tracking and User Privacy Workshop, 28 April 2011



Lorrie Cranor (lfc), Thomas Roessler (tlr)
karl, rigo, karlushi, rigo_, npdoty, alissa


<dsinger> Someone should say something about how frank we can be here, and, um, how much privacy we get!

<adrianba> Express a preference and see what happens

<wseltzer> each will be tracked per the limits of his or her proposal

<jmayer> one vote for what happens in princeton stays in princeton

What are users' expectations about tracking and tracking controls?

AleeciaMcDonald: People have different expectations
... people think that there is a third part
... Many people also think that it would be the fault of the browser company.
... Click&nothing changes: 51% unsurprised, 49% browser company
... Do Not Track represents an expectation gap. People think being tracked online.
... There are different options to address the expectations gap.
... Ease of adoption is reversed to ease of use

AndyKahl_Evidon: I'm from Evidon.
... what's a user supposed to think.
... Everything is fine OR it is very dangerous
... polarized opinions.
... Tools are also being very binary. The DNT UI is a YES/NO
... The flowchart is a bit more complicated there are many options.

Jonathan Mayer, stanford, Universality vs Simplicity?

Alissa: built in some controls and extensibility
... to add controls

AndyKahl_Evidon: privacy nuanced issue, so some granularity needed
... we do ghostery on third party scripts, some users complain that another script should be stopped and we don't block it, sometimes a subjective decision

Aleecia: 3 things fighting, capture preferences to being able to keep it simple is important. in sharp contrast to privacy being simple

FHirsch: user not understanding, dangerous to believe that users can be educated. We don't want to re-educate user
... need to honor context

Lorrie: some standards have educated people, but didn't lead to solution

JC_Microsoft: universal and persistent is against browser as they are neither. Whitelist of people that I allow to track

JC_Microsoft: our privacy is very contextual.

speakerNokia: Users do not necessarily know what is going on.
... it would be challenging to try to educate the users.

Alissa: DNT can be in the operating system, but practical is that user expect that to be in their browser

AndyKahl_Evidon: there is a tradeoff

Lorrie: the nutrition community has educated the users.
... it didn't happen in one night.

JC_Microsoft: Ability the users have their own sets of controls. I do not track by default but I trust this company.

Aleecia: Starting with keep it simple, and extend if possible.

HarlanYu: list of properties, do not think simplicity is at odds with granularity

Aleecia: users are confused by conflicting messages. Important that we are sure that when we violate user expectations, we should be aware and know that we would have to re-educate millions of people

<lowenthal> Apparently we shouldn't do what users want and expect? I disagree: when you make a simple statement, and everyone understands that statement, you should comply with that.

Aleecia: how do we continue to use and build upon and reducing the creepiness

Alissa: they do not even know that it is happening
... the model was happening before years
... there were few complaints.
... but once people realize
... they freak out
... The goal is to make incremental improvements
... even if not everyone is understanding it in the first place.
... And then creating step by step, accountability

Peter: about the education problem
... what really needs to happen to protect the consumers body.

<ianp> not really sure what impetus data collectors would have to design their systems to honor "Do Not Track" headers. Higher development cost and screws with the business model

<stpeter> ianp: the threat of regulation

AndyKahl_Evidon: There is a subset of educated users who don't care and some users who don't understand.

Aleecia: in lab studies, the 20-year-olds complain that they are not informed.
... they follow the behavior of their parents.
... "if the parents are on facebook, it must be safe"
... Facebook issue with read write web
... People have a complete confusion, they do not understand what is happening.
... media coverage is good, it is helpful.
... education in schools would be good.

<stpeter> this sounds like we're trying to educate people again...

Alissa: You don't design a product thinking that the product features will be used by everyone

AndyKahl_Evidon: there are some products you can use being uneducated.

Alissa: the Web

Aleecia: asking users is not the only thing to do.
... It is useful and important.
... education seems to be a very long process.
... Find the gaps between expectations and try to fill them.

Aleecia: something to explain to the user, gap between what is expected and what is being built

Hannes: in that complex environment you'll have different users will get upset anyway because of different context and culture

Aleecia: good data from Alessandro Acquisti

TomLowenthal_CITP: Software had advanced settings
... it is not a new problem
... why not having advanced settings?

AndyKahl_Evidon: How do you draw the line?

