W3C

Tracking Protection Working Group Teleconference

28 Sep 2011

Agenda

See also: IRC log

Attendees

Present
+1.202.872.aaaa, +1.609.981.aabb, dsinger, +1.510.859.aacc, npdoty, aleecia, tl, +1.202.684.aadd, +1.212.231.aaee, Jonathan, +49.721.913.74.aagg, NogaRosenthal, +1.215.591.aahh, alissa, +1.813.366.aaii, +1.813.907.aajj, +1.908.541.aakk, +1.202.326.aall, +1.415.734.aamm, efelten, dmckinney, +49.157.884.8.aann, +1.202.637.aaoo, justin, [Microsoft], +1.646.723.aapp, +1.212.673.aaqq, davidwainberg, +1.510.501.aarr, +1.202.326.aass, PederMagee, enewland, +1.206.658.aatt, +1.415.920.aauu, +1.703.438.aavv, +3249434aaww, +1.571.309.aaxx, +1.571.309.aayy, Thomas, [Apple], hober, +49.157.884.8.aazz
Regrets
Karl Dubost, Roy Fielding
Chair
aleecia
Scribe
tom

<hober> semi-regrets for today: I won't be on the call but will be here in IRC.

<aleecia> i'm having insane mouse issues; may not be able to type on IRC depending on how things go

time to get started?

<clp> This is Charles L. Perkins, Virtual Rendezvous.

Selection of scribe

<aleecia> scribe: tom

Any comments on minutes?

aleecia: reviewing minutes from boston

<npdoty> http://www.w3.org/2011/09/21-dnt-minutes.html

aleecia: links sent out

<npdoty> http://www.w3.org/2011/09/22-dnt-minutes.html

aleecia: any comments?

<jkaran> Sorry - how do you get the audio?

aleecia: no comments. minutes are approved.

<jkaran> The email had a different code.

npdoty: if you have photos, please send them to nick

<npdoty> Please send me (npdoty@w3.org) any photos.

<npdoty> Sorry about confusion over the code, I sent a correction via email.

<clp> (can hear audio now, had wrong code)

aleecia: announcing some editors
... Justin Brookman [with] Erica Newland editing compliance [specification]
... Roy Fielding, Adobe editing tracking preference expression
... technical editor [for Selection List document] tba
... turn to pending action items

<npdoty> http://www.w3.org/2011/tracking-protection/track/

aleecia: please review the issues list online

<npdoty> http://www.w3.org/2011/tracking-protection/track/actions/open

aleecia: aleecia has one overdue action
... currently overdue on producing a summary contrasting several input documents
... could anyone volunteer to assist with that action over the next week

<clp> I can try to help you, Aleecia.

aleecia: the rest is silence
... clp volunteers to assist aleecia
... more assistance always useful

Old business (editors, action items, merged issues)

aleecia: move on to look at some of the issues which have been merged and deduplicated

<npdoty> http://www.w3.org/2011/tracking-protection/track/issues

aleecia: there are some closed issues. if you have comments, enqueue yourself in irc.
... issue 16,18 are pure entry error duplicates
... four other duplicate pairs
... 3,33 == about user choice & complexity
... 7,11 == both documenting use cases

jonathan: 34,23: want to note difference between subcontractor exemption and analytics exemption

aleecia: yes, but one could be removed without the other
... renaming issues 19, 37

<dsinger_> Wants to know how you would like discussion of the issues handled. In email, on a wiki, or…?

tl: can we be automatically notified to issue changes?

aleecia: unknown

npdoty: can do atom feeds. we don't want emails, because that's tiresome.

aleecia: prefer to discuss, rather than notify, at least to start

Tracking Preference Expression Definitions and Compliance discussion of issues

aleecia: new business
... base cases!
... #1 when you know you're a third party, and you know you're serving targeted ads
... #2 when you know you're a first party
... the two extremes
... nb issues 19 & 17

<dsinger_> Nothing that COULD be associated with a single user may be recorded

<dsinger_> ?

tl: propose: case #1 do not record any information about dnt user, except for minimized security & performance logs not used for any other purpose

jonathan: question: is the 3p making behavioral advertising use of information, a 3p only doing behavioral ads, or any 3p

aleecia: just a 3p doing only behavioral ads

<npdoty> ISSUE-19?

