W3C

Tracking Protection WG F2F - Day 1 - 21 September 2011

21 Sep 2011

Agenda

See also: IRC log

Attendees

Present: +1.617.715.aaaa, StarConferenceRoom, +1.949.483.aabb, +1.818.575.aacc, BrianTschumper
Regrets:
Chair: Aleecia M. McDonald (aleecia), Matthias Schunter (schunter)
Scribe: karl, clp, cris, ifette, jmayer

Intro

Matthias Schunter (http://lists.w3.org/Archives/Public/public-tracking/2011Sep/0021) is introducing the goals of the group

matthias: my goal being referee and moderator in this group. very aware of my own privacy
... Instead of having 50 niche solutions, we would like to get a shared solution.
... Our solution must aim at improving the privacy in a way that privacy advocates can support
... I have no clear idea on how to do it. So we need your input.
... We want a solution which is reasonable and efficient. Not big, but simple. And something that anyone can support.
... there is no really viable alternative. Things will stay the same and shattered across the industry.
... The mission is challenging, sometimes perceived as impossible.
... We will need constructive inputs, sometimes thinking out of the box. I value progress.
... We will be using the W3C tracking tool to help us.
... Do not wait until the last minute to give your input.
... Early input is very valuable.
... Everybody is allowed to ask questions. I will myself ask many stupid questions.
... please use the queue for asking questions.
... your hands for new topics
... your pen for answering

aleecia: Use also IRC

matthias: It will not be easy.
... We will not be able to solve these in two days.
... let's get started.

<APPLAUSE>

matthias: I would like to do a quick round. 3 min each.
... - who you are?
... - 2 to 3 success criteria
... - where are you from?
... we will be writing our success criteria on post-it notes and we will be sticking them on the wall.

Introductions

ErikaMcCallister, NIST, lots of standards, but just observing today

tlr: A broadly deployed spec quickly

ClayWebster: CBS, representing online publishers
... not too many publishers here.
... third party definition that helps consumer privacy

KevinTrilli: TRUSTe
... understand how browser works with ad tag solution
... has been US centric so far, different in EU
... large band of consumers with different values, need to consider people with extreme privacy protection and safe advertising
... complex topic, consumers haven't done well with cookie controls, need to avoid niche solutions

EricaNewland: CDT: want to help consumers

DavidWainberg: observing
... want to see policy drive more than technology

RoyFielding: representing Adobe, UX and content management side
... clear definition of tracking
... tell websites I don't want to be tracked is a bad summary, people don't know what it means and it's over-broad

ShaneWiley: Yahoo
... balance privacy and datacenter operations
... take into consideration self regulatory work
... let consumers selectively exercise control

ChrisOlsen: Privacy at FTC
... supporting self regulating efforts to improve transparency, customer choice
... preliminary report laid out criteria for a consumer control mechanism
... universality, ease of use, persistence, effective, enforceable, addresses collection not just use. Want definitions.
... third party issues also important

EdFelten: Chief technologist at FTC. Provide consumers with effective choice and confidence to consumers that they will get what they think they are going to get. Allow for reasonable innovation in industry
... areas with not so much controversy, hope we can move towards concrete standards
... hope we can move towards consensus on others

BrettError: echo Adobe, what does tracking mean definition-wise?
... is "tracking" an encumbered term?

JonathanMayer: Stanford, care about getting a definition that gives choice over data collection not just use. Want path to adoption in browsers and industries.
... want to do it in a few months

<npdoty> <laughter at getting everything done in a couple months>

EdOConnor: WebKit team at Apple, success: making sure we have definitions and descriptions clear to users, implementers, authors
... technology people are willing to interoperably implement

KevinSmith: Adobe
... wanted to see Cheers
... got to see it last night <laughs>
... clear concise definitions
... implementation

CharlesPerkins: freelance identity and relationship nuance, XMPP Jabber etc at IETF. Success: definition of who you are. True name vs pseudonymity
... important even in the context of tracking, pseudonymous status may allow more tracking if it's truly pseudonymous
... hoping to have core spec with extensions to allow more complexity later

AleeciaMcDonald: thrilled to see diverse representation at the group
... success is about end users
... variation in what people want
... better ads, personalization... vs concern about privacy
... and swing voters in the middle
... many ppl don't understand technology in the background
... stop the arms race
... user preference, enable people to take direct steps with TPLs,
... enables business to thrive and flourish
... implementable

MatthiasSchunter: IBM, tried to make criteria clear earlier
... I'm a European
... get European inputs and get link to EU regulators
... don't want 50 different solutions (for different regions)

NickDoty: W3C and UC Berkeley
... share criteria
... want to see the process itself work

JulesPolonetsky: Future of Privacy Forum
... push the process along

PeterEckersley: technology director at EFF

<edfelten> Names: Jules Polonetsky, Peter Eckersley

PeterEckersley: criteria for success: based on a belief that third party ads / metrics need things from server logs that can be delivered by strongly anonymous methods, but not enough incentive for development for those methods
... incentivize industry participants to develop and deploy those methods
... whatever community delivers should be simple way to gain control over who records your activities
... subtle and hard, but need to partition issue of data retention for fraud detection purposes from other purposes
... find a way to make sure fraud detection doesn't become back channel for how tracking happens

SeanHarvey: Google, straightforward goals. Common standard, easy to use, genuinely useful without undue / unnecessary harm to industry

IanFette: Google, from Chrome team and speaking in that context

KimonZorbas: IAB in Bruxelles
... difficult to define what is meaningful for users, different challenges and interests
... not forget different jurisdictional backgrounds
... debate in Europe alien to privacy framework they have
... look at how the pieces fit into a larger / bigger framework

AlexDeliyannis: With Nielsen
... people know what we do
... able to measure audiences from different web contexts / pages
... and should be device agnostic
... what we come up with on the internet, but there's devices on the net using other protocols
... do we want to have something for these devices as well
... give people using Roku, smart TV etc confidence
... backwards compatibility

FrederickHirsch: Nokia
... observing at the present
... understand how it fits into larger issue of privacy. convey user intent. Issues of secondary use, retention
... related to DNT

DanMcKinney: product development for WPP digital
... several businesses

<jkaran> Hi Ian -I'm from DoubleVerify - I saw you didn't catch my intro. We are here to ensure that the standards decided on here can be incorporated into our DAA Self-regulatory program product (we are a certified vendor of the DAA).

DanMcKinney: looking for clear definition on what "track" is

<karl> List of WG Participants<-http://www.w3.org/2000/09/dbwg/details?group=49311&public=1

ScottJulian: effective measure. Same vein as Nielsen.
... I'm Australian, but we operate in SE Asia / EMENA
... success criteria about guidance
... came to have a great framework people agree on that we can quickly implement

CrisFrancisco: Software development at Blue Cava
... fraud detection and online advertisement
... definition on types of data impacted by DNT
... do not collect behavioral ad data, or broader
... first vs third party
... consistent across browsers
... balance between consumer privacy tools while supporting benefits of advertising supported internet

ThomasLowenthal: Mozilla
... come up with a definition that works for users
... feature users will actually want to use
... not break the open web
... have to be able to create a nice UI for. Concise expression even if there's complexity behind the scenes

MikeZaneis: IAB from DC office
... echo David
... hope policy will drive and technology will inform
... working through first vs third party issues important
... represent DAA (Digital Advertising Alliance). self regulatory body in the US
... working to get members into compliance
... hope we won't add confusion to marketplace
... beginning to see consistency in market

AmyColando: Microsoft, want a healthy and robust ecosystem for providers, consumers
... alignment with self regulatory work
... personally, want to better understand W3C process

KarlDubost: Opera
... previously W3C
... privacy is not binary thus binary solutions will fail
... super easy to implement system
... if it's too complex people won't do it

<npdoty> "ideally one day to implement"

KarlDubost: allow users to block without saying it. don't disclose i am blocking things
... set the right expectation for users

SueGlueck: Microsoft
... IE privacy lawyer as well as Windows privacy lawyer
... not experienced with W3C, looking forward to learning more and appreciate patience
... success learn more about how the technology works on advertising side
... we all need to expand our sphere of knowledge and stand in each others' shoes
... we all need to represent the people not in the room, e.g. consumers
... but also small publishers
... finally, this should be simultaneously easy to implement even for smaller businesses
... and something consumers can understand
... want balance

RichardWeaver: deputy privacy officer at Comscore
... reaching consumers and making sure they understand what's happening

ThomasPottjegort: Comscore, responsible for data collection
... want to be ethical and do the right thing

schunter: happy to see overlap in goals

walk through agenda

<tlr> http://www.w3.org/2011/tracking-protection/agenda-20110922

MatthiasSchunter: will walk through W3C process
... then a break
... dinner at Legal Seafood
... self hosted dinner, but have reservation
... tomorrow we will talk about technical deliverables
... if you want to reach consensus, all proposals must be discussed in a larger group

<fjh> Are we talking about task forces here?

