IRC log of dnt on 2011-10-31

Timestamps are in UTC.

15:47:55 [RRSAgent]
RRSAgent has joined #dnt
15:47:55 [RRSAgent]
logging to http://www.w3.org/2011/10/31-dnt-irc
15:47:57 [trackbot]
RRSAgent, make logs world
15:47:57 [Zakim]
Zakim has joined #dnt
15:47:59 [trackbot]
Zakim, this will be
15:47:59 [Zakim]
I don't understand 'this will be', trackbot
15:48:00 [trackbot]
Meeting: Tracking Protection Working Group Teleconference
15:48:00 [trackbot]
Date: 31 October 2011
15:48:04 [npdoty]
Zakim, this will be dnt
15:48:05 [Zakim]
ok, npdoty; I see Team_(dnt)16:00Z scheduled to start in 12 minutes
15:48:15 [npdoty]
Zakim, code?
15:48:15 [Zakim]
the conference code is 87225 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), npdoty
15:48:18 [karl]
the meeting has not started yet. People entering the room and choosing seats. Quite fool.
15:48:25 [karl]
s/fool/full/
15:49:19 [npdoty]
Zakim, call Salon_3
15:49:19 [Zakim]
ok, npdoty; the call is being made
15:49:43 [npdoty]
Zakim, who's on the phone?
15:49:43 [Zakim]
Team_(dnt)16:00Z has not yet started, npdoty
15:49:44 [Zakim]
On IRC I see RRSAgent, npdoty, JohnSimpson, Joanne, KevinT, karl, Alex__, tl, dsriedel, mischat, hober, pde, trackbot
15:49:46 [aleecia]
aleecia has joined #dnt
15:49:59 [aleecia]
zakim, code?
15:49:59 [Zakim]
the conference code is 87225 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), aleecia
15:55:04 [tl]
tl has joined #dnt
15:55:51 [npdoty]
Zakim, call Salon_12
15:55:51 [Zakim]
ok, npdoty; the call is being made
15:55:52 [Zakim]
Team_(dnt)16:00Z has now started
15:55:53 [Zakim]
+Salon_12
15:55:53 [hwest]
hwest has joined #dnt
15:57:15 [Kai]
Kai has joined #dnt
16:02:26 [karl]
room is really packed today.
16:02:33 [karl]
9:02am not started yet
16:02:42 [Zakim]
+ +1.202.344.aaaa
16:02:44 [Zakim]
- +1.202.344.aaaa
16:02:44 [Zakim]
+ +1.202.344.aaaa
16:02:50 [karl]
*THE GONG*
16:03:46 [Zakim]
+ +1.425.269.aabb
16:03:58 [aleecia]
zakim, who is on the call?
16:03:59 [Zakim]
On the phone I see Salon_12, +1.202.344.aaaa, +1.425.269.aabb
16:04:03 [vincent]
vincent has joined #dnt
16:04:19 [karl]
Matthias, WG co-chair, is introducing the group and welcome messages
16:04:55 [karl]
The goal of this meeting is to have a draft we agree to publish as a 1st public WD
16:05:26 [karl]
We want to nail down some of the issues we already identified.
16:05:58 [WileyS]
WileyS has joined #dnt
16:05:59 [karl]
Scribe: karl
16:06:01 [enewland]
enewland has joined #dnt
16:06:07 [karl]
ScribeNick: karl
16:06:18 [dsinger]
dsinger has joined #dnt
16:06:25 [fielding]
fielding has joined #dnt
16:06:33 [Mike]
Mike has joined #DNT
16:06:45 [suegl]
suegl has joined #dnt
16:07:00 [Jules]
Jules has joined #dnt
16:07:09 [justin]
justin has joined #dnt
16:07:15 [rigo]
rigo has joined #dnt
16:07:32 [tl]
Zakim, who is on the phone
16:07:33 [Zakim]
I don't understand 'who is on the phone', tl
16:07:53 [karl]
matthias is organizing how to scribe
16:08:01 [tl]
Zakim, who is on the call?
16:08:01 [Zakim]
On the phone I see Salon_12, +1.202.344.aaaa, +1.425.269.aabb
16:08:01 [dwainberg]
dwainberg has joined #dnt
16:08:04 [jmayer]
jmayer has joined #dnt
16:08:13 [npdoty]
scribenick: npdoty
16:08:17 [BrianTs]
BrianTs has joined #dnt
16:08:25 [andyzei]
andyzei has joined #dnt
16:08:42 [dwainber_]
dwainber_ has joined #dnt
16:08:48 [Elise]
Elise has joined #dnt
16:08:55 [Mike]
Mike Zaneis from IAB is on the phone
16:08:57 [NinjaMarnau]
NinjaMarnau has joined #dnt
16:09:07 [npdoty]
schunter: look at the agenda, assign scribes, go through the timeline
16:09:30 [npdoty]
… introductions around the room, who they are and what they're trying to get out of this meeting
16:09:45 [npdoty]
… Roy (fielding) will walk us through the Tracking Preference Expression draft
16:10:06 [Zakim]
+Justin
16:10:18 [npdoty]
… goal is to determine whether we can publish a First Public Working Draft
16:10:28 [Mike]
I dialed in on (617)761-6200
16:10:34 [sidstamm]
sidstamm has joined #dnt
16:11:07 [Frank]
Frank has joined #dnt
16:11:30 [npdoty]
Agenda: http://www.w3.org/2011/tracking-protection/agenda-20111031
16:11:46 [Mike]
Sorry. Call from 202-344-4652.
16:11:49 [npdoty]
aleecia: keep this a civil conversation, even when we disagree
16:11:56 [npdoty]
Zakim, aaaa is MikeZaneis
16:11:56 [Zakim]
+MikeZaneis; got it
16:11:57 [Zakim]
+[Microsoft]
16:12:15 [npdoty]
aleecia: so far I've been thrilled, a lot of laughter but no screaming, would like to continue that
16:12:31 [suegl]
suegl has joined #dnt
16:12:33 [npdoty]
… Lee Tien has started up a Community Group, mostly privacy-focused NGOs
16:12:53 [npdoty]
… they will make comments on our drafts, that we must respond to in some form
16:13:10 [amyc]
amyc has joined #dnt
16:13:17 [npdoty]
http://www.w3.org/community/dntrack/
16:13:32 [npdoty]
aleecia: a few five-minute introductory tutorials on basic topics
16:13:37 [npdoty]
no objections
16:13:42 [efelten]
efelten has joined #dnt
16:14:07 [asoltani]
asoltani has joined #dnt
16:14:07 [npdoty]
aleecia: looking forward to a productive and intense session
16:14:17 [dsinger]
…thinks it might be good to have a FAQ explaining the difference between the working group, the interest group, and the community group...
16:14:34 [Frank_]
Frank_ has joined #dnt
16:14:34 [aleecia]
Let me see if I can find the W3C docs, it's up
16:14:48 [karen]
karen has joined #dnt
16:14:56 [Frank_]
Frank_ has left #dnt
16:15:00 [npdoty]
schunter: introductions
16:15:13 [npdoty]
RobVanEijk: work for the Dutch Data Protection Authority but speak for myself
16:15:31 [Frankie]
Frankie has joined #dnt
16:15:40 [suegl]
suegl has joined #dnt
16:15:45 [aleecia]
This may help: http://www.w3.org/community/
16:16:09 [npdoty]
Vincent: from Alcatel-Lucent, but also speak for myself
16:16:43 [npdoty]
Karl: working for Opera, my goal is to have something clear to understand and easily implementable and matters for the user
16:17:02 [npdoty]
AndyZei: work on privacy for the Internet Explorer team, love to see progress on Tracking Selection Lists
16:17:13 [npdoty]
Erica: from CDT, co-editing the compliance draft
16:17:22 [arice]
arice has joined #dnt
16:17:23 [npdoty]
tl: Tom Lowenthal, I work for Mozilla and I fight for the user
16:17:28 [npdoty]
sid: engineer at Mozilla
16:17:38 [npdoty]
efelten: from FTC, speaking for myself
16:17:52 [npdoty]
adamphillips: from ESOMAR, looking for coordination between Europe and US
16:17:58 [npdoty]
JC: from MSFT on Bing privacy and advertising
16:18:06 [AlexD]
AlexD has joined #dnt
16:18:10 [npdoty]
Kevin: from TRUSTe, balancing consumer trust and advertising
16:18:18 [npdoty]
JoanneFurtsch: also TRUSTe
16:18:20 [suegl]
suegl has joined #dnt
16:18:37 [npdoty]
Jules: from Future of Privacy Forum, advance the ball for Europe and still support the basics of analytics and privacy
16:18:49 [npdoty]
BrianTs: from Microsoft, balance the users and technical aspects
16:19:03 [Zakim]
+ +1.408.544.aacc
16:19:04 [amyc]
Nick, just be aware that chairs are coming through loud and clear on call, but participants are a bit garbled. Might help if chairs repeat key points at times
16:19:12 [npdoty]
Ninja: from the German privacy authority, looking forward to big step for the user
16:19:15 [aleecia]
(Thanks Amy)
16:19:23 [npdoty]
Ashkan: an independent researcher in this space, matching user expectations
16:19:35 [npdoty]
Frank: from BlueCava, my first f2f meeting
16:19:43 [harlanyu]
harlanyu has joined #dnt
16:20:09 [rigo]
harlan, have you joined on the phone?
16:20:11 [npdoty]
npdoty: I'm the staff contact from W3C!
