01:29:25 lowenthal has joined #w3cdnt
01:38:52 rpacker has joined #w3cdnt
02:13:59 npdoty has joined #w3cdnt
02:23:15 fjh has joined #w3cdnt
02:51:07 dsinger has joined #w3cdnt
03:13:31 lowenthal has joined #w3cdnt
13:11:44 RRSAgent has joined #w3cdnt
13:11:44 logging to http://www.w3.org/2011/04/29-w3cdnt-irc
13:11:58 RRSAgent, make logs public
13:12:48 lowenthal has joined #w3cdnt
13:12:52 Meeting: Web Tracking and User Privacy Workshop - 29 April 2011
13:13:13 rigo has joined #w3cdnt
13:22:05 jmorris has joined #w3cdnt
13:25:13 Serge: UI is critical, and study of UIs for informed consent.
13:25:41 user decisions change when shown the low-level detail that will be shared
13:27:25 Q: How do we show users both sides of the tradeoff?
13:27:49 Ian: and how do we show users the impact of their decisions over time...
13:28:31 Serge: avoid browser detritus
13:29:18 Nick Doty: flexibility of implementation vs consistency of UI?
13:30:44 Ian: Security is often not the user's primary objective. Rather, to pay bills, etc.
13:31:14 tlr has joined #w3cdnt
13:31:32 Lorrie: P3P implementers often cut and pasted from the spec, not human-readable
13:31:57 ... the WG should spend some time thinking about implementation UI
13:33:06 Serge: Since the user is the audience for privacy controls, we need study, to focus on users' response
13:34:27 Hannes: Facebook has incremented its privacy options over time, standardization taking years of study doesn't
13:36:17 [Can study be concurrent, rather than blocker?]
13:37:26 Helen Nissenbaum: get informed consent when you're going to violate user expectations
13:37:54 bryan_sullivan has joined #w3cdnt
13:38:02 AndroUser has joined #w3cdnt
13:39:32 Ian: We can't just stick with initial expectations. How to show them the value ads may provide?
13:40:35 XXX MSR: instant preview of difference between view with and w/o tracking - split-screen?
13:42:27 Ian: Dynamic equilibrium. Situation will change if ad-block goes from 5% to 95%
13:43:54 Andy: UI standards are incredibly difficult [crowd agreement]
13:46:44 Jonathan Mayer: align the incentives. e.g. if you start with opt-out, FB has incentive to get the user to opt back in to "Like"
13:48:34 Jules: think about the economic context of adoption
13:48:44 npdoty has joined #w3cdnt
13:50:03 Did Jules just compare privacy-concerned individuals to the Tea Party?
13:50:52 tlr has joined #w3cdnt
13:52:13 Links to WAC's definition of W3C POWDER extensions in "WAC 2.0" (http://specs.wacapps.net/2.0/feb2011/), to address developer disclosure of device API and private data usage: "Privacy Considerations for API Usage" http://specs.wacapps.net/2.0/feb2011/core/widget-security-privacy.html#toc-security-privacy-api, "Privacy Considerations for Device Property Access"
13:52:13 http://specs.wacapps.net/2.0/feb2011/core/widget-security-privacy.html#toc-security-privacy-property-groups
13:52:43 fjh has joined #w3cdnt
13:54:47 alissa, trying to point rigo your way with the mic
13:55:42 crowdsourced mic direction...
13:57:58 tlr has changed the topic to: W3C Workshop on Web Tracking & User Privacy | Car & cab sharing wiki: http://www.w3.org/wiki/PrincetonArrivalsAndDepartures
13:59:37 wikipedia - "Moral hazard occurs when a party insulated from risk behaves differently than it would behave if it were fully exposed to the risk"
14:00:06 npdoty_ has joined #w3cdnt
14:00:09 Karl: A user knows he's gained weight by looking in the mirror. How can we put mirrors into the browser?
14:00:29 in other words, moral hazard is when you don't have the consequences, e.g. make a risky investment but are covered in case of loss etc, so I'm not sure I understand how this is applicable to trust seals - a party can still be liaible
14:00:31 wonders if the comparison with disabling cookies is a red herring; when I disable cookies, I do something technical that is not immediately obvious to web sites (though they can test it); web sites that don't test may fail in weird ways, long after I set this. DNT is not like that; it's a request *to the site* and if it has negative consequences they can explain it (and ask permission to override) if needed
14:00:39 s/liaible/liable
14:04:52 rpacker has joined #w3cdnt
14:05:55 AndroUser2 has joined #w3cdnt
14:18:00 ianp has joined #w3cdnt
14:35:35 ianp has joined #w3cdnt
14:37:14 jmorris has joined #w3cdnt
14:37:57 rpacker has joined #w3cdnt
14:39:18 jeff has joined #w3cdnt
14:39:59 npdoty has joined #w3cdnt
14:40:11 bryan_sullivan has joined #w3cdnt
14:40:12 fjh has joined #w3cdnt
14:40:16 adrianba has joined #w3cdnt
14:40:45 fjh has left #w3cdnt
14:42:43 Jules: opt-out rates below 1%; business shouldn't fear a usable opt-out
14:43:46 ... distinguish behavioral from measurement, because lots of industry depends on measurement.