TomLowenthal_CITP: some users want simple, some users want knobs, lets have a default and add knobs and buttons

AndyKahl_Evidon: there are too many nuances under that.

Lorrie: the software vendors do not want to be responsible for the granularity

Aleecia: it is easier to implement "pick your own" but less obvious for users.
... It is not a technical problem it is a social problem.

Alissa: there is already a default, which is often what the company has agreed to get from you

rigo: we have to take into account, features on the server side
... We should start simply and have guidances for engineers.

AshkanSoltani: The pop up window was in Mosaic.
... IE came up with a cookie blocker, disabled by default.

<stpeter> there are differences between what users say they do and what they actually do (AM)

AshkanSoltani: It created an ecosystem
... if we go down the road of granular controls.
... the system becomes so complex, the user doesn't have the ability to control what is happening
... facebook went this way.

IanFette: Even with cookies, it is already a mess.
... browsers do not agree on what it is.
... but then if you look at Opera, Chrome, Safari, Firefox, IE, there is not one model

<rigo> ... nobody knows what a third party is, send and set are dealt with differently

xxxx: there are a lot of architects in the room

BryanSullivan_ATT: we want a solution
... what are the top 3 users expectations
... to trust what I'm being told
... to control these

Lorrie: what is in the top of your list?

Alissa: Control

AndyKahl_Evidon: control is one of the aspects.
... 3 points.
... * transactional transparency

Aleecia: just make it stop
... 3 words instead of 3 priorities
... they want to make the tracking stop.

DavidSinger: "do you want your online activity be tracked for ever?" The way we ask is important

AndyKahl_Evidon: make it stop, maybe, but how it is defined.
... the issue is nuances.

<stpeter> "I told you to make it stop, and the Internet stopped working"

What types of tracking should be in scope?

hmmm social, security, privacy difficult mix

tension in between laws and jurisprudence

<stpeter> karl, to paraphrase Kurt Goedel (who used to live in Princeton), "A completely secure system will be either inconsistent or incomplete, i.e., unable to solve certain problems."


tracking becomes creepy when it enables things we had not expected.

such as aggregation of data, being contacted in a context different from the one we shared a specific information.

<wseltzer> Facebook says a company displaying on a page, or with previous relationship with user, should be able to track as 1st parties

<ianp> when does 1st party analytics tracking become 3rd party analytics tracking?

<karl> wseltzer, yup but there are levels. I'm happy that my coffeeshop remembers that I'm taking this coffee each time I go there in the morning BUT I would not be happy if they start to tell me what I do every week-end outside of the cafe context

<ianp> like is google analytics 1st party or 3rd party?

<wseltzer> karl, what if they tell the supermarket, who use it to offer you milk?

<karl> I would not like it

<karl> hey wseltzer how do YOU know, i'm drinking cafe latte ;) have you followed me? :p

<wseltzer> sophisticated coffee-behavior profiling :)

Hannes: first party or third parties, will be too complicated decisions, do we want to go down that road?
... is the same definition useful for everybody, if regulators are happy or tech companies?

Omar: defer to paper from NTIA, need multiple stakeholders, need to take the economic impact of DNT into account

MeMe: should take into account what the users are concerned about, but should not boil the ocean

Ashkan: You want everyone to have common definitions

Chris: there are California laws forbidding grocery shops to get your driving license information.

ChrisHoofnagle: grocery cart is CA law. Do not call is also the right to opt out
... missing that the lesson taken on what Aleecia said

MeMe: the consumers do not understand

MeMe: part of the issue: Should we start looking at the users as they do not understand
... we should take user expectation into account, but it is complicated

Aleecia: if you build something which violates the expectations, users will be very angry

Andy_Paypal: example of spam and being angry at false positive.
... There are Basic users expectations

<dsinger_> Maybe a tautology, but an IP address is personal if you or anyone else can now or later associate it with me

<rigo_> Ashkan gives examples where tracking is done without need for the functionality of the technology

alan_BlueKai: People might not want to track into vacuum, but if services are provided in exchange of tracking, some users might want to do it

Omar: tracking does not happen in a vacuum, there is an economic context and needs balance

Alissa: we can try to do better, not just only be the strict legal minimum, talks about the update of the cookie RFC
... "Having the policy before the technology" we have been thinking about it for years. The time is not right yet. There is a window of opportunities, we can already do things
... we have been on this for a long time, now is the time to move