16:20:20 [npdoty]
WileyS: from Yahoo, enjoying the process so far
16:20:32 [npdoty]
Heather: from Google, co-editing the compliance spec, want to get that going
16:21:10 [npdoty]
JohnSimpson: from Consumer Watchdog, a consumer advocacy organization with a history in California, give users transparent control of their data but doesn't interrupt the economic necessity of the Internet
16:21:21 [npdoty]
@@: from Nielsen, a coherent and cohesive standard
16:21:39 [npdoty]
Alex: also from Nielsen, software engineer so here for the technical park
16:21:43 [harlanyu]
Yes, I
16:21:54 [harlanyu]
've joined on the phone
16:22:09 [npdoty]
@@@: a primarily advertising finance business, Deutsche Telekom
16:22:36 [npdoty]
rigo: an old-timer from W3C, with experience from P3P
16:22:47 [npdoty]
dwainberg: from AppNexus
16:23:03 [Frankie]
Frank Wagner, Group Privacy of Deutsche Telekom
16:23:03 [npdoty]
aleecia: half-time at Stanford and half-time at Mozilla, who are supporting me to be here, looking for consensus
16:23:06 [tl]
s/@@/AlexD
16:23:36 [tl]
s/@@@/Kai
16:23:37 [npdoty]
fielding: from Adobe, also a role at Apache Software Foundation
16:23:42 [Kai]
Kai Scheppe - Deutsche Telekom, specifically the ISP section of DT
16:23:53 [npdoty]
jmayer: from Stanford, looking for something that puts users in the driver's seat now
16:24:10 [npdoty]
TonyR: from MSFT, corporate standards group, just an observer today
16:24:24 [Julian]
Julian has joined #dnt
16:24:28 [npdoty]
ChuckCurran: director of the NAI, compatibility with the existing cookie opt out
16:24:45 [npdoty]
AshokMalhotra: member of the TAG, just observing
16:25:00 [npdoty]
HenryGoldstein: from CBS, representing the Online Publishers Association, content and consumer trust
16:25:22 [npdoty]
KarenMyers: with the W3C involved in Member Relations, learn about a hot topic
16:25:49 [npdoty]
dsinger: from Apple, excited about the quality of the conversation, hopeful for a specification that consumers, regulators, industry all think they can support
16:26:10 [npdoty]
schunter: seems like the group more or less agrees on our goals, which is not always the case
16:26:22 [npdoty]
… a balance between advertising, user choice, usability
16:26:33 [npdoty]
Topic: Tracking Preference Expression Editor's Draft
16:26:39 [karl]
scribenick: karl
16:26:39 [karl]
scribe: karl dubost
16:27:03 [karl]
schunter: roy has started with a great spec already.
16:27:13 [karl]
(APPLAUSE)
16:27:22 [Zakim]
+ +1.631.403.aadd
16:27:33 [karl]
... the specification is the current state of our discussions.
16:27:41 [karl]
... not everything is solved yet
16:27:49 [efelten]
efelten has joined #dnt
16:28:00 [carmenbalber]
carmenbalber has joined #dnt
16:28:01 [karl]
... we have to identify what we are comfortable with to publish it as 1st WD.
16:28:10 [Vincent]
Vincent has joined #dnt
16:28:31 [karl]
fielding: it is only a 1st draft. I focused on what we want to put in the public.
16:28:40 [karl]
... more than what we will finally be.
16:28:40 [Zakim]
+Carmen
16:29:11 [karl]
(a big show of hands for people having read it)
16:29:32 [npdoty]
we're looking at: http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
16:29:52 [karl]
fielding: The document is split into sections with regard to who will implement what.
16:29:58 [karl]
... sections for browsers
16:30:03 [karl]
... sections for servers
16:30:19 [karl]
... there is an introduction about the Web.
16:30:50 [karl]
Simpson: reading the introduction, I have the feeling that it is only about third party tracking.
16:31:01 [karl]
... not taking into account first party tracking.
16:31:24 [karl]
aleecia: you will see more in the other document, Tracking Preferences Expression.
16:31:37 [karl]
schunter: at this point, we have not yet a full consensus.
16:31:57 [karl]
... but if something is new and different in the future, we might need to update one of the two documents.
16:32:04 [JC]
JC has joined #dnt
16:32:16 [npdoty]
ISSUE-17, ISSUE-51 for example, consider the question of whether first party tracking would be impacted
16:32:40 [Zakim]
+ +1.631.223.aaee
16:32:43 [npdoty]
Zakim, who's talking?
16:32:49 [karl]
fielding: You may comment on old ISSUES or add new issues.
16:32:53 [chuck]
chuck has joined #dnt
16:32:53 [Zakim]
npdoty, listening for 10 seconds I heard sound from the following: +1.631.223.aaee (36%)
16:33:20 [Elise]
Elise has joined #dnt
16:33:28 [karl]
schunter: The specification will reflect what are the current issues.
16:33:48 [NinjaMarnau]
NinjaMarnau has joined #dnt
16:34:00 [karl]
fielding: I have been user agent instead of browser, because Webapps are not browsers and might act as a client.
16:34:23 [npdoty]
Zakim, mute aaee
16:34:23 [Zakim]
+1.631.223.aaee should now be muted
16:34:51 [karl]
lowenthal: An app would be in compliance or not?
16:35:23 [jmayer]
+q
16:35:27 [justin]
justin has joined #dnt
16:35:32 [karl]
fielding: An app doing a browsing activity would not be mandated to be in compliance but could be.
16:35:45 [karl]
... I didn't put the requirements in that specification.
16:35:53 [jmayer]
-q
16:36:01 [karl]
rigo: what if the webapps is transmitting information?
16:36:55 [karl]
fielding: I do not think it is in scope if someone agrees to install the app.
16:37:14 [karl]
singer: I think we should limit ourselves to what people choose to implement or not.
16:37:35 [karl]
felten: It is tied to the 1st party, 3rd party interactions.
16:38:05 [karl]
mayer: You might have exactly the same issues with webapps as with a browser. It is the exact same problem.
16:38:33 [karl]
schunter: reminding the goal - do we have issues putting that into public?
16:38:49 [karl]
... if you have issues you can keep in the back of your head.
16:38:59 [karl]
... and we can put the issues in the next version.
16:39:45 [karl]
fielding: do we have an issue with ISSUE-13 right now?
16:39:52 [karl]
... can we publish it?
16:40:25 [npdoty]
jmayer: for example, you might have a 3rd-party analytics provider in a web app that phones home about the user's use of a web app
16:40:47 [karl]
rigo: we are just trying to decide if we can publish the document as is with the issues inside.
16:41:02 [karl]
... have you found anything we do not want to publish?
16:41:14 [jmayer]
Recommended reading on mobile app privacy: http://appanalysis.org/ and http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html
16:41:40 [karl]
xxx: can we include languages about webapps?
16:42:02 [karl]
s/languages/prose/
16:42:10 [jmayer]
s/xxx/Jules/
16:42:24 [karl]
fielding: what I did is to define apps as user agents. that's all.
16:43:09 [karl]
... "do not get upset with me" because I'm using it only in the browsing context of the web apps.
16:43:35 [karl]
West: keeping it neutral is a good idea like it is now
16:44:00 [Zakim]
-Carmen
16:44:14 [karl]
Singer: The last sentence is an issue.
16:44:37 [karl]
npdoty, could you put the uri of the document
16:44:53 [karl]
wagner: not all communications between the server and the client is tracking
16:45:24 [karl]
lowenthal: I sent to the list a revision text to the list. We can review the text and continue the discussions later
16:45:34 [npdoty]
dsinger: I'm not crazy about the idea of publishing a spec that implies that the spec judges whether a specific class of applications should implement/comply with this protocol
16:45:35 [Alex__]
Alex__ has joined #dnt
16:45:48 [npdoty]
right now we're looking at http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
16:45:50 [karl]
fielding: there are many other issues with privacy which are not necessarily tracking issues.
16:46:01 [asoltani]
+q
16:46:05 [karl]
rigo: first party are excluded?
16:46:11 [tl]
s/"a revision"/"a small revision addressing this issue"
16:46:13 [karl]
aleecia: it is an open issue.
16:46:14 [asoltani]
-q
16:46:55 [tl]
s/"this issue text"/"this issue"
16:46:59 [karl]
schunter: Pending review means we are in the process of discussing it
16:47:04 [asoltani]
fyi
16:47:21 [tl]
q+
16:47:21 [asoltani]
an example of what 1st and 3rd party apps talk to: http://dl.dropbox.com/u/3077/ms.pdf
16:47:33 [JC]
okay
16:47:50 [karl]
fielding: 3 Determining User Preference - ISSUE 4
16:47:59 [karl]
s/ISSUE 4/ISSUE-4/
16:48:24 [npdoty]
q?
16:48:26 [npdoty]
ack tl
16:48:37 [karl]
... this part of the specification is to specify what does that mean enabled or not enabled
16:49:12 [karl]
lowenthal: I would change the user's choice by user's preference.
16:49:14 [asoltani]
actually a better way to visualize: http://dl.dropbox.com/u/3077/ms%20-%20collusion.pdf
16:49:35 [andyzei]
andyzei has joined #dnt
16:49:46 [asoltani]
^^ note flurry 'tracks' app activity across multiple apps (using an HTTP protocol) identical to 3rd party tracking on the web
16:50:07 [npdoty]
q?
16:50:23 [Alex__]
q?
16:50:54 [karl]
aleecia: I do not want to have this as a yes or no only.
16:51:07 [karl]
fielding: I was trying to avoid the "how" in this section.
16:51:25 [karl]
... I wanted to separate the concerns. Put that in an email so I do not forget.
16:51:31 [tlr]
tlr has joined #dnt
16:51:59 [karl]
felten: I imagine a case where an employer, or a library would turn on the system without users consent.
16:51:59 [tl]
lowenthal: i suggest that the phrase "reflect the user's choice" be replaced with the phrase "reflect the user's preference", to cover high-level privacy preference presentations to the user. i also suggest (here and in following sections) the use of the passive voice i.e. "DNT is enabled" rather than the active voice "the user has enabled DNT". i will follow up in an email.
16:52:04 [karl]
fielding: indeed
16:52:24 [karl]
... If you have a suggestion to change this.
16:52:33 [karl]
... it is what we are saying right now.
16:53:12 [karl]
wiley: We should capture as an issue when the user is not choosing by himself/herself
16:53:27 [karl]
singer: how do you write a performance test for this kind of issue.
16:53:32 [karl]
... so it is a problem.
16:53:44 [karl]
... Where are the protocols endpoint?
16:53:55 [karl]
... I think it is server and client
16:54:12 [karl]
fielding: I disagree in the sense that we are shipping software
16:54:25 [npdoty]
proposed issue: may an institution or network provider set a tracking preference for a user?
16:54:29 [jmayer]
I think we do not have a consensus on 1) whether user agents can set DNT on or off by default, 2) how intermediaries, including businesses, libraries, and other organizations, can change DNT status.
16:54:36 [jmayer]
Those are open issues.
16:54:37 [lgombos]
lgombos has joined #dnt
16:54:42 [karl]
singer: there are many situations where the choice is not made by users, but by a corporation, organisation
16:54:51 [karl]
rigo: I agree it is a large issue
16:55:35 [karl]
... whatever activates the DNT header, it is difficult to know what it means for the server.
16:55:55 [karl]
... You can't determine from where the DNT comes from.
16:56:10 [jmayer]
+q
16:56:23 [karl]
... All the rules are falling apart in some cases if we do not have this information.
16:56:33 [karl]
fielding: this section is about browser configuration.
16:56:45 [jmayer]
-q
16:56:52 [karl]
... not sending, or sending the DNT header.