14:44:31 Kevin Trilli, Truste: "There's not all bad companies we certify"
14:45:22 AndroUser has joined #w3cdnt
14:46:53 ... Compliance certification. How does an external party know what's happening?
14:47:37 ... Additional elements of transparency needed. Audit; show profile to users; map to consumer expectations.
14:48:48 ... and companies should be given a chance to get users' trust.
14:50:11 Evidon: We're competitors, but here we're working together to build a standard.
14:51:59 ... Transactional transparency; relevant information; meaningful choices
14:53:47 Gil Resh, DoubleVerify: behavioral targeting can happen at lots of places in the ad chain
14:54:02 vincent has joined #w3cdnt
14:54:13 ... risk of inadvertently misleading end users
14:54:54 [Really? then networks should audit clients and statements more carefully]
14:56:49 Gil: opt-out generally intends to leave all behavioral advertising, not per-network
14:57:17 Jonathan Mayer: NAI says opt-out is opt-out of being shown behavioral ads only -- that's not what users want/think
14:57:33 ... any chance for self-reg to get closer to user prefs?
15:01:36 Jules: there might be some minimization you could do, but for the most part collection is mostly the same for ad delivery / measurement as it was for behavioral
15:02:22 Aleecia: users aren't just worried about the ads that appear, but definitely about collection
15:02:52 ... Users would be just as concerned about analytics
15:03:20 ... Will feel betrayed if just as much data is collected but used differently
15:07:06 Jules: you scare a lot of industry folks at the table when you start talking about no collection at all
15:09:19 sudbury has joined #w3cdnt
15:11:40 Gil: should group companies into those with oversight and those without oversight, any other granularity will be indecipherable to the user
15:25:49 all I need of data retention periods is that they are shorter than the time to your next security leak (or other negative consequence) :-)
15:26:57 Jules: it's a shame that IAB/DAA didn't take on retention periods, but maybe someone should
15:27:59 ... Concern by companies about flexibility because if they make a statement today, they're locked in because the FTC might consider it a material change
15:28:37 ... So would prefer to have it defined at a self-regulatory group that could make some reasonable changes later to their policies
15:31:02 lowenthal has joined #w3cdnt
15:31:08 Kevin: consumers think that once the toothpaste is out of the tube, that's it
15:31:58 Lorrie: do we need regulation in addition to self-regulation, and if so, how?
15:32:54 Evidon: is there room for a 2-way body for reporting companies that use particular practices or abuses? Yes.
15:33:15 KevinTrustE: good place for a whitelist.
15:35:51 lowenthal has joined #w3cdnt
15:38:29 "Throw some people over the bus, or off the ship"
15:39:30 Evidon: we need increased pressure for companies to join these self-reg programs.
15:39:56 something... about buses... or throwing. do mean things to them, that's what i'm trying to say
15:41:34 SamuelsonClinic: lots of weasel words in description of terms make it unclear what is specifically intended
15:43:04 ... Consent is not just binary, you commonly give some limited consent based on the context
15:43:05 wseltzer, guarantee: better than whatever is for lunch
15:43:18 tlr has joined #w3cdnt
15:44:30 ... Why don't trade alliances outlaw anti-circumvention techniques, like respawning?
15:45:10 rigo has joined #w3cdnt
15:45:17 npdoty has joined #w3cdnt
15:45:50 EdFelten: from the FTC, but not speaking for the FTC or any particular commissioner
15:46:23 1/ is it universal, would it cover all trackers?
15:46:34 2/ is it usable?
15:46:44 3/ is it permanent?
15:47:04 npdoty_ has joined #w3cdnt
15:47:14 4/ does it cover all tracking technologies? Can questions of compliance be addressed?
15:47:38 5/ does it control collection instead of opting out of some use?
15:47:43 Ed's slides: http://www.w3.org/2011/track-privacy/slides/Felten.pdf
15:48:01 ScribeNick: npdoty
15:48:19 EdFelten: we are a law enforcement agency, authority granted by Congress
15:48:41 ... sometimes get specific authority, as in Do Not Call where a law was passed by Congress
15:49:08 ... sometimes a general authority, as in the FTC Act, enforcement power against unfair and deceptive acts in commerce
15:50:04 ... deceptive: if a company makes a firm promise not to do something, and then does and a consumer is harmed as a result [npdoty: I don't think harm is important in deception cases], then that would be against the rules
15:50:29 ... does have implications for a self-regulatory setting, FTC might be interested in deviations from that code of conduct
15:50:50 ... speaking for the agency, FTC has not taken a position as to whether a new law is needed for Do Not Track
15:51:07 ... would be happy to see stakeholders agree on some reasonable arrangement that is mutually acceptable
15:51:17 ... might get a good outcome for consumers without a law or rulemaking
15:51:31 ... people are watching (including people in Congress) to see whether that will happen
15:52:11 ChrisSoghoian: academic and activist, no longer at FTC
15:52:38 csoghoian: security and fraud exemptions that have been proposed could be the exemption that swallows the rule
15:53:28 ... Yahoo! kept a separate set of logs for security and fraud, which were not subpoena-proof, so for those concerned about government access this is a considerable problem
15:53:51 ... security and fraud exemptions always seem like a reasonable idea because who wouldn't want that?