<aleecia> Nope

MatthiasSchunter: this group doesn't decide for everyone what to think

<aleecia> The idea was to perhaps have smaller subgroups, then come back together to discuss more fully

MatthiasSchunter: should we do things differently? other opinions?
... people want break?

RoyFielding: editors need to be selected for the three drafts

AleeciaMcDonald: editors not yet announced

Matthias: if you are interested in editing, ping us

<aleecia> For example, 5 groups all talking about the same thing at once, coming together to then talk through the issue

W3C process

tlr: ... this discussion is inevitable
... W3C is a consensus organization
... listen to each other, work through issues in cooperative spirit
... tools built to support that
... another value is interoperability
... works and uniform in the right way, implementable
... not here to write something that cannot work on the web at large
... something that fits into the overall architecture of the web, not break foundational architecture
... next, want a comprehensible spec that has meaning and is useful
... how do we get there?
... prep phase (at the end now)
... then start a WG, which works on documents
... next break would be a great time to volunteer to edit
... iterate, build consensus over time and publish working drafts along the way
... WDs ARE drafts and will have open questions
... eventually will get to last call
... get broad public review
... work through comments
... then candidate recommendation
... collect information about implementations
... then formal review (proposed recommendation)
... tools: Mailing list public-tracking@w3.org
... irc (here)
... and issue and action tracker

<npdoty> http://lists.w3.org/Archives/Public/public-tracking/

<npdoty> if anyone is still having issues with the mailing list, please let me know

<scribe> ACTION: tlr to close this action, created as an example so people can see what actions look like and where they are DUE 2011-09-25 [recorded in http://www.w3.org/2011/09/21-dnt-minutes.html#action01]

<trackbot> Created ACTION-2 - Close this action, created as an example so people can see what actions look like and where they are DUE 2011-09-25 [on Thomas Roessler - due 2011-09-28].

<npdoty> http://www.w3.org/2011/tracking-protection/track/

ACTION-2?

<trackbot> ACTION-2 -- Thomas Roessler to close this action, created as an example so people can see what actions look like and where they are DUE 2011-09-25 -- due 2011-09-28 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/2

tlr: issue tracking helps structure the discussion
... open questions (what about third party? is this or that involved?)
... these are distinct things that can be tracked
... WGs keep public lists of issues

<ifette_> ISSUE: Example issue to be closed, so people can see what an issue looks like.

<trackbot> Created ISSUE-1 - Example issue to be closed, so people can see what an issue looks like. ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/1/edit .

<npdoty> trackbot, close ISSUE-1

<trackbot> ISSUE-1 Example issue to be closed, so people can see what an issue looks like. closed

<ifette_> close ACTION-2

<trackbot> ACTION-2 Close this action, created as an example so people can see what actions look like and where they are DUE 2011-09-25 closed

<karl> http://www.w3.org/2011/tracking-protection/track/changelog

tlr: in issues we explain where we are coming from, respond comments
... we also accept comments from the public during the process
... mailing list is publicly archived

<npdoty> ... issues also help the group to document issues and not come back to the same issues forever, determine what the group's status is

tlr: encourage discussions on mailing list
... publishing drafts is another key component
... we have an aggressive schedule
... publish drafts with lots of open issues to get early review and visibility
... drafts visible to public
... minutes are also public

<jkaran> So drafts are published, but any questions go into the issues list, correcT?

tlr: taken on IRC and published 48h after

jkaran, questions typically come to the mailing list and the working group members and/or chairs open issues or actions based on those questions/comments

tlr: discusses irc commands
... we do collaborative scribing. everyone is a potential victim

<aleecia> (if it wasn't clear - zakim is a bot, not a human)

ACTION-2?

<trackbot> ACTION-2 -- Thomas Roessler to close this action, created as an example so people can see what actions look like and where they are DUE 2011-09-25 -- due 2011-09-28 -- CLOSED

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/2

ISSUE-1?

<trackbot> ISSUE-1 -- Example issue to be closed, so people can see what an issue looks like. -- closed

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/1

tlr: actions need to have clear owner, date
... if you can't do it, find someone else or change the date

<aleecia> ^change the date^go back to the group/chairs

<aleecia> ...ideally early

aleecia, depends on the group

tlr: discusses meaning of consensus (look at the slides)

<pde> is there a page somewhere that documents these queue management and issue management tools?

<npdoty> Tracker documentation http://www.w3.org/2005/06/tracker/

<fielding> http://www.w3.org/2005/06/tracker/irc

tlr: generally we achieve consensus people can live with. not everyone will necessarily be enthusiastic

<npdoty> Zakim IRC documentation http://www.w3.org/2001/12/zakim-irc-bot

tlr: discusses standing and what good standing means
... currently not intending to apply "bad standing" / "good standing" to this WG
... but important people consider the reasoning of the points behind "good standing"

<pde> anyone mind if I put these in the channel status while people may still be joining?

tlr: e.g. please show up to groups
... and deliver action items in time
... finally, respect conflict of interest policy
... if you are in three companies please disclose all three
... no covert agents
... last call - this is where we think we're done, we get broader review and address issues and document dependencies
... we're not really done at that point though
... group needs to address all comments
... some may be previously considered, at which point you provide a link to previous discussion
... unless new points are raised at which point we may reopen discussion
... there is a back and forth with the commenters
... after LC is a call for implementations
... group collects information about implementations and whether there are problems in the spec w.r.t. implementation
... then transition to formal review
... left the patent policy out of the slides
... oops
... want to produce specs implementable on a royalty free basis

<fielding> I forgot to mention that I am on the board of the Apache Software Foundation, which is also a W3C member, but my role here is just to represent Adobe

JonathanMayer: to what extent does w3c process allow for discussion of business confidential information?

tlr: information shared is at least visible to all w3c members
... this is a needle which must be threaded
... if there are pieces of info based on confidential info you may need to abstract/obfuscate it
... we can't deal with this in general
... exception made in CR phase for implementation phase
... re: who has made the implementation
... and the WG simply sees the list of test cases that "implementation A, B, C" satisfy
... suspect that won't be the issue here
... but this is not the place to share confidential analytics data

<aleecia> ws addressing - example of good process

tlr: failure modes include groups where everyone observes, or people get bogged down in analysis too early
... over-engineering complexity
... timelines designed to keep this at bay
... groups may also self-implode

KarlDubost: groups may also lack the right people

<tlr> http://www.w3.org/2005/10/Process-20051014/policies.html#WGArchiveMinorityViews

<aleecia> please don't just object, also offer what you want to see as a solution

tlr: discusses http://www.w3.org/2005/10/Process-20051014/policies#WGArchiveMinorityViews
... important to include proposed resolutions in objections

<Zakim> karl, you wanted to use dvcs.w3.org for editor's drafts

<aleecia> information on W3C process: http://www.w3.org/2004/02/Process-20040205/cover.html#toc

tlr: would strongly advise using dvcs.w3.org for editors draft and have that be publicly visible

tl: what does it mean?

tlr: they're on the web in version control system

Matthias: would like to move on, any objection to coffee break?