Andy: fears overstating of tracking protection that interferes with security
... I'm willing to accept certain definitions of DNT. but what do I do when it comes to Paypal where we *need* to track. It doesn't make sense anymore

<alissa> cookie spec: http://www.rfc-editor.org/rfc/rfc6265.txt

Alissa: RFC 6265 was released just this week new cookie spec

xx_CITP: benefit of DNT is that it separates identification and login from tracking

FrancisLarkin_Facebook: personalizing content for you wouldn't work, we are in an existing relationship with customer

<wseltzer> So Facebook wants our networked eyeballs, without opt-in to personalization

Ashkan warns that certain definitions would advantage certain actors in the market

Andy_Paypal: in the case of 3rd party mashups, it is hard to understand. How should we track the logs for security reasons for example.

Andy_Paypal: we don't know what DNT means, we don't know whether it allows to collect IP address

<karl> ... what kind of data, and what is used for matters a lot

Vikram_Nokia: if a user perceives that DNT doesn't work, he will blame the browser
... tools like spam protection do not give a false sense of security, DNT may

<karl> http://www.slideshare.net/mikebrittain/metrics-driven-engineering-at-etsy

Ashkan: sending preference to a site is an early thing. We need a feedback channel with an ACK

<karl> http://codeascraft.etsy.com/2011/02/15/measure-anything-measure-everything/

IanFette: we need to scope this down to something that people understand
... "not track" is too generic, neither company nor user understands

<wseltzer> we'd do better with a narrower, descriptive name

Alan_BlueKai: do not track is not very different from "do not track for behavioral advertisement"

Ashkan: early in the process of definition of what tracking means
... that's why we are here

<dsinger_> My problem with behavioral ads is not the ads, it is the existence of the database about me that enables them

Ashkan: have to balance security and privacy needs

MeMe_Adobe remakes point that first party analytics are not "tracking" and not 3rd party advertisement

FrankWagner: asking about purpose
... logfiles DNT should not mean that there are no logfiles anymore
... tracking is identification: Frank has seen this site and that site

Ashkan: what if 123 looks at sites
... pseudonyms can be converted to real identity at a point

Frank: this is pseudonym, you can identify

Jonathan: we should define DNT, even if it is hard to define

AlanChapell: we need to understand the economic ramifications of DNT

<karl> (talking revolves around definitions of DNT)

<rigo_> all, please be privacy invasive and share your minutes with the chairs or me (rigo@w3.org)

jmorris: we won't come to a final definition in this room, but can decide whether or how it should be done in a standards body
... just because current web privacy status is terrible doesn't mean that dnt may not progress better than early study of user understanding shows

Tim__: wait for next 2 years because technology isn't mature yet

Jules: we have one opportunity because of this dramatic title and movement by the browser vendors, we have an opportunity to do something useful even if it's small
... fear we boil the ocean, we have the opportunity to accomplish something useful
... can the panel agree that we can start from something robust at the button
... what if we just use the starting point of Do Not Track referring to collecting data across multiple sites for behavioral advertising? could we at least agree on that?

Francis_Facebook: There is a very thin line.

Francis: I would be okay with that starting point as long as targeting by services you have a relationship with is exempted.

<ianp> i wonder what should be considered a reasonable expectation of privacy online?

Francis: a baseline definition would help with the user concern of interactions with companies they know nothing about

MaryHodder: As a user I'm freaked out when you are tracking across sites

<wseltzer> I have a separate Facebook browser profile, through Tor, that I use less and less because of FB's tracking

MaryHodder: If users were able to track themselves it would improve.
... Millions of data store (personal user store)
... and then I can decide to share or not.
... I can make the choice.
... I want to be in control of what I do on the Web.
... It is perfectly fine to be tracked by the owner of the site.
... but not by third parties.

<tlr> [ one of the points in the Paypal paper is that same-origin and first party as a business are distinct ]

xxx_CITP: what if we just had usage limitations? you can keep the data for security purposes (and not count as tracking) as long as you promise not to use for other purposes

DavidSinger: it would be incredibly cynical if we ended up with the result that all the ads are dumbed down but just as much data is collected about us <applause>

Andy_PayPal: but companies in that case won't have the incentive to collect

MeMe: in EU we are analytics and data processor, useful only in a European process for European laws

Hannes: what about the definition of terms, like data processor and data collector as defined in the EU?

Andy_Paypal: People outsourced their processing or services. It doesn't help us.