15:54:08 ... but many of these are 1st-party, and so wouldn't be under the scope of DNT anyway
15:55:04 ... click-fraud, for example, is related to clicking on an ad, which should count as a 1st-party interaction
15:55:34 ... so the remaining issue is impression fraud
15:56:08 ... somehow, however, ad networks are detecting impression fraud for people who delete cookies, or people who use Apple browsers that block 3rd-party cookies by default
15:56:35 ... why shouldn't DNT users get at least as good or better protections than people who buy something from the Apple Store?
15:57:03 ... ad networks sound like national security, arguing that there can't be transparency for fear of tipping off the bad guys
15:57:46 ... secrecy is hiding things that would otherwise be laughable if described publicly
15:58:11 AndrewPatrick: from the Office of the Privacy Commissioner of Canada
15:58:38 ... web trackers are currently breaking the law (with an asterisk)
15:58:53 ... "law*"
15:59:30 ... at least breaking Canadian laws
15:59:50 ... mostly the 3rd-parties (though perhaps 1st parties are breaking the laws as well)
16:00:46 ... "information about an identifiable individual"
16:00:56 ... IP address and cookies, therefore, can be personal information
16:01:12 ... don't believe the people who say that they're doing anonymous tracking, which is difficult or perhaps impossible
16:01:35 ... just stripping identifiers doesn't go far enough
16:01:44 slides: http://www.w3.org/2011/track-privacy/slides/Patrick.pdf
16:02:00 ... consent is not enough: corporations have responsibilities in addition to just getting consent
16:02:12 ... have to specify the purpose before the time of collection, openness, transparency
16:02:29 ... Do Not Track proposals, while laudable, don't address the problem
16:02:52 ... and could make things worse by letting the trackers off too easy, by claiming that this is the only thing they have to do
16:03:29 RobvanEijk: from the Dutch Data Protection Authority, but speaking for himself
16:04:07 ... May 25th deadline for the ePrivacy directive implementations
16:04:26 ... if US companies are targeting EU citizens, then EU data protection law applies
16:04:53 ... EU privacy directive, been around for at least 30 years
16:05:10 ... a new such directive is under discussion
16:06:10 ... Article 7 is the core of how privacy works in Europe
16:06:51 ... you can process personal data, but if so you need to at least have a legitimate interest balanced against the concerns of the user
16:08:05 ... proportionality: is it necessary to collect all the data I'm collecting? can I accomplish my goal in another way, with less data?
16:08:50 ... in addition to the legitimate interest, companies may fail the condition of having taken into account the rights of the user
16:09:22 ... a lot of different stakeholders involved, but everyone uses different terminology, it would be good to re-use some of the existing terminology
16:11:11 TimLee(CITP): sounds like things under consideration are already potentially illegal in these other countries: is what Facebook is doing today already illegal under these laws?
16:11:53 AndrewPatrick: already illegal today, and I think we've moved Facebook a long way, for example in how they handle disclosure of data to 3rd-party apps
16:12:52 IanFette: contra to csoghoian, you would still need to collect IP addresses for fraud of impressions
16:13:51 csoghoian: you can get by without retaining data
16:14:14 IanFette: but it's more complex, you still need to retain data about IP addresses, for example
16:15:07 DwayneBerlin: (first to admit to being a lawyer), the FTC has already spoken on tracking in the Sears case
16:15:35 ... very broad, speaks to the deployment of any technology that tracks the user's activity on the Web
16:15:58 ... unusually detailed about the form of the disclosure (not in the privacy policy or terms of use), relying exclusively on the informed consent model
16:17:39 RRSAgent, make minutes
16:17:39 I have made the request to generate http://www.w3.org/2011/04/29-w3cdnt-minutes.html karl
16:17:48 csoghoian: the facts of the Sears case weren't about online tracking, but a program/plugin that users download and install and which tracks
16:18:22 DwayneBerlin: but I'm not sure that was the limitation of the coverage of that rule
16:19:17 FTCLawyer: Sears is about burying a disclosure being a deceptive practice, which applies beyond a specific technology
16:20:35 asoltani: if a consumer disabled DNT in order to watch The Daily Show, would that count as affirmative consent for even more invasive practices? would this actually make it worse, as opposed to baseline regulations?
16:21:19 AndrewPatrick: if the failure to activate DNT counts as acceptable, that definitely lets them off too easy
16:23:33 HelenNissenbaum: would the FTC agree that the burden is on you to show that you're complying? is that within the power of the FTC?
