01:23:15 aleecia has joined #dnt 01:25:56 KevinT has joined #dnt 01:42:05 ifette has joined #dnt 01:42:37 ifette has joined #dnt 01:51:57 davidwainberg has joined #dnt 01:52:14 tlr has joined #dnt 01:53:06 ISSUE-23: general case of ISSUE-34 01:53:06 ISSUE-23 Possible exemption for analytics notes added 01:53:07 ISSUE-34: special case of ISSUE-23 01:53:07 ISSUE-34 Possible exemption for aggregate analytics notes added 01:54:29 schunter has joined #dnt 01:57:30 issue-28? 01:57:30 ISSUE-28 -- Exception for mandatory legal process -- raised 01:57:30 http://www.w3.org/2011/tracking-protection/track/issues/28 01:57:35 issue-29? 01:57:35 ISSUE-29 -- Tracking that may be required by law enforcement -- raised 01:57:35 http://www.w3.org/2011/tracking-protection/track/issues/29 01:57:45 issue-28: duplicate of issue-29? 01:57:45 ISSUE-28 Exception for mandatory legal process notes added 01:57:51 issue-29: duplicate of issue-28? 01:57:51 ISSUE-29 Tracking that may be required by law enforcement notes added 02:00:41 rrsagent, draft minutes 02:00:41 I have made the request to generate http://www.w3.org/2011/09/22-dnt-minutes.html tlr 02:00:45 rrsagent, make record public 02:09:42 npdoty has joined #dnt 02:10:02 ISSUE: third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? 02:10:02 Created ISSUE-49 - Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/49/edit . 02:10:51 tl has joined #dnt 02:19:51 karl has joined #dnt 02:32:22 sudbury has joined #dnt 03:28:20 schunter has joined #dnt 12:44:26 RRSAgent has joined #dnt 12:44:26 logging to http://www.w3.org/2011/09/22-dnt-irc 12:45:03 rrsagent, make logs public 12:49:26 sudbury has joined #dnt 12:52:29 aleecia has joined #dnt 12:53:05 schunter has joined #dnt 12:57:20 Brett has joined #dnt 12:57:33 efelten has joined #dnt 12:58:45 dwainberg has joined #dnt 13:01:46 tl has joined #dnt 13:01:59 issue-49? 13:01:59 ISSUE-49 -- Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? -- raised 13:01:59 http://www.w3.org/2011/tracking-protection/track/issues/49 13:03:06 ifette has joined #dnt 13:03:07 Team_(dnt)13:00Z has now started 13:03:14 + +1.617.715.aaaa 13:03:20 jkaran has joined #dnt 13:03:29 alex_ has joined #dnt 13:03:46 ScribeNick: npdoty 13:03:56 matthias: welcome 13:04:03 … quite some progress yesterday, identified almost 50 issues 13:04:13 … thanks to the scribes from yesterday 13:04:16 13:04:27 Dan has joined #dnt 13:05:16 KevinT has joined #dnt 13:05:23 Frank has joined #dnt 13:05:40 devqc has joined #dnt 13:06:01 enewland has joined #dnt 13:06:12 devqc has left #dnt 13:06:20 suegl has joined #dnt 13:06:26 scott has joined #dnt 13:06:30 amy, erika, kevin, tl 13:06:35 Agenda? 13:06:42 Zakim, agenda? 13:06:42 Frank_ has joined #dnt 13:06:45 I see nothing on the agenda 13:06:59 Agenda: http://www.w3.org/2011/tracking-protection/agenda-20110922 13:07:09 Frank has left #dnt 13:07:12 agenda+ detailed discussion of issues 13:07:37 agenda+ Tracking Preference Expression 13:07:47 agenda+ Tracking Selection Lists 13:08:17 WileyS has joined #dnt 13:08:26 clay has joined #dnt 13:08:29 matthias: go through each issues, discuss, hope to resolve each of the issues 13:08:36 Zakim, next agendum 13:08:37 agendum 1. "detailed discussion of issues" taken up [from npdoty] 13:09:05 tlr has joined #dnt 13:09:18 ISSUE-17? 13:09:18 ISSUE-17 -- Data use by 1st Party -- raised 13:09:18 http://www.w3.org/2011/tracking-protection/track/issues/17 13:09:53 fielding has joined #dnt 13:10:06 aleecia: rather than deciding whether part of the key definition or exemptions, we just want to know whether it's covered or not 13:10:18 … if I visit a first party with Do Not Track on, should there be any difference 13:10:33 acolando has joined #dnt 13:10:39 fielding: will browsers send the DNT header to first party sites, if they make first party requests? 13:10:42 KevinS has joined #DNT 13:10:55 aleecia: as it stands today, I think first parties get the header 13:11:02 Shane: 2 things 13:11:10 scribenick: acolando 13:11:15 .. starting position should be 1st party not do anything 13:11:28 ... 1st party to receive signal and pass on 13:11:50 Nick: NYT should tell that signal received 13:11:58 Frank has joined #dnt 13:12:01 ... NYT can request pay or registration 13:12:33 Shane: first party may serve diff type of ad to user sending DNT 13:12:49 ISSUE: Are DNT headers sent to first parties? 13:12:50 Created ISSUE-50 - Are DNT headers sent to first parties? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/50/edit . 13:13:18 Erika has joined #dnt 13:13:35 ISSUE: should 1st party have any response to DNT signal 13:13:36 Created ISSUE-51 - Should 1st party have any response to DNT signal ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/51/edit . 13:13:55 Thomas: just because does not want targeted ads, not owrthless customer 13:14:07 ... still possible to monetize 13:14:11 s/Thomas/tl/ 13:15:30 Shane: not that extreme, industry research shows OBA does provide increase in value over other ads 13:15:51 Jonathan: has been discredited 13:15:56 <[Thomas]> [Thomas] has joined #dnt 13:16:13 fjh has joined #dnt 13:16:37 karl has joined #dnt 13:16:43 jmayer has joined #dnt 13:16:53 s/Jonathan/jmayer/ 13:17:00 I have a brief writeup on the Beales study at http://donottrack.us/bib/#sec_economics 13:17:26 There was lengthy discussion of the study at the Yale ISP Symposium "From Mad Men to Mad Bots" 13:17:36 Video may be available 13:17:49 amyc has joined #dnt 13:18:19 ??: if first parties are monetizing they need this information and to pass 13:18:45 Jennifer: in terms of 1st party receiving info, need to to know what to do because work with third parties 13:18:51 Beales Study: http://www.networkadvertising.org/pdfs/Beales_NAI_Study.pdf 13:18:51 s/??/David Wainberg/ 13:19:04 ... may need to deliver button or call to ad server, response depends on signal 13:19:20 By way of background, the Beales study was paid for by an industry group and not peer reviewed. 13:19:21 ... whatever user says, what if user has different cookies from self-reg program? 13:19:54 ... DNT turned off, but user has opted out of that entity / site 13:20:24 cris has joined #dnt 13:20:25 ... what if user has registered with company and provded demo info through registration 13:20:42 ... can ads be provided on demo, rather than BT 13:21:04 ISSUE: what if conflict between opt-out cookie and DNT? 13:21:04 Created ISSUE-52 - What if conflict between opt-out cookie and DNT? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/52/edit . 13:21:31 ISSUE: How should opt-out cookie and DNT signal interact? 13:21:31 Created ISSUE-53 - How should opt-out cookie and DNT signal interact? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/53/edit . 13:21:55 ISSUE: can first party provide targeting based on registration information even while sending DNT 13:21:55 Created ISSUE-54 - Can first party provide targeting based on registration information even while sending DNT ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/54/edit . 13:22:23 Ed: clarifying question - how would cookie conflict? 13:22:45 Jennifer: can opt out of individual companies on opt-out page 13:22:56 ... and default DNT is sent to all sites 13:23:12 Ed: does absence of opt-out cookie reflect consent to be tracked? 13:23:37 Jennifer: if DNT is turned on, and user hasn't opted out, then tracking should not happen 13:24:00 ... if DNT is on, but user has opted in to customization, then may have conflict 13:24:08 Ed: self reg does not offer opt-in 13:24:36 Shane: rferences w3c submission, agrees with Ed 13:24:47 ... if you receive opt-out cookie or DNT signal, honor it 13:25:12 ... only race condition is that user has set opt out cookie, but through DNT quid pro quo dialogue 13:25:34 ... would user consent to that dialogue override opt-out? 13:25:54 CBS: BT opt out is different than tracking 13:26:09 Thomas: can't have BT without tracking 13:26:30 Jonathan: can do BT without tracking, references research 13:26:54 ISSUE: What is relationship between behavioral advertising and tracking, subset, different items? 13:26:54 Created ISSUE-55 - What is relationship between behavioral advertising and tracking, subset, different items? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/55/edit . 13:27:34 Aleecia: six possible conditions with chart 13:28:00 Several papers on interest-targeted advertising without server-side third-party tracking at http://donottrack.us/bib/#sec_technology 13:28:12 Frank__ has joined #dnt 13:28:32 amyc_ has joined #dnt 13:28:54 Shane: if DNT definition equates to opt-out definition, then treat the same 13:29:18 Aleecia: what if user has opt out cookie and DNT off? 13:29:39 Jennifer: opting back in may be equivalent to removal of opt-out cookie 13:30:04 Aleecia: we agree on two things, open issue what happens when DNT/opt out doesnt agree 13:30:07 +??P1 13:30:21 ... what happens when users opt back in 13:30:47 Chris: do we have dispute where DNT is on, and no opt out cookie? just honor DNT 13:30:49 ISSUE: what if DNT is unspecified and an opt-out cookie is present? 13:30:49 Created ISSUE-56 - What if DNT is unspecified and an opt-out cookie is present? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/56/edit . 13:31:15 Jonathan: possible first party issue 13:31:31 ISSUE: What if an opt-out cookie exists but an "opt back in" out-of-band is present? 13:31:32 Created ISSUE-57 - What if an opt-out cookie exists but an "opt back in" out-of-band is present? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/57/edit . 13:31:34 ... one approach is that first party may or should do something, leave discretion 13:31:51 ... example, Google could disable web search history feature if DNT is on 13:32:42 Aleecia: example is that Google just uses its existing Google optout for analytics 13:33:04 Sue: does that have possiblity of confusing user, and companies choose to go above and beyond 13:33:23 .. how will users know what to expect 13:33:31 laurengelman has joined #dnt 13:33:43 | DNT: 1 | DNT unspec | DNT: 0 | OptBackIn| 13:33:43 --------------------------------------------------- 13:33:43 OOC | | | | | 13:33:43 --------------------------------------------------- 13:33:43 NO OCC | | | | | 13:33:44 --------------------------------------------------- 13:33:48 OCC=Opt-Out Cookies 13:33:55 ... area of competition 13:34:16 s/OCC/OOC/ 13:34:18 tl: rather than an area of confusion, maybe it's an area of competition for sites to respond to users who express a preference for more privacy and less tracking 13:34:23 amyc has joined #dnt 13:34:34 Kimon: who knows what users want, many different things 13:34:47 ... may want services and customizaiton on website 13:35:16 ... should be technology neutral, perhaps not refer to opt-out cookie, but all technologies used for tracking 13:35:24 Matthias: problem is generic 13:35:46 ... finish table and discuss by email, then document as issue 13:36:07 ISSUE: what if DNT is explicitly set to 0 and an opt-out cookie is present? 