<clp> Hello everyone, break about to end. --Charles L. Perkins, Virtual Rendezvous, rendezvous.com

presentation by Thomas of Princeton workshop results

tlr: we met in Princeton
... and had about 80 people
... find out what we should focus on
... showing slides from workshop

tlr: how did we get here? (history)

<aleecia> (thank you)

tlr: prevalence of tracking on the web
... what are the expectations of users?
... studies on what users felt about opting in?
... introduction of Mozilla DNT header

<npdoty> Safari "Send Do Not Track HTTP Header" menu item

tlr: Microsoft introduced Tracking Protection Lists (TPL)

<npdoty> Microsoft member submission: http://www.w3.org/Submission/web-tracking-protection/

tlr: big question...what does Do Not Track mean?
... there are different views on the matter
... discussing scope limitations and requirements on properties of tracking controls

<npdoty> CDT requirements: simple, universal, comprehensive, inclusive, effective, seamless, persistent, usable

tlr: there currently is not a two-way dialog between consumer and publisher on DNT
... another view, Canadian law ... third parties "web trackers are breaking the law"

<pde> from this argument from bluekai ("as current conceived DNT does not facilitate a transparent two-way dialog between the user and the publisher") a question to address is whether such dialogues should happen in HTTP headers, in web UI, or some mixture of the two

tlr: FTC criteria for do not track: consumer criteria should be universal, usable, persistent, effective and enforceable
... European countries view "cookies should be opt-in"
... Brussels event organized by UC Berkeley: challenge to get DNT done in a year

<aleecia> ePrivacy Directive, article 5(3): http://circa.europa.eu/Public/irc/infso/cocom1/library?l=/public_documents_2010/cocom10-34_guidance/_EN_1.0_&a=d [PDF, sorry]

tlr: the Tracking Protection Working Group Charter now exists (we're here)
... we need to come up with Tracking Preference expression, definition, and compliance

<npdoty> charter, including the list of deliverables, is available here: http://www.w3.org/2011/tracking-protection/charter

tlr: and recommendation for Tracking Selection Lists
... first in person meeting 9/21-9/22 in Cambridge, MA

<npdoty> Kimon: Article 5(3) is about consent, not necessarily opt in

Kimon: discussing European law

aleecia: out of scope opt in vs opt out

ian: what the default tracking setting is greatly affects solution

aleecia: how does the standard change?

<karl> should we record an issue for it?

matthias: let's follow up with how to deal with opt in and opt out at later time?

Brett: definition of tracking will affect the solution

<npdoty> jkaran: +1 on Ian, Brett

Jules: we should spend time understanding issues and uses of opt in or opt out

matthias: issues: exact definition of tracking and data collection
... default (opt in and opt out) and user interface ideas

<karl> ISSUE-1?

<trackbot> ISSUE-1 -- Example issue to be closed, so people can see what an issue looks like. -- closed

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/1

david wainberg: discuss privacy risks with solutions

<karl> ISSUE-2: What is the meaning of DNT (Do Not Track) header?

<trackbot> Sorry... adding notes to ISSUE-2 failed, please let sysreq know about it

<karl> ISSUE: What is the meaning of DNT (Do Not Track) header?

<trackbot> Created ISSUE-2 - What is the meaning of DNT (Do Not Track) header? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/2/edit .

<aleecia> (meta: we'll hit these issues after lunch)

<ifette> ISSUE: what is the granularity of the choice we expect users to make?

<trackbot> Created ISSUE-3 - What is the granularity of the choice we expect users to make? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/3/edit .

Aleecia walking us through the charter

matthias: discuss what we are trying to do with wg
... interactions between TPL, TP-Expression, and DNT

<npdoty> one document to describe the technical interaction between the browser and server

<npdoty> and another (compliance, definitions) to describe what the server does once it's reached the server

aleecia: almost done with process side of discussion
... want to discuss charter

<aleecia> http://www.w3.org/2011/tracking-protection/charter.html

aleecia: will have weekly teleconferences
... will have face to face meetings
... out of scope: user interface

ifette: agree, but we can't avoid UI

npdoty: guidelines of user experience would be in scope

<npdoty> tl: we can talk about the UI, understand the implications of the UI, without specifying it

aleecia: tracking selection list = TPL
... we have w3c dependencies for collaboration with other w3c groups

charles: wants to add section for best current practices (like BCP from the IETF world)

<aleecia> http://www.w3.org/2004/02/Process-20040205/tr

aleecia: showing calendar

<npdoty> FPWD out by October 6th, even though there won't be general agreement

aleecia: schedule working draft by oct 6th

<karl> http://www.w3.org/TR/qaframe-spec/

aleecia: Oct 13 - deadline for second face to face meeting
... Oct 25th - internal issue cut-off
... Oct 31st-Nov 1st - next face to face meeting in Santa Clara
... Jan 30 - last call for comments on Dec draft
... Apr 30 - candidate recommendation document
... May 11 - request for transition
... May 22 - proposed recommendation
... drafts should go out on Tues and Thurs (quick iterations)
... discussing issues (with format and associated email thread)

<aleecia> example issue: http://www.w3.org/html/wg/tracker/issues/30

<ifette> ISSUE: what is the default? Is this an opt-in or an opt-out?

<trackbot> Created ISSUE-4 - What is the default? Is this an opt-in or an opt-out? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/4/edit .

Shane: request to put calendar/schedule online

aleecia: Oct 31st-Nov 1st Santa Clara (face to face)

<tlr> ACTION: nick to put meeting calendar on WG home page [recorded in http://www.w3.org/2011/09/21-dnt-minutes.html#action02]

<trackbot> Created ACTION-3 - Put meeting calendar on WG home page [on Nick Doty - due 2011-09-28].

<cris_> trick or treat? :)

<tlr> http://www.w3.org/2011/track-priv/report.html

aleecia: "short" papers from Princeton are online

<npdoty> http://www.w3.org/2011/track-privacy/report.html

<tlr> s/track-priv\//track-privacy\//

aleecia: we have a lot of work ahead of us (esp at beginning)

matthias: lunchtime

thomas: Legal Seafood reservation for 40 people at 7pm 9/21

<clp> Lunch until 1:30 pm FYI

matthias: time to go organize and categorize the success criteria with sticky notes

<fielding> please add "Good one-sentence description of DNT scope for use in browser config" (I am stuck on an Apache board meeting call outside)

<clp> Doing an exercise on the wall

<cris> matthias: review of the sticky board categorization

<cris> sounds fine...let me know

aleecia: reminding group to think about use cases
... going to spend 20 minutes addressing "What is tracking?"

<ifette> the agenda order is 9, 7, 8

What is tracking?

aleecia: inviting thoughts from input documents
... first component: semantics
... second component: exemptions
... differing opinions on what should be exempted, and to what extent
... third component: monolithic?
... is this a monolithic choice across all sites, or per-site decisions for users?
... fourth component: notice and feedback?
... should there be a response, and if so, what should it do?
... everyone has a view of what tracking means
... often conflicting
... inviting input on what tracking means

ThomasLowenthal: we should start with a broad definition and add exemptions
... "Anything that accumulates attributes or particular pieces of information about a user, a browser, or perhaps even a device."

PeterEckersley: EFF has a blog post on this
... broad definition, with exemptions
... quoting from blog post

<npdoty> "retention of information that can be used to connect records of a person's actions or reading habits across space, cyberspace or time"

<pde> npdoty: you beat me to it :)

<pde> I was quoting myself from this blog post: https://www.eff.org/deeplinks/2011/02/what-does-track-do-not-track-mean

IanFette: would define more narrowly, e.g. behavioral tracking
... thinks it will be difficult to make progress with a broad definition
... "Collecting data to generate a profile of a user."