16:24:24 EdFelten: we could have a conversation about how such a regime might work and then if the FTC as a body decided they wanted to do that, the FTC would still have to decide whether they had such an authority or whether Congress would need to give them that authority
16:24:55 s/FTCLawyer/Peder Magee, FTCLawyer/
16:25:05 ... auditing or reporting requirements (in other contexts) do often enable improved enforcement
16:26:13 csoghoian: when companies get to choose who audits them, you get really bad audits, as in Enron or Moody's
16:29:43 Bill(U_of_M): policy makers not attuned to adoption issues; fuel efficiency standards or E911 as examples
16:30:13 AndrewPatrick: should really be as technology-neutral as possible
16:30:55 EdFelten: right now there's a vigorous and healthy discussion going on about how DNT works
16:31:08 ... it could easily be counterproductive to dictate at this point what solution makes sense for the stakeholders
16:31:29 ... Congress might act at some point to get the FTC to take a more specific position
16:31:44 ... right now it's good for the FTC to be involved in the discussion and foster the discussion by the stakeholders
16:33:37 RigoW: it's really difficult when regulators are ignoring the technical community and discussing their thing in their corner and wondering why their law remains pure fantasy
16:34:00 ... at the same time, the technology community often doesn't give due respect to those societal values
16:34:22 ... W3C has some track record in getting this discussion to happen, but W3C won't put forward an opinion itself
16:34:52 EdFelten: FTC definitely isn't ignoring it, given that people are here
16:35:12 RigoW: yes, that's why this discussion is happening (contra the past)
16:35:21 csoghoian: it's a huge improvement over years in the past
16:36:05 DaveSinger: if law enforcement will mandate retention, will limiting retention on the consumer side matter at all?
16:37:11 RobvanEijk: this problem may be addressed in the EU because the Privacy Directive will cover law enforcement as well
16:38:05 csoghoian: FTC has concluded that privacy policies aren't read and privacy-by-design is valuable, while DoJ and FBI take contrary positions (reasonable expectation; encryption off by default)
16:39:31 jmorris: should there be an ack or an agreement response header? if it were a one-way transmission and a company regularly ignored it, would that be enough to warrant a legal action? what do we have to do to get the FTC to use its unfairness standard? would an industry best practice that isn't followed be enough?
16:40:09 AndrewPatrick: even if they do acknowledge, there are still other obligations that they have
16:41:44 EdFelten: unfairness is a complicated question; it does matter whether something is considered a best practice or whether the practice is widely followed
16:42:41 csoghoian: since deception is so important, I like the idea of a hook for FTC
16:43:16 ... also an interesting idea that whitelisted tracking (for TPLs) that had the string "no-tracking" or "no cookies", which might be a hook for deception
16:44:19 Jules: want to push back on the idea that the companies that have been doing this for 10 or 15 years have been breaking the law
16:45:59 ... in EU, by arguing that it's not personal information, they may have avoided even taking the steps towards a link for opting out since there is a law
16:46:46 ... express consent opt-in for cookies is heading for a clash unless we get something like DNT to count
16:47:56 RobvanEijk: if you'd like to know what's going on, you should be able to get a signal
16:48:21 Lorrie: what kind of time frame is the FTC observing this process?
16:48:50 EdFelten: it doesn't quite work that way; there may come a time where the leadership of the FTC decides that we need a more assertive strategy, but there's no fixed deadline as far as I know
16:53:27 jeff has joined #w3cdnt
16:56:41 AndroUser2 has joined #w3cdnt
17:13:54 sudbury has joined #w3cdnt
17:45:20 sudbury has joined #w3cdnt
17:49:57 sudbury has joined #w3cdnt
17:52:37 jmorris has joined #w3cdnt
17:54:55 jeff has joined #w3cdnt
17:55:01 karl has joined #w3cdnt
17:55:57 alissa has joined #w3cdnt
17:58:32 npdoty has joined #w3cdnt
17:58:51 ScribeNick: npdoty
17:59:32 wseltzer: transparency as part of FIPPs
18:00:20 rpacker has joined #w3cdnt
18:00:38 tlr has joined #w3cdnt
18:00:52 ... if you don't get feedback from the server about whether you really aren't being tracked
18:01:16 ... but could still at least be audited on the server side.
18:02:02 ... visibility: showing info back to the user (as in notification icons proposed by self-reg) if they drill down into it
18:02:22 AndroUser has joined #w3cdnt
18:02:40 ... TPLs give active feedback to the user, so the user can adapt their behavior to what they get from the server
18:03:06 I'm personally not aware of the active feedback that comes from an applied TPL
18:04:36 wseltzer: if we have to call in the heavy hand of the law, we get less flexibility.
18:05:28 ... TrustE has modified their TPL in response to feedback about having too many whitelisted domains: a helpful feedback loop.
18:05:56 SueGlueck: Senior Attorney, Microsoft
18:06:13 Topic: Tracking to Consensus; Coordination of Policy and Technical Standardization in Web Privacy Efforts
18:06:41 jmorris has joined #w3cdnt
18:06:57 SueGlueck: what do we actually want to standardize and how do we want to go about doing it?
18:07:24 ... Poll: do you do policy kind of work on weekdays?
18:07:53 ... Poll: have you also participated in significant standards work?
18:08:44 ... Poll: are you a technologist? [Lots.] Poll: and you have been involved in a policy standard? [Many hands go down.]