<trackbot> ISSUE-19 -- Data collection / Data use (3rd party) -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/19

<schunter> Matthias: I would rephrase the question as "what (technical) means should a 3rd party instantiate in order to ensure that it satisfies the desire of a user not to be tracked".

jmayer: i think we can all agree that data cannot be used

<jmayer> My underlying concern here: there's no company that does *just* behavioral advertising use of data.

<jkaran> Yes

aleecia: repeat: proposal: data cannot be used to target ads when dnt is on

<npdoty> ACTION: Jonathan to clarify distinctions on "opt back in" between ISSUE-27 and ISSUE-63 [recorded in http://www.w3.org/2011/09/28-dnt-minutes.html#action01]

<trackbot> Created ACTION-7 - Clarify distinctions on "opt back in" between ISSUE-27 and ISSUE-63 [on Jonathan Mayer - due 2011-10-05].

jkaran: agree kinda, but we already have self-reg using cookies
... then check to look at cookies

<npdoty> ACTION-7 due 9-30

<trackbot> ACTION-7 Clarify distinctions on "opt back in" between ISSUE-27 and ISSUE-63 due date now 9-30

jkaran: and possibly see if user is opted in

aleecia: are there actually any opt in cookies?

jkaran: no, only opt-out cookies

<jmayer> For the moment we're discussing whether Do Not Track does at least as much as opt-out cookies; does that require figuring out how to reconcile DNT and opt-out cookies?

<schunter> If a cookie is opt-out only, then expressing a preference not to be tracked via cookie OR DNT should stop tracking.

jkaran: my opinion: either dnt or cookie is sufficient

<npdoty> I think we're discussing ISSUE-56 and ISSUE-58 now

davidwai: the us does not include opt-in. some companies may use opt in. companies might implement opt-in by deleting an opt-out cookie

<schunter> Only potential conflict is opt-out cookie + DNT expression that tracking is OK (from my perspective).

aleecia: sounds like we're talking about future-proofing against affirmative opt-in

<npdoty> ISSUE-27?

<trackbot> ISSUE-27 -- Mechanism to revoke Do Not Track for specific entities (maybe I really like Google), "opt back in" -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/27

pde: let's talk about opt-back-in later, on that issue

aleecia: so let it be done!

<jmayer> This doesn't sound like it falls within OBA use of data.

<schunter> Can you post the final phrasing in IRC?

pde: largely agree with tom: 3p must stop retaining data. also link to another issue: scope of security/ fraud data. that sec/fraud &c data must be protected from misuse. let's talk about that excep later.

aleecia: can talk about both use and collection. let's start first by agreeing on use.
... so, to begin: assert: 3p should not use any ob data aforeobtained to serve an ad

<npdoty> '3rd party that receives a DNT header, modulo some exemptions and opt-back-in options, should not use any behavioral data to target an ad' -- was that the language we're discussing?

<clp> Yes

amyc: there may need to be ad tracking exemptions, some ad may need to be served

aleecia: exemptions later. does anyone disagree with the basic principle

<efelten> Not sure what is on the table now. Is it "no use for OBA, other uses to be discussed later" or "no use for OBA, other uses are allowed"?

<jmayer> efelten, the former

<pde> amyc: do you think that ad delivery needs exemptions beyond the exemption for anonymized, statistical reporting, and the exemption for clickfraud?

<jmayer> efelten, and "collection to be discussed later"

dsinger: important to separate the data already collected from data to be collected now.

<jmayer> The question on the table is, in essence, "Does Do Not Track do at least as much as current self-regulation?"

dsinger: i think it would be unacceptable to collect but not use, let's talk about that

aleecia: yes, later
... so are we saying that you can't use data from (current transaction|all time)
... does anyone disagree with a prohibition on using all historical data

<jmayer> Historical data for OBA purposes

david: do we mean any historical data, any historical *oba* data...?

