W3C

Tracking Protection Working Group Teleconference

16 Nov 2011

Agenda

See also: IRC log

Attendees

Present
+49.176.780.0.aaaa, +1.408.674.aabb, +1.415.520.aacc, [IPcaller], dsinger, +49.431.98.aadd, +1.202.326.aaee, efelten, +1.949.483.aaff, +1.310.392.aagg, +1.206.664.aahh, +1.202.263.aaii, +1.202.835.aajj, +1.646.825.aakk, +49.721.913.74.aall, +1.510.859.aamm, dsriedel, aleecia, npdoty, +1.202.637.aann, sidstamm, +1.202.263.aaoo, Joanne, johnsimpson, +1.212.631.aapp, +1.408.349.aaqq, +1.202.637.aarr, +1.978.944.aass, +1.609.858.aatt, Justin, +1.212.565.aauu, +1.801.830.aavv, [Microsoft], +1.908.541.aaww, +1.202.744.aaxx, +1.813.366.aayy, +1.714.852.aazz, rvaneijk, fielding, +1.206.619.bbaa, +1.650.862.bbbb, +1.646.654.bbcc, +1.813.366.bbdd, alex, karl, +1.202.629.bbee, BrianTs
Regrets
Chair
schunter
Scribe
NinjaMarnau

Administration

Matthias: comments on the minutes from last call?

<npdoty> old minutes: http://www.w3.org/2011/11/09-dnt-minutes

Matthias: then I take these as approved
... venue and date of next f2f meeting?

aleecia: should be interesting for local observers, probably Brussels, starting early afternoon on Tuesday until 5pm on Thursday

Matthias: should we have a public outreach event?
... is there initial feedback?

<WileyS> Depends on how far along we are - difficult to field external questions at this time.

Nick: Would be good. In January probably better timing for this.

<npdoty> Jules: happy to help

<dsinger_> Presenting what we have seems premature, but soliciting input and comment is probably ok.

WileyS: at the moment we have more questions than answers. So it might be more a call for input.

Matthias: we need to decide in December if we have sufficient results to present something

<dsinger_> Given that we have a public document, explaining it and the process might be prudent

Matthias: if we do an outreach event it would be extra to the f2f

<npdoty> http://www.w3.org/2011/tracking-protection/track/actions/open

Matthias: now going through the list of action items

<aleecia> (is done, just not updated)

<johnsimpson> agree with david singer. would be good to explain process publicly.

<andyzei> +1.206.619.bbaa is me

<aleecia> (rather: Peter's action item is done)

<npdoty> ACTION-31?

<trackbot> ACTION-31 -- Andy Zeigler to write up a proposal for a user-agent-managed site-specific exception -- due 2011-11-08 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/31

Andyzei: Action 31 is still under discussion now

<aleecia> Now that Andy's given so much thought to this, perhaps he could write what he does want to have happen, plus find a new author for the text he was originally writing

<aleecia> +1 Nick

Nick: is there still support for the action item?

<andyzei> aleecia: That's what i'm trying to accomplish on the email thread

<aleecia> Sid, can you help Shane?

WileyS: I could help but need someone to assist from the technical side.

Nick: We will take this offline

matthias: Jonathan's action item will be discussed next week
... There was quite some press activity
... what was the feedback that you received?

<npdoty> http://www.w3.org/TR/2011/WD-tracking-dnt-20111114/

<npdoty> http://www.w3.org/TR/2011/WD-tracking-compliance-20111114/

<aleecia> Karl, so you're trying to call in and it's not working? What's going wrong?

WileyS: Many people pointed out that there are more questions than answers in the compliance stack. So we explained the W3C way of working

Jules: General misunderstanding of what the announcement meant. People just reading the headlines.