18:08:59 ... an interesting ride working through policy issues in a technical standards body
18:09:54 ... what should be standardized? My list: Tracking Protection [Lists] as one more choice
18:11:32 ... which standards bodies have the most experience working through policy issues? Would this be in the scope of the charter of IETF?
18:12:04 ... because browsers have started to implement DNT header, the clock is ticking and we need to get this done
18:12:15 ... we should identify the stakeholders
18:12:46 ... global nature of the web (given the earlier presentation on legality in Canada/EU)
18:12:47 ... There are also countries without any legal frameworks, the Web is happening anywhere.
18:13:04 AlexF: why standardize? what should get standardized? should standards groups define policy?
18:13:20 Topic: why standardize? what should get standardized? should standards groups define policy?
18:13:40 Consumer/User values: what does that mean in the DNT system?
18:13:40 AlexF: find consensus; define outcomes; make it enforceable
18:13:47 ... Consumer/User values: what does that mean in the DNT system?
18:14:31 ... What should get standardized? On the table: TPL, DNT Header, DOM property, response header, whitelisting capability, compliance audit perspective
18:14:34 ... (graphs of the different parts that should be standardized)
18:15:01 ... should standards groups define policy? we DO have the expertise, in the W3C those with expertise are eager to get involved
18:15:11 ... We do have the expertise, but not enough stakeholders.
18:15:27 ... we DON'T have the full range of stakeholders, including some of the display advertising folks, for example
18:16:16 ... joint (with Stanford) submission to the IETF for the DNT header, defining syntax and semantics of the header and the response -- this is a DRAFT
18:16:29 ... (few points from the position papers)
18:16:32 ... See http://www.w3.org/2011/track-privacy/papers/mozilla.pdf
18:16:34 ... TPLs are independent from DNT header/DOM element
18:16:54 ... feasible efforts for work across W3C and IETF
18:17:22 ... public forum, need to have public participation, so that we can bring in the ad networks / display ad ecosystem and have their buy-in and input
18:17:39 ... The tracking protection in the DOM element should be done at W3C
18:17:50 ... so we propose W3C cover TPLs and DOM, while IETF covers HTTP header and corresponding pieces
18:17:51 ... and the corresponding pieces at the IETF
18:18:31 PeterSaintAndre: I do not speak for IETF
18:18:52 PeterSaintAndre: we work based on rough consensus and running code
18:18:58 ... anyone can write a proposal, IETF has a very open process.
18:19:03 ... a very open process, anyone can participate
18:19:06 ... we value freedom of speech
18:19:08 ... people feel very free to speak
18:19:24 ... got lots of vocal feedback at Prague
18:19:50 ... whether everyone will show up is an open question, have to corral them sometimes
18:20:06 ... there has been a good relationship between W3C and IETF
18:20:07 ... division with W3C: IETF has tended to do HTTP protocol while HTML/XML etc done at the W3C
18:20:24 ... open question of the right place is where to do this work
18:21:12 ... IETF is structured into working groups, multiple streams, including IETF working groups or individual submissions, enter into RFCs
18:21:40 (next IETF meeting: http://www.ietf.org/meeting/81/index.html Quebec city, Canada, July 24 - 29, 2011)
18:21:43 ... a lot of similarity in how things work between IETF/W3C, advantages and disadvantages
18:22:13 ... at IETF, no consensus or decision yet on whether to take on this work or decide where it should be done
18:23:11 Jmayor: how do IETF and W3C cooperate?
18:23:13 jmayer: historically, how have IETF and W3C collaborated?
18:23:32 tlr: historically had joint working groups
18:23:57 ... now prefer to carve out which pieces can be done where and then have a liaison relationship on how to coordinate
18:24:23 ... a good working relationship, which functions well when there's a good interface defined between work items
18:24:52 PeterSaintAndre: the relationship has improved over the last few years
18:25:00 PeterSaintAndre: things have gotten better as we've had more overlap in people, people getting involved as individual participants on both sides
18:25:34 dsinger: DNT is HTTP header so IETF, but it is also user management, policy
18:25:40 DavidSinger: on the one hand, I think HTTP header so should be IETF, on the other hand, I think because it's about state and about users which seems like W3C
18:25:41 ... which is IETF usually.
18:25:52 PeterSaintAndre: yes, that's why it's challenging
18:25:55 s/which is IETF/which is W3C/
18:26:34 Shawn: why split it between the two?
18:27:20 AlexF: very different user experience of the TPL and DNT
18:27:21 alexF: my understanding is that there are strong differences between the TPL and DNT Headers.
18:27:32 ... more stakeholders we can bring in on advertising would increase success
18:28:35 jmayer: as a technological matter, TPLs are relatively straightforward in how we understand them, whereas the meaning of the header requires much more standardization
18:29:09 SueGlueck: it's not intended as an ad blocker, curated lists for blocking tracking
18:29:23 ... which could be advertising or some other form of blocking
18:30:22 ... the struggle around the header is about defining what tracking means, is the IETF better for making these policy decisions
18:30:27 ... ?