13:36:08 Created ISSUE-58 - What if DNT is explicitly set to 0 and an opt-out cookie is present? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/58/edit . 13:36:09 ... OK to send DNT header to first party? 13:36:23 ... seems like agreement on that point 13:36:33 q+ 13:36:37 Kimon: should first party know? 13:36:51 q- 13:37:10 Nick: two question - should we send to first party; should first party do something 13:37:18 Aleecia: just looking at first question 13:37:35 David: what if client has logic about what DNT signal to send to whom 13:37:53 ... should first party also know what signals sent to third parties on page 13:38:16 ISSUE: should the first party be informed about whether the user has sent a DNT header to third parties on their site? 13:38:16 Created ISSUE-59 - Should the first party be informed about whether the user has sent a DNT header to third parties on their site? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/59/edit . 13:38:29 Aleecia: should or must first parties know what is sent to third parties on their site 13:38:55 Frank_ has joined #dnt 13:39:11 Aleecia: parties may not know if 1st or third party 13:39:16 ISSUE: will a recipient know if it itself is a 1st or 3rd party? 13:39:16 Created ISSUE-60 - Will a recipient know if it itself is a 1st or 3rd party? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/60/edit . 13:39:51 close ISSUE-17, DNT signal will be sent to first parties 13:39:52 clp has joined #dnt 13:39:58 ... no disagreement, closes issue 13:39:58 Aleecia: anyone who disagrees that first party must receive signal? 13:40:05 Charles L. Perkins, Virtual Rendezvous, arriving. 13:40:12 One easy approach to sharing Do Not Track status across domains is postMessage, see http://donottrack.us/cookbook 13:40:25 ISSUE-51? 13:40:26 ISSUE-51 -- Should 1st party have any response to DNT signal -- raised 13:40:26 http://www.w3.org/2011/tracking-protection/track/issues/51 13:40:28 ifette: how would you tell a site whether they are first party or not? 13:40:37 ISSUE-50? 13:40:37 ISSUE-50 -- Are DNT headers sent to first parties? -- raised 13:40:37 http://www.w3.org/2011/tracking-protection/track/issues/50 13:40:46 ISSUE-50? 13:40:46 ISSUE-50 -- Are DNT headers sent to first parties? -- raised 13:40:46 http://www.w3.org/2011/tracking-protection/track/issues/50 13:41:14 close ISSUE-50 13:41:15 ISSUE-50 Are DNT headers sent to first parties? closed 13:41:34 ISSUE-50: The answer is yes. It has been decided to close it through consensus at WG F2F on September 22. 13:41:34 ISSUE-50 Are DNT headers sent to first parties? notes added 13:41:43 effectively, ISSUE-17 has been split into 50 and 51 13:42:43 ifette: it may be a difficult engineering challenge to determine whether an iframe is actually in a first party or third party context (as in Google embedding iframes of other Google domains) 13:43:12 amyc_ has joined #dnt 13:43:38 Kevin: can provide meta data around domains 13:43:48 ... won't solve first party or third party, but browser may be able to look in registry 13:44:19 Charles: can separate whether information is known externally, whether what is going on in browser 13:44:42 ... interesting to know relationships 13:44:53 s/Charles/clp/ 13:45:13 ifette: a site could publish something that shows everything that it considers part of itself 13:45:38 Charles: right, then could hide information in case iframe does not want to be known 13:46:19 Aleecia: sites could publish everything it considers to be part of a site, could be part of reco 13:46:36 ??: significant implementation cost 13:46:39 I.e., RDF, site publishes metdata, useful for research auditing sep. from issue within the browser 13:46:46 just fyi: http://www.w3.org/P3P/2003/12-domain-relationsships.html#Proposed 13:46:49 Yes, but amazingly useful. 13:46:57 s/??/Kevin_Adobe/ 13:47:00 Thomas: cookies that are not domain in browser bar 13:47:22 ... know same domain, don't know domains owned by same company 13:47:46 domains != companies 13:47:47 Charles: may solve problem, can list vendors 13:47:58 ... can publish all service providers 13:48:05 ... to a single site 13:48:21 Aleecia: sites could publish what they are 13:48:34 ISSUE: a site could publish a list of the other domains that are associated with them 13:48:35 Created ISSUE-61 - A site could publish a list of the other domains that are associated with them ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/61/edit . 13:48:37 ... some info could be sent by iframes, not clear what that would look like 13:49:04 ... third possibility, no idea whether content knows it is third party or first party 13:49:06 ISSUE: the browser or embedding site could send an architectural signal to an embedded iframe so it knows it's in a 3rd-party context 13:49:06 Created ISSUE-62 - The browser or embedding site could send an architectural signal to an embedded iframe so it knows it's in a 3rd-party context ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/62/edit . 13:49:13 KevinT has left #dnt 13:49:17 ... third is current state, we don't do anything 13:49:35 KevinT has joined #dnt 13:49:37 ... another issue is meta data in registry, but may not solve issue 13:49:46 ... deeper technical issue, need to discuss more 13:50:14 ... even if goal is that first party exempt 13:50:39 users can't tell the difference between first and third parties, and nor can we, so why talk about them at all? 13:51:05 Matthas: separate technology from policy, if technology is able to detect third party vs first party 13:51:27 Aleecia: request photo of white board 13:51:34 it would be fairly straightforward to engineer websites so they know whether they're a first party or third party 13:52:04 ISSUE-27? 13:52:04 ISSUE-27 -- Mechanism to revoke Do Not Track for specific entities (maybe I really like Google), "opt back in" -- raised 13:52:04 http://www.w3.org/2011/tracking-protection/track/issues/27 13:52:25 example: use gstatic1.com for google's static first-party content, gstatic3.com for google's static third-party content 13:52:41 ... maybe move to issue 27, skipping issue 49 that is treating 3rd party as 1st party 13:52:56 Nick: provides summary of issues 13:52:58 only issue is mishandling embeds google didn't intend, which i'm ok with 13:53:15 nick - can you post this summary directly because i'm not keeping up 13:53:54 *thanks nick 13:54:13 Awesome readback :) 13:54:14 open list of issues is here: http://www.w3.org/2011/tracking-protection/track/issues/raised 13:54:23 Charles idea wrt site publishing the way to determine 1st party solves many problems and makes a lot more possible. 13:54:35 Kevin: related issue is embedded first party things in site, like weather widget 13:54:45 ... users interacting directly 13:55:00 ... with widget, providing information directly 13:55:11 ... should be treated as first party 13:55:20 ISSUE-26? 13:55:20 ISSUE-26 -- Providing data to 3rd-party widgets -- does that imply consent? -- raised 13:55:20 http://www.w3.org/2011/tracking-protection/track/issues/26 13:55:22 Aleecia: this is existing issue 13:55:48 ... many things fall into widget example 13:56:02 TL: not clear that widgets should be treated as third party 13:56:12 s/third party/first party/ 13:56:12 widgets, extensions, iframe, add-ons, etc. 13:56:28 Charles: should consider whether user has intention of interacting of widget or service 13:56:32 how the user interacts with a widget is also important to consider 13:56:48 is scrolling a weather timeline enough to be tracked? (i think not.) 13:56:54 jkaran to send out a summary of the discussion for issue 17 13:56:57 Aleecia: ACTION; Jennifer to summarize and provide excel sheet 13:57:23 ACTION: jkaran to summarize issue 17 and provide excel sheet 13:57:23 Sorry, couldn't find user - jkaran 13:57:25 ... volunteer to summarize for Issue 27 13:57:29 Please use the projector to display the issue list. 13:57:33 ISSUE-27? 13:57:33 ISSUE-27 -- Mechanism to revoke Do Not Track for specific entities (maybe I really like Google), "opt back in" -- raised 13:57:33 http://www.w3.org/2011/tracking-protection/track/issues/27 13:58:09 Dan: volunteers to create summary of issue 27 13:58:32 Jonathan: starting point is using standard web technologies - no need for new technical mechanism - has examples 13:58:41 ... will post link 13:59:07 ... example of NYT pops up box asking for subscription or agreement to tracking 13:59:18 ... consent overrides DNT signal 13:59:30 Shane: technical details about where stored? 13:59:48 Some examples at http://donottrack.us/cookbook 13:59:57 TL: challenge response system designed to deal with this situation; site responds with DNT 1 or DNT 0 14:00:15 ... this site thinks you consented to be tracked, do you agree 14:00:26 ... then user continues 14:00:48 ISSUE: should there be a popup dialog or something like that which should override DNT? 14:00:51 Created ISSUE-63 - Should there be a popup dialog or something like that which should override DNT? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/63/edit . 14:01:06 Jonthan: pop up is example 14:01:30 ISSUE-63: a "popup" is just an example, the proposal from jmayer is that a site can use existing HTML to show the user a form to opt back in 14:01:30 ISSUE-63 Should there be a popup dialog or something like that which should override DNT? notes added 14:01:37 ??: is user opting into NYT or all third parties on NYT? 14:01:52 ifette: How to communicate to third parties on NYT 14:02:05 Jonathan: could be any of these 14:02:17 s/??/Clay/ 14:02:34 Clay: could NYT be third party tracker on other sites? 14:02:54 Charles: what does it mean to say ok to track dialogue 14:03:03 ... in site registration issue 14:03:24 kcs has joined #dnt 14:03:24 ... who is user, may be multiple people using same browser 14:03:34 ... have to support that in general 14:04:22 karl has joined #dnt 14:04:46 ifette: expectations in having DNT on; click something when visit a site 14:05:05 ... should explore how that interacts with DNT, uses example of language setting 14:05:18 ... what is reasonable expectation 14:06:11 Aleecia: thinks this is new issue, logged in vs logged out is relevant and another issue 14:06:20 ISSUE: how does preference management work with DNT 14:06:21 Created ISSUE-64 - How does preference management work with DNT ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/64/edit . 14:06:39 ISSUE: how does logged in and logged out state work 14:06:39 Created ISSUE-65 - How does logged in and logged out state work ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/65/edit . 