<pde> ifette: I should have said what I thought the exceptions were

<pde> since I think those go a long way toward bridging between the broad definitions tl and I were starting with, and the narrower one you thought we could move forward with

CharlesPerkins: "realtime or historical collection of information that in the aggregate is considered private by the user"

BrettError: think about consumer expectations and what consumers should be able to ask about
... do you expect your library to forget you?

ThomasLowenthal: I think this is about needed data collection

ShaneWiley: if a broad definition, should have a caveat for "across non-associated sites or experiences"

Aleecia: please clarify

ShaneWiley: should be able to apply to apps, devices, and others

efelten: what's the difference between peter's and ian's definitions?

<tl> s/Thomas Lowenthal: I think this is about needed data collection/Thomas Lowenthal: I think that the most important exception is for the information needed to provide & use the service

pde: We have exemptions in our definition for first parties, fraud, clear opt-back-in, and where needed to provide a service

aleecia: trying to hold off on the exemptions discussion

efelten: still looking for a clarification

<npdoty> sean: aggregate reach calculation, frequency capping

<KevinT> TRUSTe definition of behavioral targeting (subset of tracking): http://www.truste.com/privacy-program-requirements/

SeanHarvey: would like to use data collection for aggregate statistics and frequency capping

<KevinT> "Behavioral Targeting" is the collection and use of information on an Individual's Online activity over a period of time for the purpose of developing and using predictive models to determine potential future behavior or interests.

ThomasPottjegort: "Information about individual users or machines across sites of multiple owners"

<tlr> slides from this morning: http://www.w3.org/2011/tracking-protection/tlr-dnt-process-20110921.pdf, http://www.w3.org/2011/tracking-protection/tlr-dnt-kickoff-20110921.pdf

jkaran: wondering if a broad definition is possible given all the things even one company might do that could be considered tracking

<tlr> s/fro,/from/

karl: this is about unique ids and linkability of data
... that includes an ip address

ScottJulian: about collection of attributions about an individual user
... about "do not track me"
... about uniqueness of attributes

JonathanMayer: tracking masks a first order question about what are users concerned about, what should users be concerned about
... it's not about profiling or specific use of data

<fjh> +1 to user centric definition

JonathanMayer: but that there are companies with a list of a user's reading habits, or large portion of what they've seen on the web
... regardless of what that is used for, that necessitates a broader definition
... if you think the concern is narrower, that mandates a narrower definition
... would like to hear what people think users are/should be concerned about

<tl> tracking definitions piratepad

<tl> http://piratepad.net/w3-tpw3

MikeZaneis: many parties are trying to get to an end result
... almost everything we're talking about is tracking
... the DAA's definition is very broad

<npdoty> "basically, collection of data over time across sites"

MikeZaneis: we have to be honest that with many exceptions, Do Not Track won't cover all tracking

Brett: we need to figure out what the problem is, and how to frame the question we're asking users
... "do you want free content on sites?"

schunter: we need a common understanding of what we mean

<npdoty> jmayer: want to get at the underlying concern, some people think it's about seeing ads based on what they do on other sites, other people upset about profiles being created, others (including myself) about collection of reading habits at all

CharlesPerkins: concern is no explicit, simple description of tradeoff between functional content and privacy

<karl> some users, not all users.

ShaneWiley: blended conversation between what users are concerned about/should be concerned about and what we do
... "Do Not Track" is a buzzphrase with press and FTC
... I believe that "Do Not Track" has left the station
... we can't choose a new name

<npdoty> I thought Shane was making the opposite point, that there's actually too much friction to try to re-name

ShaneWiley: concern is profiling and tracking across sites

ifette: what is realistic to expect?
... asking web services to forget a user's interaction is unrealistic

fjh: not following process, think we should be working through definition and exemptions

<fjh> Some exemptions can involve some complexity so trying to capture in a single definition at the start can be hard

<ifette> Jules: would it be worth defining the contexts in which we're defining tracking?

<fjh> Tom and Scott offered what appears to be a simple and user-centric, simple, starting point

JulesPolonetsky: Do we need a single definition of tracking, or would it be ok to have two or three?

tl: there are two approaches, start broad and add exemptions, or give specific examples of tracking

Jules: there are a range of sensitivities around tracking, we should accommodate them

Brett: I don't understand what we collectively view the problem to be
... here's what I think it is
... I don't think we're saying that when a consumer gives a first party some information, she expects the first party to not have the information
... if I haven't given information to a site and it personalizes for me, that's the problem

pde: EFF's problem is that other companies see what you read on the New York Times or a dating site. Companies that the user doesn't expect to give their information to.

Brett: I agree.

fielding: Storing information on the third-party is the issue. There's no way to avoid a third party storing an audit of where content appears. That's needed for click fraud prevention. Would silo data.

<pde> Brett: I think we are making progress, right?

fielding: Should be stored by a specific advertising network for each site.

<karl> Thinking about indirect tracking such as the mail I sent to a user with his data being tracked, my address information shared with a friend and put in a system which does data mining.

KevinT: Have to distinguish between general use case and sensitive information, e.g. medical information.
... Concerns about identifiability of information are a driver.

<fjh> Can the combination of data that is not sensitive become sensitive when combined?

AmyColando: Consumers differ in what they think is ok.

<pde> fielding: leaving companies the necessary room to fight clickfraud while preventing that from being an open-ended record of their reading habits is in my view the most insoluble part of DNT

<pde> something like "siloing" may be the best we can do

pde: we have some ideas on it, talk later

AmyColando: we need to work on making choice and what's going on more transparent for consumers

<fielding> pde, I think we should focus on DNT preventing sharing of data rather than collection of data

<pde> siloing, along with limited retention and other things

<tl> emphasis: when third parties need to store data, it should be as an agent of the first party, and strictly siloed

<pde> fielding: whereas my view is we should just exempt retention that feeds into a siloed clickfraud prevention process

kimon: think we should be talking about browsers

<karl> active sharing with someone else through a service doesn't mean sharing with the company offering the service. Example: Discussions of two friends in a cafe or on the phone. You do not want your discussion analyzed.

kimon: might be more room to agree there

<tl> i would like to reiterate karl's position strongly

aleecia: wide range of views, closer than expected
... starting from princeton, broad definition with exemptions
... we'll wind up with a definition
... it'll be a point of contention whether it's narrow or broad
... and what's exempted

<tlr> matthias

CharlesPerkins: we could try using adjectives around tracking, e.g. "behavioral tracking"

matthias: 1. what is tracking as first issue — take this list in there

<ifette> ISSUE: What is the definition of tracking?

<trackbot> Created ISSUE-5 - What is the definition of tracking? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/5/edit .

<ifette> ISSUE: What are the underlying concerns? Why are we doing this / what are people afraid of?

<trackbot> Created ISSUE-6 - What are the underlying concerns? Why are we doing this / what are people afraid of? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/6/edit .

matthias: 2. what are underlying concerns, why do we do this, what are people afraid of — document
... 3. what types of tracking exist, how is tracking used — click fraud, frequency tracking

<ifette> ISSUE: What types of tracking exists, and what are the use cases for these types of tracking?

<trackbot> Created ISSUE-7 - What types of tracking exists, and what are the use cases for these types of tracking? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/7/edit .

matthias: would like to see a list what are the useful things that are done with these data

<Brett> karl, Agreed. The phone company should not collect information about me by eavesdropping on my calls.

photos of the whiteboard will be available

schunter: issue of exemptions

<KevinT> Input document: TRUSTe consumer research on OBA (http://www.truste.com/ad-privacy/TRUSTe-2011-Consumer-Behavioral-Advertising-Survey-Results.pdf) - specific q's around DNT and perceived threats

schunter: last issue is transparency and better informing users

<npdoty> crowd: user awareness, education

ISSUE: How do we enhance transparency and consumer awareness?