<aleecia> (thanks on the : oops. Sometimes calling in a few times works. -- good)

<npdoty> thanks to WileyS and Jules for responding to those questions appropriately, I think that will be a big help

<npdoty> amyc: some concern in the press that this is about warning the user about tracking, might want to clarify in the future

Amyc: a lot of misunderstanding of how the standard should work. People not reading the document and having wrong impressions

Matthias: Misunderstandings of complex press releases are quite common
... so the IBM PR staff was not overly concerned

<aleecia> We'll also spend some time internally on press, Amy. Thanks.

Tracking Preference Expression Response/URI proposal

Matthias: Now discussion on open issues and open items from the list
... Proposal on Header/URI

<fielding> anyone have a link?

<npdoty> http://lists.w3.org/Archives/Public/public-tracking/2011Nov/0067.html

tl: describes the proposal. First character of the response header describes the state of DNT; second character points to a well-known URI

sorry if I got it wrong, was very fast

<karl> TND?

<aleecia> Short is good

<JC> DNTR?

<ksmith> +1 to DNTR

<aleecia> I'm happy with DNTR now and we can reopen if there's any need to

<sidstamm> "DNT-Response"?

tl: we could replace these characters with something longer, but the content of them is more important. I don't worry about the abbreviation

<dsriedel> sorry, but "catchable" same as "cacheable" in this document?

Matthias: agree. we should look at semantic elements

<npdoty> it could even potentially be useful for other purposes if the user agent knows which servers are first or third party

Matthias: discussion on how the server tells whether it is 1. or 3. party

<Jules> take note of this privacy conference in brussels during proposed in person date http://www.cpdpconferences.org/

<dsinger> am I reading this right; "DNT; o;r=7" would indicate a 3rd-party opt-in with an explanation at /.well-known/dnt?r=7 ??

<tl> DNT:o7

<aleecia> Jules, part of why we're going to be in or near Brussels. Would've liked to overlap with it less… but that's the time our WG members are available. Ideally we have some observers from the conference.

tl: useful information to have. But not sure how to do/use it.

<aleecia> (argh, thanks Karl :-)

tl: We decide this on behalf of clients and what they think about their status as 1./3. party. What about a contradiction between header and well-known URI?
... they should never contradict each other.

Matthias: we need to discuss this issue.
... we could solve this by one of them overriding the other

<schunter> This proposal: Header is binding and URL only offers additional (refining) info.

<schunter> In this scheme, it would be weird if the explanation undoes/contradicts the header.

<aleecia> Wait, you can have dynamic content in a URL

<aleecia> URL stays the same. Content changes.

<schunter> good point.

tl: header is more important. nevertheless contradiction needs to be avoided

ksmith: concerns about the complexity of letters and numbers. I suggest a more simple code method

<karl> lowercase/uppercase is a syntax issue.

ksmith: first character should be just true or false. easy to read

<karl> they should be changed, but that is orthogonal to their meaning.

<dsinger> let's argue about what information is conveyed, and then design the best header to convey it. can I suggest that we not bike-shed the compression now? I agree it's over-compact, but...

Matthias: first let us focus on content. it is a valid concern but first content, then coding

Clay: from a performance pov - a dynamic response header might be prohibitive

<karl> this seems to encourage servers to go a simpler way: which is yes we track, no we do not track anything.

aleecia: you can have a static URL but have dynamic content

<aleecia> (if it never matters to you if you're first or third party, you can always claim 3rd party all the time)

<karl> SHOULD be able to do it. I still don't see how :/

WileyS: extensive chain on deciding on 1./3. - each party should be able to determine in what role they act. Many possible techniques to arrive at this conclusion. Companies should be able to determine this in most circumstances

<aleecia> +1

<aleecia> Huge fan of: if your site is complex, your DNT world may be complex. If your site is simple, we should build a way for DNT to be simple for you.

<karl> agreed with aleecia

efelten: for most parties it should be very simple to decide on this and give an answer. Just need to make sure the answer is very clear.

<efelten> Not first-party vs. third-party, but rather first-party vs. not-claiming-to-be-first-party

<aleecia> +1 Ed

<johnsimpson> +1 Ed

<Clay> Thinking of the 100M active (500M total) websites. Most of those aren't operated by their "owners".