16:57:05 [lgombos_]
lgombos_ has joined #dnt
16:57:10 [jmayer]
Reminder: we could disambiguate whether the DNT flag was set explicitly by the user or implicitly by another entity.
16:57:11 [karl]
schunter: do we have an issue with this section as a first public WD?
16:57:20 [karl]
... can we ship and move on?
16:57:22 [jmayer]
Not saying the protocol should, but it is technically trivial.
16:57:32 [npdoty]
ISSUE: may an institution or network provider set a tracking preference for a user?
16:57:32 [trackbot]
Created ISSUE-95 - May an institution or network provider set a tracking preference for a user? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/95/edit .
16:57:35 [karl]
... I recorded the larger issue
16:57:35 [karl]
(no disagreements)
16:58:01 [karl]
fielding: 4 Expressing a Tracking Preference
16:58:18 [npdoty]
if anyone has objections with my naming of that issue, feel free to edit or to add a comment to it
16:58:29 [lgombos__]
lgombos__ has joined #dnt
16:58:39 [lgombos]
lgombos has joined #dnt
16:59:09 [karl]
... I specified the syntax of the header field and took care of eventual extension for the future.
16:59:33 [karl]
lowenthal: the last paragraph makes me uncomfortable.
17:00:28 [karl]
... They might not wish to communicate the header when in private browsing mode.
17:00:34 [jmayer]
+q
17:01:02 [karl]
... I want that to be a legitimate browsing experience, aka being conformant
17:01:22 [karl]
q?
17:01:35 [karl]
fielding: do you have a way to phrase that?
17:02:06 [amyc]
q+ via IRC
17:02:08 [karl]
kai: is it about to express what is not forbidden is authorized
17:02:20 [karl]
lowenthal: I'm willing to take an action to soften the text
17:02:28 [npdoty]
q+ amyc
17:02:31 [npdoty]
q- via
17:02:33 [npdoty]
q- IRC
17:02:36 [karl]
... there is nothing to say I do not have a preference.
17:02:56 [amyc]
I am, can type question or ask via phone
17:03:04 [karl]
... I'm happy to take this offline.
17:03:24 [karl]
mayer: This is a clarification, this is not a substantive issue.
17:03:54 [karl]
... A sentence in there explaining the value it is a scope exception.
17:04:18 [amyc]
Clarifying question: this section on server header 0 does not eliminate other options between user and site for recording override, correct?
17:04:37 [karl]
aleecia: I do not think it blocks what you are expressing.
17:04:42 [hwest]
In re jmayer's comment, I think that's worth thinking about, but it's a very hard thing to ask of service providers to somehow know what '0' means in a given context
17:05:01 [amyc]
IOW, site might ask user to consent via registration and stores override
17:05:05 [Adam]
Adam has joined #dnt
17:05:12 [karl]
fielding: I understand lowenthal's issue.
17:05:53 [jmayer]
I don't see any significant technical challenge in a 3P understanding the scope of its DNT exception.
17:05:54 [amyc]
thanks roy
17:06:00 [karl]
fielding: in this section, we are not prohibiting other mechanisms such as cookies
17:06:02 [amyc]
and nick
17:06:03 [npdoty]
q?
17:06:07 [jmayer]
-q
17:06:08 [npdoty]
ack jmayer
17:06:09 [npdoty]
ack amyc
17:06:15 [karl]
... (answering to amyc)
17:06:39 [jmayer]
Can use the exact same mechanisms as for signaling 3P DNT status to 1P.
17:07:13 [vincent]
vincent has joined #dnt
17:07:20 [karl]
fielding: (going on through the 4.1 section)
17:08:15 [karl]
Soltani: if I subscribed to a 3rd party service to enable it
17:08:22 [karl]
fielding: yes that covers it
17:08:36 [karl]
singer: what about super private ISP?
17:08:39 [karl]
fielding: yes
17:09:10 [karl]
npdoty: shall we mark an issue for this?
17:09:28 [karl]
rigo: it is the same issue with the user consent we had before
17:10:11 [npdoty]
s/shall we/we have the example from Ed about a public library where we might want to allow this, shall we/
17:10:12 [karl]
... should we in the specification here put a note, issue here.
17:11:24 [karl]
fielding: not supported extensions are ignored.
17:11:56 [karl]
... (section 4.2 HTML DOM Interfaces)
17:12:16 [karl]
... The definition comes from Microsoft specification
17:12:44 [karl]
... are the browsers fine with it?
17:12:56 [karl]
browserPeople: seems fine :)
17:14:26 [karl]
(missed it)
17:15:00 [karl]
fielding: it is not as fine-grained as the HTTP one
17:15:21 [npdoty]
pde: setting the value for the domain might not work if you're sending different DNT messages to different domains
17:15:25 [karl]
yyy: It should be similar to the HTTP one.
17:15:41 [karl]
singer: why would not it return the same thing?
17:16:00 [karl]
... because we will run into the same issues.
17:16:10 [karl]
fielding: it was the input document but I agree.
17:16:22 [karl]
schunter: I added an issue for this that we should come back to it.
17:16:24 [npdoty]
we would want the extensions to be available in the DOM property as well, right?
17:17:21 [karl]
mayer: I think there is a consensus, that JS should be aware of it.
17:17:42 [npdoty]
ISSUE: the doNotTrack attribute should mirror the value of the header (potentially empty, extensions, etc.)
17:17:42 [trackbot]
Created ISSUE-96 - The doNotTrack attribute should mirror the value of the header (potentially empty, extensions, etc.) ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/96/edit .
17:17:53 [karl]
fielding: I have never seen that JS would get the value from the server.
17:18:01 [karl]
mayer: Mozilla implementations shows it
17:18:12 [karl]
fielding: give a link to it, please. :)
17:18:38 [karl]
fielding: 4.3 Plug-ins API
17:18:57 [karl]
... we need to have the information to put into the specification.
17:19:13 [karl]
... I do not have that much experience with plugin/extension.
17:19:23 [karl]
... so we need to ask information from browser developers
17:19:32 [Zakim]
+JKaran
17:19:33 [karl]
schunter: could you put a note to explain.
17:19:38 [karl]
fielding: alright.
17:19:47 [karl]
... (section 5 )
17:19:54 [jkaran]
jkaran has joined #dnt
17:20:22 [Neutrino]
Neutrino has joined #dnt
17:20:27 [karl]
... I tried to summarize the discussions and include everything we said.
17:20:53 [karl]
schunter: this section is really in an open state
17:21:08 [karl]
... everything is quite open for discussions
17:21:12 [JC]
JC has joined #DNT
17:21:14 [efelten]
efelten has joined #dnt
17:21:26 [karl]
... we haven't figured out the best mechanisms
17:21:50 [pde]
pde: and this problem could be solved by making the DOM property a JavaScript object that is indexed by domain
17:22:41 [pde]
pde: or a function to which the code's origin is passed as a parameter
17:23:04 [asoltani]
pde: that's also beneficial from a security standpoint since there are cases where you wouldn't want third_party_domain_A to know the TPE setting for third_party_domain_B
17:23:32 [asoltani]
pde: or even if the existence of third_party_domain_B on the page
17:24:10 [pde]
asoltani, I agree that there are fingerprinting issues to consider
17:24:10 [asoltani]
karl, k. sorry
17:24:15 [pde]
asoltani, fingerprint-resistant browsers need to avoid these kinds of granularity
17:24:32 [karl]
rob: are there issues linked to this part of the document?
17:25:13 [karl]
fielding: not really, if it's just an input.
17:26:03 [karl]
rigo: if we publish this WD without the issue in 5.3, it will be a problem
17:26:18 [karl]
aleecia: we should then at least create the issue for it describing it
17:26:42 [karl]
fielding: does it apply to this document or the other one or both
17:26:51 [karl]
... I have no answer.
17:27:33 [karl]
Jules: it should be addressing "legal and regulations"
17:27:48 [hwest]
Just a general note - we're calling out a lot of compliance issues that are likely/definitely will come up in discussing the compliance doc. I think we can integrate them there - how many of these are technical rather than policy?
17:27:52 [karl]
schunter: we should document it.
17:28:05 [karl]
... specifically for people not in the room.
17:28:22 [karl]
fielding: 5.4 machine-readable tracking policy
17:28:44 [karl]
... 5.5 machine response header field
17:29:03 [karl]
s/machine response/tracking response/
17:29:24 [karl]
... 5.6 status code
17:29:31 [karl]
... for non human browsers
17:29:34 [karl]
... open questions
17:30:11 [karl]
lowenthal: for 5.5 the response what do you mean?
17:30:27 [karl]
fielding: it is in the abstract but I didn't write down in that section.
17:31:54 [karl]
fielding: there are issues around cookies vs DNT.
17:32:00 [karl]
... how do we manage it?
17:32:12 [Neutrino]
s/ what do you mean/what do you think the header should look like
17:32:25 [karl]
singer: this is a long discussion.
17:33:05 [karl]
aleecia: the intent is not about saying that you should not respect it.
17:33:18 [karl]
fielding: note the text is excerpt from IRC
17:33:32 [karl]
schunter: we need to clarify or soften the prose in these sections
17:33:44 [Zakim]
-harlanyu
17:33:50 [karl]
fielding: I'm happy to remove that
17:33:53 [tl]
also: that is not an exact quotation
17:34:08 [karl]
singer: do our names stay in the WD?
17:34:16 [karl]
fielding: I'm happy to remove it.
17:35:19 [karl]
... (5.7 opt-back-in)
17:35:28 [Joanne]
Joanne has joined #DNT
17:35:43 [karl]
... so far we do not have a mechanism, maybe the cookie mechanism which is specific to any sites.
17:36:00 [JC]
JC has joined #DNT
17:36:15 [karl]
schunter: the mechanism is not defined yet. So can we publish with this issue.
17:38:46 [Zakim]
-Justin
17:39:25 [hwest]
Looks like everyone is getting bumped - the consensus is to rename "opt-back-in" to "site specific user exceptions" or something similar
17:39:35 [hwest]
"Site specific user preference"
17:40:26 [npdoty_]
npdoty_ has joined #dnt
17:40:36 [npdoty_]
rrsagent, pointer?