<jmayer> everything!

aleecia: if you are a 3p, seeing dnt, does it merely mean that you cannot use this session's data, or all history data... to serve ads

<pde> it's /tracking/ data

<pde> anything that is linkable

<jmayer> any data about an individual user

david: oba data, or any data?
... should it mean no use of ob data for ob ads, or anything else?

aleecia: yes

david: sounds like industry opt out

aleecia: yes. starting here

<jmayer> unsure what "OBA data" means

aleecia: potentially moving further later

<jmayer> industry self-regulatory language is absurdly slippery, would want some clarification there

pde: further: re: past records. but first, should verify consensus on first point

aleecia: does anyone disagree with the current point?
... no disagreement

<npdoty> agreed: a third party receiving a do not track signal should not use the current data from the current interaction to serve a targeted ad

aleecia: CONSENSUS: a 3p receiving the dnt signal must not use data from the current transaction to serve a targeted ad

pde: retaining data is the crux of ads

<jmayer> what is this "current transaction" thing?

<jmayer> because i'm totally cool with contextual and demographic advertising

<amyc> what about use of IP address?

pde: if you see a dnt header, you should cease retaining data for other transactions.

aleecia: will deal with that later
... so: is ip address information in question

pde: obvs, you need to use ip in order to send

<amyc> question is about geo target of IP address for current ad only

<pde> amyc, IMO it's not tracking if you don't retain it

aleecia: yes, but question is whether ip can be used for targeting

<jmayer> Rationale: if an advertising company gets the IP and referrer no matter what, why not allow some advertising use?

tl: any current info, including ip, may not be used to target an ad

jonathan: perhaps advertising people will like this.
... using current ip or referrer, without collection, would be ok
... i'm ok with uncollected session information used to target

tl: i can live with jonathan's definition

<pde> and let's focus on the privacy problem we need to address here, which is the /retention/ of the IP and referrer by the advertiser

aleecia: what about the user interaction of showing a geotargeted ad to user with dnt on. is that good?

amy: using current ip doesn't seem like tracking or oba

pde: do we have consensus to use ip, referrer in a fleeting manner to target ads

<aleecia> noted

<pde> clp: worried that users would perceive geotargeting as "tracking", even though behind the scenes nothing was being retained about them

jules: distinguish between geo-targeting (which is important) for say region-coding by country, rather than targeting based on aggregate demographics associated with ip/zip
... the latter is a de-facto profile

hear hear!

jmayer: jules, taking an ip, and using that as the index for profiles would count as oba, and excluded

jules: yes

dsinger_: it may not be prudent to offer ads that may nonetheless be allowed, because the user thinks that creepy. nonetheless, treating user as if you know nothing else about them than what you see right now

<davidwai_> will the standard include best practice recommendations?

<aleecia> ?

dsinger_: ex, if historical data is used, user may see no difference, =[

aleecia: proposition: a 3p seeing dnt, barring conflict w/ opt-back in or exemptions, may not use current data to target ad, except ip or referrer

<dsinger_> I think the basic principle is that you are treating me as someone about whom you know nothing except what is visible in this transaction, and remember nothing.

aleecia: (at a minimum, may add to this later)
... to serve a targeted ad

<pde> Zakim: pde is Peter Eckersley

davidwai_: i am not aware of a definition of tracking which includes current session info

aleecia: does anyone agree with david?

tl: propose that definition, because users find it creepy

BrianTs: query string is passed to third party. what about additional information passed by first party
... may see a targeted ad on that

<amyc> I agree with David

jmayer: some agreement with david

<dmckinney> I agree that this is Targeting, not Tracking

jmayer: what if a 1p passes say gender to a 3p? i'm okay with that, probably. but not more info.
... say name

<aleecia> is davidwai_

<dsinger_> I feel we need a strawman and more email discussion

<aleecia> I'm noticing that too

davidwai_, tom, srsly?

tl: reiterate, assertion.

aleecia: users are asking to have ads not personalized to them
... dnt is the ui for that

<jkaran> disagree with aleecia

aleecia: folks should write up proposals

<dsinger> users are asking not to have databases built about them; targeting is a symptom, not the core problem, IMHO

<aleecia> will be asking for proposals

<aleecia> think about if you'd like to make one

pde: what part of this consensus do you not agree with

j: i don't understand the exemption for ip & referrer

pde: not an exemption, it's an explanation

<dmckinney> what about lat/long info from a mobile device?

pde: you always get ip & referrer with that specific request. that's not tracking. the real question is whether you can use info from five minutes ago.