18:30:44 PeterSaintAndre: working groups have done work with policy implications, like GeoPriv
18:31:11 ... policy decisions about tracking might not be defined in a technical standard at all
18:31:16 s/... ?/What are really the differences? IETF-W3C? why one better from another one/
18:31:37 ... tracking might be a different thing in the EU and Canada
18:32:23 csoghoian: browser vendors are apparently implementing before any formal standardization spec
18:33:01 ... technology companies are implementing it before an agreement while the advertising companies are deciding to wait
18:33:33 ... since Microsoft is both, why isn't Microsoft's ad business respecting the header?
18:33:49 SueGlueck: chicken/egg problem
18:34:12 ... clock is ticking both because we have implemented the header in our browser and because the FTC and other regulators are putting pressure on it
18:34:27 AndroUser has joined #w3cdnt
18:34:27 ... does lead to some uncomfortable choices because we own an ad network
18:34:45 ... do think it's a good forcing function for us
18:35:09 AlexF: HTML5 is another example of browsers leading before a formal specification
18:35:43 AlexF: browser movement does change the discussion from theoretical to concrete
18:36:32 karl: usually work is done in one forum rather than the other because the interested people are there
18:36:37 ... there's no strong sense of competition
18:36:44 ... lots of overlap in both organizations
18:36:57 ... differences are in patent practices, forms of working
18:37:09 ... depends on the competencies of the people engaged in the work, that's the main difference
18:37:40 ... it happens all the time that browsers implement something in a sort of beta form to see if it works before working together to standardize
18:38:33 PeterSaintAndre: that's why IETF believes in rough consensus and running code, sometimes one comes first, sometimes the other
18:39:32 JohnMorris: I'm skeptical that be w3c or ietf
18:39:36 jmorris: my personal assumption is that I'm skeptical that an IETF WG or W3C WG is the right place for the meaning of tracking to be resolved
18:39:58 ... the meaning of tracking will be well defined in these fora
18:40:39 ... TPL and DNT header could be done in separate working groups or at least separate workflows, so that debates over one won't slow down the other
18:40:47 ... I would hate battles over one piece of technology slowing down the other ones.
18:41:03 tlr: what are the timelines for this work to be done, and how do we match up the work on those timelines?
18:41:38 view from the front of the room: lots of glowing apples
18:41:51 WuChou: DNT HTTP header in IETF makes sense since IETF covers HTTP protocol
18:42:23 ... good to do TPLs through W3C since it's most likely to be described through XML
18:42:53 tlr: HTTP headers are one of the well-defined extension points so that other groups can standardize them and then have them approved by IETF
18:43:33 PeterSaintAndre: Joint WG last call, coordination, are part of the processes to have appropriate reviews
18:43:36 PeterSaintAndre: can ask for review from HTTP experts at the IETF, or get last call review at the IETF
18:44:37 jmayer: could we have advisory work in the standards body, help from the technical community to a federal agency that's looking at regulation. does this seem sensible, or is there history of this?
18:45:19 hannes: in emergency services, there was a question about how the technology works, and standards group provided information to FCC
18:45:56 ... FCC has requirements on location accuracy (different in different jurisdictions), and so the technical standard needs to support the strictest such requirement
18:46:52 tlr: can a standards body organize a forum for discussion between technologists and regulators? interest groups are one way to do that, a public discussion that can be managed by chairs and staff
18:47:42 alissa: different standards bodies require different numbers of existing implementations; in W3C you generally need 2 in order to reach a final recommendation, in IETF it varies by the level of standard
18:48:13 jeff has joined #w3cdnt
18:48:38 (session closed)
18:49:01 (we will be using the blackboard)
18:49:05 Topic: Switching to the chalk board! with tlr and Lorrie
18:49:56 I've been impressed with the diversity of views at this workshop; does anyone know what the breadth of participation has been like at IETF, at Prague, for example?
18:50:58 lfc: definitions include all-tracking, oba-tracking (as in opt-out cookies, just behavioral targeting), middle ground (CDT, EFF, etc. definitions with exceptions)
18:51:41 ... how much consensus is there around schools of thought
18:51:42 ... are people willing to proceed in the process even if the definition isn't the one that they most like?
18:52:21 (laughing about doing a show of hands or a hummmm)
18:52:27 ... what would your first choice be out of these three choices?
18:53:40 Each approach got some hums
18:54:05 a longer or a shorter hmmm
18:54:13 hmmmmmmmmmmmmmmmmmmmmm
18:54:15 hmmm
18:54:18 hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
18:54:20 :)
18:54:32 let the record show that nobody hummed to say that the CDT definition is unacceptable for work
18:56:07 tlr: working groups are for the purpose of negotiating between the participants about the technical and sometimes policy decisions
18:56:21 ... could also have an interest group as a forum for additional discussion, including future work
18:56:31 ... W3C is prepared to run and staff a Working Group
18:57:00 ... we have limited time, some questions that need to be resolved relatively quickly in a way that's visible and accountable to the public
18:57:49 ... I have heard that we need a process that will address several of these questions within a set time, and if that doesn't happen then we need to accept that maybe there is no consensus on this particular topic
18:58:16 whatever we do needs to be time-limited and tightly-scoped
18:58:27 tlr: whatever we do needs to be time-limited and tightly-scoped
18:58:37 ... what is that scope and that timeline?