17:40:36 [RRSAgent]
See http://www.w3.org/2011/10/31-dnt-irc#T17-40-36
17:41:06 [dwainberg]
dwainberg has joined #dnt
17:41:08 [dsinger]
dsinger has joined #dnt
17:41:14 [enewland]
enewland has joined #dnt
17:41:15 [WileyS]
WileyS has joined #dnt
17:41:24 [adrianba]
adrianba has joined #dnt
17:41:27 [Frankie]
Frankie has joined #dnt
17:41:28 [Frank]
Frank has joined #DNT
17:41:31 [fielding]
fielding has joined #dnt
17:41:34 [fielding]
and title update in B.1
17:41:41 [JC]
JC has joined #DNT
17:41:43 [Elise]
Elise has joined #dnt
17:41:44 [dwainber_]
dwainber_ has joined #dnt
17:41:44 [Kai]
Kai has joined #dnt
17:41:45 [NinjaMarnau]
NinjaMarnau has joined #dnt
17:41:46 [hwest]
Similarly, the B.1 title should reflect the title for "opt-back-in"
17:41:48 [KevinT]
KevinT has joined #dnt
17:41:58 [fielding]
sec 5.7 change to site-specific user preferences
17:42:00 [karl]
karl has joined #dnt
17:42:21 [karl]
rigo: I'm very reluctant to talk about opt-in, opt-out
17:42:23 [karl]
aleecia: we have a consensus on the bad title.
17:42:25 [karl]
fielding: we can change the issue titles.
17:42:27 [karl]
schunter: should we use the use cases in that document.
17:42:29 [karl]
... B1 we should update the title
17:42:35 [karl]
fielding: C. closed issues
17:43:30 [karl]
npdoty: issue-42 there is no consensus yet
17:43:55 [andyzei]
andyzei has joined #dnt
17:43:59 [NinjaMarnau]
if we call it site-specific user preferences, does this still include third party-specific user preferences?
17:44:08 [karl]
fielding: D. postponed issue
17:44:10 [aleecia]
aleecia has joined #dnt
17:44:45 [karen]
karen has joined #dnt
17:44:49 [karl]
schunter: (explaining the postponed issues)
17:44:51 [efelten]
efelten has joined #dnt
17:44:51 [WileyS]
WileyS has joined #dnt
17:45:12 [karl]
RRSAgent, pointer?
17:45:12 [RRSAgent]
See http://www.w3.org/2011/10/31-dnt-irc#T17-45-12
17:45:20 [karl]
RRSAgent, make logs public
17:45:41 [rigo]
rigo has joined #dnt
17:45:59 [karl]
fielding: I will do the updates sometime today.
17:46:13 [karl]
schunter: obviously by tomorrow we can check the snapshot
17:46:26 [karl]
RRSAgent, make minutes
17:46:26 [RRSAgent]
I have made the request to generate http://www.w3.org/2011/10/31-dnt-minutes.html karl
17:46:38 [Zakim]
-MikeZaneis
17:46:56 [Zakim]
- +1.425.269.aabb
17:47:03 [karl]
(for the logs we had a brief interruption of IRC, some of the minutes are missing for 5 minutes toward the end of the first session)
17:47:24 [npdoty]
aleecia: Jules will give a high-level overview of advertising ecosystem if you come back early from the break at 11:10
17:52:03 [aleecia]
aleecia has joined #dnt
17:54:03 [Zakim]
- +1.631.403.aadd
17:55:38 [enewland]
enewland has joined #dnt
17:58:17 [Zakim]
- +1.631.223.aaee
18:02:07 [Frank]
Frank has joined #dnt
18:02:09 [Frank]
Frank has left #dnt
18:02:40 [Frank]
Frank has joined #DNT
18:04:26 [lgombos]
lgombos has joined #dnt
18:07:51 [npdoty]
npdoty has joined #dnt
18:08:30 [NinjaMarnau]
NinjaMarnau has joined #dnt
18:11:05 [rigo]
rigo has joined #dnt
18:11:11 [Zakim]
+ +1.425.269.aaff
18:12:16 [Kai]
Kai has joined #dnt
18:13:36 [cyril]
cyril has joined #dnt
18:14:06 [JC]
JC has joined #DNT
18:14:23 [Frankie]
Frankie has joined #dnt
18:14:51 [rigo]
zakim, who is here?
18:14:51 [Zakim]
On the phone I see Salon_12, [Microsoft], JKaran, +1.425.269.aaff
18:14:52 [Zakim]
On IRC I see Frankie, JC, Kai, rigo, NinjaMarnau, npdoty, lgombos, Frank, enewland, WileyS, efelten, andyzei, karl, KevinT, Elise, fielding, dsinger, jkaran, Julian, harlanyu,
18:14:53 [justin]
justin has joined #dnt
18:14:55 [Zakim]
... suegl, arice, asoltani, amyc, Mike, hwest, Zakim, RRSAgent, hober, pde, trackbot
18:15:48 [sidstamm]
sidstamm has joined #dnt
18:15:50 [Zakim]
+Justin
18:15:52 [dwainberg]
dwainberg has joined #dnt
18:16:19 [dwainber_]
dwainber_ has joined #dnt
18:16:50 [dwainberg]
dwainberg has joined #dnt
18:19:08 [Zakim]
+MikeZaneis
18:20:18 [chuckcu]
chuckcu has joined #dnt
18:25:03 [karl]
I would love a diagram with HTTP transactions in between the different entities that Jules is showing and how the DNT changes thing inside that network/graph.
18:26:25 [asoltani]
karl, most of that is http/https
18:27:36 [tl]
tl has joined #dnt
18:28:04 [asoltani]
aleecia: goal is to see how we're doing in the editing process
18:28:18 [karl]
scribenick: asoltani
18:28:22 [npdoty]
npdoty has joined #dnt
18:28:24 [rigo]
merci Karl
18:28:29 [sidstamm]
sidstamm has joined #dnt
18:28:33 [vincent]
vincent has joined #dnt
18:28:44 [alex]
alex has joined #dnt
18:28:49 [NinjaMarnau]
NinjaMarnau has joined #dnt
18:28:53 [sidstamm_]
sidstamm_ has joined #dnt
18:29:07 [asoltani]
aleecia: no objections to the abstract
18:31:04 [jmayer]
jmayer has joined #dnt
18:31:05 [schunter]
schunter has joined #dnt
18:32:58 [asoltani]
rigo: is 1st party/3rd party distinction worthwhile if we don't discuss what sharing means
18:34:59 [asoltani]
aleecia: let's add a question as to whether '1st/3rd distinction is a useful one'
18:35:10 [tobie]
tobie has joined #dnt
18:38:05 [dsinger]
maybe we should have the rough definition of 1st, 2nd and 3rd party (that the user is 2nd, the intended site is 1st, and someone watching from the sidelines is 3rd)
18:38:20 [asoltani]
john simpson: should we change the term to 'tracking' vs 'behavioral'
18:38:35 [amyc]
q+
18:40:13 [amyc]
I believe that the term "transactional data" is potentially confusing and suggest that we use something that is more descriptive such as passively collected browsing data; transactional makes me think of purchase data only
18:40:30 [jmayer_]
jmayer_ has joined #dnt
18:41:10 [JohnSimpson]
JohnSimpson has joined #dnt
18:41:45 [asoltani]
ninja: question about specifically-expected purposes.
18:42:12 [asoltani]
david: uncomfortable with having an adjective in the title/definition of the document
18:42:36 [karl]
q?
18:42:48 [karl]
ack amyc
18:42:57 [rigo]
ack amyc
18:43:03 [asoltani]
amyc: the wording of transactional data seems confusing
18:43:06 [amyc]
thanks JC
18:43:20 [rigo]
AM: come back to this soon
18:45:16 [Zakim]
-JKaran
18:45:28 [Joanne]
Joanne has joined #DNT
18:46:18 [BrianTs]
BrianTs has joined #dnt
18:47:04 [npdoty]
amyc, does this address your question?
18:47:09 [rigo]
transactional data meant in a geek way, want to leave it this way
18:47:16 [rigo]
amyc, okay with this?
18:48:12 [amyc]
still believe that we can use a more descriptive term, rather than trying to redefine
18:48:15 [schunter]
schunter has joined #dnt
18:48:15 [asoltani]
aleecia: changing definitions of tracking as examples
18:50:13 [asoltani]
kevin trilli: can we state what are the 'principles for exemptions'
18:50:37 [rigo]
list under 3.4 discussion:
18:53:47 [rigo]
everybody ok with the list under the condition that the list is still open and just a discussion list
18:54:30 [asoltani]
JC: current examples are the 'result of tracking', not the actual tracking itself
18:54:41 [rigo]
EdFelten: second list exemption of exemptions?
18:54:52 [asoltani]
rigo, thanks
18:55:22 [rigo]
HW: this was the purpose to enumerate things that we are sure are in scope
18:56:04 [NinjaMarnau]
I support use-cases or uses
18:56:21 [asoltani]
aleecia: activities associated with tracking
18:58:40 [rigo]
JM: tracking definition is bleeding into first vs third party tracking
18:59:48 [asoltani]
hwest: section 3.4 should be dependent on 1st vs 3rd party definition
19:00:17 [enewland]
jmayer is right - there is an inconsistency
19:00:37 [enewland]
in that the definition draws on terms, here commonly-branded, that are not the terms of art we are using
19:00:42 [enewland]
in other definitions
19:01:03 [enewland]
and that replacing commonly-branded and non-commonly branded sites with first and third parties
19:01:05 [asoltani]
rigo: we should highlight 'use cases' as a way to shape the drafting
19:01:10 [enewland]
would make sense
19:01:24 [asoltani]
tom: we should highlight that this is a working draft
19:04:42 [rigo]
Rob: using the terminology the same way as in 95/46/EC
19:04:53 [rigo]
... wants to have this added as an option
19:05:04 [npdoty]
rico & rob, want to create an ISSUE for that?
19:05:09 [npdoty]
s/rico/rigo/
19:06:39 [asoltani]
efelten: section 4 definitions conflict
19:08:36 [asoltani]
shane: intention of definition was 1) first parties dont have a requirement 2) transmission of that data becomes a concern
19:08:54 [rigo]
JC: change websites to entities
19:09:16 [rigo]
AM: ok, make it as options will have the big discussion in the afternoon
19:09:50 [npdoty]
can someone find me the issue number we just created?
19:09:54 [npdoty]
issue-95?
19:09:54 [trackbot]
ISSUE-95 -- May an institution or network provider set a tracking preference for a user? -- raised
19:09:54 [trackbot]
http://www.w3.org/2011/tracking-protection/track/issues/95
19:12:35 [npdoty]
rigo, can you create an ISSUE for that or some sample text?
19:12:51 [asoltani]
rigo: strongly suggest language for special treatment for children's data
19:14:03 [JC]
* Ping
19:14:23 [rigo]
Issue 15 should read what special treatment should there be for especially sensitive data such as children's data or data as enumerated in Art. 8 of Directive 95/46/EC
19:15:54 [efelten]
Re issue 15: another possibility is simply to note that there will likely be legal or regulatory requirements relating to children and sensitive data, which are beyond the scope of this document, but with which compliance is of course required by law.