Mechanisms: Do Not Track Header and Tracking Protection Lists

Presenter: Alex Fowler, Mozilla

AlexF: problem is that users' behavior is tracked without choice or control
... felt like we had no choice but to act (explicitly called out by FTC)
... looked at a number of approaches
... not happy with cookies or blocking
... unintended consequences or burden on users (breaking experience)
... blocking seemed anti-advertising, so looked for something else
... 30 lines of code to implement it in Firefox 4
... all parties who engage with it have the opportunity to do something with the header
... as Aleecia pointed out, we were aware that we were going to get blamed if this didn't work
... starting to see sites modify their server-side operations to reduce tracking, or even looking at doing less on-page tracking when they see the header
... AP implemented it: one engineer took a couple of hours (as opposed to hundreds of sites that had to deal with cookies)
... Chitika now recognizes the DNT header instead of suggesting the Opt-Out Cookie
... looking at some different user interfaces to signal that they're not tracking, or giving short notice to explain what you've been opted out of

Presenter: Jonathan Mayer, Stanford

jmayer: talk about the DNT DOM flag and the DNT response header
... DOM flag could be as simple as a read-only navigator.doNotTrack property accessible by JavaScript
... JavaScript could still be aware of DNT even without a DOM header; like returning Do Not Track-aware JavaScript
... a third party always has to check for the DNT HTTP header anyway
... would the server log the request, for example (assuming that any definition has to include some conditions about logging)?
... finally, granularity would be very difficult because of script inclusion
... that is, third-party scripts may run in the first-party DOM
... benefits of the DOM flag: can be hosted from a static HTTP server
... does this matter? Akamai will let you handle headers, for example
... benefit: users won't have to modify their server-side code, which might make it easier
... cons of the DOM flag: granularity controls would lead to a fingerprinting risk
... and browsers would have to implement one more thing

Presenter: Steven Vine, Datran Media

Datran: consumers don't understand networks, haven't heard of them, don't have any reason to choose one over another
... even I, an expert, have no reason to choose one network over another
... instead we want to give consumers a choice at the brand level
... can opt in to more customized ads, or opt-out of a particular marketer

Presenter: Adrian Bateman, Microsoft

AdrianBa: one question is what work should proceed at the W3C
... want to have clear specifications to give to my engineering team so they know what to build
... three themes to think about
... first, balance <laughter at dog photo slide>
... users should have an opportunity to express a preference
... people have said to start simple, and a header could be that simple step
... second, choice -- that users should have control
... tracking protection lists let users control exactly what requests are made on their behalf
... a different part is the control to not send data to someone that they might not trust
... anyone can create a list, or read a list and understand, creating an ecosystem
... finally, innovation
... interoperability is really important, and standards help with that, but we want everyone to be able to innovate over their business models
... standards should be a platform, but we don't know what change there will be

Presenter: John Morris, CDT

jmorris: want to go back to the header not because of my particular preference but because of a connection to a broader concept
... the idea of binding rules to data and having those rules followed
... past efforts of these rules have met a number of pushbacks
... first: no technical way to enforce the rules, no way for the browser to know
... some engineering bodies were concerned since they couldn't know for sure, that there wasn't encryption, etc.
... but there are other mechanisms that could work: law, markets, media hysteria
... second concern: that UI is hard and confusing
... answer: yes, UI is hard and confusing, but smart people can try to make this work for the user
... third concern: that users will blame the browser (which we heard from Aleecia today)
... but while there is a risk of that, the UI can imply not that Mozilla is in control but just that a preference is being expressed
... fourth concern: a false sense of security / incomplete privacy is worse than no privacy
... in security that might be true, but in the privacy realm protecting privacy some is desirable even if it's not complete
... finally: we're not sure this will work
... but the status quo certainly isn't working

karl: incomplete privacy is only a problem because of the false sense of privacy, which might cause users to do even more online

jmorris: absolutely it's a risk, but if we don't try something people are going to be tracked (unless US passes baseline privacy legislation)
... Mozilla is already trying to make this clear, do you trust the recipient?

Jules: it's actually an advantage that it's not a technical mechanism, because a signal allows for more finely nuanced controls

Datran: have to have a policy solution, because otherwise people will always attempt to bypass (the arms race)

AdrianBa: policy wonks need to go and figure this out, and I don't claim to be one of those people
... as a service provider I need to know what to do with that signal, which is also a technical problem

Paul: have you done the analysis of economic implications? what kind of people will turn Do Not Track on? are they people who were clearing cookies anyway?