19:00:20 karl: Incubator Group (very time-limited) good for documenting the state of existing work, definitions of terms, conclusions about next steps
19:01:44 jeff: I don't think we should plan for failure, we should set a scope that can be done in a year and then do it
19:02:35 ... would hate to only have an Incubator Group out of this, I think it's important that we move quickly on whatever we do
19:03:20 ... regarding criticisms of W3C openness: we make extensive use of Invited Experts in order to ensure that we get stakeholders involved even when not members
19:03:34 tlr: +1, that's part of our job as staff
19:04:22 alissa: via asoltani, hard to define the scope and timeline differently; if the scope is very small (bits on the wire) can do it quickly, with a larger scope it will take longer
19:05:14 DavidSinger: we have got to do something soon for Do Not Track, within the year; we need to make it quite obvious that this is not the only problem
19:05:28 ... need an Interest Group to consider privacy problems on an ongoing basis and spawn specific projects as necessary
19:06:28 Aleecia: given that there are implementations already, we are already late. it takes at least a year to define what tracking means, get a consensus, etc. but there's a value in a beta definition to be out in the very near term
19:06:41 ... and then have a full process on the definition that takes as long as it takes
19:06:57 ... beta definition should be within 6 weeks
19:07:55 jmayer: skeptical that we can get full consensus on Do Not Track meaning (to the level that W3C and IETF usually use)
19:08:12 ... but can get consensus now that just not-targeting-ads isn't sufficient
19:08:30 ... and that there's a clear definition now, so at least there's a process for airing your grievances
19:08:50 ... bad for everyone for people to continue to say that they don't know what Do Not Track means and as a result won't respond to it
19:09:45 tlr: want to build a process that can handle disagreement and find the points that have broad consensus and address objections
19:11:08 Bryan: look at this from an ecosystem perspective and the various entities, what are the parties and how does this affect them?
19:11:57 vinaygoel: I think W3C/IETF should focus on the technical and leave the policy decision up to other groups (including self-regulatory groups)
19:12:32 ... there is low-hanging fruit or easy consensus to get DNT as meaning OBA opt-out
19:13:08 xxx: +1 on an interest group for ongoing
19:13:56 http://tools.ietf.org/html/draft-mayer-do-not-track-00
19:14:06 there is already a draft for the DNT header
19:14:11 ... need some consensus on the definition before we expect to make a significant impact
19:15:03 asoltani: need a process for defining both technical standards and definitions
19:15:49 ... there are a few bills: a California bill, some in DC, etc., that's one limit on the timeline
19:16:31 csoghoian: pushback on Yahoo! (vinaygoel), people in DC would pat themselves on the back if we agreed on that, but we actually only get one shot now until 10 years from now
19:16:51 ... ad networks know this, so want to make this not very useful now so that the pressure will be off
19:17:19 harlan: how do we know when we have consensus? tlr: it depends.
19:18:15 tlr: it's the skill of the chair so sometimes there are no major objections, but in contentious issues you can use things like a hum or a vote
19:18:33 ... the chairs are particularly important because they will lead the way to consensus
19:19:36 ... W3C has the process of Formal Objections for cases of vehement dissent, an appeal to the director TBL
19:20:05 Peter: IETF has similar processes; rough consensus doesn't have unanimity, but if you vehemently disagree you can appeal
19:20:11 ... +1 that the chair is very important
19:20:57 alissa: DAA members aren't here, and they need to be in whatever room the definition is decided on
19:21:26 http://lists.w3.org/Archives/Public/ietf-http-wg/2011AprJun/0133
19:21:45 ... legislative season ends in the fall, so would recommend an extremely quick technical spec with little definition
19:22:43 jeff: I'd like to get something done soon
19:24:10 ... is there a policy definition that can be defined in the very short term that is a good one?
19:25:25 DavidSinger: is OBA opt-out just the same as tracking everything but not building a profile?
19:25:54 vinaygoel: no, OBA opt-out means collecting data for some purposes (measurement, etc.) but not building profiles
19:26:04 lfc: that's not the official OBA definition, that must be a new one
19:27:14 karl: jmayer has already submitted a draft in March, it's there, push it!
19:28:15 ...
