Tracking Protection Working Group Teleconference

04 Jan 2012

See also: IRC log


+1.408.674.aaaa, tl, [Mozilla], +31.65.141.aabb, sidstamm, rvaneijk, schunter, +1.510.859.aadd, +1.415.520.aaee, +1.202.326.aaff, npdoty, Bryan_Sullivan


<npdoty> trackbot, start meeting

<trackbot> Date: 04 January 2012

<aleecia> Nick, I've done it

<aleecia> We're set

<tl> i love that our robots can't quite work out each others' syntax

<aleecia> Please don't wipe out the agenda :-)

<schunter> zakm, ??P27 is schunter

<vincent> maybe we could add issue 32? I've sent a draft before the holidays

<aleecia> There are many drafts before the holidays that we won't likely get to today, but if we do get through the agenda quickly, I'd love to do more!

<Joanne> +1.415.520 is Joanne

<clp> What is the dial in number and code again?

<aleecia> +1.617.761.6200, conference code TRACK (87225)

<aleecia> useful URLs today: http://www.w3.org/2011/tracking-protection/compliance-issues.html has summary of status on issues; http://www.w3.org/2011/tracking-protection/temp-parties-draft-jm-tl.html has draft of first party work

<aleecia> I'll repeat those when relevant

<clp> Been away last few weeks, forgive me, real life called me away, here now --clp

<npdoty> scribenick: johnsimpson

minutes are accepted

<aleecia> http://www.w3.org/2011/tracking-protection/track/actions/overdue

move to action items

<enewland> Justin and I are not able to dial in

<cOlsen> C. Olsen has joined

<rvaneijk> action item 14 is in progress, my apologies.

<trackbot> Sorry, couldn't find user - item

<tlr-bbl> action-14: in progress

<trackbot> ACTION-14 Write straw man proposal on response from server being optional (related to Issue-81) notes added

jonathan has not worked on action item

jonathan needs another week

Review of overdue action items

<npdoty> are we using action items for the drafting text assignments that were due Dec 21? are all of those finished?

<aleecia> http://www.w3.org/2011/tracking-protection/temp-parties-draft-jm-tl.html

turning to action 34.

jonathan: four definitions

plans to address each in sequence...

high level points crisp text

<npdoty> jmayer, we can't hear you

tried to strike balance...

lost jonathan

tom picks up.

we can wal through document

scribe: definitions lots of stuff in it

<tl> http://www.w3.org/2011/tracking-protection/track/actions/overdue

<aleecia> http://www.w3.org/2011/tracking-protection/temp-parties-draft-jm-tl.html

<jmayer> got dropped

<tl> A "first party" is any party, in a specific network interaction, that can infer

<tl> with high probability that the user knowingly and intentionally communicated

<tl> with it. Otherwise, a party is a third party.

<tl> A "third party" is any party, in a specific network interaction, that cannot

<tl> infer with high probability that the user knowingly and intentionally

<tl> communicated with it.

<jmayer> rejoining

<aleecia> thanks, Jonathan

knowingly and intentionally ... have bunch of specific componets

infer with high probability,,, most confusing word is "party"

<clp> +

<clp> ?+

important component is one set of examples would be Flicker and Yahoo, needs to understand branding. might get that Flcker is Yahoo, not necessarily the other way.. same with Google an You Tube

<clp> +?

<hwest> +q

<clp> +q

<aleecia> (noted)

We think that corporate affiliation is not good. .. must people don't get it. Relying on branding

<aleecia> (going to let Tom finish, then ask Jonathan if he wants to comment, then the queue)

<JC> I can't connect using (617)761.6200

<aleecia> Nick, can you help JC?

<jimk> If anyone can help I'm having trouble with the +1.617.761.6200 number; it's failing via Skype, where it was working

Tom: Lot of non-normative discussion to guide it... mashups multiple first parties

<clp> try dialing 1 first? then wait, then 87225#

<WileyS> +q

<JC> I did

Jonathan comments... High level: balance between bright line rules and high level standards

<clp> now

<fielding> okay to wait for details

nick: my telephone number is 310-292-7041, didn't see what letters zakim assigned

<aleecia> That document URL again in case you cannot find it quickly in email: http://www.w3.org/2011/tracking-protection/temp-parties-draft-jm-tl.html

charles: just wanted to point out some use cases a good use of good branding.