14:06:59 nick, i'm assuming that we can clean up issues later 14:07:28 Dan: go to site, pop up window agree to what is in dialogue 14:07:35 if third party service provides service (collects data) for 1st party, it can provide the opt-in backend 14:07:43 ... does this carry over to third party site or apply only to first party 14:08:09 Aleecia: if you consent how and how long does consent exist? 14:08:37 ISSUE: can user be allowed to consent to both third party and first party to override general DNT? 14:08:37 Created ISSUE-66 - Can user be allowed to consent to both third party and first party to override general DNT? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/66/edit . 14:08:41 ISSUE-64: As an example, if a user has DNT on and clicks something that sets a preference (e.g. clicking "German" as a language setting) what is the implication for that? Should the site have to gather explicit opt-in to be able to set a cookie, or are there implicit exemptions 14:08:41 ISSUE-64 How does preference management work with DNT notes added 14:08:46 the yahoo paper: http://www.w3.org/2011/track-privacy/papers/Yahoo.pdf 14:08:57 + +1.202.263.aabb 14:09:06 Shane: should be stored client side so that users can see what exceptions were granted 14:09:31 ... blend of TPL and DNT; DNT is overriding no, then user comes back to say yes to particular sites 14:10:09 ... can first party get permission for tracking Internet wide, as where rich media vendor collects consent on behalf of others 14:10:33 ISSUE: should opt-back-in be stored on the client side? 14:10:33 Created ISSUE-67 - Should opt-back-in be stored on the client side? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/67/edit . 14:10:47 Aleecia: should we specify that consent stored client side in human readable way, should first party be able to collect consent web wide 14:11:11 David: is there a time dimension to conflict, as where user sets DNT after consent? 14:11:12 ISSUE-67: as proposed by Shane, this would allow interrogation on the client, changing these preferences by user on a browser, etc. 14:11:12 ISSUE-67 Should opt-back-in be stored on the client side? notes added 14:11:23 Aleecia: should add new column to table 14:11:35 ... thinks explicit consent should trump 14:11:49 ifette: from our point of view, logging into a site could be made equivalent to optting-back-in (provdided the user is clear on this), while setting a language preference /ought/ not require those things 14:12:11 why set a high-entropy cookie for a language setting? 14:12:13 Jennifer: company could be doing many different things with cookies, from ads to content customization 14:12:13 s/ifette:/ifette,/ 14:12:15 why not just LANG=de? 14:12:28 ... are you opting out of all cookie uses, or just tracking (not defined) 14:12:38 ... related to discussion about opting out of data type 14:13:14 s/ifette: from our/ifette, from our/ 14:13:15 Brett: two dialogue boxes from pop up plus challenge respons 14:13:23 ifette, sorry that's the default behaviour of my IRC client 14:13:28 :) 14:13:40 ... better user experience if a single choice 14:13:48 pde, many sites have a system where rather than enumerating all the preferences a user may have set in the cookie, they simply list an id 14:13:50 if I switch the ":" to a different character, does that fix the issue? 14:13:52 Shane: challenge response does not have to have dialogue box 14:13:58 ... may not have UI 14:14:16 pde, the cookies and values get sent with each request, so if you send a ton of crap with each request it's problematic 14:14:29 Aleecia: we are not designing dialogue boxes 14:14:43 jmayer, okay, so what we're talking about here is whether Facebook's 3rd party widgets are translated into german? 14:14:45 ifette, pde - recall this is about third parties, limited set of sites and options 14:14:47 s/dialogue/dialog/ 14:14:57 Cris: need to import features between browsers, as in saving preferences and favorites across browsers 14:15:11 ... one user with multiple browsers 14:15:15 since facebook as a 1st party can track the user for whatever purpose it wants 14:15:19 Aleecia: in scope? 14:15:22 sure, there's an example - i think it's plenty reasonable to ask facebook to use a language cookie 14:15:30 TL: should be out of scope 14:15:37 or alternatively, 14:15:41 Shane: adds argument for client side storage 14:16:01 ISSUE: should there be functionality for syncing preferences about tracking across different browsers? 14:16:02 Created ISSUE-68 - Should there be functionality for syncing preferences about tracking across different browsers? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/68/edit . 14:16:13 Charles: even if out of scope, perhaps footnote analogizing to how bookmarks 14:16:14 Facebook will suggest that you change your language on facebook.com based on your visits on different sites (e.g., suggest that you change your facebook.com experience to a german one after you visit a german-language site) 14:16:17 when I log into a small 1st party site, it can use tracking methods to set complex prefrences for its 3rd parties (not sure when that would occur, though) 14:16:41 ISSUE-68: tl: suggests this syncing feature is out of scope 14:16:41 ISSUE-68 Should there be functionality for syncing preferences about tracking across different browsers? notes added 14:16:46 Jonathan: even though not designing UI, need to specify adequate notice and consent 14:16:56 Aleecia: FTC would define this 14:17:17 Jonathan: we should specify cannot hide in privacy policy 14:17:22 ISSUE-68: Shane: even if this is out of scope, it might be another advantage of storing the opt-back-in on the client side 14:17:22 ISSUE-68 Should there be functionality for syncing preferences about tracking across different browsers? notes added 14:17:36 Matthias: seems like we can address 14:17:46 specification for mechanism for good notice is useful 14:17:49 Charles: may, should, must possible 14:18:06 Aleecia: do we say anything about double notice 14:18:29 ISSUE: should the spec say anything about minimal notice? (ie. don't bury in a privacy policy) 14:18:29 Created ISSUE-69 - Should the spec say anything about minimal notice? (ie. don't bury in a privacy policy) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/69/edit . 14:18:57 Aleecia: requests picture of whiteboard before break 14:18:58 Break after this last question 14:19:21 i'm not seeing an issue it duplicates 14:19:34 WileyS suggests that issues 42, 43, 44 may be similar to 69 14:19:35 cris: regarding persistence of opt-in, could there be a discussion of how long DNT asks 14:19:41 ... do sites have to ask again 14:19:49 ... after a certain period of time 14:20:06 FTR, usage of MUST, MAY, SHOULD, etc. "For example, they must not be used to try to impose a particular method on implementors where the method is not required for interoperability." — http://www.ietf.org/rfc/rfc2119.txt 14:20:20 Lia has joined #dnt 14:20:29 Aleecia: for example, could require sites to seek additional consent after a certain period of time 14:20:55 Jennifer: what happens when upgrade browser 14:21:12 ... does DNT persist across upgrades 14:21:17 TL: out of scope 14:21:44 ISSUE-68: should DNT persist across browser updates as well? (this may be out of scope) 14:21:44 ISSUE-68 Should there be functionality for syncing preferences about tracking across different browsers? notes added 14:21:53 Thomas: does it persist in client is out of scope 14:23:36 ISSUE: does a past HTTP request with DNT set affect future HTTP requests? (expiration) 14:23:36 Created ISSUE-70 - Does a past HTTP request with DNT set affect future HTTP requests? (expiration) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/70/edit . 14:23:53 Maybe not, if a policy decision needs to be made, like Do Not Call, DMA timout after 5 years 14:24:05 ^^Charles 14:24:30 amyc has joined #dnt 14:24:38 + +1.202.263.aacc 14:24:41 ISSUE: does DNT also affect past collection or use of past collection of info? 14:24:41 Created ISSUE-71 - Does DNT also affect past collection or use of past collection of info? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/71/edit . 14:24:41 Aleecia: do I honor preivously on 14:24:44 jmayer, so imagine I'm a 1st party and I get some logs along with DNT. I am allowed to keep the logs, but I'm not allowed to send them to 3rd parties. I think I need to keep a record of the DNT header for as long as I keep the logs 14:24:49 Shane: take the most recent state 14:25:04 David: from single client or across devices? 14:25:26 ISSUE-70? 14:25:26 ISSUE-70 -- Does a past HTTP request with DNT set affect future HTTP requests? (expiration) -- raised 14:25:26 http://www.w3.org/2011/tracking-protection/track/issues/70 14:25:39 close ISSUE-70 14:25:39 ISSUE-70 Does a past HTTP request with DNT set affect future HTTP requests? (expiration) closed 14:25:54 Aleecia: subsequent visits where DNT is off, treat as DNT off 14:25:55 ISSUE-70: take the most recent answer 14:25:56 ISSUE-70 Does a past HTTP request with DNT set affect future HTTP requests? (expiration) notes added 14:26:03 RESOLUTION: If a user visits a site with DNT ON, and subsequently visits with DNT OFF, that subsequent visit is treated as DNT OFF 14:26:32 Reconvene at 10:50 am 14:26:35 ISSUE-70: HTTP is stateless, and so the server based its responses on each message. 14:26:35 ISSUE-70 Does a past HTTP request with DNT set affect future HTTP requests? (expiration) notes added 14:26:47 Back at 10 before 11 am 14:28:33 -??P1 14:38:32 Hi Lia Sheena from FPF is here 14:41:41 Jules has joined #dnt 14:45:14 cris has joined #dnt 14:49:33 BrianTschumper has joined #dnt 14:50:30 +[Microsoft] 14:54:54 coming back soon? 14:57:39 ISSUE-70, close 15:00:04 scribenick: enewland 15:01:27 npdoty has joined #dnt 15:02:50 Coming back now 15:03:36 scribenick: enewland 15:04:09 Aleecia: Two issues to start with. First, do we exempt analytics. Second, do we exempt aggregate analytics 15:04:27 ISSUE-23? 15:04:27 ISSUE-23 -- Possible exemption for analytics -- raised 15:04:27 http://www.w3.org/2011/tracking-protection/track/issues/23 15:04:32 ISSUE-34? 15:04:32 ISSUE-34 -- Possible exemption for aggregate analytics -- raised 15:04:32 http://www.w3.org/2011/tracking-protection/track/issues/34 15:05:21 Clay has joined #dnt 15:05:49 Tom: Analytics by a first party on itself should be excepted. Analytics by a third party acting as a contractor and stores information appropriately, it should be siloed. Siloed as specified by contract and by technology as well. 15:06:24 ...To clarify. Where an analytics program is operated by a third party that is acting as a contractor and stores information appropriately, this analytics should be excepted 15:06:54 Jonathan: Siloing by tech is not sufficient. Information should be siloed by technology AND contractually 15:07:03 s/Jonathan/jmayer 15:07:30 ISSUE-34? 