AlexF: we didn't want an anti-advertising approach
... it's a short-term business model; we shouldn't say that therefore users are okay with it

Datran: if the tracking is so important to your business model, users can be required to opt back in

jmayer: Do Not Track is not going to blow up the entire Internet
... a lot of the economics papers may not have rigorous methodology
... http://donottrack.us/bib/
... it's not a large portion of revenues, and only relatively recently (as of 2007), though it is growing
... there are elasticities: you could just allocate the behavioral ads to the non-DNT user
... how much more are advertisers willing to pay? what alternatives are there? how much better is it than contextual advertising?
... for interest targeting you could also ask the user their interests, or use client-side [presumably an AdNostic reference]

asoltani: often technologists push policy to fix things and vice versa, I think it could be technology and policy working together

jmayer: enforcement, technologists could help detect violations of DNT even if browsers can't always do it all the time

Datran: yes, can attempt to detect even if they can't block

AdrianBa: technology and policy should definitely be connected/aligned, technologists should educate the policymakers, for example

wseltzer: how do users know that once they've set the preference and can then go on to browse more?

jmayer: we should try to build early consensus and a clear definition; we've been working on an interim definition until we get a definition from a standards body or regulatory body

wseltzer: what if we changed the name to something less certain than "Do Not Track"?

IanFette: I want to push back on this preference being a meaningful thing; not meaningful until we come to consensus on what tracking means
... danger of scope creep; iterative approach would lead to uncertainty in the market

AlexF: the fact that you have an opt-out but wouldn't recognize the DNT header would really be a dangerous thing to say to your consumers
... if we marketed this as "don't serve me targeted ads" it wouldn't have worked as well (for the AP, for example)
... some constructive ambiguity may be helpful
... I would rather have those early experiments rather than scope it down

IanFette: isn't it impossible to determine that something is being violated before it's defined?

jmorris: agrees with ian; need clarity over whether a server log is taboo
... but once we have a definition, we can start getting activists to find violations and we'll get news stories about it

AlexF: we've already seen some feedback based on auditing of the AP implementation
... we're not doing this to stave off regulation or anything of that type
... if this looks like it fails, we'll walk away from it, this isn't the last available option

jmayer: frustrated to hear that "I don't know what Do Not Track means"
... saying I don't know is an abdication of your responsibility to help with the definition

from_the_audience: we're here!

IanFette: I think a good scope would just be to limit to behaviorally-targeted ads and let's see if we can do something to address that

jmayer: and I think that's completely wrong

Gil_DoubleVerify: bad actors can always monitor users
... it's hard to know that behaviorally-targeted ads are happening
... the way we define "behaviorally-targeted ad" it covers 80% of online advertising today

Datran: even the definition of "behaviorally-targeted ad" is under dispute

Gil: I'm using the DAA definition, which includes retargeting

AdrianBa: with all this discussion of user expression of preferences, we shouldn't ignore the bad guys, which is why we proposed TPLs
... not a perfect solution, but part of the toolset dealing with that situation

Andy_Evidon: I understand more now the pushback from this morning about defining tracking being difficult; there's just no simple definition
... isn't it just as dangerous to say that a technological solution is a simple answer to this problem, when the problem isn't simple?
... requires a granular, nuanced solution

jmorris: isn't the process of standardization 90% of the time trying to keep things simple by balancing all the tweaks that people want to add?

tlr: any solution will be imperfect, but we're trying to find a scope that's a good balance somewhere

rigo: if we don't continue this dialog, the pain for both sides will be even bigger. we have to compromise.
... critics of P3P said that people could just ignore it, or just lie, but there are critics in the society and even in the US the legal system could address violations

Aleecia: what did you mean in saying that it's bad to put power in the hands of the users?

Datran: just mean that we shouldn't give them too much power, like requiring access to content

wuchou: how do you track support or lack of support? what kind of forensics do you use to determine that they don't honor the preference?

jmayer: we're working on enforcement stuff.

xxxx: it's a red herring to talk about bad actors; and the reputable companies won't violate the practice because if the database ever comes to light they'll get in so much trouble
... whackamole problem

AdrianBa: isn't that like saying "security is a really hard problem"? if it makes a difference now, why is that a bad thing?

xxxx: why wouldn't they evade it? you've declared war.