<clp> I will take an Action to create pictures of good and bad examples for first party / third party relationships in UI

<clp> defniing "obvious to the user"

charles volunteers to offer some pictures of good and bad branding

<aleecia> ACTION: clp to create pictures of good and bad examples for first party / third party relationships in UI [recorded in http://www.w3.org/2012/01/04-dnt-minutes.html#action01]

<trackbot> Sorry, couldn't find user - clp

thanks, nick

<npdoty> is there concern over ambiguity on "ordinary user"?

<npdoty> A "party" is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person, that an ordinary user would perceive to be a discrete entity for purposes of information collection and sharing. Domain names, branding, and corporate ownership may contribute to, but are not necessarily determinative of, user perceptions of whether two parties are distinct.

<hwest> No more concern than 'reasonable' and similarly vague words

<tl> npdoty, it's an analogue of the "reasonable person" legal standard

<fielding> me

Aleecia asks for comments on definition

Aleecia says reasonable is vague

<rvaneijk> The first party definition leaves good room to hook up action item 14. I am happy with the defs.

<aleecia> Roy next

<bryan> "that an ordinary user would perceive" needs to be validated through some sort of survey process

heather says reasonable, huge number of vague words

<clp> FYI Aleecia, I hope to have that Action completed by Monday of next week (pictures)

<aleecia> great, thanks Charles

<amyc> is there precedent in W3C specs for such standards?

<amyc> or similar language?

<amyc> that we could reuse in this spec

hwest: are we mandating a survey of users?

jmayer: no

<dwainberg> "overwhelming majority of cases will be clear" << I'm not sure that's true

jmayer: jonathan in close cases the language is designed to put burden on Website

<clp> What about "most users" rather than "an ordinary user" ?

<WileyS> Agree - I believe there needs to be a "good faith" standard - equally subjective but at least sets forth good practices.

Heather: need to clarify expectations

<WileyS> +q

<clp> If you want it stronger, "the vast majority of users"

Aleecia: Not clear to what you are suggesting instead

<justin> I think "good faith" is too weak. Would be fine with "reasonable," "ordinary," or "clear branding"

<clp> "most users"

<clp> was the original idea

<clp> vague

<amyc> agree with Aleecia, want to avoid most or quantitifying

<clp> Aha, the reasonable man standard, got you J.

aleecia: looking at this as user-centric definition

Roy: Questions: Separating parties from other ones is wrong
... all about first party

<laurengelman> usually with a reasonable person standard, someone later-- a court or other entity-- comes up with reasonable implementations

Roy: third party and the second party
... doesn't make sense... a waste of time

<clp> FYI, the second party "the user" can also be software, not a person, FYI

Roy: 1st party is owner of initial page request
... impossible to know if user intentionally accessed. Site can determine if ist site accessed

Jmayer: got trapped in definitions, owner is a website, who mis the owner
... what if page is operated by multiple companies?...

<clp> +q

Jmayer: I think there is so much stuff here we wanted to unpack it...
... not asking the sites to have ESPNN...
... want to set objective standard
... were subjective definitions suggested earlier, we don't think we've done that here.

<clp> I am i the queue for "party"

Aleecia paraphrase Roy: Trying to give general definition across three parties.

<clp> ^^aleecia is queue going to be run though?

Roy: what does branding have to do with 3rd parties?

<dsinger> I think the definition is right in spirit, but problematically vague in testability and detail; there is far too much judgment call in here. We can expect that some organizations will try to operate 'close to the line' and what we have here is a very soft/blurry line. That's not good.

David: Definition is right in spirit, too much judgment calling here. Agree with spirit, not crazy about details...

<fielding> "legal entity"

David: can I bring a suit? are they legal entity? Too much judgment. Need testability.

<dsinger> "ordinary user" … "perceive" …

jmayer: is there a use case of someone trying to game the text?

<justin> "Legal entity" could either be too narrow or too broad depending on how an organization is structured, and in any event will not conform to users' expectations.