15:07:30 ISSUE-34 -- Possible exemption for aggregate analytics -- raised 15:07:30 http://www.w3.org/2011/tracking-protection/track/issues/34 15:07:34 Shane: For aggregate and anonymous reporting, contractual and technological requirements may not be necessary. 15:08:12 amyc has joined #dnt 15:08:25 Aleecia: what do we mean by aggregate? 15:09:10 Shane: Yahoo analytics may be used by site owners. Yahoo may use information collected across sites but used in the aggregate. And that should be exempted from DNT 15:09:30 Aleecia: to clarify -- as long as data is aggregated, DNT does not apply 15:09:38 Shane: yes 15:10:25 Matthias: Is it our job to set out the specific mechanisms of isolation? 15:10:35 David: What is the rationale for exempting analytics? 15:10:57 jmayer: We want to preserve comparative advantage on the web. 15:11:26 ...we may want an exception for analytics and related stuff. eg ad serving too 15:12:32 matthias: so we need a distinction between those who are processing the data as contractors and those who are collecting/using it for their own purposes 15:13:27 Justin-CDT has joined #dnt 15:13:46 efelten has joined #dnt 15:14:03 ... if we can guarantee that such where data is not being connected by these contractors, then this is an exemption and a principle we can apply 15:14:56 shane: if there are no independent rights to use that information, then yes, they should be excepted. but if they are using that info themselves, then the exception shoudlnt apply 15:15:19 [Microsoft] is Brian Tschumper 15:16:02 aleecia: independent use --- agent of first party 15:16:02 ISSUE: basic principle: independent use as an agent of a first party 15:16:02 Created ISSUE-72 - Basic principle: independent use as an agent of a first party ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/72/edit . 15:16:24 Zakim, [Microsoft] is BrianTschumper 15:16:24 +BrianTschumper; got it 15:17:21 aleecia: analytics is a special case, a subset of a larger case. About the role of a contractor where the contractor is taking data that is siloed and only using it for the purposes specified by the first party. is analytics worth treating separately from everything else within this larger case? 15:17:36 Jules Polonetsky is here on IRC and on and off the phone 15:17:43 shane: we still have to talk about analytics in the third party context 15:18:10 enewland: are we basically drawing the data controller / data processor distinction from EU law? 15:18:21 erica: are we drawing a distinction here that is basically the data controller/data processor distinction in the EU 15:19:16 This is Justin Brookman, following on IRC, will call in after lunch. 15:19:24 X: the controller is the entity that makes the decisions. Can outsource activities to processor and retains responsibility for how the processor uses that information. But different countries may define roles a bit differently. There are also co-controllers 15:19:44 s/X/Kimon/ 15:19:59 -BrianTschumper 15:20:03 ... We also have to figure out what is data? how do we define data 15:20:24 +[Microsoft] 15:21:02 ? 15:21:21 amyc has joined #dnt 15:21:25 http://en.wikipedia.org/wiki/Analytics 15:21:32 clarification from me: the data controller is the "owner" of the data, and responsible for it to the customers. a data processor is someone who is contracted to do something with that data, as an agent of the controller. 15:21:53 Aleecia: Charles is saying that there is a sub issue to the bound by siloed contract odes the contract persist after sale? 15:22:01 s/odes/does 15:22:10 s/odes/does/ 15:22:26 Charles: what if a first party collects data and then is bought out by another party who can then try to reuse the data? 15:23:05 owner is not going to be a super helpful term unless it is defined 15:23:40 Matthias: If a first party contract results in first party outsourcing functionality to an agent. Is that agent exempt from the DNT requirement provided it does not use that data for other purposes? 15:23:45 http://en.wikipedia.org/wiki/Web_analytics 15:24:52 +??P38 15:25:20 X: Google Analytics -- In some cases the publisher agrees to share the data with google for aggregate usage, but the publisher can opt out fo this 15:25:24 s/fo/of/ 15:26:10 Aleecia: we have an open issue that hasn'tt been resolved as to whether these parties need to be bound by contract, technology or both 15:26:12 s/X/Sean Harvey 15:26:17 s/X/Sean Harvey/ 15:27:11 .... so do we have agreement that an agent that is bound in whatever way we determine to only use the data on behalf of the site should be treated as the site itself? 15:27:29 Shane: this can bleed into operational use case as well. 15:27:30 i agree! 15:27:47 Aleecia: Whether you are a contractor doing analytics or shipping, this principle applies. 15:28:20 what if you transfer it at the command of the first party to their partner? 15:28:50 jmayer: Clarifying Question. To vote on this issue, we need to first resolve whether the third party agent needs to be bound by contract, technology, or both 15:29:06 Aleecia: We are going to vote. Three options. 15:29:18 can we vote via IRC? 15:29:26 ... We can say the agent must be bound by contract, bound by technology - open issue as to what it means, or both. 15:29:52 Matthias: A fourth option. Unspecified. Raise the policy objective in a technology neutral way. 15:30:15 Shane: or we could have a fourth option. Which is either (contract and technology) OR (technology) 15:30:36 ISSUE: in order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract 15:30:36 Created ISSUE-73 - In order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/73/edit . 15:31:02 Peter: So is a contract necessary on top of the technology? This can raise thorny issues with regards to existing contracts. 15:31:16 Jonathan: I don't mean a legal contract. 15:31:24 s/Jonathan/jmayer/ 15:31:57 Aleecia: Can W3C create a contract requirement? 15:32:11 ... question of authority here. 15:32:49 Matthias: We should say that the agent must ensure that the data can't be used in other contexts. And then just list some potential ways this could be achieved. Describe the ends that must be satisfied by these technologies rather than the means. 15:33:36 Brett: if the data CAN be combined, even if it's not combined. This is a privacy risk. eg, government access. So there should be no exception here, where the data can be combined 15:33:43 s/I don't mean a legal contract./It can be any sort of legal commitment, so long as it's enforceable by both customers and regulators./ 15:34:01 Kimon: That will be difficult to enforce. Hard to separate law from technology here. 15:35:28 I agree with Matthias 15:35:31 Shane: we need to be able to use data in the aggregate. useful for companies, society, etc. We don't want to be too overly prescriptive. 15:35:42 tl has joined #dnt 15:36:21 npdoty: If we say that analytics providers can track you across multiple sites such that they use the data in the aggregate, then the government can go to the site, request the data, which is used in the aggregate but not held in the aggregate, and then DNT has provided no protection. 15:37:07 Peter: if we postpone here, are we postponing the question of what kind of technology should be used? 15:37:52 q+ 15:38:09 Tom: On the question of people being bound legally. We can write in a specification what you need to do to comply with the specification. We can say that for a server to be in compliant with a certain standard, the CEO has to be wearing a blue hat. We can determine what is and is not compliance. Then if someone says they are compliant and they are not, then that is between the entity making that assertion and whoever they are making a false promise to 15:38:55 Kimon: If we exempt something, how much do we need to define it? 15:39:07 David Wainberg: are there any examples of W3C or other technical specifications that make a requirement on companies of this type? 15:39:22 jkaran has joined #dnt 15:39:32 we need to define it completely, otherwise anything can get in under the exemption 15:39:35 q- 15:39:36 ... If we agree that A is tracking and then we see web analytics is excluded and then define web analytics, we may impose a definition on the market that does not really accord with how the market is used today. 15:40:45 fielding, can you help us scribe your last statement 15:40:53 Charles: We don't have to say do or don't do something. We can say should or may. 15:41:16 Matthias: We have been talking about must 15:42:23 Brett: If we are going to carve out an exception in this case, then the data must truly remain in a first party contract. If i am saying do not track me and i am retaining the same user id across sites, then i am being tracked across site. Period. 15:42:42 ... there has to be no way to combine the information across different contexts if we are going to create an exception here. 15:43:42 Thomas: We are talking about an exchange of signals. Communication that when that byte or set of bytes goes over the wire, then here is what we expect you to do. There can be many ways to achieve the expected effect. We do not want to get too specific about how entities are supposed to achieve that effect. 15:43:42 . 15:43:46 s/Thomas/tlr/ 15:44:08 agree++ to what tlr said 15:44:22 ... This is a technical document. Let's focus on what the meaning of the messages is. The meaning of the messages that go over the wire. We can provide implementation guidance, but let's think to the effect that actually matters to the intent. 15:44:48 Aleecia: I would like to see if we have something we can get consensus on right now. If not, then I want someone to take action items to draft text, possibly competing proposals, and we will discuss this further on calls. 15:45:37 ... I suggest that we start by looking to see if we have rough consensus around the idea that we will not specify whether the requirement is technical or contract. Instead that it is based on intent that contractors are bound not to use data in other contracts and must only use data on behalf of the first party site if they are to be treated as a first party themselves. 15:45:46 ... is this something that, roughly, people in the room support? 15:45:55 David: we are talking about user level data, right? Not aggregate. 15:45:58 Aleecia: Yes. 15:46:09 ... This is not just analytics 15:46:25 I was agreeing with Matthias that we should say that the agent must ensure that the data can't be used in other contexts -- the various ways in which the agent could ensure such a thing does not matter for the standard because only the effect is measurable and only the effect matters in terms of compliance. 