see http://lists.w3.org/Archives/Public/ietf-http-wg/2011AprJun/0133 19:28:33 jmorris: on behalf of CDT, CDT is actively thinking about whether they can handle a policy process like this, which would be a possibility 19:29:24 aleecia: (this might not be a good idea, but,) could at least come up with a basic user communication a la: "hi, I see that you have a DNT header turned on, here's what it means for this site" 19:29:26 s/behalf of CDT,/behalf of CDT and without making any predictions or commitments/ 19:30:56 Shawn: we would really need the W3C to come out with prescriptive rules about what you have to do in response to the header 19:31:10 AlexF: really need a definition on 1st party vs 3rd party 19:31:40 ... from a Mozilla perspective, we are coming up with an implementation guide for what servers should do 19:31:46 ... this could be an incubator 19:32:34 Andy: what about reducing the scope? (concerned about having exemptions for fraud/security) 19:33:04 ... if those are exempt, I don't need to participate as much 19:34:08 DavidSinger: response headers or responding with consequences from the site sounds good; supporting Aleecia's suggestion 19:34:50 asoltani: don't want to add more confusion 19:35:50 Yahoo!: http://aboutads.info/choices in particular the bottom of the page 19:36:26 Evidon: need more research projects 19:38:01 jmorris: a beta definition that changes later might upset users about things changing underneath them 19:38:30 vinaygoel: without granular control, users might opt out completely instead of just opting out of brands they don't trust 19:39:01 csoghoian: but consumers don't have the time to opt out of every single brand 19:39:18 ... and haven't heard of any of these companies (ad networks) 19:40:20 vinaygoel: what I mean instead is that if Yahoo! requires them to opt back in (a quid pro quo), they should be able to opt back in only for a single party 19:40:53 csoghoian: but what if the quid-pro-quo requirement is about unknown companies? 
19:42:49 tlr: how do we get this pile of work into something that happens in a reasonable amount of time? what are the direct next steps? 19:44:02 AlexF: we have been talking to ad networks / trade associations 19:44:54 ... that could be one of our first action items 19:46:10 Bryan: a typical first step is to create a landscape document (entities, technologies involved) would demonstrate to the market that we have a good understanding 19:47:17 jeff: concern about not getting the right thing, concern about not having all the important stakeholders 19:47:41 ... we the W3C want to have as many stakeholders as possible, happy about Alex's suggestion, we'll go wherever we need to go to have those meetings 19:48:14 ... if for whatever reason we can't get all that together, we still need to do something, so we may end up with a beta definition anyway 19:49:55 jmayer: I don't disagree with CDT or other concerns about the beta, but there are opportunity costs in not going ahead quickly 19:50:54 xxx: the choice is not now or never 19:51:36 SueGlueck: there are alphas and there are betas; if it does feel uncertain or alpha, industry is less likely to embrace it or invest money/engineering into it 19:52:10 ... 
a more robust or thoughtful beta would be more useful, even if it takes longer than 6 weeks 19:53:26 Andy: most of the bills introduced call for FTC rulemaking, so the legislative timeline may not be a specific limit on defining tracking 19:54:01 lfc: some people would like to do something before any bill gets passed; FTC has to issue a report by the end of the year 19:54:46 alissa: it's not about timeline of passage of specific legislation, but about general interest 19:55:16 DavidSinger: the time limit is the next major privacy incident 19:56:01 asoltani: we could have an opportunity to shape the language in some of these bills, smart guidance to policymakers might be helpful 19:56:44 Aleecia: if I were running an industry self-reg group, I would try to get a definition out as soon as possible, in order to beat a W3C definition and be the only voice 19:57:14 csoghoian: FTC rulemaking since you don't want Congress making specific technical requirements 19:57:49 ... self-regulatory response will be that they get to avoid regulation altogether because of, for example, agreement on DNT == OBA opt-out 19:58:54 tlr: this is a global problem, what does coordination beyond the US need to look like? 19:59:30 +1 to tlr 20:00:35 alissa: it's hard to say something nation-specific in an international standards body 20:02:40 kevin: tls/ssl was international, but then certificate authorities had national discretion 20:04:20 http://lists.w3.org/Archives/Public/public-privacy/ 20:04:33 tlr: immediate action will be a report on what's on the board and this discussion 20:05:08 ... questions of forum could be figured out through usual channels 20:05:16 ... at least consensus on Interest Group 20:05:41 ... 
have made progress on what the recommendation work should be, at W3C, IETF and elsewhere, but still needs to be finalized 20:05:47 you can subscribe by sending an email to public-privacy-request@w3.org with the word subscribe in the topic 20:06:23 lfc: a summary of the hums 20:06:32 ... fairly evenly split about their first choice was 20:06:53 ... but show-stoppers for both, but the CDT definition wasn't a show-stopper for anyone in the room 20:08:27 Bryan: related work in Device API disclosure, should look at the overlap of existing work (in W3C or outside) 20:09:01 jeff: thanks to tlr and lfc [lots of applause] 20:09:12 ... what will we be seeing next? 20:09:20 BIG THANKS to npdoty and wseltzer 20:10:40 tlr: first record of the meeting will be out soon, perhaps a week; a summary report no later than mid-May (to tell the AC at Bilbao) 20:11:19 ... strawman charter by the end of May 20:12:02 ... announcements will go to the registration list, but eventually please subscribe to http://lists.w3.org/Archives/Public/public-privacy/ 20:16:47 AndroUser2 has joined #w3cdnt 20:17:08 AndroUser2 has joined #w3cdnt 20:17:58 AndroUser2 has joined #w3cdnt 20:18:39 AndroUser2 has joined #w3cdnt 20:18:40 AndroUser2 has joined #w3cdnt 20:19:09 AndroUser2 has joined #w3cdnt 22:00:12 AndroUser2 has joined #w3cdnt 22:38:19 lowenthal has joined #w3cdnt 23:39:00 alissa has joined #w3cdnt 23:49:56 lowenthal has joined #w3cdnt