<trackbot> Created ISSUE-8 - How do we enhance transparency and consumer awareness? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/8/edit .

aleecia: four buckets to work through: semantics, exemptions, monolithic?, and notice and feedback
... semantics is the base case

use cases

aleecia: moving on to use cases

davidwainberg: preface that there are many commonalities among definitions
... privacy risk is complex, about who stores data, how, and more
... use case 1: retargeting
... user visits site A, views a product; visits unaffiliated site B, sees an ad for the product
... just a single data point used for retargeting
... use case 2: interest segments stored in a cookie
... use case 3: cookie used as an ID for a server-side store
... all three have very different risk profiles

ShaneWiley: disagree with davidwainberg
... all three use cases would fall into Do Not Track

<fjh> ... And would no longer occur if user elects dnt

pde: non-linkable forms of segment targeting should be ok

aleecia: question is whether we should have an exemption for client-side segmenting

<npdoty> pde saying segmented targeting (not uniquely-identifiable) fine even under Do Not Track

JonathanMayer: disagree with peter in what he just said, but agree with what he said two months ago
... way he's thought about this is to bring a holistic definition of the high level semantics
... at the same time allow things that don't engender privacy concerns
... is to lump that into exemptions buckets
... disagreements around how the balance lies
... broad definition leads to lots of exemptions, narrow definition has fewer exemptions
... re: segments in cookies
... on that specific issue of client side data storage, would like to not get too far into specifics because there's many options with marginally different privacy options
... if we just say "it's a client side storage thing" and leave the details for later

CharlesPerkins: as long as it's pseudonymous we shouldn't be worried

tl: i don't think that's a consensus view

<pde> jmayer: what do you think I changed my opinion of over the past two months?

Brett: how information came to be on the client matters a lot, e.g. a cookie sync

SeanHarvey: use case 1: first party on own site
... use case 2: third party across multiple websites
... use case 3: companies like CBS that use a third-party vendor with a third-party cookie, but used as just a software tool and with only the website able to read the data
... use case 4: companies that collect data on their own sites and want to leverage that data on other sites

<tl> it's important to note that users have no idea what first and third parties are

SeanHarvey: doubleclick is 3, google display network is 2

ShaneWiley: pure first party, pure third party, first party as third party, third party as first party
... a lot of discussion of first party as a third party, e.g. the facebook like button

ISSUE: Understand all the different first- and third-party cases.

<trackbot> Created ISSUE-9 - Understand all the different first- and third-party cases. ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/9/edit .

CharlesPerkins: need to be able to explain to the user what these use cases are

karl: suppose someone has an account with gmail
... they're ok with being tracked by google
... i'm on my own personal server for email
... and I email someone who uses gmail

SeanHarvey: Google would be a first party in this case.

ChrisOlsen: suppose I'm forbes, and there's data collection on other websites, and i want to use that for ad targeting

SeanHarvey: that's a third-party product

<fjh> Is email like trash, once you put it out it isn't private or yours (depending on receiver's choices)?

ShaneWiley: yahoo analytics product allows a customer to request that their data be stored in a silo

<pde> fjh: perhaps a better way of fitting that slightly off-topic email example into the framework we've been discussing, is that Google's receipt of the email you sent is necessary for the completion of a transaction you requested, and therefore is covered by an exception even if it's tracking

KevinSmith: how are first party as first party and third party as first party separate

CharlesPerkins: the third party might be untrusted

npdoty: Depends on what "silo" means. Can have significant implications for users.

jkaran: many third parties can be brought in with a single ad

<pde> is "tag" an advertising term for a javascript include?

enewland: separating out first and third parties can be circular, but valuable

ThomasPottjegort: if you silo data, it would be wise to anonymize the data before storing it

CharlesPerkins: users might expect that some first party uses would be covered
... for example inside google

MikeZaneis: small companies with distinct brands can also be difficult for a definition

<fjh> Pde, depends on how you define necessary.

<karl> note that "email" was just an example of a Web service in the case of gmail. You could use any services using Web standards to communicate across domain names (not silos) where the consumption of data of someone else might end up to the creation of a profile without having even agreed on any terms about it.

ClayWebster: there can be difficulties where there are differences in branding or logo or domains
... for example, this weird .com.com thing we did for awhile
... we have to be a first party for ourselves

<fjh> But I see your point, pde

pde: Responding to Charles Perkins, there will be cases where consumers are concerned about one entity sharing information internally. But it's a company's problem if it violates consumer expectations. That's very different from different domain names.

AmyColando: Defining first party is a key foundation, probably can't get it done today.

<ifette> ISSUE: What is a first party? As an example, CBS and C|Net are the same company but visually distinct websites/brand, is this a first party relationship?

<trackbot> Created ISSUE-10 - What is a first party? As an example, CBS and C|Net are the same company but visually distinct websites/brand, is this a first party relationship? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/10/edit .

AmyColando: Good reasons for third parties to keep data without anonymizing it.

ShaneWiley: Recall that in the EU there are different definitions, data controller vs. data processor.

<pde> fjh, I think it's reasonable to say that the recipient's mx servers (and anything they forward to) are a necessary part of email transactions; and per karl's example I think this would work equally well for any other back-end protocol that users interact with through websites

<karl> what is data controller? What is data processor.

<fjh> Perhaps karl's point can be restated as how can user DNT request be handled when no direct 1st party relationship is involved

ShaneWiley: there's at least three versions of first party, common branded, same domain, and affiliated

<karl> thanks fjh for clarifying my concern :) in a better way than I did.

davidwainberg: Why do these definitions matter?

ShaneWiley: Because we're going to reference them often.

<pde> clp: looking at the youtube homepage, the word "google" does not appear on it anywhere. I would not be surprised if a large fraction of Youtube's users were unaware that the site was owned by Google.

aleecia: Issues about user expectations and implementation.

schunter: Our aim is to surface issues, we're doing that.

<npdoty> ISSUE: document a longer list of use cases -- what's going on today

<trackbot> Created ISSUE-11 - Document a longer list of use cases -- what's going on today ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/11/edit .

<karl> http://www.w3.org/2011/tracking-protection/track/issues/raised RAISED ISSUE so far

KevinT: Are apps in scope?

<npdoty> ISSUE: how does tracking require relation to unique identities, pseudonyms, etc.?

<trackbot> Created ISSUE-12 - How does tracking require relation to unique identities, pseudonyms, etc.? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/12/edit .

schunter: Apps aren't excluded from scope, would address at some point.

<npdoty> ISSUE: what are the requirements for DNT on apps/native software in addition to browsers?

<trackbot> Created ISSUE-13 - What are the requirements for DNT on apps/native software in addition to browsers? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/13/edit .

<ifette> ISSUE: How does what we talk about with 1st/3rd party relate to European law about data collector vs data processor?

<trackbot> Created ISSUE-14 - How does what we talk about with 1st/3rd party relate to European law about data collector vs data processor? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/14/edit .

Kimon: not clear who's a controller or processor under eu law

Brett: Have to consider how personal the data being collected is.

<ifette> ISSUE-14: How does what we talk about with 1st/3rd party relate to European law about data controller vs data processor

<trackbot> ISSUE-14 How does what we talk about with 1st/3rd party relate to European law about data collector vs data processor? notes added

KevinT: Have to deal with special treatment for children.

tl: differences between legal questions about what's personal and technical questions about whether users can be identified

ISSUE: What special treatment should there be for children's data?

<trackbot> Created ISSUE-15 - What special treatment should there be for children's data? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/15/edit .

[organizational discussion]

schunter: propose to break into small groups, each focuses on a narrow set of issues

<Brian> Brian Tschumper from Microsoft on phone

<clp> Break

[decision: discuss everything as a group]

<npdoty> ACTION for nick to set up iCal subscribable version of our events calendar

<trackbot> Sorry, couldn't find user - for

<npdoty> ACTION: nick to set up iCal subscribable version of our events calendar [recorded in http://www.w3.org/2011/09/21-dnt-minutes.html#action03]

<trackbot> Created ACTION-4 - Set up iCal subscribable version of our events calendar [on Nick Doty - due 2011-09-28].