AdrianBa: it might be reasonable that a site detects that a user doesn't see an ad and so decides not to show content
... some market effects on choosing a good TPL

jmayer: response headers make it easier to measure
... and you could start blocking domains/cookies if a site doesn't use a response header
... could bring it under deceptive business practices for companies that respond with the header but don't follow it

ATT: Do Not Track is more a concern about recording of behavior, warehousing of that data, monetization in unexpected ways; today behavioral advertising is the most glaring instance, but won't be the only one

jmorris: +1, a good question

<fjh> +1

jmayer: some DAA members have already said that they'll continue to collect data under opt-out [scribe: did I get this right?]

ryan_adobe: web sites could just do whatever they do with an opt-out cookie; seems like a dangerous policy since opt-out cookie policies vary between players

AlexF: are we talking about danger to the user or danger to the business model?

Opt-outs, granular control and multiple mechanisms

Presenter: Frederick Hirsch, Nokia

fjh: in DAP, we're discussing issues beyond minimization (like how data is used or retained) and beyond advertising
... accountability is an encompassing theme
... benefits of defining a wire format -- enabling loosely coupled systems, evolution, simple testing
... Do Not Track is interesting, but more generally we could convey user intent
... how can we hold someone responsible if we don't have an opportunity to express our intent?
... have to have a way to express preferences about re-use, etc.

Presenter: Harlan Yu, CITP

harlan: Microsoft's submission suggests a universal header and universal DOM property
... but users may want to specify more granular cases, and we should assume that users will use it this way (as in the Abine extension)
... Q: in which cases is the DNT header difficult to process on the server-side?
... Q: how useful would a DNT DOM property be?
... it's hard to get a DOM property to accurately mirror the DNT header
... users may want to opt back in outside of setting the header
... that option could happen outside of the browser setting, actually inline on the web page
... dangerous because the browser might start showing the user that Do Not Track is in force, but many applications may consider the user to be opted back in, which would be difficult for the user to keep track of
... response headers could include an ack, just to confirm that intermediaries aren't altering
... and a second bit could communicate back to the browser whether or not the preference is being respected
... tell the browser I'm not respecting it because, for example, the user opted back in out-of-band
... could get much more complex as to what the server responds, but worth discussion

Presenter: Wu Chou, Avaya

wuchou: face more complex issues in the enterprise, too complex for the DNT and TPL proposals
... want to accommodate both user preferences and the enterprise's own tracking policies
... should these rules be enforced on the Web proxy?
... enterprise needs to be agnostic to particular browser implementation
... layered combination of enterprise policies and user preferences

Presenter: David DeLuc, SIIA

DavidDeLuc: SIIA's approach to Do Not Track, certainly agreement to consumer's opting out of collection of some data, we all agree on that
... industry-led, voluntary and enforceable -- I think there's a lot of agreement in the room on that
... economic harm element: preserve the economic model
... general agreement on carving out exceptions for the good stuff (analytics, fraud protection, etc.)
... I wouldn't doubt it if behavioral ads were 3 times as effective
... but the Web experience is importantly interactive
... need a lot of education around how things work, so they don't get freaked out
... people might actually like it if they realize that it's being used to help them
... "I think Do Not Track is off track"
... none of us want the Web to break

Presenter: Vinay Goel, Yahoo!

VinayGoel_Yahoo: publishers must be able to engage with consumers in the discussion
... consumers should have consistent tools across browsers
... hybrid solutions should include CLEAR Ad and Do Not Track
... Yahoo! believes that definition of track should be left up to policy focused groups, like CDT or self-regulatory groups
... DNT opt-out should be OBA opt-out
... users should be able to grant exceptions to DNT when it's turned on
... format would be based on domains (example.com) and could even subscribe to lists
... publishers should receive a signal when a third-party on their page is blocked

hannes: are existing proposals mixing policy and technology, and should they?

wuchou: follow the enterprise proposal first, only without it should fall back on the user preference

IanFette: response header is interesting but need to think about these responses at more than just a single HTTP request/response
... for example, at NYT.com the DNT request/response in question would actually come from the advertiser

BryanSullivan: the DOM flag should be on the window

fjh: work has been done by CDT in DAP on rulesets

xxx: I like the idea of a dialogue, because usually DNT sounds too inflexible, like an ultimatum
... maybe a protocol that has multiple phases, negotiation, dialogue