15:46:26 Kimon: I might have reservations if this is broader than analtytics 15:46:45 Matthias: This is a question of principle. We know it is not articulated completely. 15:47:11 Kimon: We may need more clarification than a commahere. 15:47:22 David: What do we mean by use? 15:47:41 Peter: We need to put a technical component into that commitment. 15:48:03 Alecia: yes, we're talking about use constrained to the first party 15:48:13 ... There are low hanging technical ways to do it. Our wording should specify that. As well as requiring a commitment as an actor 15:48:18 s/Alecia/aleecia/ 15:48:42 Peter: Must on the technical and should on the other commitment. But I would be ok in swapping that around. 15:48:52 Aleecia: We need some people to take action items for people to draft text. 15:49:21 Matthias: We have consensus that if the binding is sufficiently strong, then it is ok to treat these third party agents as first parties, it seems. But what is sufficiently strong? 15:49:45 Aleecia: But this question of what is sufficiently strong is a big deal. We need to resolve that first. 15:50:16 "once Shane and Jonathan agree, then we're all set" 15:50:49 Shane: I am fine with us not specifying too specifically what sufficiently strong means. 15:51:05 Aleecia: Maybe we should assign action items and move on? 15:51:37 Thomas: I think we have some agreement. We have consensus on the general principle and what piece of this still needs to be worked out 15:51:43 Matthias: So do we call this issue closed? 15:51:53 Aleecia: I want us to move on, but I do not want us to close this issue. 15:52:12 Aleecia: Jonathan and Shane will draft action items. 15:52:20 ISSUE-23? 15:52:20 ISSUE-23 -- Possible exemption for analytics -- raised 15:52:20 http://www.w3.org/2011/tracking-protection/track/issues/23 15:52:24 ISSUE-34? 15:52:24 ... for Issues 23 and Issues 34 15:52:24 ISSUE-34 -- Possible exemption for aggregate analytics -- raised 15:52:24 http://www.w3.org/2011/tracking-protection/track/issues/34 15:52:27 I argue that "tech" cannot be defined in any meaningful way that could reach consensus ... that is a rathole 15:53:02 davidwainberg has joined #dnt 15:53:46 15:54:06 Shane: How about writing up the issue by 9/30? 15:54:07 ACTION: Shane to draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) - due 2011-09-30 15:54:08 Created ACTION-5 - draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) [on Shane Wiley - due 2011-09-30]. 15:54:18 ACTION: Mayer to draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) - due 2011-09-30 15:54:19 Created ACTION-6 - draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) [on Jonathan Mayer - due 2011-09-30]. 15:54:28 action-5 due 2011-10-03 15:54:28 ACTION-5 draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) due date now 2011-10-03 15:54:33 action-6 due 2011-10-03 15:54:33 ACTION-6 draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) due date now 2011-10-03 15:54:39 tlr I thought we said next friday? 15:54:46 whooops, right 15:54:48 sorry 15:54:49 http://www.w3.org/2011/tracking-protection/track/actions/open 15:55:04 Shane: I am going to be saying that you must sign up for something in here, must obligate your organization to do something, whether that be contract or technology. Different organizations will meet the obligation in differentw ays. 15:55:05 ACTION-5 due 2011-09-30 15:55:05 ACTION-5 draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) due date now 2011-09-30 15:55:24 ACTION-5 due 2011-10-03 15:55:24 ACTION-5 draft proposed text to resolve ISSUE-23 and ISSUE-34 (organizations should commit to blah, must do the following things) due date now 2011-10-03 15:56:02 Aleecia: Next we will talk about Issue 25, and then Issue 22 15:56:11 Zakim, ISSUE-25? 15:56:11 I don't understand your question, enewland. 15:56:11 ISSUE-73 may also apply to ISSUE-23 and -34 15:56:21 ISSUE-25? 15:56:21 ISSUE-25 -- Possible exemption for research purposes -- raised 15:56:21 http://www.w3.org/2011/tracking-protection/track/issues/25 15:56:25 ISSUE-25? 15:56:25 ISSUE-25 -- Possible exemption for research purposes -- raised 15:56:25 http://www.w3.org/2011/tracking-protection/track/issues/25 15:56:46 ISSUE-22? 15:56:46 ISSUE-22 -- Still have "operational use" of data (auditing of where ads are shown, impression tracking, etc.) -- raised 15:56:46 http://www.w3.org/2011/tracking-protection/track/issues/22 15:56:59 Aleecia: Starting with Issue 25. 15:57:21 Shane: Many see 'analytics' and 'research' differently 15:58:12 ... Information being used for research is not being used to directly impact an individual's experience. To us that is the difference between the two. The information might be at the individual level, but it's only used for the research purpose. 15:59:18 -??P38 15:59:19 Aleecia: We have a suggested definition. That research is data that does not used to affect's a user's experience. 15:59:27 [disagreement] 16:00:39 What if the research is on how an individual uses the Web? 16:00:44 Jonathan: Data that does not identify the web history of an individual user. In a technical sense. 16:00:53 Jmayer -- is this your definition of research? 16:01:11 Research or aggregate analytics. 16:01:29 Charles: but even if it's not used to directly impact a user's experience, the collection can affect how a user experiences the web, her feelings about privacy, etc. 16:01:40 jonathan, does that specifically mean, for example, that data set would not include IP addresses or cookie identifiers? 16:01:48 Ed: If we say yes to this exemption, is all collection for this purpose ok? Are there retention limits? 16:02:02 ... This is an issue that may arise for alot of our issues 16:02:19 s/Ed/efelten/ 16:02:29 XX: So this is an exemption based on use? 16:02:32 s/alot of our issues/a lot of our proposed exemptions/ 16:02:40 - +1.202.263.aacc 16:02:44 amyc, cookie identifiers for sure, ip addresses are a technical question where we need more research 16:02:47 Shane: Yes. There will be continued collection for a limited use exemption. 16:03:03 XXX: the point of doing research is to improve the user experience 16:03:11 s/XXX/ifette/ 16:03:16 Shane: Direct user experience. Like OBA 16:03:28 s/XX/ifette/ 16:03:31 +??P5 16:04:09 Shane: I can learn about a specific cookie and then change an experience in response to that specific cookie. That is OBA. In the research example, I collect information about individuals, and then apply the things i learn to the general population 16:04:56 szhunter: i'm not sure what we're talking about 16:05:02 Scott: how about "not directly addressable"? 16:05:04 s/szhunter/schunter/ 16:05:22 Shane: This is general use exemptions for DNT. not related to collection 16:05:56 ... this is product improvement, etc. 16:06:04 Aleecia: Are you also seeing this as things like surveys 16:06:29 Shane: We have been discussing observed data. Surveys to me are declared information. That is different. 16:06:54 Scott: With surveying, would someone with DNT on never see a survey invite? 16:07:11 Aleecia: We have an issue, are surveys out of scope 16:07:18 ISSUE: Are surveys out of scope? 16:07:19 Created ISSUE-74 - Are surveys out of scope? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/74/edit . 16:07:37 Shane: I posit that all declared data is out of scope. For the entire DNT conversation 16:07:44 Aleecia: that is already an issue 16:08:54 Roy: I am confused. We are talking about web analytics here? Not analytics in general? What do we mean by research? Think about legitimate research institutions. These require consent from individuals. Tracking someone across the web requires consent for legitimate research. 16:09:24 shane: we didn't really get to the aggregation question 16:09:44 erica: if the collection still records an individual history across the web, then there are still privacy concerns 16:09:48 shane: "lots of ways to solve the government bogeyman problem" 16:10:34 amyc has joined #dnt 16:10:43 shane: different technical measures (blinding, one-way hash, destroying keys, etc.) so that the data can be collected in such a way that even if the government accessed it they couldn't find the person's name 16:11:22 erica: but even if it's not connected to a particular name, a pseudonym could allow for re-identification 16:11:33 i completely agree with erica on this 16:11:35 shane: well, there are questions of anonymization 16:12:11 + +1.425.681.aadd 16:12:44 - +1.425.681.aadd 16:12:52 X: we are getting to a fundamental disagreement. Collection vs use. What does collection mean? What collection is permissible and what is not. 16:13:19 s/X/Sean/ 16:13:25 Zakim, who is on the phone? 16:13:28 On the phone I see +1.617.715.aaaa, +1.202.263.aabb, [Microsoft], ??P5 16:13:44 Zakim, aaaa is WG-Live 16:13:44 +WG-Live; got it 16:13:45 Sean: It is not appropriate to say DNT is on but let people collect information about you around the web for research purposes. 16:14:05 Zakim, mute aabb 16:14:05 +1.202.263.aabb should now be muted 16:14:11 Zakim, mute [Microsoft] 16:14:11 [Microsoft] should now be muted 16:14:16 Zakim, mute ??P5 16:14:16 ??P5 should now be muted 16:14:35 Charles: what about ISPs? Then we already have collection and logging. 16:14:46 Aleecia: so this raises an issue. Are ISPs in or out of scope? 16:15:13 Thomas: we should stay on the application layer 16:15:18 ... and not raise this as an issue 16:16:05 I am on the phone 415 16:16:10 Frederick: I'm concerned about the idea that hashing IDs is the same as anonymity. If we are talking individual records for individual entities. This is a privacy problem. Maybe we should use a 'should' here. 16:16:17 Shane: to get aggregate, you have to start with somethign else 16:16:20 s/Frederick/fjh/ 16:16:34 … there is a point in time when you don't have aggregate data, even if you will at some point 16:16:35 fjh: So maybe it's a retention issue 16:16:50 Aleecia: Is hashing or trying to de-ietntify enough to be anonymous or should we require aggregate only? 16:16:53 I am talking too fast today. If "research" includes the study of humans activity (data collection of individual behavior for the sake of understanding that behavior), then legitimate research that complies with universally accepted human studies policies MUST obey the DNT preference because it expresses an opt-out. If "research" means studying something other than human activity, such as an aggregate set of paths from other sites and statistics regarding th 16:16:53 paths, then this should hall into the category of exemption by aggregation (i.e., we only want to exempt research if it is only stored in aggregate form). 16:17:04 16:17:07 fjh: so-called anonymization may not work as well as want it to. 16:17:13 rrsagent, bookmark? 