<aleecia> What I'm hearing: need for examples section in the proposed text to clarify this

<schunter> +1

dwainberg: if several servers operated by one party are asked, they might give contradicting information.

tl: it is not contradicting but fine grained. the servers can act independently/differently

<fielding> I don't see a need for 1st/3rd party distinction since the browser knows what kind of request has been made and just needs to know if the server is allowing cross-site tracking or not.

<tl> fielding, but the server's response allows the browser to check that the server knows what's up

<karl> hmmm

<aleecia> I'm not convinced the browser knows 1st v 3rd

<dwainberg> or that the browser's version of 1st vs 3rd is different from ours

<karl> the browser doesn't know for sure. and a server doesn't know if it is a 1st or a 3rd either

fielding: if the server answers I respect your dnt, but I track you, it is immanent that the entity has an exception

<fielding> aleecia, it doesn't need to know

<aleecia> Ok, I'm not understanding you - that's good :-)

fielding: so the browser does not need a response header on whether 1. or 3. party

<schunter> you = matthias/

<dsriedel> Do we ignore in this discussion how the browser actually treats all the answers from all involved servers/parties in the actually displayed website? I do not see this in the document but also do not know whether this is a concern in this working group. But the feasibility of implementation might be a concern?

<fielding> If the server says it is compliant, *why* it is still tracking is not a browser concern. Only the fact that it is tracking matters.

<rvaneijk> @Roy, if the server says it is compliant, a user might want to know if that is based on opt (back) in or not.

Matthias: feedback on the opt-back-in character?

<schunter> is my sound quality OK?

Kevin: why did we want to separate opt-back-in from the other exceptions?
... this diversifies the possible answers even more. Opt-back-in might be just one more exception

tl: opt-back-in is user specific. therefore, the opt-back-in in a well-known URL is not in a good position. It should be highlighted via the response header.

Institutions setting tracking preference

Matthias: continue with issue 95
... header expresses user preference, should providers (employers, libraries etc.) be able to set it?

<dsinger> issue-95?

<trackbot> ISSUE-95 -- May an institution or network provider set a tracking preference for a user? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/95

WileyS: edge cases may be employers who could have the legal right to set the DNT signal. But in general the user should set it. An evil example would be a malicious ISP setting the signal for all its users.

<karl> DNT:1;proxy

<dsinger> yes

<aleecia> yes karl

<karl> proxy = piece of hardware, institution using this proxy to modify it

karl: there will be a few cases. There will be wrong pieces of software. We can't avoid it. There will be institutions modifying toward a DNT:1 or DNT:0 against or for the user's will. Is a parameter useful? I'm not sure. So I guess what we want is to check what we want to achieve on the server side.

tl: a provider between me and a website (proxy) is much less acceptable than an institution (e.g. library) setting my DNT signal.

<dsinger> don't think it's worth arguing much about whether it's 'shall not', 'should not' etc. as the truly nasty intermediates won't care about compliance anyway

<karl> it is why we need a blocking list

<karl> against rogue providers ;)

Matthias: who will provide a specific text so we can discuss it in two weeks?
... WileyS, want to volunteer?

WileyS: yes, Tom can you assist?

<dsinger> issue-95?

<trackbot> ISSUE-95 -- May an institution or network provider set a tracking preference for a user? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/95

Opt Back In mechanism

Matthias: issue 27 - opt back in mechanism

<tl> ACTION: tom to email shane distinguishing proxies, proxy practices, and institution-owned computers, related to issue 95, by friday [recorded in http://www.w3.org/2011/11/16-dnt-minutes.html#action01]

<trackbot> Sorry, couldn't find user - tom

<dsinger> issue-27?

<trackbot> ISSUE-27 -- How should the "opt back in" mechanism be designed? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/27

<tl> ACTION: tlowenth to email shane distinguishing proxies, proxy practices, and institution-owned computers, related to issue 95, by friday [recorded in http://www.w3.org/2011/11/16-dnt-minutes.html#action02]

<trackbot> Created ACTION-36 - Email shane distinguishing proxies, proxy practices, and institution-owned computers, related to issue 95, by friday [on Thomas Lowenthal - due 2011-11-23].