VinayGoel_Yahoo: we completely agree, publishers should be able to communicate the pros and cons of using their service

AndyPaypal: analogy to Caller ID, escalation about blocking caller ID, laws against spoofing caller ID, some sort of dialogue between the two about wanting to make an anonymous call

fjh: the phone company used to be a very centralized office, so the analogy may not be applicable

jmorris: push back on acknowledgement; 1) if there is an easy way for companies to declare that they are ignoring it, then they will simply do so and probably successfully avoid legal liability
... 2) an ack means that law enforcement will only pursue violations that include an affirmative ack

harlan: but there are some scenarios where a user can opt back in, and then you get into a situation where the browser can't accurately report your status

alissa: +1 on jmorris
... for people looking at negotiation, the more complicated the mechanism is, the harder it will be to define in policy-land

harlan: complexity is not ideal, but the out-of-band option may be unavoidable

<wseltzer> Is DNT Response an opportunity for user-provider dialog, or invitation to ignore user preferences?

VinayGoel_Yahoo: the idea of the cookies was to respond with whether the option is respected or not and why [?]
... exempt frequency capping, analytics, 1st-party advertising,

<AndroUser> VinayGoel_Yahoo -> vinay goel. Shane is out this week.

jmayer: using postMessage to communicate that a 3rd-party received a DNT

<karl> wseltzer, if the browser beeps all time the server replies "no no, we do not care about DNT", the user will remove the DNT preference.

jmayer: could put the opt-back-in control either in the browser or let sites do it themselves or...
... or a middle way [long explanation that the scribe didn't understand]

VinayGoel_Yahoo: yes, that sounds very similar to Yahoo!'s proposal

<wseltzer> karl, and then we're back to the market failure in privacy

ChrisHoofnagle: Do Not Call was not simple at all; Caller ID divided the privacy community as well
... all sorts of industry showed up saying that we need an exemption, the justification being that they would lose money
... what is the policy rationale for suggesting that Do Not Track == Do Not Track for OBA?
... is it just that your particular business model doesn't work?

<karl> wseltzer, yup. We are running around a bigger issue, which is data aggregation or/and centralization.

DavidDeLuc: maybe that was just because it seemed simpler to define

VinayGoel_Yahoo: we need to start somewhere

<karl> wseltzer, issues also with Web sites using features services (such as maps, commenting systems, photos, etc), used on many sites, and then which are used for profiling.

VinayGoel_Yahoo: start with something we've identified as a harm and something we can address

<wseltzer> karl, right. That suggests limiting dialog, to make it easy for a mass of end-users to express similar preferences easily,

harlan: the harm isn't online behavioral advertising, that's just the only visible case

<ianp> too bad nobody from wrapleaf is here

<wseltzer> then let regulators figure out the details.

xxx: when a company claims that they comply based on the icon, what level of compliance do they need to get that icon?
... what level of compliance does a company commit to when they claim to respect DNT?

David: this is a request that the user is making generally, but maybe this would be a good opportunity to explain why we're ignoring your preference (because I'm part of your enterprise, or because you've opted in somewhere else)

<wseltzer> is granularity the route to divide-and-conquer the users?

Related research

Presenter: Craig Wills, Worcester Polytechnic Institute

craigwills: 1st party sites are leaking to third parties
... sometimes explicit, sometimes implicit
... so it's not just about tracking, sites receiving private info
... how leakage occurs
... 1st parties embed info in URL
... page titles
... third parties masquerade as first parties (hidden)
... 1st parties pass info on to third parties (from forms)
... how leaks can be prevented:
... if you block requests, there's no leakage
... opt-out cookies do not prevent leakage
... target to fix the problem should be first parties
... first parties can be better about avoiding leakage

Presenter: Jens Grossklags

jens: disagreement about transparency as much as on definitional issues
... what info should be included in interface to user?
... what info is traded away and when
... what is the info used for?
... at what point can we claim to have achieved transparency?
... need to spend more time on this aspect
... few relevant research findings:
... material/immaterial tradeoffs: about how users trade off bundles of info about themselves, subject to different kinds of influences
... consumers have problems making decisions over time
... difficult to make a decision now about something that can change in the future
... again not talking about static decisions, but constant reaction and counter-reaction
... in presence of enticing features like good recommendations, consumers' preferences can be shaped
... consumers choose dancing pigs over security risks every time
... oink
... DNT interface challenges:
... not same as do not call list
... calls are invasions in privacy at home when users engaged in unrelated activity
... different from web browsing
... web context is more problematic from a behavioral point of view
... DNT is just another privacy tool
... how do users define composite privacy metric across all these different privacy decisions?