16:17:13 See http://www.w3.org/2011/09/22-dnt-irc#T16-17-13 16:17:26 Kevin: what is the mechanism of exemption? 16:17:28 fjh: we could have a SHOULD requirement about anonymization or measures against de-identification 16:17:28 s/hall/fall/ 16:18:14 Kevin: How do companies claim exemptions? 16:18:26 ISSUE: How co companies claim exemptions and is that technical or not? 16:18:26 Created ISSUE-75 - How co companies claim exemptions and is that technical or not? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/75/edit . 16:18:46 q? 16:18:54 Aleecia: We do not have consensus on this. 16:18:58 lunch 16:19:00 Lunch time 16:19:02 … confusion by talking about different layers (SSL for example separates into two layers) 16:20:45 -[Microsoft] 16:27:15 -??P5 16:29:46 scott has joined #dnt 16:56:26 clp has joined #dnt 16:56:31 Back 16:58:07 Justin has joined #dnt 17:08:06 +[Microsoft] 17:08:14 zakim, [Microsoft] is me 17:08:14 +adrianba; got it 17:09:05 efelten has joined #dnt 17:10:12 npdoty has joined #dnt 17:10:52 +[Microsoft] 17:12:16 cris has joined #dnt 17:21:02 mischat has joined #dnt 17:29:00 kick off 17:29:21 scribenick: KevinT 17:29:50 referring to intro schematic around browser/server - focusing on message exchange details 17:30:10 matthias leading 17:30:47 amyc has joined #dnt 17:30:59 goal - find areas of fundamental agreement and build with those smaller pieces into the larger picture 17:31:09 tl has joined #dnt 17:31:09 this should be more technical than last discussion 17:31:34 tracking lists not in this discussion (next one) 17:32:12 Thomas starting with FF proposal around challenge response 17:32:19 IETF draft (from jmayer et al.) here -- http://datatracker.ietf.org/doc/draft-mayer-do-not-track/ 17:33:46 browser send DNT 0 or 1, server responds {0|1} <— what it thinks the browser said {0,1} <— confirmation of consumer actions (possible opt-in) 17:33:50 ... 17:33:52 17:33:55 jkaran has joined #dnt 17:34:05 17:34:49 tl: essentially Harlan Yu's position paper at the Princeton workshop 17:35:14 Tom Comscore - offering his proposal 17:35:52 yu's paper: http://www.w3.org/2011/track-privacy/papers/yu.pdf 17:36:04 tlr; do you have a copy of harlan yu's slide deck? 17:36:05 …server response (0,1) only (user desire, server reply) 17:36:08 adrianba, is there anyone on the phone from microsoft to describe the DOM proposal? 17:36:44 next proposal from Roy Adobe 17:37:01 s/Roy Adobe/fielding/ 17:37:12 npdoty, the proposal is simply to make the value that would be sent available in script - there was lots of discussion at Princeton about whether that is a good idea or not 17:37:28 …use Link: 17:37:43 npdoty, i think at this point it suffices to say that there is a proposal that this MAY be made available to script somehow 17:38:10 next proposal from Charles 17:38:30 Erika has joined #dnt 17:39:04 npdoty, i can speak to that briefly if necessary but i don't have much more to say :) 17:39:19 …include strings and ability to respond with a subset 17:39:26 next proposal from Ian 17:39:57 …in server response include a 3rd field for "I don't know" field 17:40:58 next proposal from Jonathan — IETF submission - server just replies with just user request confirmation 17:41:19 s/...include strings/... include strings/ 17:41:40 s/...in server/... in server/ 17:42:29 ditto 17:43:05 shane: include a response of providing an already expressed consent signal 17:43:32 jmayer has joined #dnt 17:43:55 dave: how do we communicate states among parties? 17:44:22 charles: this is in my proposal 17:44:51 david: … as in communicating to a first party whether one of the third parties is blocked 17:44:58 A set of requested String the encode: Desired things to NOT be tracked, shared, relationships of trust etc. 17:45:03 ^^Charles 17:45:13 ... reply is subset that the server can do 17:45:39 P1 - C "DNT: {0|1}" - S "DNT: {0|1},{0,1}" 17:45:39 P2 - C "DNT: {on,|off}" - S "DNT: {off|on,}" 17:45:44 ISSUE: should a server echo the DNT header to confirm receipt? 17:45:44 P3 - C "DNT: {0|1}" - S "DNT: {0,1}" 17:45:44 Created ISSUE-76 - Should a server echo the DNT header to confirm receipt? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/76/edit . 17:45:48 P4 - C "DNT: {0|1}" - S "DNT: ;rel=tracking;state=on" 17:45:50 P5 - C "DNT: {0|1}" - S "DNT: {0|1},{0,1,?}" 17:45:59 the concern is that http proxies suck, and have a poor habit of removing headers that they don't recognise 17:46:24 actually, custom headers almost always traverse the net 17:46:28 tl, how is this handled for other HTTP headers? 17:46:37 there's a study on this by collin jackson 17:47:06 jmayer: by custom headers do you mean X-foo 17:47:10 jmayer, link? 17:47:24 s/jmayer:/jmayer,/ 17:47:26 ISSUE: how does a website determine if a first or third party and should this be included in the protocol? 17:47:26 Created ISSUE-77 - How does a website determine if a first or third party and should this be included in the protocol? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/77/edit . 17:47:50 ISSUE-77: connected to ISSUE-60 17:47:50 ISSUE-77 How does a website determine if a first or third party and should this be included in the protocol? notes added 17:48:53 last paper in http://donottrack.us/bib/#sec_technology 17:49:18 q+ 17:49:21 wileys: add link back to where your DNT policy exists 17:49:30 susan: +1 17:49:39 s/susan/jkaran/ 17:50:34 roy: do we need have to send DNT=0 or just skip? 17:50:52 ISSUE: what is the difference between absence of DNT header and DNT = 0? 17:50:53 Created ISSUE-78 - What is the difference between absence of DNT header and DNT = 0? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/78/edit . 17:52:13 Kevin Adobe raised issue of whether to send a shortcut instead of string (well known location, e.g.) 17:52:41 ISSUE: should a server respond if a user sent DNT:0? 17:52:41 Created ISSUE-79 - Should a server respond if a user sent DNT:0? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/79/edit . 17:52:59 s/Kevin Adobe/KevinSmith:/ 17:53:54 pde: put the browser back in the loop, knowledge of the opt back ins 17:54:02 ... include a domain field 17:54:51 ISSUE: instead of responding with a Link: header URI, does it make sense to use a well-known location for this policy? 17:54:52 Created ISSUE-80 - Instead of responding with a Link: header URI, does it make sense to use a well-known location for this policy? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/80/edit . 17:55:10 P6 - C "DNT: {0|1}" - S "DNT: {1|0},domain, …" 17:55:25 ISSUE: Do we need a response at all from server? 17:55:25 Created ISSUE-81 - Do we need a response at all from server? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/81/edit . 17:56:34 ISSUE-81: ifette suggests that the user either trusts the site or doesn't, so why would the browser bother to expose this response to the user? 17:56:35 ISSUE-81 Do we need a response at all from server? notes added 17:57:02 matthias: reframe client—> server and server —> client core payload 17:58:21 jmayer has joined #dnt 17:59:15 … client-> server: DNT preference to be set by client as 0 or 1 (agree) 18:00:08 fredrich: extensibility — user can specify any limitations 18:00:19 does anyone know the number of that issue on extensibility? 18:00:30 s/fredrich/fjh/ 18:02:13 npdoty, not sure there is an issue open yet. I'm checking 18:03:56 issue-59? 18:03:56 ISSUE-59 -- Should the first party be informed about whether the user has sent a DNT header to third parties on their site? -- raised 18:03:56 http://www.w3.org/2011/tracking-protection/track/issues/59 18:04:21 npdoty, no issue open for extensibility of DNT header 18:04:47 Shane: just raising the problem, not a solution, that the first party will want to know which 3rd-parties are being blocked 18:04:52 ISSUE: Should the DNT header be extensible with additional parameters? 18:04:52 Created ISSUE-82 - Should the DNT header be extensible with additional parameters? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/82/edit . 18:05:08 matthias: from board generally: extensions include: 1) 1st or 3rd party, 2) fine grained controls, 3) identities, 4) blocking info 18:05:57 ChrisOlsen: what if the user wants to opt back out after they've opted back in? 18:06:18 issue: how do you opt out if already opted in? 18:06:19 Created ISSUE-83 - How do you opt out if already opted in? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/83/edit . 18:07:23 ifette: not thrilled around creating a bunch of UI in browser to manage these features 18:08:30 amyc: web based applications? is there a way to access the header? 18:09:13 ISSUE: do we need a JavaScript API / DOM property for client-side js access to Do Not Track status? 18:09:14 Created ISSUE-84 - Do we need a JavaScript API / DOM property for client-side js access to Do Not Track status? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/84/edit . 18:09:29 jmayer: DOM sets boolean flag but longer conversation 18:09:47 ISSUE: DOM property and its access generally and specifically to web apps 18:09:47 Created ISSUE-85 - DOM property and its access generally and specifically to web apps ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/85/edit . 18:09:59 close issue-85 18:09:59 ISSUE-85 DOM property and its access generally and specifically to web apps closed 18:10:11 issue-85: duplicate of issue-84 18:10:11 ISSUE-85 DOM property and its access generally and specifically to web apps notes added 18:11:06 npdoty, it wasn't a formal vote 18:12:13 jkaran has joined #dnt 18:12:16 ISSUE-78? 18:12:16 ISSUE-78 -- What is the difference between absence of DNT header and DNT = 0? -- raised 18:12:16 http://www.w3.org/2011/tracking-protection/track/issues/78 18:12:41 tl has joined #dnt 18:13:04 tl: there are two states, DNT:1 and the other state 18:13:22 David: there seems like an important distinction here if the header doesn't get sent at all 18:14:02 aleccia: reality is that most browser do not have this feature 18:14:10 s/aleccia/aleecia/ 18:14:23 efelten: are there any browsers with DNT set to 0? 18:14:36 s/any browsers/any current implementations/ 18:14:42 tom_comscore: AdBlock Plus does (?) 18:16:18 tlr: if header is present - then 0 or 1, open question is whether absence of header a different meaning for user? 18:16:23 ISSUE-58? 18:16:23 ISSUE-58 -- What if DNT is explicitly set to 0 and an opt-out cookie is present? -- raised 18:16:23 http://www.w3.org/2011/tracking-protection/track/issues/58 18:19:48 RESOLUTION: if a DNT header is present, its value is either 1 or 0 18:20:16 or at least, it's no options other than 0 or 1 18:20:28 DNT: the children 18:21:24 issue: do we have general extensibility capability for header response? 18:21:24 Created ISSUE-86 - Do we have general extensibility capability for header response? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/86/edit . 18:21:28 issue-82? 18:21:28 ISSUE-82 -- Should the DNT header be extensible with additional parameters? -- raised 18:21:28 http://www.w3.org/2011/tracking-protection/track/issues/82 18:21:38 close issue-86 18:21:39 ISSUE-86 Do we have general extensibility capability for header response? closed 18:21:45 issue-86: duplicate of issue-82 18:21:45 ISSUE-86 Do we have general extensibility capability for header response? notes added 18:21:57 did we capture the scope of David's reservation? 18:22:08 matthias: moving to Server response side 18:22:19 I'm not sure I understand David's reservation regarding the resolution 18:22:27 should ISSUE-82 be simply, "Should the DNT header be extensible" 18:22:38 davidwainberg, can you give more detail on your reservation? 18:23:26 "a server could use this to say the server does not know or will not tell you" 18:23:43 fielding: as a server developer I would never do this 18:24:07 David has joined #dnt 18:25:09 ifette: for very small sites, I might say that I understand but I don't know if I'm cooperating or not 18:25:19 matthias: list of options 1) bouncing user preference, 2) sending server choice, 3) extensions... 18:26:02 efelten: isn't is assumed the server receives this? 18:26:25 … what's the practical difference between not responding at all or responding with a ? 18:26:46 ifette: well, I don't think any of the responses will matter to the end user…. 18:28:10 roy: would not send "I don't know" other downstream servers or external processes that could be overridden erroneously 18:28:17 s/roy/fielding/ 18:29:20 karl: is response useful to browser or user (filter) 18:29:35 … if a response won't be useful to a user, then why send it? 18:30:05 pde: for user opting back in, need server response 18:30:22 other components of the server (application filters or subrequests) may know what they are doing or external components (TCP routers that do logging external to the web server) may know what they are doing, and I wouldn't want my clueless response to override the others 18:31:17 kevin adobe: don't define response if can't define use 18:31:32 OTOH, I agree with ifette that it would be better not to respond at all and just rely on the published policy for indicating compliance 18:31:46 cris: policy reputation might be a good response for consumers to trust 18:32:14 clay: server response —> claim 1st or 3rd party 18:33:20 ifette: p3p ui not understood —> why create DNT UI ? 18:34:06 brett: server response bring enforceability (base contract) 18:34:29 ifette: argue in privacy policy already 18:35:57 Zakim, ISSUE-82? 18:35:57 I don't understand your question, efelten. 18:36:05 ISSUE-82? 18:36:05 ISSUE-82 -- Should the DNT header be extensible with additional parameters? -- raised 18:36:05 http://www.w3.org/2011/tracking-protection/track/issues/82 18:36:09 ISSUE: Should there be an option for the server to respond with "I don't know what my policy is" 18:36:12 Created ISSUE-87 - Should there be an option for the server to respond with "I don't know what my policy is" ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/87/edit . 18:36:53 ifette, so you're okay with 0|1|?|no response ? 18:38:20 ifette, what about 0|1|no header ? 18:38:23 pde, i would prefer there be no server response. If as a group we decide there should be a server response, I would prefer the list of acceptable responses to include a '?' value 18:38:35 no header is not the same as "?" 18:38:47 no header could be just "I don't understand what DNT is" 18:38:53 ifette, i can think of a whole load of ui things that i like, and a whole load of non-ui things that browser might do.... 18:38:56 clp: other extensions — fine grained preferences 18:39:22 tl, happy to hear suggestions 18:39:28 ifette, so I think you do think the response should have 4 values rather than 3 (if there is going to be a response at all) 18:39:47 pde, if there is a response header, i was saying 3 values (0/1/?) 18:39:53 I would have been okay as leaving "not sure" and "I don't know about DNT" as the same case (the server sends no header) 18:40:08 ifette, for instance: i might enable or disable features that facilitate tracking. perhaps i treat third-party cookies, differently, or change my signature 18:40:12 efelten: other extension: URL of policy/link header 18:41:00 ifette, changing topics slightly -- I think your points about bad privacy UI design are well taken 18:41:05 dan has joined #dnt 18:41:17 ifette, incidentally, it's an eye, not a whirlpool in IE 18:41:21 and it's certainly dangerous/tricky/hard to put anything in browser chrome about this 18:41:38 but for us it's a good avenue to leave open if any browsers want to try it 18:41:43 tl i realize it's an eye, but it looks like a whirlpool to me and if I say an eye it might bias responses :) 18:41:51 while certainly avoiding any SHOULDs or MUSTs on the subject 18:42:17 "browsers MAY tell or ask users about this, or choose do anything else" 18:42:19 I thought efelten's suggestion was a response header that included a string about why the server is responding DNT:0 18:42:36 clp: other extension: Identity response 18:43:07 ifette, one big thing is that the browser might make really different choices in private browsing mode 18:43:40 sudbury has joined #dnt 18:44:47 ifette, the browser might ignore "DNT:1,0" in regular mode, but warn the user with a doorhanger notice in private browsing mode... 18:45:21 jkaran: include info around sub-domains 18:46:25 - +1.202.263.aabb 18:46:27 tl we explicitly say in our private mode that "Going incognito doesn't affect the behavior of other people, servers, or software" 18:46:54 for us, private browsing is about reducing the traces left on the user's computer 18:46:56 ifette, true enough, but that doesn't mean that you shouldn't do as much as possible 18:47:08 we don't want to give a false sense of security 18:47:29 ifette, we're considering how to adapt our private mode to local, remote, and network threats 18:47:46 short of using tor, it's not clear we're not giving users a false sense of security 18:47:49 (we've talked about tor...) 18:49:54 there's a lot you'd have to do to use tor safely... 18:50:01 18:51:33 winding down discussion, deciding on action items 18:53:14 use cases around "?" will hold after documentation of protocol to see if necessary 18:53:22 -[Microsoft] 19:01:06 adrianba, does anyone on the phone from MSFT want to talk during the next session on Lists? 19:01:47 scott has joined #dnt 19:02:51 jmayer has joined #dnt 19:07:36 npdoty, we don't have anything specific to present - our proposal is the list section of our submission 19:08:07 npdoty, our preference would be to start there and iterate based on feedback but want to hear what the group thinks 19:08:55 npdoty, for example karl has sent feedback to the list, which we're preparing a reply to 19:12:17 thanks, adrianba, you don't have any other specific comments for the live meeting? 19:14:50 npdoty, not at the moment 19:15:44 gotcha 19:16:48 Want to make sure the Adblock Plus format gets significant consideration. 19:17:50 It is hands down the most popular content blacklist format. 19:17:55 the input documents I see are: 19:17:59 * http://www.w3.org/Submission/web-tracking-protection/ 19:18:16 * http://adblockplus.org/en/filters 19:18:20 tlr has joined #dnt 19:18:35 * http://www.opera.com/support/mastering/kiosk/#url-filter 19:18:49 scribenick: tl 19:19:25 Zakim, agenda? 19:19:25 I see 3 items remaining on the agenda: 19:19:27 1. detailed discussion of issues [from npdoty] 19:19:28 2. Tracking Preference Expression [from npdoty] 19:19:29 3. Tracking Selection Lists [from npdoty] 19:19:33 zakim, close agendum 1 19:19:33 I see a speaker queue remaining and respectfully decline to close this agendum, npdoty 19:19:38 q? 19:19:41 matthias: last technical session: tracking selection list 19:19:43 q- pde 19:19:50 zakim, close agendum 1 19:19:50 agendum 1, detailed discussion of issues, closed 19:19:51 I see 2 items remaining on the agenda; the next one is 19:19:53 2. Tracking Preference Expression [from npdoty] 19:19:58 zakim, close agendum 2 19:19:58 agendum 2, Tracking Preference Expression, closed 19:20:00 I see 1 item remaining on the agenda: 19:20:02 3. Tracking Selection Lists [from npdoty] 19:20:07 zakim, take up agendum 3 19:20:07 agendum 3. "Tracking Selection Lists" taken up [from npdoty] 19:20:23 karl: microsoft tsl proposal 19:21:03 ... simple text file where each line lists a domain, and whether it should be allowed or blocked 19:21:22 ... ex: "-d rogue.example.com" blocks 19:21:57 ... and: "+d splendid.example.com" allows 19:22:59 ... already in IE 19:23:30 ... opera "url filters" proposer 19:23:44 s/proposer/proposal 19:23:54 tlr has joined #dnt 19:23:55 jmayer has joined #dnt 19:24:05 ... uses an .ini file, has dom api 19:24:20 ... in ms proposal, can have many lists 19:24:23 RRSAgent, bookmark 19:24:23 See http://www.w3.org/2011/09/22-dnt-irc#T19-24-23 19:24:24 +[Microsoft] 19:24:59 ... in firefox, there is another api 19:25:17 [i think karl is referring to adblock plus, not firefox] 19:25:56 david: clarification: after parsing list, if a domain is to be blocked, all third-party requests to that domain are ignored 19:26:25 ... if a domain is allowed on one list but blocked on another, it is allowed 19:26:51 the other reason for having an allow is so that you can have a simple general block rule and then allow exceptions 19:27:09 http://tplviewer.com/ 19:27:16 aleecia: you can use your own custom list, and your list overrides all others 19:27:28 karl: no, your own list does not override 19:27:46 http://www.w3.org/Submission/web-tracking-protection/#processing-multiple 19:28:04 merging lists, all allow rules merge at the top 19:28:16 tl: clarification, the "mozilla" mechanism is actuall abp 19:28:22 s/actuall/actually 19:29:10 ifette: this seems a lot more than tracking protection, it seems like an ad-blocker in the browser, and we don't want to ship one of those 19:30:13 davidwainberg: this standard is about dropping http requests. what else should i know about this? 19:30:48 ifette: ex: cross-origin http requests would have been dropped under some circumstances 19:31:22 thomas c: or multiple redirects 19:31:48 npdoty, not from ms but: not for blocking advertising, more like one-pixel trackers 19:31:50 jmayer has joined #dnt 19:32:12 Mozilla nsIContentPolicy, Interface for content policy mechanism. https://developer.mozilla.org/En/NsIContentPolicy 19:32:20 kevin: as a web developer, i don't like being unable to control my site 19:32:51 (Firefox has a bunch of APIs you can use to block content.) 