19:16:06 [rigo]
Roy: please editors make a global search/replace on Do Not Track header to DNT header
19:18:00 [jmayer]
jmayer has joined #dnt
19:18:58 [amyc]
+1 on efelten approach for known children's data; safety concerns with identifying children online
19:20:31 [npdoty]
is there an open issue for User Education and Communication?
19:20:40 [asoltani]
tom: if section 6.3 is closed, can we open it?
19:20:57 [rigo]
ed, I think this is rather helping people
19:21:17 [Zakim]
-Justin
19:21:22 [rigo]
in that we may give some hints in this document on how to deal with sensitive information
19:21:29 [asoltani]
+
19:21:32 [rigo]
like children, politics, religion
19:21:33 [asoltani]
+q
19:23:14 [npdoty]
fix the issue 14 in the tracker to refer to collector instead of controller
19:23:23 [asoltani]
-q
19:23:38 [karl]
ACTION: karl to do a review of the Tracking Protection WG deliverables according to http://www.w3.org/TR/qaframe-spec
19:23:38 [trackbot]
Created ACTION-26 - Do a review of the Tracking Protection WG deliverables according to http://www.w3.org/TR/qaframe-spec [on Karl Dubost - due 2011-11-07].
19:23:44 [rigo]
I changed Issue 14
19:24:20 [npdoty]
q?
19:24:56 [karl]
RRSagent, this meeting spans midnight
19:24:58 [Zakim]
-MikeZaneis
19:25:08 [fielding]
Julian Reschke suggests we exclude comma from the DNT-extensions to avoid confusion with HTTP header folding. I agree and will make that change.
19:25:37 [Zakim]
-[Microsoft]
19:25:40 [Zakim]
- +1.425.269.aaff
19:27:51 [Zakim]
+ +1.631.223.aagg
19:27:51 [mischat]
mischat has joined #dnt
19:27:52 [Zakim]
- +1.631.223.aagg
19:27:52 [Zakim]
+ +1.631.223.aagg
19:27:56 [Frank]
Frank has joined #DNT
19:33:56 [npdoty]
npdoty has joined #dnt
19:34:02 [npdoty]
Zakim, who is on the phone?
19:34:02 [Zakim]
On the phone I see Salon_12, +1.631.223.aagg
19:34:16 [npdoty]
Zakim, mute aagg
19:34:16 [Zakim]
+1.631.223.aagg should now be muted
19:36:48 [Frankie]
Frankie has joined #dnt
19:37:27 [dsinger]
dsinger has joined #dnt
19:45:33 [Frankie_]
Frankie_ has joined #dnt
20:03:48 [enewland]
enewland has joined #dnt
20:13:54 [tlr]
tlr has joined #dnt
20:16:28 [KevinT]
KevinT has joined #dnt
20:22:12 [Frank]
Frank has joined #dnt
20:22:16 [andyzei]
andyzei has joined #dnt
20:22:51 [aleecia]
aleecia has joined #dnt
20:22:58 [aleecia]
For those playing our home game, you'll want to take a look at http://www.w3.org/2011/tracking-protection/track/issues/open
20:25:51 [aleecia]
Thomas demoing Collusion plugin
20:28:55 [Frankie]
Frankie has joined #dnt
20:29:20 [dwainberg]
dwainberg has joined #dnt
20:29:34 [JohnSimpson]
JohnSimpson has joined #dnt
20:29:56 [dwainber_]
dwainber_ has joined #dnt
20:30:14 [Kai]
Kai has joined #dnt
20:30:18 [jmayer]
jmayer has joined #dnt
20:30:18 [rigo]
rigo has joined #dnt
20:30:23 [Zakim]
+ +1.425.269.aahh
20:30:31 [rigo]
who just joined?
20:30:33 [vincent]
vincent has joined #dnt
20:30:46 [dsinger]
dsinger has joined #dnt
20:30:51 [npdoty]
npdoty has joined #dnt
20:30:52 [rigo]
zakim, aahh is Sue_Gluck
20:30:52 [Zakim]
+Sue_Gluck; got it
20:31:00 [rigo]
scribenick rigo
20:31:04 [npdoty]
rrsagent, pointer?
20:31:04 [RRSAgent]
See http://www.w3.org/2011/10/31-dnt-irc#T20-31-04
20:31:07 [npdoty]
scribenick: rigo
20:31:28 [aleecia]
For those playing our home game, you'll want to take a look at http://www.w3.org/2011/tracking-protection/track/issues/open
20:31:28 [tobie]
tobie has joined #dnt
20:31:43 [fielding]
fielding has joined #dnt
20:31:48 [rigo]
http://www.w3.org/2011/tracking-protection/track/products/1
20:31:54 [rigo]
tracker open issues
20:31:56 [hwest]
hwest has joined #dnt
20:32:17 [BrianTs]
BrianTs has joined #DNT
20:32:19 [rigo]
this is issue 17
20:32:30 [vincent]
http://www.blaeu.com/uploads/tracking/110827%20gossip%20.html example of my research
20:32:34 [chuck]
chuck has joined #dnt
20:32:35 [rigo]
http://www.w3.org/2011/tracking-protection/track/issues/17
20:32:38 [alex]
alex has joined #dnt
20:32:40 [efelten_]
efelten_ has joined #dnt
20:33:10 [sidstamm]
sidstamm has joined #dnt
20:33:14 [rigo]
AM: do we want to distinguish between 1st and 3rd parties
20:33:33 [rigo]
...distinguishing, the user has already made a decision
20:34:03 [npdoty]
s/...distinguishing/... distinguishing/
20:34:21 [rigo]
.. goal is to get this done by the end of the day
20:34:31 [JC]
JC has joined #DNT
20:34:32 [npdoty]
s/.. goal/... goal/
20:34:34 [Adam]
Adam has joined #dnt
20:34:43 [Adam]
Adam has left #dnt
20:34:47 [vincent]
code is at http://www.blaeu.com/uploads/main.pl (Rob)
20:35:11 [rigo]
TL, we use this since some time and we wanted to distinguish between the party that the user believes he is interacting
20:35:17 [rigo]
and other parties
20:35:57 [rigo]
Rob: first and third party are technical terms as from a legal perspective, is a different question
20:36:08 [rigo]
and it would be good to meet in middle
20:36:17 [rigo]
JP: good to learn from the data processing term
20:36:31 [npdoty]
s/and it/... and it/
20:36:57 [rigo]
... in limited way to interact with 3rd parties
20:37:27 [rigo]
DavidSinger: we have to start from the perspective of the sites that the user believes he is interacting with
20:37:43 [Joanne]
Joanne has joined #DNT
20:37:49 [Frank]
Frank has joined #DNT
20:38:19 [suegl]
suegl has joined #dnt
20:38:23 [rigo]
ShaneWiley: we are attempting to define first party in a social way, not only the domain. Intent is to try to observe the user's intent
20:39:04 [rigo]
... data processor is a legal contract, agree with Jules, the data processor construct is good as dp has no independent right to use the data
20:39:15 [rigo]
... facebook like button is different
20:39:57 [rigo]
HeatherWest: should work on something that is technically feasible. User intent is not something, we could implement
20:40:29 [karl]
karl has joined #dnt
20:40:48 [rigo]
JCC: sometimes third party gives me what I told him to deliver me
20:41:20 [npdoty]
JC: a third-party weather widget might be something I want that tracks me
20:41:45 [Zakim]
+[Microsoft]
20:42:07 [rigo]
TL: like buttons issue, if I interact with the +1 button, I want to communicate with Google, if I don't click on it and it communicates then it's third party
20:42:59 [tl]
i also want to make clear that i don't like this 1st/3rd party terminology
20:43:00 [rigo]
AdamPhilipps: EU data protection is about data collector making assertions on what they gonna do with the data. May have multiple collectors
20:43:02 [sidstamm]
sidstamm has joined #dnt
20:43:17 [amyc]
amyc has joined #dnt
20:43:32 [rigo]
... first party is not helpful except for people know where to complain to
20:43:36 [Kai]
q?
20:43:37 [tl]
the eu data collector/controller/processor is useful, provided we attempt to identify who the user is trying to communicate with
20:43:38 [rigo]
Shane
20:44:34 [rigo]
ShaneWiley: First party acting like a third party. Beginning to look at interaction vs impression, to qualify as a first party
20:45:00 [rigo]
AM: terminology FB like button is rather as a widget,
20:45:34 [npdoty]
ShaneWiley: think there is agreement that impression of a widget shouldn't count the same as an interaction with the widget (which would be a first party context)
20:45:50 [rigo]
FrankWagner: Doesn't matter first or third party, user goes to website and there is one entity responsible for the site
20:46:13 [rigo]
... challenge is to make transparent to the user the network
20:46:45 [rigo]
??: widgets are also used to provide content
20:47:05 [npdoty]
s/??/@@Facebook/
20:47:06 [rigo]
AM: it may be acceptable to break things for people have DNT=1
20:48:32 [rigo]
JP: sites have been certified as privacy friendly despite sharing on the unders
20:50:38 [alex]
alex has joined #dnt
20:51:40 [alex]
q?
20:53:36 [rigo]
RW: not entangling the definitions of parties in technical and social way, not doing the distinction
20:54:02 [rigo]
AM: first vs third party poll
20:55:06 [rigo]
AM: user's view or first party and third party
20:55:15 [rigo]
Shane: want a third option
20:56:00 [amyc]
think we need both approaches
20:56:41 [sidstamm]
sidstamm has joined #dnt
20:56:58 [rigo]
12 people user are interacting with elements of a site and we should deal with it
20:57:44 [rigo]
edF: deliberate interaction and going to a website is that expression
20:58:55 [rigo]
many more want first party and third party and want to look into the interactions on that fact
20:59:07 [rigo]
AM: discussing more
20:59:54 [rigo]
Rob: Tom showed interaction, I want to cover those secret interactions that take place in the background
21:00:17 [rigo]
??: are we trying to assign responsibilities?
21:00:31 [npdoty]
s/??/Alex_Nielsen/
21:00:32 [rigo]
AM: we try to assign requirements
21:01:14 [MeMe]
MeMe has joined #dnt
21:01:40 [rigo]
... and first party has less burden than third party
21:06:24 [rigo]
??: First party visit to assume implied consent
21:06:53 [npdoty]
s/??/dweinberg/
21:07:32 [dwainber_]
s/dweinberg/dwainberg/
21:07:35 [sidstamm]
sidstamm has joined #dnt
21:07:43 [rigo]
KaiScheppe: new to discussion. Have large site, have 250 partners and deliver content is like from one site
21:08:48 [rigo]
... user doesn't care about 3rd party, want to know where their data is going
21:08:57 [rigo]
... keep it simple as much as possible
21:09:28 [rigo]
... sports portal of soccer results.