<clp> I will try to transcribe the next section, This is Charles L. Perkins, clp, rendezvous.com

<aleecia> Hi - is Microsoft JC Cannon?

<Brian> Microsoft is Brian Tschumper

<aleecia> Thank you!

Session begins

Notes that there will be weekly telephone conferences

Show of hands for timezones

About equal between PDT and ET then about 1/2 as many in other timezones

1 from Australia

11 am ET 8 am PT 5 pm Central Europe

Notes that Europeans have trouble with 10/31 and 11/1 meeting anyway

Suggestion to moving it one hour later

90 min call, weekly

5 conflicts on Thur

4 on Tuesday

2 for Wed

at noon 9 6 for ET / PT / Central EU

Wed chosen

noon ET, 9am PT, 6 pm Central Europe.

(for now)

Send Aleecia email if you have issues with this time / day

<karl> http://www.timeanddate.com/time/dst/2011.html

She will try to work it out

Take the next section as a Lightning Round

Alex: is the phone number published?

yes it will be

<karl> October 30, DST ends in Europe

<karl> November 6, DST ends in USA

<karl> known as the messy week for teleconferences

No judgements fast rounds now is the idea

Semantics and Exceptions, hopefully separate first

First exchange of preference, then site behavior will change

Shane: will we begin with use cases from last time?

Issues 1-- data collection, 2-- data use

(context 3rd party)

Thomas: isn't semantics and exception/exemptions really the same thing?

aleecia: Trying to keep separate? No, let's give up and combine the first discussion.

Thomas: can we straw poll this?

Not now.

Issues for what it means to Comply with getting a Do Not Track signal

EG 1st party Data collection:

Jules: What is "collecting" in semantics?
... Collecting, Logging, etc.
... Caching eg, is that collecting?

<npdoty> ISSUE: what does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.)

<trackbot> Created ISSUE-16 - What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/16/edit .

davidwainberg: Retention, Accumulation, Profile

Attribution, Identification (another term)

jkaran: data use by 1st party

<clp_> back

jkaran: data collection methods, HTTP cookies and other technology types

Time/Space device etc.

Attribution / Identifiable

Time/space Devices

Parties -- what is definition of "Party"?

Issue: Data use by 1st Party

<trackbot> Created ISSUE-17 - Data use by 1st Party ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/17/edit .

Data collection -- cookies or not

Issue: Collection definition (not sure I said the prefix before?)

<trackbot> Created ISSUE-18 - Collection definition (not sure I said the prefix before?) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/18/edit .

Issue: Data collection / Data use (3rd party)

<trackbot> Created ISSUE-19 - Data collection / Data use (3rd party) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/19/edit .

Jules: What isn't covered? Is there a magic button that gives you privacy? Do not track button does what?
... Some linkage.... what is not part of this?
... Common denominator.... why is it in scope of the button?
... Is there something that makes it belong on this page?
... is it PII and no cookie etc?

Matthias: can we focus just on the tracking part?

<jmayer> would like to flag - the legal notion of PII is very different from the technical question of what information is identifiable

Shane: exception focus... so the ability for consumer to grant an exception... it's important to Yahoo and regulators -- need external auditability

<npdoty> ISSUE: different types of data, what counts as PII, and what definition of PII

<trackbot> Created ISSUE-20 - Different types of data, what counts as PII, and what definition of PII ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/20/edit .

Shane: outside operations, analytics and/or research
... fraud detection and defence

Matthias: examples?

Shane: prove in an audit that you didn't exceed promises, or that billing was properly done, etc.
... DNT compliance audit

<npdoty> ISSUE: enable external audit of DNT compliance

<trackbot> Created ISSUE-21 - Enable external audit of DNT compliance ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/21/edit .

<npdoty> ISSUE: still have "operational use" of data (auditing of where ads are shown, impression tracking, etc.)

<trackbot> Created ISSUE-22 - Still have "operational use" of data (auditing of where ads are shown, impression tracking, etc.) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/22/edit .

<npdoty> ISSUE: possible exemption for analytics

<trackbot> Created ISSUE-23 - Possible exemption for analytics ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/23/edit .

<npdoty> ISSUE: possible exemption for fraud detection and defense

<trackbot> Created ISSUE-24 - Possible exemption for fraud detection and defense ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/24/edit .

Shane: network quality is industry term - showing your Ads in places that are reputable

<npdoty> ISSUE: possible exemption for research purposes

<trackbot> Created ISSUE-25 - Possible exemption for research purposes ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/25/edit .

Clay: ... lots of overlap... but denial of service prevention... store but maybe not use for this

Peter: ... decent fraud will handle that hopefully

Shane: just so we know advocates don't like a general exception there FYI

<npdoty> ISSUE-22: should cover denial of service attacks, click fraud

<trackbot> ISSUE-22 Still have "operational use" of data (auditing of where ads are shown, impression tracking, etc.) notes added

Clay: we need the semantics well published
... the auditing will have to mesh well

Aleecia: lead time? what are you saying?

Clay: yes, substantial lead time, before this kicks in

Matthias: easier for them, kick off issues

Clay: have you had a SOX (Sarbanes Oxley) (sp?) audit? Avoid at all cost!
... is there a limited defacto opt-in with having to explicitly opt in, e.g. zip code provided ...
... eg, if you're not being prompted yet you are supplying info, does it opt you in?

Aleecia: if you provide e.g. your billing address...

Jules: but someone then explicitly gives more info, not billing

efelten: how does this differ from the consumer consent?

Clay: widget on a page

tlr: I go to site foo
... it shows me something

Kevin: eg a weather widget?

Thomas: does the 3rd party... yes, thank you

Clay: 3rd party widget and others providing explicit consent

<npdoty> ISSUE: providing data to 3rd-party widgets -- does that imply consent?

<trackbot> Created ISSUE-26 - Providing data to 3rd-party widgets -- does that imply consent? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/26/edit .

<tlr> example: 3rd party weather widget from t.com gets information while embedded with a.com, does this count as consent for t.com to track me when I visit b.com?

ThomasComScore: there is one exception he is not sure why it is an exception / issue

Matthias: it's perfectly OK to exempt something ... if it's an exclusion it's evident anyway

Kimon: Zorba the Greek... to remember ... not sure about debate... at first don't want to be tracked... yet now I like Google, OK for them to track me

<tlr> kimon: I might decide I don't want to be tracked — but may permit some specific site to track me regardless?

Kimon: revoke the DNT for explicit cases?

<tlr> ... other point, going into frequency capping

<npdoty> ISSUE: mechanism to revoke Do Not Track for specific entities (maybe I really like Google), "opt back in"

<trackbot> Created ISSUE-27 - Mechanism to revoke Do Not Track for specific entities (maybe I really like Google), "opt back in" ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/27/edit .

Kimon: Post click or other methods, e.g. conversion, advert --> sale
... those should not be excluded
... asks Shane

Shane: yes, when we talk about 3rd party widgets: 2 concepts:
... impression vs interaction
... see affiliate ad vs they click on it

Scott: Law enforcement requirements?

<npdoty> ISSUE: different rules for impression of and interaction with 3rd-party ads/content

<efelten> ISSUE: Exception for mandatory legal process

<trackbot> Created ISSUE-28 - Exception for mandatory legal process ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/28/edit .

Charles: fits into my larger point: existing law, policy, how we fit into it

<npdoty> ISSUE: tracking that may be required by law enforcement

<trackbot> Created ISSUE-29 - Tracking that may be required by law enforcement ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/29/edit .

Erica: .. for policy or legal reasons we don't want DNT to apply to them... are there things that we just don't think are NOT in the scope of this?
... data aggregation EG, collects lots of data, selling to someone else

Aleecia: not online explicitly tracking ... data sharing / enhancement data in offline world, combined with online

Jules: commerce site, just sells the data, seems like we're saying it has to have something to do with online tracking?
... is offline the only exemption? replicating privacy law and existing ... are we including don't give that data to them?