Matthias: f2f outcome: publishers want a dialogue to communicate to users that they need to opt back in to use a service.

jkaran: there is opt-in and opt-back-in, we need to differentiate. Europe's and the USA's defaults are different.
... the DAA has mechanisms already in place that are non-cookie-based. we need to consider this when finding a solution

<rvaneijk> Jennifer, could you please summarize this for the minutes?

WileyS: publishers should be able to trigger data (opt-in) for providing free content. Is this managed by the publisher or the browser?

<karl> +1

WileyS: if there is a general dnt signal we might want to have a general list of excepted publishers.

tl: one place to administrate the exceptions for the user rather than do this individually for each site.

<Zakim> karl, you wanted to clarify about UI sketching wrt F2F

<karl> karl: I agree with shane it would be an excellent exercise for the WG F2F to understand how we design the technology. By modelling HTTP interactions physically with index cards and movement of people. (not necessarily drawings)

<jkaran> rvaneijk, sure no problem. Should I summarize here or in an email?

Matthias: any opinions on how the opt-back-in could look? the next f2f is too far away to wait for it and decide then.

<aleecia> +1

JC: the implementation in the browser is out of scope. we shouldn't lose too much time on this discussion

<karl> we are not talking about creating the UI

<aleecia> If we're sure it can be useful that's ample

<karl> what are the messages that we exchange. Is it doable.

<aleecia> If we're not sure it's useful, then it's worth short time to talk about

<karl> it is UX, not UI

WileyS: it is just a way to show how it COULD work as an example

<aleecia> Nice, Karl

<rvaneijk> (jkaran summarized: The DAA program requires networks and BT companies to allow users to opt out of collection. By default, in the US, collection/usage is turned on. When this occurs, an opt out cookie is placed on the user's browser. If the cookie is removed (through clearing cookies or through opting in), then the user just has their opt out cookie removed. They are then, by default, opted in)

<amyc> we also want to make sure that we are open to different technical methods of recording that override/consent

WileyS: regarding the difference between EU and US, the ePrivacy is still under debate and is still being transposed.

<rvaneijk> This is issue-98

WileyS: we should keep this in mind but not regard it as a major driver

<rvaneijk> issue-98?

<trackbot> ISSUE-98 -- Should we consider applicable laws and regulations, such as the Article 5, paragraph 3 ePriv Dir -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/98

<dsinger> is concerned that opt-in mechanisms could be hard to define, but would like to think about how to link from a site claim "you opted in" back to how the user did that, or evidence that they did

dsinger: discussion on UI can be too vast. but I want to emphasize that the user needs to understand or connect his previous actions with this "you are opted-in / opted-back-in" signal he gets

<dwainberg> karl, I am willing to help with that

<karl> ACTION: karl to sketch diagram (if possible) on interactions with opt back in mechanisms. [recorded in http://www.w3.org/2011/11/16-dnt-minutes.html#action03]

<trackbot> Created ACTION-37 - Sketch diagram (if possible) on interactions with opt back in mechanisms. [on Karl Dubost - due 2011-11-23].

<npdoty> trackbot, end meeting

Summary of Action Items

[NEW] ACTION: karl to sketch diagram (if possible) on interactions with opt back in mechanisms. [recorded in http://www.w3.org/2011/11/16-dnt-minutes.html#action03]
[NEW] ACTION: tlowenth to email shane distinguishing proxies, proxy practices, and institution-owned computers, related to issue 95, by friday [recorded in http://www.w3.org/2011/11/16-dnt-minutes.html#action02]
[NEW] ACTION: tom to email shane distinguishing proxies, proxy practices, and institution-owned computers, related to issue 95, by friday [recorded in http://www.w3.org/2011/11/16-dnt-minutes.html#action01]

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2011/11/17 05:19:24 $