21:09:28 [vincent]
vincent has joined #dnt
21:09:45 [rigo]
MS: do they do tracking?
21:09:46 [chuckcu]
chuckcu has joined #dnt
21:10:06 [rigo]
KS: more specialised now
21:10:23 [chuckcu]
chuckcu has joined #dnt
21:10:25 [efelten]
efelten has joined #dnt
21:11:08 [glazou]
glazou has joined #dnt
21:11:09 [chuckcu]
chuckcu has left #dnt
21:11:29 [glazou]
glazou has left #dnt
21:11:47 [rigo]
Rob: difficult to start with bottom up approach, perhaps start with top down. Perhaps start with ICO website where you're asked whether you want preferences
21:11:57 [chuck]
chuck has joined #dnt
21:12:00 [rigo]
AM: make future proof
21:12:35 [rigo]
... everything from example.com is first party
21:12:54 [rigo]
... others would have increased responsibility.
21:13:52 [rigo]
... if user clicks on FB button, has affirmatively interacted with. This is more robust to distinguish between affirmative and secret interactions
21:14:13 [rigo]
... have primarily discussion on how we talk about things
21:15:54 [rigo]
??: customize edit buttons...
21:17:07 [suegl]
q+
21:17:10 [rigo]
Tom: create feature like comment box, one way with DNT and once with tracking.
21:17:11 [karl]
I wonder what it means if we allow for DNT based on a domain list. a bit like cookies.
21:17:21 [tl]
tl has joined #dnt
21:17:35 [suegl]
I have a question about Aleecia's example. What if nytimes.com keeps the photos they themselves take on nytimesphotos.com? The user didn't intend to visit nytimesphotos.com, so if the user has indicated DNT=1, then no photos?
21:17:45 [rigo]
FW: pixel graphics for web measurements
21:18:33 [rigo]
... in addition the same root domain is used
21:18:34 [fielding]
a.k.a., web beacons
21:18:45 [schunter]
schunter has joined #dnt
21:19:00 [npdoty]
suegl, is nytimesphotos.com also run by the New York Times and just happens to use a different domain? (I think Aleecia and Rigo discussed this)
21:19:30 [suegl]
npdoty, yes
21:19:34 [rigo]
AM: beacon is part of site and is setting cookies on behalf of first party
21:20:38 [rigo]
David: counterexample of interaction is URI shortener. User 1 has interaction, user 2 just clicks on the link and redirects
21:20:41 [suegl]
npdoty, what was the resolution/answer? My apologies - it's hard to hear on the phone sometimes
21:20:53 [rigo]
AM: please create issue on redirection
21:21:17 [schunter]
?q
21:21:17 [schunter]
?q
21:21:22 [rigo]
q?
21:21:24 [schunter]
q?
21:21:25 [npdoty]
suegl, I thought that Aleecia had summarized that we all agreed that different domain names that are functionally the same, then it wouldn't be an issue
21:21:31 [rigo]
q+ schunter
21:21:37 [rigo]
q- schunter
21:21:41 [schunter]
sue, you are next.
21:21:42 [npdoty]
yes, rigo, I can create the issue
21:21:47 [suegl]
npdoty, Thanks, Nick.
21:21:56 [suegl]
q-
21:22:00 [rigo]
ack
21:22:01 [jmayer]
q+
21:22:39 [rigo]
q+ EdFelten
21:22:53 [asoltani]
q+
21:23:06 [rigo]
ShaneWiley: redirection is bigger than shorteners, click analytics is redirect on own site
21:23:17 [rigo]
... wouldn't count that as first party
21:23:41 [npdoty]
ISSUE: re-direction, shortened URLs, click analytics -- what kind of tracking is this?
21:23:42 [trackbot]
Created ISSUE-97 - Re-direction, shortened URLs, click analytics -- what kind of tracking is this? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/97/edit .
21:23:58 [efelten]
q- EdFelten
21:23:58 [rigo]
... interactive ads, rich media, has reach interaction, is that collecting information in the first party context?
21:24:17 [schunter]
fyi: I prefer show of hands for entering the queue...
21:24:30 [schunter]
[unless you are on the phone ]
21:24:45 [schunter]
I recorded jmayer, edfelten, sontani
21:24:54 [fielding]
q+
21:25:00 [rigo]
DavidSinger: redirect is the same as the framing of example.com If the top level domain the actual content site would be first party
21:25:35 [fielding]
ack jmayer
21:25:38 [rigo]
??: example.com does not realize that they are third party
21:26:06 [karl]
sometimes the content/tracking is coming from a server-side client
21:26:10 [rigo]
JM: overlaying information, content data over maps e.g
21:26:33 [npdoty]
s/??/BilCorry/
21:26:37 [rigo]
... site that is co-branded, who is the actual first party
21:27:13 [rigo]
... what about 5 redirections to circumvent 3rd party cookie blocking
21:27:19 [asoltani]
q-
21:27:29 [Zakim]
- +1.631.223.aagg
21:28:09 [schunter]
q?
21:28:38 [rigo]
Ashkan: enforcement side of it. Trademark multiple step test. Setting guidelines, make reasonable steps to fulfill user expectations about use of third parties
21:28:59 [rigo]
... so that the case can be enforced by having that test
21:29:00 [schunter]
ack fielding
21:29:01 [karl]
webapps store with the web apps staying in the store when using it
21:29:33 [jmayer]
s/what about 5 redirections to circumvent 3rd party cookie blocking/what about 5 redirections to circumvent 3rd party cookie blocking - we should be explicit about different use cases for redirection/
21:29:44 [rigo]
AM: recollecting: site has a certain policy and if they can honor it, fine, if they can't are treated as 3rd party site
21:30:23 [rigo]
HW: do like more technical definition, easier to determine whether I'm first/third party
21:31:01 [karl]
I think that most people do not know that Youtube == Google
21:31:07 [karl]
or Flickr == Yahoo!
21:31:09 [fielding]
ack fielding
21:31:13 [rigo]
Roy: vote for meshy site of things
21:31:24 [fielding]
s/meshy/mushy/
21:31:31 [rigo]
AM: if you have general comments, quick feedback
21:31:35 [hwest]
Here's another idea around a first party: the entity that decides what else ends up on the page, ie, places the script for analytics or embeds the widget
21:31:44 [schunter]
q+ fielding
21:31:50 [schunter]
q- fielding
21:31:50 [rigo]
.. very quick feedback, no more than 10 min
21:32:34 [rigo]
KaiScheppe: unifying aspect is user, if you adapt user centric view, the user's expectations should be taken into account
21:32:37 [fielding]
focus on compliance in terms of user expectations instead of trying to define all of the mechanisms -- let the implementations worry about mechanisms as long as they comply with the user's expectations
21:32:54 [rigo]
AM: comment; one way to get the information is not to use DNT
21:33:07 [rigo]
KS: user may change their mind
21:34:03 [rigo]
Sid: important to distinguish between things that we call and those that are automatic
21:39:21 [rigo]
RW: distinction between first and third party will get you into legal nightmare and suggest to only scope by actual http request
21:39:34 [Zakim]
-[Microsoft]
21:40:45 [npdoty]
Vincent: in cases of prefetching, as with the Google Chrome feature, what should we do when a browser fetches the content of a page before the user affirmatively chooses to look at it?
21:41:50 [sidstamm]
sidstamm has joined #dnt
21:47:24 [sidstamm]
sidstamm has joined #dnt
21:47:57 [asoltani]
+q
21:48:14 [rigo]
KD: set header per site, dependent on domain name
21:48:17 [fielding]
q+
21:49:37 [fielding]
q-
21:49:59 [rigo]
.. bla.analytics.com will send DNT but not to example.com being in the same site
21:52:02 [rigo]
JP: using cloud services and those still in the same hands
21:52:24 [rigo]
Rob: want to remain on user centric view that looks at one site, keep it simple
21:54:01 [rigo]
David: want to support that we should scope by http
21:54:09 [rigo]
... but have to discuss further
21:54:38 [rigo]
Ashkan: we have to be careful on what the sites do so that they don't circumvent the browser controls
21:54:41 [rigo]
... what
21:54:57 [rigo]
.. s the right thing to do on the server side
21:55:13 [fielding]
This topic is going in circles. We have the issue of implied consent. Rigo's point is that there should not be any implied consent and instead have browsers maintain domain lists. The browser developers have previously stated that they do not wish to implement such lists. Sending DNT selectively (only to third parties) denies the first party from adjusting their content to be DNT-amenable (paid for).
21:55:15 [rigo]
Andy: David did a good job on capturing
21:55:19 [rigo]
.. support that
21:55:37 [pde]
q+
21:55:55 [fielding]
ack asoltani
21:55:57 [karl]
fielding, it is not true. at least three browser developers said they were positive
21:56:00 [Zakim]
-Sue_Gluck
21:56:01 [rigo]
we will reconvene 3:15
21:56:02 [schunter]
queue will be shelved until after the break
21:56:07 [karl]
Microsoft, Mozilla, Opera
22:03:22 [Zakim]
-Salon_12
22:03:23 [Zakim]
Team_(dnt)16:00Z has ended
22:03:24 [Zakim]
Attendees were Salon_12, +1.202.344.aaaa, +1.425.269.aabb, Justin, MikeZaneis, [Microsoft], +1.408.544.aacc, harlanyu, +1.631.403.aadd, Carmen, +1.631.223.aaee, JKaran,
22:03:26 [Zakim]
... +1.425.269.aaff, +1.631.223.aagg, +1.425.269.aahh, Sue_Gluck
22:04:00 [Frank]
Frank has joined #DNT
22:12:11 [Joanne]
Joanne has joined #DNT
22:13:56 [Frankie]
Frankie has joined #dnt
22:22:06 [Frank_]
Frank_ has joined #DNT
22:23:51 [dwainberg]
dwainberg has joined #dnt
22:24:07 [fielding]
fielding has joined #dnt
22:25:17 [Kai]
q?