Matthias: What privacy problems are out of scope?

<npdoty> ISSUE: will Do Not Track apply to offline aggregating or selling of data?

<trackbot> Created ISSUE-30 - Will Do Not Track apply to offline aggregating or selling of data? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/30/edit .

Jonathan: Minimization... in some cases privacy concern might be minimal, but in many cases lots of tech approaches
... to what extent do we want to recommend tech / nice tech?
... broad exceptions yet some tech might be better for implementing them?
... frequency capping eg, we are NOT going to allow it in .... but maybe allow it in this other case, where minimization makes a difference

Peter: The technical conditional nature of exemption

Aleecia: Is it reasonable for us to only have exemption only based on the tech they use?

<npdoty> ISSUE: minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions)

<trackbot> Created ISSUE-31 - Minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/31/edit .

Peter: is it a particular detailed choice like language, or just general tech choices

Jonathan: high level... is it reasonable to ask people to ever adopt or not a given tech...

Shane: are there reasonable tech. exemptions

<pde> I'm more comfortable with "specific approaches" than "specific technologies"

<npdoty> ISSUE-31: Shane: do you get exemptions by using particular technical implementations?

<trackbot> ISSUE-31 Minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions) notes added

<pde> clp_: Peter == pde

Brett: we also need to address... the sharing of data between entities
... cookie sync'ing
... beacon calls ... more of a Use Case

Matthias: do we all agree we know what cookie sync'ing is?

Brett: a 3rd party reads in a 1st party cookie, makes it their own and use it everywhere else (beacon)

Peter: For example, Cookie ID1 and ID2 are the same person is one EG

<npdoty> ISSUE: sharing of data between entities via cookie syncing / identity brokering

<trackbot> Created ISSUE-32 - Sharing of data between entities via cookie syncing / identity brokering ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/32/edit .

Brett: may be covered in the linking section.

Brad: complexity of the choice we ask users to make
... are you actually exposing these exemptions to users, or just saying these are them

<npdoty> ISSUE: complexity of user choice (are exemptions exposed to users?)

<trackbot> Created ISSUE-33 - Complexity of user choice (are exemptions exposed to users?) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/33/edit .

Aleecia: many ways of slice/dice the DNT
... no split one choice
... DNT either on or off

ThomasLowenthal: ... user said on/off separately from what you do (on/off), there are multiple states the user could be in

Aleecia: that is in Notices and Feedback

Shane: what do you mean again?

Aleecia: One possibility, one button.

Scott: aggregate analytics

<npdoty> ISSUE: possible exemption for aggregate analytics

<trackbot> Created ISSUE-34 - Possible exemption for aggregate analytics ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/34/edit .

Kevin: if you have individual exemptions... can a site then ask the user, hey for US is it OK for US (this site) to track this now?
... opt back in just for this site

<npdoty> ISSUE-27: Kevin (Adobe): users should be able to opt back in for either a first or third party

<trackbot> ISSUE-27 Mechanism to revoke Do Not Track for specific entities (maybe I really like Google), "opt back in" notes added

Brett: Want a way to express the level of trust, for tracking.

Shane: Brand, and/or affiliated network... what is the definition of a party?

<npdoty> ISSUE-27: opting back in for a brand, for "an affiliated party"

<trackbot> ISSUE-27 Mechanism to revoke Do Not Track for specific entities (maybe I really like Google), "opt back in" notes added

EdFelten: how interacts with other existing programs

Aleecia: including industry self-regulation

<npdoty> ISSUE: how will DNT interact with existing opt-out programs (industry self-reg, other)?

<trackbot> Created ISSUE-35 - How will DNT interact with existing opt-out programs (industry self-reg, other)? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/35/edit .

Thomas ComScore: behavior Ads / content ... tracking is not the issue, but that the content has changed because of what I did before...

Aleecia: Two tiers? One is just behaviorally targeted Ads the othe rot just personalization

Thomas: yes

XXX: I have the idea we need a split, don't know how we decide.

<karl> another issue is people with shared devices and/or cybercafes. The browser (the device) is not the person. Specifically in third world countries

Jonathan: this might draw laughter... you could go all the way toward declarative P3P
... laughter...

<npdoty> ISSUE: should DNT opt-outs distinguish between behavioral targeting and other personalization?

<trackbot> Created ISSUE-36 - Should DNT opt-outs distinguish between behavioral targeting and other personalization? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/36/edit .

Jonathan: specific biz user roles in ecosystem

ThomasLowenthal: that seems to be explicitly out of scope

Aleecia: If not deep, OK, if deep, out of scope.

Kevin: as an actual consumer, what data is being kept, why, and is it only the advantage for me or just for you?

<tl> for reference: "The Working Group will not design mechanisms for the expression of complex or general-purpose policy statements."

Kevin: something that wide is doable?

<npdoty> ISSUE: granularity could be as complex as something P3P-style, based on business types and uses

<trackbot> Created ISSUE-37 - Granularity could be as complex as something P3P-style, based on business types and uses ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/37/edit .

Kevin: I am fine with the company keeping the info, for this reason, ...
... part of the split is so wide... conceptually that's what is driving me as the consumer

Aleecia: some categories can then be rolled up

Kevin: Why they want GPS, if it makes sense, will say yes.

Scott: That covers a lot of what I want to say.

<npdoty> ISSUE-37: could have exemptions that are based on different types of use ("I'm okay with anonymized use for research")

<trackbot> ISSUE-37 Granularity could be as complex as something P3P-style, based on business types and uses notes added

Kevin: setting up a DNT on exception and rules, just noting the user doesn't even know it's happening, still invisible
... consideration of when tracking is actually happening

Aleecia: anonymized data, splitting based on data use

Kimon: term of Europe, anonymized means something else perhaps, render a data set anonymous

Shane: break the tie with production system, here in US a random ID is not PII, in EU, used repetitively is not OK

Karl: meaning of DNT with user process in 3rd world country where computer / browser used by many people not just one
... mobile phone shared by community

<npdoty> ISSUE: granularity for different people who share a device or browser

<trackbot> Created ISSUE-38 - Granularity for different people who share a device or browser ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/38/edit .

Clay: goes along with mobile, be able to toggle based on geographically ... don't want to be tracked via GPS
... don't transmit my location ever ... yes
... other possibly use/not use DNT just for this session

<npdoty> ISSUE: tracking of geographic data (however it's determined, or used)

<trackbot> Created ISSUE-39 - Tracking of geographic data (however it's determined, or used) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/39/edit .

<npdoty> ISSUE: enable Do Not Track just for a session, rather than being stored

<trackbot> Created ISSUE-40 - Enable Do Not Track just for a session, rather than being stored ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/40/edit .

<npdoty> ISSUE-12?

<trackbot> ISSUE-12 -- How does tracking require relation to unique identities, pseudonyms, etc.? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/12

Charles: True Name vs pseudonymity
... also social networks as analogy to trust in brand / groups of them

Jennifer: we you use tracking negative but interest based targeting is positive
... a way to discuss this with users, words matter

<npdoty> ISSUE: consistent way to discuss tracking with users (terminology matters!)

<trackbot> Created ISSUE-41 - Consistent way to discuss tracking with users (terminology matters!) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/41/edit .

Jennifer: be consistent, alleviate confusion

Charles: Monolithic is where my social networking thing fits

Matthias: a channel from the browser from the site is there a back channel?

Cris: use cases.... make tracking more prominent in the browser
... e.g. you see Green or a lock

Aleecia: as a UI issue, we won't go into that

<npdoty> ISSUE: feedback to the user from the browser when Do Not Track is turned on

<trackbot> Created ISSUE-42 - Feedback to the user from the browser when Do Not Track is turned on ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/42/edit .