19:33:26 jkaran, often things are requested on a pathway through several servers, if we block an intermediary, it might affect revenue counts 19:33:40 s/jkaran,/jkaran:/ 19:34:06 ... this list could be huge, and it's not clear to a user how these lists may interact 19:35:03 Brett: this is a terrible idea. you can end up blocking css and other site-critical elements. most of these lists actually are ad-blockers, and this is content theft. 19:35:30 ... i love that this gives consumers choice, i hate that it takes choice from content providers 19:35:56 roy: i don't see any interoperability needs for these lists 19:36:42 tl, to block tracking, you have to block advertising http://cyberlaw.stanford.edu/node/6730 19:38:42 tl: web developers: i know that you like to control experience, but if you do something that users object to, they're entitled to be in on that conversation 19:39:14 re: ad blocking as "theft," it's trivial to tier access to visitors who block ads 19:39:26 tl: it may be the case that billing is broken, but if billing depends on objectionable tracking, that's something that users should be involved in 19:39:27 cris has joined #dnt 19:39:29 I don't see any interoperability issue here that can be standardized -- the browsers do not share these lists with other browsers, even those owned by the same user. 19:39:38 s/re: ad/re ad/ 19:39:51 tl: re standards: the formats, one piece of content, that's entirely the point of a standard 19:40:06 ifette, browsers are user agents, they should follow user needs 19:40:39 ... agree with tl's point re negotiation. we need to facilitate negotiations between users and sites 19:40:42 ... someone couldn 19:40:46 strike that 19:41:02 ... someone couldn't just walk into a store and take without paying 19:41:14 ...likewise, shouldn't do the same with content 19:41:15 ifette: but the content belongs to the site. So, both party's interests need to be respected 19:41:32 thomas c: lists seem unscalable, blunt instruments 19:42:07 ...content publishers have some mechanisms to identify third part calls 19:42:29 kevin: is crazy-talk, nobody would ever do that. 19:42:45 thomas c: yeah, but you could do it sometimes. 19:43:26 thomas z: all about negotiation. publishers need to know about blocking when it happens. 19:43:48 jmayer_ has joined #dnt 19:43:57 KevinT: lists provide a way to make policy. there can be a system separate from policy 19:44:06 ... exemptions can also be filtered 19:44:12 s/kimon/thomas z/ 19:44:58 s/thomas z/kimon/ 19:45:05 ... this concept of reputation is important. users shouldn't have to decide who's trustworthy, they should be able to outsource that to list-authors (like with antivirus) 19:45:13 oops, thanks ed :) mixed up the order 19:45:33 clay_ has joined #dnt 19:45:36 cris: need to have conversation between first party and advertisers, users 19:46:11 tlr has joined #dnt 19:46:28 tlr has joined #dnt 19:46:30 just to quote vp at bluecava, Eric Johannsen 19:46:41 “If tracking protection is implemented so that consumers cannot be tracked, there will be no free internet.” 19:46:51 charles: if anyone wants to use these lists, we should agree on the format. if we have a better way to implement these lists, we should do that. negotiation is awesome, need a good way to express that 19:47:20 q? 19:47:24 we need the ability for consumers to express a preference, not blocking, not protecting, to whether or not to allow website to track in exchange for service and content 19:48:16 karl: @ifette: sometimes opera and google disagree. you don't want to ship these lists; at the same time, chrome has an adblock extension. users may want the choice to install these addons, and these lists are the tools they need to do that effectively. 19:49:01 ... i naysay to those who think that users who block ads will kill the web. arguing against this is arguing against reality: people already do this! 19:49:32 matthias: adblockers exist, and it's not our place to disallow those. we need to talk about the actual interoperability needs of these lists. 19:49:42 Unclear that Do Not Track will get buy-in. We should standardize tools for consumers to help themselves if that doesn't happen. 19:50:00 ... c.v. antivirus, where there's lock-in on lists, and less competition. 19:50:45 ... browser vendors are free to use these lists or not. from a standards perspective we need to decide whether we want to mandate these lists. 19:52:05 tl: we don't want to mandate the use of these lists, we just want to agree on the format 19:52:06 karl: concur 19:52:06 kevin: should we talk about this at all? 19:52:06 ifette: suggest: no needs for standards 19:52:16 ... exist many adblockers, they don't seem to be suffering from a lack of standards 19:52:27 ... why should we deal with helping them 19:52:34 ... our time could be better spent 19:53:16 s/needs for standards/no need for standards for blocking lists/ 19:53:47 thomas z: when you get on a bus, you see ads. there's bad advertising, but it's here to stay. agreeing on an industry standard to block ads is wrong, and it's an abuse by browser manufacturers 19:53:56 s/thomas z/kimon/ 19:54:02 s/no needs for standards/no need to standardize list format for ad blockers/ 19:55:43 npdoty: this isn't "stealing". this is a good place to agree on a common format. we should not try to control what users do. standards exist to allow users to do what they want. some have disabilities or other problems. user agents should not be *forced* to make requests 19:56:08 Would like to note that Chrome was once on track to support blocklists. http://code.google.com/p/chromium/issues/detail?id=16932 19:56:33 ... re: notice and negotiation: good idea! the user-agent should fire-off a download error when blocking, so sites can react and monetize. 19:57:12 +1 to npdoty 19:57:32 tlr: clarification requested by matthias: it is up to chair to make decisions about use of time & resources 19:57:48 matthias: we agree that we shouldn't mandate lists 19:57:54 karl: we couldn't 19:57:54 scott has joined #dnt 19:58:37 matthias: anyone want to do this? 19:58:47 tl: if there's so little interest, it should take no time 19:59:03 ifette, if there's little interest, perhaps someone else can do it 19:59:15 s/someone else/some other group/ 19:59:34 kevin: all conversation about lists moves to adblocking. perhaps we should listen to that 19:59:39 not everyone is here that might be interested in this discussion, some had to leave early 20:00:03 karl: the list format is not content-specific. it could block malware, or anything else. 20:00:20 charles: we all agree that we do not want to mandate these lists 20:01:21 tl: clarification: we do not want to (and may not be able to) mandate the use of these lists. we shall speak of it no more! 20:01:48 matthias: if ads are blocked through an ad blocker, do we need some way to communicate this to a site 20:02:20 ifette: i thought we didn't care? 20:02:35 aleecia: we can later discuss whether we care 20:02:39 ifette: deal 20:02:43 charles: negotiation? 20:02:50 matthias: maybe 20:02:57 It's really quite straightforward to detect ad blocking with current tools. 20:03:16 matthias: repeats "if ads are blocked through an ad blocker, do we need some way to communicate this to a site" 20:03:30 matthias: straw poll: 20:03:52 ifette: who cannot live with continuing to work on it 20:04:05 aleecia: significant split 20:04:14 edfelten: also, ms is not here 20:04:26 matthias: session ended 20:04:48 This is bogus. Advertising companies force users to choose between publisher monetization and privacy, then cry foul when users choose privacy. 20:05:16 Break until 4:30 pm for wrapup 20:07:14 adrianba has left #dnt 20:07:19 -adrianba 20:07:29 Charles: take a look at this: 20:07:30 http://www.slate.com/id/2304404/pagenum/all/#p2 20:07:39 .... a la blocking issues 20:12:30 ... (it's nothing revolutionary, just thought the automated list abuse underlined earlier arguments made) 20:18:54 Wrapup 20:19:09 scribenick: npdoty 20:19:19 aleecia: we have aggressive deadlines at the moment and we don't have text yet 20:19:23 Aleecia: agreesive deadlines no text yet 20:19:31 … we're planning to have editors before next Wednesday 20:19:40 … expecting to have straw man drafts at the same time 20:19:57 … need to turn minutes and the issues list into something useful (merging, grouping, removing duplicates) 20:20:08 … call on Wednesday start creating action items out of the issues list 20:20:16 … really enjoyed the energy level, people engaged 20:20:30 … comments have been constructive; heated, but not personal, working towards resolution 20:20:38 … we've been productive in raising issues 20:20:49 … and understanding the W3C process 20:21:05 … thx to the scribes! and nick and thomas 20:21:15 … thanks for coming on short notice and participating 20:21:34 … not everyone will make this Wednesday's call we know, but that will be the standing call 20:21:56 clp: recorded audio -- let me know if you're interested 20:22:20 tlr: better to announce recording of audio ahead of time 20:23:04 email pictures and links of pictures to npdoty@w3.org who will compile for the sake of the minutes 20:23:24 matthias: thanks as well, next wednesday call we'll take the issues and start assigning 20:23:31 bye all 20:23:34 … liked this meeting a lot and had everyone engaged 20:23:39 … see you again in Santa Clara 20:23:41 20:23:54 Zakim, close agendum 20:23:54 I don't understand 'close agendum', npdoty 20:23:58 Zakim, agenda? 20:23:58 I see 1 item remaining on the agenda: 20:23:59 3. Tracking Selection Lists [from npdoty] 20:24:08 Zakim, next agendum 20:24:08 I do not see any more non-closed or non-skipped agenda items, npdoty 20:24:20 Zakim, close agendum 3 20:24:20 agendum 3, Tracking Selection Lists, closed 20:24:21 I see nothing remaining on the agenda 20:24:46 -[Microsoft] 20:24:48 rrsagent, bookmark? 20:24:48 See http://www.w3.org/2011/09/22-dnt-irc#T20-24-48 20:24:53 rrsagent, draft minutes 20:24:53 I have made the request to generate http://www.w3.org/2011/09/22-dnt-minutes.html npdoty 20:25:02 rrsagent, make minutes public 20:25:02 I'm logging. I don't understand 'make minutes public', npdoty. Try /msg RRSAgent help 20:25:09 laurengelman has joined #dnt 20:27:13 jmayer has joined #dnt 20:32:36 aleecia has joined #dnt 20:34:49 jmayer has joined #dnt 20:38:36 jmayer_ has joined #dnt 20:45:14 tlr has joined #dnt 20:58:01 ifette has joined #dnt 21:05:00 disconnecting the lone participant, WG-Live, in Team_(dnt)13:00Z 21:05:01 Team_(dnt)13:00Z has ended 21:05:04 Attendees were +1.617.715.aaaa, +1.202.263.aabb, +1.202.263.aacc, BrianTschumper, +1.425.681.aadd, WG-Live, adrianba, [Microsoft] 21:23:56 <[Thomas]> [Thomas] has joined #dnt 22:22:52 fielding has joined #dnt 22:36:01 dan has joined #dnt 22:43:30 KevinT has joined #dnt 23:16:05 KevinT has left #dnt 23:16:59 tl has joined #dnt