22:28:17 [Zakim]
Team_(dnt)16:00Z has now started
22:28:24 [Zakim]
+[Microsoft]
22:28:37 [Joanne]
Joanne has joined #DNT
22:29:39 [Zakim]
-[Microsoft]
22:29:41 [Zakim]
Team_(dnt)16:00Z has ended
22:29:41 [Zakim]
Attendees were [Microsoft]
22:30:08 [Zakim]
Team_(dnt)16:00Z has now started
22:30:15 [Zakim]
+[Microsoft]
22:30:43 [npdoty]
npdoty has joined #dnt
22:31:32 [aleecia]
Propose, conceptually: 1. We continue with 1st v. 3rd parties. 1st parties must be sites that users intended to visit: a series of five re-directs does not make all five into 1st parties, only the site the user intended to visit. 2. We layer user interactions as: when users affirmatively interact with 3rd party content on a 1st party site, we promote that 3rd party to the 1st party standard for data use/collection/DNT compliance.
22:31:39 [suegl]
Is something wrong with the concall? I can't hear anything...
22:31:52 [tl]
hear hear
22:32:29 [npdoty]
Zakim, call Salon_12
22:32:29 [Zakim]
ok, npdoty; the call is being made
22:32:31 [Zakim]
+Salon_12
22:32:42 [npdoty]
Zakim, unmute Salon_12
22:32:42 [Zakim]
Salon_12 was not muted, npdoty
22:32:50 [suegl]
thanks - I can hear now
22:38:05 [rigo]
dunno
22:38:49 [sidstamm]
sidstamm has joined #dnt
22:39:00 [sidstamm_]
sidstamm_ has joined #dnt
22:39:10 [alex]
alex has joined #dnt
22:39:20 [npdoty]
scribenick: npdoty
22:39:32 [npdoty]
"the only way we can get consensus is if no one can write it down"
22:39:39 [mischat]
mischat has joined #dnt
22:40:09 [tlr]
tlr has joined #dnt
22:40:17 [npdoty]
aleecia: for ISSUE-10, can someone translate my high-level language into specific language?
22:40:40 [npdoty]
ACTION: tl to write-up the consensus for what is a first party on ISSUE-10
22:40:41 [trackbot]
Created ACTION-27 - Write-up the consensus for what is a first party on ISSUE-10 [on Thomas Lowenthal - due 2011-11-07].
22:41:06 [npdoty]
pde: when we make a decision, it's only partly concrete, if we reveal something else we can come back to this decision
22:41:10 [npdoty]
ACTION-17?
22:41:10 [trackbot]
ACTION-17 -- Shane Wiley to write a concrete proposal re 3rd party response. -- due 2011-10-28 -- OPEN
22:41:10 [trackbot]
http://www.w3.org/2011/tracking-protection/track/actions/17
22:41:15 [JC]
JC has joined #DNT
22:41:19 [Joanne]
Joanne has joined #DNT
22:41:20 [npdoty]
aleecia: what restrictions should we put on the first party?
22:41:23 [NinjaMarnau]
NinjaMarnau has joined #dnt
22:41:24 [npdoty]
ISSUE-17?
22:41:24 [trackbot]
ISSUE-17 -- Data use by 1st Party -- open
22:41:24 [trackbot]
http://www.w3.org/2011/tracking-protection/track/issues/17
22:42:06 [JC]
Acting as scribe
22:42:07 [npdoty]
WileyS: repeat of jmayer's proposal, first parties in the context of a first party (intending to have an interaction with that party), they would have no responsibilities
22:42:11 [pde]
pde: I just reminded WG members that consensus on X now does not mean X is fixed in stone for all time come what may
22:42:13 [JC]
Shane: 1st party has no responsibilities to DNT
22:42:27 [npdoty]
scribenick: JC
22:42:45 [JC]
..1st-party cannot share user data with 3rd party
22:42:50 [npdoty]
"would not share information about that user with a third party"
22:42:56 [npdoty]
s/..1st/... 1st/
22:44:17 [npdoty]
WileyS: no such sharing should occur, unless there was explicit permission from the user
22:44:57 [JC]
..unless there is explicit consent from user
22:45:04 [npdoty]
s/..unless/... unless/
22:45:07 [JC]
Aleecia: Want to add offline sharing as well
22:45:37 [eberkower]
eberkower has joined #dnt
22:45:41 [JC]
Shane: need to cover what is meaningful consent
22:48:08 [JC]
Rigo: Does it include "as required by law"?
22:48:08 [JC]
?? Does this include sharing with ad servers?
22:48:12 [jmayer]
jmayer has joined #dnt
22:48:18 [JC]
Ninja: What about necessary sharing as in working with cloud services?
22:48:33 [JC]
... service providers should have same protections as 1st party
22:48:33 [npdoty]
s/??/Frank_BlueCava:/
22:48:38 [JC]
Shane: We need to explore cases where services are using other services.
22:49:58 [JC]
Aleecia: If a site is using a third party and that party is not compliant then the first party is not compliant
22:50:26 [npdoty]
WileyS: we are responsible for what our vendors do
22:50:29 [hwest]
hwest has joined #dnt
22:51:35 [johnsimpson]
johnsimpson has joined #dnt
22:52:26 [WileyS]
More specifically: 1st parties are responsible for their Service Providers with respect to honoring DNT.
22:53:06 [npdoty]
scribenick: npdoty
22:53:30 [npdoty]
asoltani: might want an exception for COPPA cases, need to disclose to third parties that a particular user is a child and needs to be treated as such (or not)
22:54:18 [hwest]
I think that COPPA stuff could be covered when parents opt kids in to the services, etc
22:54:19 [hwest]
hwest has left #dnt
22:54:35 [hwest]
hwest has joined #dnt
22:54:42 [jmayer]
Just to put it in IRC - I think the generalizable rule here is that if a first party shares with a third party, the same restrictions and exceptions apply as if the third party had collected the information itself.
22:54:48 [rigo]
rigo has joined #dnt
22:55:35 [npdoty]
schunter: what about making a bank transfer?
22:55:44 [dsinger]
suggests that IF a first-party does (accidentally?) relay user-data to a third-party that is under a DNT obligation, the third-party SHOULD discard that information ("I didn't want to know his name!!")
22:55:45 [npdoty]
tl: we should have an issue/exemption for the current transaction
22:58:12 [npdoty]
proposed_consensus: A first party that receives a DNT:1 signal should not further share info about that user with other parties, unless there's an exception.
22:58:36 [howard]
howard has joined #dnt
22:58:59 [tl]
tl has joined #dnt
22:59:46 [npdoty]
TonyR: passing on credit card information on to the payment site? -- current transaction exemption
22:59:57 [rigo]
npdoty: may take this as users preference for better privacy dealing (less logging)
23:00:42 [Julian]
Julian has joined #dnt
23:00:43 [npdoty]
npdoty: could we also note that a first party may (not an absolute requirement) choose to respect a user's preference by logging less
23:01:25 [npdoty]
rigo: in Europe, when you have a general prohibition, you must provide for exceptions, either an enumeration or a general rule, like every necessary to carry out the transaction
23:01:42 [jmayer]
To be clear, some of these exceptions might be high-level standards.
23:02:48 [rigo]
s/in Europe, when you have a general prohibition/resolution 17 establishes general prohibition of sharing/
23:03:32 [Frankie]
ISSUE 17 Is it possible to describe what is allowed to be done by a first party is - instead of describing what its NOT allowed ????
23:03:45 [npdoty]
npdoty: suggesting an additional but non-binding suggestion that first-party sites may take additional protections
23:04:05 [npdoty]
tl: I had some text on that in an earlier draft, will send to Shane
23:04:19 [NinjaMarnau]
I see the problem that if state "MUST NOT" we need to have so many exemptions we get lost, or otherwise we will have blanket clause exemptions which basically enable the first parties to do whatever they want
23:04:57 [rigo]
exactly
23:05:15 [rigo]
but speak up Ninja, otherwise this will get lost
23:05:31 [rigo]
you're mainly arguing against issue 17
23:05:44 [npdoty]
jmayer: as a generalizable rule, there are classes of data that don't bring any risk of eventually re-inferring pseudonymously identifiable browsing histories
23:05:57 [npdoty]
ISSUE-30?
23:05:57 [trackbot]
ISSUE-30 -- Will Do Not Track apply to offline aggregating or selling of data? -- open
23:05:57 [trackbot]
http://www.w3.org/2011/tracking-protection/track/issues/30
23:06:19 [npdoty]
dsinger: if you remember anything about a transaction, the onus is on you to be sure that it can't be reassociated with the user
23:06:38 [tl]
hear hear
23:06:40 [jmayer]
- and we need to be very careful about what we allow to come within this exception, assertions of statistical aggregation aren't nearly enough
23:07:29 [NinjaMarnau]
rigo, I'm not opposed to issue 17 in general, I just think the must not - approach may be far too ambitious
23:07:49 [npdoty]
jules: with aggregation there's always some risk (HIPAA and other examples), given that there's scales of risk and value to society
23:08:16 [npdoty]
… how do we deal with it here?
23:08:43 [npdoty]
… the measure of what you need to do with every type of data, we should reference some appropriate level of deidentification per the type of data
23:08:52 [rigo]
Ninja, issue 17 was closed with consensus that general prohibition, now discussing 1001 exceptions
23:08:53 [dsinger]
I think the point is that if you don't know if you can manage the risk of de-identification, don't record data. The more you record, the more granular it is, the better you need to understand what you are doing.
23:09:15 [rigo]
this is the way to make things so complex that it resolves by itself
23:09:29 [npdoty]
aleecia: your data might seem innocuous but it reidentifies someone else's data set
23:09:33 [hwest]
I don't think we should get to the techniques used to deidentify/aggregate data
23:09:35 [NinjaMarnau]
yeah, I was too late in the queue ... and missed the point to jump in
23:10:33 [npdoty]
tl: aggregation needs to be not just stripping identifiers but aggregating a number of users so that it isn't reidentifiable, and if it is reidentifiable, then it's your fault (you weren't in compliance and if you said you were you were being deceptive)
23:11:41 [npdoty]
alex: what about the geolocation case where we might aggregate successfully for most locations, but some geographic areas might be reidentifiable, am I liable for that?
23:11:53 [dsinger]
remembering that there were 20,000 californians, and separately that there were 40,000 men, and separately that there were only 10,000 over-50's, and so on, is fine; but remembering that there was a male, californian, over-50's, etc. -- dangerous. be careful.
23:11:58 [tl]
and saying that you were in compliance might include sending a dnt header
23:12:08 [npdoty]
efelten: it's not fuzzy in the sense of unknowable, it can just be difficult to determine in some cases, which suggests being conservative
23:12:55 [npdoty]
… it is a technically precise question whether something can be inferred from a dataset or not, rather than giving the exact means we could just say that they should achieve that reasonable result
23:13:04 [npdoty]
aleecia: what bar is reasonable?