Presenter: Tom Lowenthal

lowenthal: paper was about nonconsensual forms of tracking
... problem we've been talking about is very narrowly scoped
... situation where user and site both agree to comply with some set of requirements
... does not encapsulate vast majority of online interactions
... sites are motivated to ignore user requests
... users should rely on their browsers using effective technical measures instead
... browsers can implement counter-measures, have incentive to do so because they're competing for users
... rather than hoping for consensus, we should hope that browser vendors can actually try to minimize info available to services
... browsers should act as the agent of the user and do what the user wants even if user does not understand
... we've been talking about granular mechanisms based on headers/cookies
... users will not understand these technical details
... browsers should ship with sensible defaults that users can change
... measures to include:
... act as an agent. user knows consequences of his actions -- which sites to share with, e.g.
... not just in realm of tracking, but other simple changes in browsers could be helpful, e.g., providing a shorter user-agent string
... doesn't impact usability but does impact privacy
... more effective privacy mode
... using more complex UI cues so users know which mode they're in, which elements on the page are getting their data
... certificate control: allowing broken certs should not be allowed
... sites should break in this case
... browsers have effective tools to help users control their information

MaryHodder: Everyone hinting at personal data auditors.
... Have had meetings with IAB and national advertising association. They think they could create model where users opt out without any auditing. What they want is for us to reverse engineer when there is a problem. When we discover that, we would report it. No consequence other than getting kicked out of self-reg program if they're in the program to begin with.
... Terrible scenario to end up in.

<fjh> is the reason auditing is standard practice in the financial, corporate and other communities due to the need for dispute resolution information etc

MaryHodder: In your model for the W3C version of DNT, what does auditing entail?

Tom: In my model users share minimal info to begin with. Don't want to have to audit them.

MaryHodder: What if data gets through anyway?

Lorrie: We will discuss this tomorrow.

IanFette: Take issue with characterization with last presentation.
... Browsers have been trying to solve this for awhile.
... We have incognito mode.
... The notion that we can have complex options page is not accurate. Fewer than 10% of users go to options, much less privacy page.
... If you try to go around ad industry, it's a big industry with large incentives. Some players are more ethical than others.
... When we make user-agent strings -- when Opera hit Opera 10, the number of sites that broke was huge.
... Not something browsers can hope to solve by themselves as a purely technical thing.
... Hundreds of ad networks are now offering a solution. Can argue merits of solution. But we're willing to talk about tracking and so on. Need participation from ad networks.

Tom: Agree with many things just said. You guys are working hard. Incognito is good but still needs work.
... Users should know what incognito does do and doesn't do. Great feature. Loads of other steps that can be taken. Can't make it go away with settings pages. But sensible defaults would help. Sites will work it out if browser changes break them.

AshkanSoltani: Difficult to ask only the browsers to do things. Good incentives to circumvent, so there's an arms race.
... If you start doing all these things in the browser you start breaking things. If you go after only certain sites, asking browser to decide between sites. Have this for malware but for privacy we hit Jens' issue: consumer not good at making decisions in that case.
... Monopoly issues if Google starts blocking Facebook
... Smart defaults necessary.

BryanSullivan: On question of if sites will overcome browser changes that break functionality.
... Especially problematic in mobile with platform variation. Customization necessary even on desktop.
... Very dangerous to tinker with UA header.

RigoWenning: With P3P tried to achieve sensible way to deal with cookies.
... If you call out the browsers to compete over tools, it may break things. Do we need more standardization so sites can adapt?

Tom: Standards make this really useful. If we had better standards for pages we would have less variation, wouldn't need user-agent string.
... Standards good until they restrict innovation/competition.

Jens: Relates to Ashkan's comment. What actually leads to situation where consumer or browser has decidable problem?
... More standards means set of options is reduced which helps to make decisions.
... Decision about tracking is not always a decidable problem.
... Need some heuristics at some point.
... Standards related to methods of auditing lead to other problems. Moral hazard paper by Ben Edelman -- only good actors seek certification.
... Deirdre Mulligan also notes race to bottom from certain kinds of regulation.

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2011/05/09 15:50:59 $