<justin> Agree with PDE

<dsinger> you should treat me as a person about whom you know nothing, have been told nothing, and remember nothing, using only data that is not remembered and not associated with me. So it's OK to notice I am in California, where it is evening, on a web site that sells bar snacks. Maybe I have a party this evening....

<aleecia> action tl Tom to write a proposal on what DNT means to 3rd parties due by tuesday

<trackbot> Created ACTION-8 - Tom to write a proposal on what DNT means to 3rd parties due by tuesday [on Thomas Lowenthal - due 2011-10-05].

<jmayer> dsinger, what about other things the bar snacks site says about the user?

aleecia: any competing proposals

<pde> pde: I also said (to which several ppl agreed) that allowing the 3rd party to use data from 5 minutes ago /would/ be tracking, and we'd need to talk about a special exception for that

<npdoty> ACTION: Write a proposal on what DNT means to 3rd parties (for davidwainberg) - due Tuesday [recorded in http://www.w3.org/2011/09/28-dnt-minutes.html#action02]

<trackbot> Created ACTION-12 Write a proposal on what DNT means to 3rd parties (for davidwainberg) [on Nick Doty - due 2011-10-04].

aleecia: pure 1p interaction, what to do when seeing a dnt header

pde: 1ps should get may or should rather than must
... more advice & best practices rather than requirements

dsinger: 1p must not relay personal info to 3p

jmayer: i do not believe in a must for 1ps

<dsinger> ok, I can live with the onus being on the 3rd party to ignore it, and only recommend that the 1st party not relay it

jmayer: probably, dsinger's suggestions should be shoulds, not musts

<amyc> dsinger - that would mean first party would not be able to display any ads, right?

jmayer: most info handoff code is from 3ps

action tl to proposal for what 1ps must do, by tuesday

<trackbot> Created ACTION-9 - Proposal for what 1ps must do, by tuesday [on Thomas Lowenthal - due 2011-10-05].

aleecia: any other proposals, suggestions?

<pde> we seem to have some problems with the relationship between our IRC nicks and our identities in W3C systems. I bet Aleecia told us about what to do about this right at the start of the process :)

<tlr> ACTION: mayer to draft a proposal for the obligations (or not) on first parties [recorded in http://www.w3.org/2011/09/28-dnt-minutes.html#action03]

<trackbot> Created ACTION-10 - Draft a proposal for the obligations (or not) on first parties [on Jonathan Mayer - due 2011-10-05].

dsriedel: what are 1p, 3p?

<pde> ACTION: Jonathan to write 2(+?) sentence proposal that no MUSTs for first parties - due Tuesday [recorded in http://www.w3.org/2011/09/28-dnt-minutes.html#action04]

<trackbot> Created ACTION-11 - write 2(+?) sentence proposal that no MUSTs for first parties [on Jonathan Mayer - due 2011-10-04].

<pde> oops

aleecia: we have not agreed, there are open issues, that is deferred.
... we'll get to that later

<tlr> to fix this: http://www.w3.org/2011/tracking-protection/track/users?login

<aleecia> davidwai_ for example

tl: account-nick pairings?

aleecia: will fix
... watch this space: next week, same time, same place. you know where to find us.

<jmayer> thanks aleecia

aleecia: adjourned!

<clp> bye

<pde> tlr: how do I add myself to the list of TPWG participants?

Summary of Action Items

[NEW] ACTION: Jonathan to clarify distinctions on "opt back in" between ISSUE-27 and ISSUE-63 [recorded in http://www.w3.org/2011/09/28-dnt-minutes.html#action01]
[NEW] ACTION: Jonathan to write 2(+?) sentence proposal that no MUSTs for first parties - due Tuesday [recorded in http://www.w3.org/2011/09/28-dnt-minutes.html#action04]
[NEW] ACTION: mayer to draft a proposal for the obligations (or not) on first parties [recorded in http://www.w3.org/2011/09/28-dnt-minutes.html#action03]
[NEW] ACTION: Write a proposal on what DNT means to 3rd parties (for davidwainberg) - due Tuesday [recorded in http://www.w3.org/2011/09/28-dnt-minutes.html#action02]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2011/09/30 01:40:53 $