23:13:11 [karl]
location of someone in the desert and location of someone in the city do not have the same impact on privacy/tracking
23:13:32 [npdoty]
efelten: that it can't be used to infer something useful about a particular user or device [scribe is paraphrasing]
23:13:39 [npdoty]
… not reasonably possible to infer information
23:14:01 [tobie]
tobie has joined #dnt
23:14:02 [npdoty]
hwest: to make it future proof, we shouldn't identify specific numbers of users, just set a generalized rule
23:14:30 [hwest]
We can set a policy rule that the data should not be reasonably reidentified
23:14:38 [npdoty]
dsinger: if you don't know how to handle data, you shouldn't record it
23:14:41 [hwest]
We can't determine that it's definitely safe
23:14:44 [karl]
privacy in aggregation of data is highly dependent on the data context
23:15:03 [npdoty]
jmayer: we could have both a high-level standard and a specific rule that implements that standard that you could use right now (and different rules in the future)
23:15:42 [npdoty]
… I think we do have to give some guidance and rules, even non-normative, as we hear over and over again from companies that are confused about anonymity/pseudonymity/aggregation
23:16:19 [karl]
if we are 20 Johns during the meeting and I'm aggregating John… then the aggregation is not very harmful. If we all have different names, it suddenly becomes more "harmful"
23:16:20 [npdoty]
… if we don't give a good practice to those two guys in the garage, then we shouldn't expect them to [paraphrasing that last part]
23:16:56 [npdoty]
tl: fine with putting a pointer to guidelines, but should standardize on results
23:17:38 [npdoty]
robvaneijk: in a way we're coming up with a new definition of "personal data", which is very tricky and has been worked on for many years, could look at the one in the Directive
23:17:51 [npdoty]
aleecia: summarizing points
23:18:08 [NinjaMarnau]
I agree with rob
23:18:09 [npdoty]
… 1. If you are selling or otherwise distributing aggregate information, it's your responsibility that it can never be re-identified.
23:18:51 [NinjaMarnau]
but there is no good (understandable for everyone) definition in the Directive either ...
23:19:28 [npdoty]
… 2. Sliding scale of risk/value -- but what if you release data that re-identifies some other data?
23:20:13 [npdoty]
tl: only responsible if the data was collected when data was sent with DNT:1
23:20:21 [jmayer]
I don't think we should get into how valuable data is.
23:20:36 [jmayer]
If it can reasonably be identified, then it's covered.
23:20:45 [jmayer]
If it's valuable, the entity can ask for consent.
23:21:11 [npdoty]
aleecia: do we agree that multiple parties, all parties, responsible for re-identification?
23:22:04 [tlr]
tlr has joined #dnt
23:22:40 [hwest]
This distinction between public and private data on sites needs to be reflected somewhere in the spec - this is not reflected right now.
23:22:57 [asoltani]
agreed
23:23:17 [asoltani]
we're stepping into data sharing practices that should be covered in privacy policies
23:23:33 [NinjaMarnau]
exactly
23:23:37 [npdoty]
WileyS: what about data that's collected (posting a name and data on marathon web site) and then a search engine and the Wayback machine also collect it?
23:24:07 [npdoty]
tl: if you posted it publicly on the site, then the user has given consent
23:24:17 [hwest]
This has to be a balance between reidentifiability and the data - as long as there's a good faith effort, reasonable standards, etc
23:24:43 [hwest]
If there is no measure for reasonable efforts, then all innovation disappears and/or no one uses the standard
23:24:55 [npdoty]
JC: what if I had no way to reidentify, but someone else with an additional dataset could? I shouldn't be liable for that
23:24:56 [rigo]
this will be so complex that first parties will just refuse to use DNT and send back "we don't do DNT"
23:25:49 [jmayer]
I think we should define aggregation such that this sort of re-identification isn't even possible.
23:26:12 [karl]
it is not tracking protection but tracking preferences so far
23:26:17 [npdoty]
ISSUE-73?
23:26:17 [trackbot]
ISSUE-73 -- In order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract -- open
23:26:17 [trackbot]
http://www.w3.org/2011/tracking-protection/track/issues/73
23:26:18 [jmayer]
We should be conservative - data that has rich pseudonymous records or limited k-anonymity is not going to fly.
23:26:38 [hwest]
De-identification will continue to evolve, so will re-identification.
23:26:51 [rigo]
now comes the re-invention of data processor in a looser way
23:26:59 [npdoty]
aleecia: the idea is that I'm a first party and I'm sharing data with someone who's working on my behalf, and they're not sharing the data with anyone else
23:27:58 [asoltani]
clarification, there are numerous guidelines we can point to on the de-anon issue such as those created by HHS http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/deidentificationworkshop2010.html
23:28:04 [asoltani]
would suggest just linking to best practices, etc
23:28:05 [npdoty]
jmayer: more than just a contract, legal enforceability by multiple actors (regulators and/or users in addition to the company they contracted with)
23:28:33 [npdoty]
aleecia: I propose enforce technically, or by contract, but the agents must not share the information
23:29:14 [npdoty]
jc: if there's no contract, then what could stop them? there should be a contract in place
23:29:28 [npdoty]
WileyS: a "must" on the contract and a "should" on the technology
23:29:49 [npdoty]
… but we agreed that there must be some contractual structure, but jmayer and I had disagreed about how specific or prescriptive we should get with the technology
23:30:33 [npdoty]
aleecia: could say "must technically silo" but not go into details on the technology
23:31:23 [npdoty]
rigo: could each agent just contract with all the other parties as agents on their behalf? and reconstruct the complexity of the ad network that Jules showed earlier?
23:31:42 [npdoty]
WileyS: but there would be a limit on using the data for anyone other than you
23:31:54 [npdoty]
aleecia: remaining disagreements?
23:32:02 [npdoty]
WileyS: on how specific the technical limitation should be
23:32:22 [npdoty]
jmayer: might have a disagreement on the legal means
23:32:39 [npdoty]
… a legal means that's enforceable by the User and Regulator and the contracting Company
23:33:10 [npdoty]
… and a minimum set of technical protections, based on the same-origin policy for siloing data
23:33:38 [npdoty]
… same-origin policy should be a MUST, it's important, a low technical impact, does a lot for users, lots of companies do this already
23:34:35 [npdoty]
aleecia: couldn't using the same identifier be prohibited in the contract?
23:35:31 [npdoty]
jmayer: [sent long list of requirements for the contractual relationship to the mailing list] but I wouldn't include different identifiers as a legal requirement in the contract
23:36:10 [npdoty]
… prevent companies from shooting themselves in the foot, making a common mistake
23:36:34 [npdoty]
aleecia: Shane, why shouldn't it be a MUST?
23:37:07 [npdoty]
WileyS: just seems very prescriptive, could use something like physical separation (different data on different servers), seems like an overreach of the standard
23:37:48 [npdoty]
aleecia: what about -- must do same-origin siloing or equivalent or better
23:38:20 [npdoty]
WileyS: just think a standard shouldn't be that specific
23:38:34 [npdoty]
dwainberg: I think the contractual and technical provisions are both overly prescriptive
23:38:36 [hwest]
jmayer, do you have an example of what you would consider a must for the standard on a technical level?
23:38:44 [npdoty]
… instead should just take reasonable measures to assure
23:38:52 [WileyS]
Specifically: Standards should not cement technical prescriptive measures when multiple valid and appropriate alternatives may exist.
23:38:56 [jmayer]
yes, different first-party client = different identifier
23:39:07 [jmayer]
+ other information stored
23:39:41 [howard]
howard has left #dnt
23:39:44 [rigo]
Ninja, Frank just says this is the annex to Article 9 BDSG combined with standard contract clauses
23:41:16 [NinjaMarnau]
rigo, yes it is - I don't get why we are reinventing European privacy laws
23:41:24 [npdoty]
WileyS: must have a technical measure (and should do this different-identifier policy)
23:41:44 [npdoty]
jmayer: I could live with that as well
23:42:23 [hwest]
Another point where I feel the need to point out that being technically prescriptive here may in fact have a negative impact on privacy in the future
23:42:32 [npdoty]
aleecia: jmayer to go back and make a change on the text, we're very close but it will help to have text to agree on
23:43:26 [npdoty]
dsinger: specifying a result rather than a means has advantages (in the same way that we want governments to let us choose means)
23:43:38 [npdoty]
ifette: examples should be non-normative
23:43:50 [johnsimpson]
johnsimpson has left #dnt
23:43:57 [rigo]
sharing with agents on non-normative clauses is cool
23:44:18 [jmayer]
ACTION: Write section on outsourcing exception by Monday
23:44:18 [trackbot]
Sorry, couldn't find user - Write
23:44:38 [jmayer]
ACTION: jmayer to write section on outsourcing exception by Monday
23:44:38 [trackbot]
Created ACTION-28 - Write section on outsourcing exception by Monday [on Jonathan Mayer - due 2011-11-07].
23:44:41 [npdoty]
meet aleecia at 6:15 if you'd already arranged with her about dinner
23:45:40 [npdoty]
trackbot, end meeting
23:45:40 [trackbot]
Zakim, list attendees
23:45:40 [Zakim]
As of this point the attendees have been [Microsoft], Salon_12
23:45:41 [trackbot]
RRSAgent, please draft minutes
23:45:41 [RRSAgent]
I have made the request to generate http://www.w3.org/2011/10/31-dnt-minutes.html trackbot
23:45:42 [trackbot]
RRSAgent, bye
23:45:42 [RRSAgent]
I see 4 open action items saved in http://www.w3.org/2011/10/31-dnt-actions.rdf :
23:45:42 [RRSAgent]
ACTION: karl to do a review of the Tracking Protection WG deliverables according to http://www.w3.org/TR/qaframe-spec [1]
23:45:42 [RRSAgent]
recorded in http://www.w3.org/2011/10/31-dnt-irc#T19-23-38
23:45:42 [RRSAgent]
ACTION: tl to write-up the consensus for what is a first party on ISSUE-10 [2]
23:45:42 [RRSAgent]
recorded in http://www.w3.org/2011/10/31-dnt-irc#T22-40-40
23:45:42 [RRSAgent]
ACTION: Write section on outsourcing exception by Monday [3]
23:45:42 [RRSAgent]
recorded in http://www.w3.org/2011/10/31-dnt-irc#T23-44-18
23:45:42 [RRSAgent]
ACTION: jmayer to write section on outsourcing exception by Monday [4]
23:45:42 [RRSAgent]
recorded in http://www.w3.org/2011/10/31-dnt-irc#T23-44-38
23:46:00 [Zakim]
-[Microsoft]