Cris: DNT enabled, educate user: here's how the site will change because of DNT being "on"
... either that, condition of using this site is ... we will capture this info., share this with those guys, etc.
... or you can pay a monthly subscription

Aleecia: vaguely like a Privacy policy is one, another is choice: money or lose functionality

Cris: Android... why access to my call list? Sure, I will give that up

Karl: Do you mean the server should be able to directly change the setting in the web page?

<npdoty> ISSUE: sites should be able to let the user know their options when they arrive with Do Not Track

<trackbot> Created ISSUE-43 - Sites should be able to let the user know their options when they arrive with Do Not Track ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/43/edit .

Cris: Yes, right, like in Firefox they provide that header, so they can detect and set it up.

Jonathan: 3 use cases
... 1 measure detect who is making a commitment to DNT

<npdoty> ISSUE: ability to measure/detect who is honoring Do Not Track at a technical level

<trackbot> Created ISSUE-44 - Ability to measure/detect who is honoring Do Not Track at a technical level ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/44/edit .

Jonathan: 2 regulatory hook here, companies making commitments here is only way now, have feedback mechanism into US Law

<npdoty> ISSUE: companies making public commitments with a "regulatory hook" for US legal purposes

<trackbot> Created ISSUE-45 - Companies making public commitments with a "regulatory hook" for US legal purposes ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/45/edit .

Jonathan: 3 some users might want to engage in self-help, this site promises DNT, user says only use those sites

Aleecia: reads back some:
... Know who supports DNT across ecosystem (exhaustive list), not just of the sites I was visiting

Jonathan: both would be nice

<npdoty> ISSUE: enable users to do more granular blocking based on whether the site responds honoring Do Not Track

<trackbot> Created ISSUE-46 - Enable users to do more granular blocking based on whether the site responds honoring Do Not Track ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/46/edit .

Jonathan: interface right in browser, and also list

Aleecia: regulatory hook?

Jonathan: US Law... without all details.... if a company makes a representation, then violates it, would be to make DNT enforceable via these commitments

<npdoty> ISSUE-44: useful both for broader crawling analysis and for per-site notice about which items are responsive

<trackbot> ISSUE-44 Ability to measure/detect who is honoring Do Not Track at a technical level notes added

Shane: challenge/response method, or textually in Privacy Policy, former in IETF draft

Amy: question for Jonathan
... co branded page?

<npdoty> ISSUE-45: a way to address "toothless" complaints or enforcement issues for Do Not Track

<trackbot> ISSUE-45 Companies making public commitments with a "regulatory hook" for US legal purposes notes added

Jonathan: providing some ability to know who is honoring it... combined page... broader web context is another... users, researchers, regulators, stakeholders, etc.

Amy: collaborative response creation OK?

Aleecia: roll up, multiple entities

Kimon: not sure the regulatory hook, would not work out with 27 regulatory jurisdictions
... unless it is personal data
... program of accountability.... isn't it under that heading?

Jonathan: both self-regulation and law, both useful here...
... he thinks law is doable, taking it offline

Aleecia: US and EU could differ, self-regulatory, and auditing can be bundled together, feedback mechanism

<npdoty> ISSUE-45: could be useful for enforcement either through regulation or self-regulation; "accountability"; could be EU/US jurisdiction distinctions

<trackbot> ISSUE-45 Companies making public commitments with a "regulatory hook" for US legal purposes notes added

Shane: self regulation should have teeth via Audits.

RoyFielding: issue

<npdoty> ISSUE: should the response from the server point to a URI of a policy (or an existing protocol) rather than a single bit in the protocol?

<trackbot> Created ISSUE-47 - Should the response from the server point to a URI of a policy (or an existing protocol) rather than a single bit in the protocol? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/47/edit .

<tlr> ISSUE-47: candidates: HTTP link relationship, .well-known, ...

<trackbot> ISSUE-47 Should the response from the server point to a URI of a policy (or an existing protocol) rather than a single bit in the protocol? notes added

ThomasLowenthal: re-propose, suggest use case: challenge / response, specific proposal

Matthias: Details not ironed out yet

Nick: are there specific details here?

ThomasLowenthal: Challenge is 1, server says I am going to follow 1, or allow 0. I see you are requesting DNT, and I as server may or may not accept that.

ThomasComScore: that means for exception you also have to...

ThomasLowenthal: No
... reply sent depends on why . what... taken offline

<npdoty> ISSUE: response from the server could both acknowledge receipt of a value and (separately) whether the server will honor it

<trackbot> Created ISSUE-48 - Response from the server could both acknowledge receipt of a value and (separately) whether the server will honor it ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/48/edit .

<tlr> ISSUE-48: alternate design choice for ISSUE-47

<trackbot> ISSUE-48 Response from the server could both acknowledge receipt of a value and (separately) whether the server will honor it notes added

Kevin: reframe ... with the Icon system ... is there a response with every back/forth so you can see it happening
... self asserted compliance vs audited compliance
... more weight to oversight?

Aleecia: Self-asserted compliance, useful feedback, <back and forth with Kevin>
... independent audit

Frederick: why not comply?

Aleecia: Facebook says we do not comply with the way that compact policies work rather than having tokens as part of that
... it exists now

Shane: no pen but have a use case
... depending on how we go about allowing the user to give consent
... leave it to parties to give consent vs (lost)

Aleecia: ... opt in using some other procedure

<npdoty> Shane: a common use case for specifying that you don't comply is the use case of noting that you the user have opted back in through some out-of-band measure

KevinAdobe: as a consumer once I click that box user assumes there is no tracking, but actually we can't tell... you may still be tracked

Peter: or they could lie and track you anyway

Aleecia: Notice of sites that DON'T give notice

<npdoty> ISSUE-48: could enable the browser to tell the user that they may still be tracked

<trackbot> ISSUE-48 Response from the server could both acknowledge receipt of a value and (separately) whether the server will honor it notes added

<clp_> Matthias: closing

closing remarks

Matthias: now we have all the boards .... catch all these balls in the air and put into documents somehow
... We opened 48 issues. 47 in fact. we closed the first one.

<npdoty> ... very positive so far, people listening to each other

Matthias: original agenda... too early for tech... best if we take the issues list and sort it, make little groups... tackle some of the issues
... if I would be me
... I would do the basic things first, find what they are, start there, in each issue
... smaller groups ideal
... drop yourself into issue interest groups
... report results back to larger group, then iterate

Aleecia: slip deadline on other deliverables?

Matthias: I don't know
... what we should do tomorrow: morning: ironing out issue
... afternoon sort issues into documents, create resolved and unresolved

tlr: agenda adjustment on the fly usually a bad idea
... may want to reallocate the time, a dinner discussion
... equal time, e.g. tech deliverable longer time needed

ifette: we are proposing breaking into groups for issues
... but people in the room don't agree, not that they don't understand them
... example of meaningful group discussion

Matthias: 1st party 3rd party, carve out all the cases, document them

ifette: expand and generate

Matthias: identify preliminary agreement... make proposals, plausible conclusion / solution
... focuses energy, makes results more tangible

Roy: anyone who raised an issue, gives mailing list your own description of what the issue means

Brad: only members can see issues, so some can't see them

tlr: you can send email, that will get registered and linked properly

Aleecia: subscribe if you have not, archives are public

<karl> http://lists.w3.org/Archives/Public/public-tracking/2011Sep/

<karl> Mailing list

Matthias: end, dinner at 7 pm at Legal Sea Food
... map on wall
... end session.

<fielding> http://www.w3.org/2011/tracking-protection/track/

Summary of Action Items

[NEW] ACTION: nick to put meeting calendar on WG home page [recorded in http://www.w3.org/2011/09/21-dnt-minutes.html#action02]
[NEW] ACTION: nick to set up iCal subscribable version of our events calendar [recorded in http://www.w3.org/2011/09/21-dnt-minutes.html#action03]
[NEW] ACTION: tlr to close this action, created as an example so people can see what actions look like and where they are DUE 2011-09-25 [recorded in http://www.w3.org/2011/09/21-dnt-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2011/09/26 00:53:03 $