Shane: My concerns in opposite direction...
... agree need to be user centric

<npdoty> +1 to justin, I don't think user expectations will match legal entities, and like user expectations as the motivation

Shane: we'll need to provide good faith examples of people trying to act the way

<justin> Discoverable cannot be the test

<rvaneijk> +1 justin. The legal layer can be on top of the technical layer. The technical layer may be user centric, the legal layer may be legal entity centric.

Shane: important for a Disney to make clear... fair practice, good faith examples needed.

Aleecia: Do you want to move to corporate identity?

<aleecia> so the example of "foo.com, powered by google analytics!"?

<npdoty> I liked your point, Shane, about needing examples to guide implementing sites, but I'm not sure why you conclude that this definition therefore breaks the Internet

Shane says sees examples on both affiliate and and branding model that could work... Need examples. Very needed

<clp> Yes

<laurengelman> what about nbc universal or fox

Shane agrees to come up with examples

<WileyS> -q

<aleecia> ACTION: shane to also write additional examples around branding for first parties by next week [recorded in http://www.w3.org/2012/01/04-dnt-minutes.html#action02]

<trackbot> Created ACTION-44 - Also write additional examples around branding for first parties by next week [on Shane Wiley - due 2012-01-11].

Charles: A subtle point, since describing party. Can a party be scraping, screenware, software, rather than entity itself...

<jmayer> Moving the bar from user understanding to user discoverability is a non-starter for me. Opens loopholes, deviates from user expectations, places an inordinate burden on users.

<bryan> IMO software acting on my behalf is a type of 1st party.

<jmayer> agree

Aleecia points out definition of user agent could answer Charles' issue

<jmayer> YouTube + Google

<clp> (unless there is no agent allowed to be acting on behalf of first and third parties, three software agents all acting on behalf of each party is possible in theory)

dsinger: seems to me the legal entity test is important, two separate legal ought not to be a single entity

<justin> Well, I think we need to make sure that "foo.com powered by google analytics" doesn't make google a first party if Foo is a separate legal entity

<justin> So I agree with dsinger

<jmayer> http://www.youtube.com/t/contact_us

<jmayer> YouTube LLC

Aleecia: question gets into merge acquisitions

<clp> There is: legal structure, functional biz structure, domain structure, web page inclusion structure, and first party/thirf party structure

<bryan> legal entity is itself a fuzzy term

Aleecia: movie companies create brand new companies for liability reasons

<rvaneijk> SInger +1

<clp> good point!

<WileyS> -1 : At the end of the day the same entity is paying for liability related issues

<laurengelman> i think it will be the opposite-- they will claim they are all under one roof as a defense under the first party exception

Alecia: asks Jonathan and Tom to think about issue

<aleecia> Tom's request: if you want changes, please write them down

<aleecia> And add to email

Tom asks to out comments in emails

<justin> I think changing "legal entity" to common ownership would solve most of these problems.

Jmayer: network interaction

<aleecia> 3.1 A "network interaction" is an HTTP request and response, or any other set of logically related network traffic.

<clp> +q

<jmayer> justin, common ownership has all sorts of problems, see the writeup

<aleecia> Determination of a party's status is limited to a single transaction because a party's status may be affected by time, context, or any other factor that influences user expectations.

Discussing Netwok Interaction 3.

Charles: What is "logically related"?

Roy: Is it a single network interaction or a sequence?

<justin> jmayer, corporate ownership as necessary, but not sufficient, for first party status. Still need branding or other means to get "reasonable expectations."

Jonathan: Just a single...

<npdoty> fielding, can you give an example where you think it should be more than one request/response?

<aleecia> 4.1 Definitions

<aleecia> A "first party" is any party, in a specific network interaction, that can infer with high probability that the user knowingly and intentionally communicated with it. Otherwise, a party is a third party.

Move to next section, 4 A first party..

scribe: places where we think a clear difference...

<fielding> same comments as before

<aleecia> +dsinger, should add awareness of the site

<npdoty> does "intentionally" capture "independent choice"?

Dsinger: User should be aware of the distinctness... Should be an independent choice.
... user not making the decison,,. the site is

<jmayer> how about firefoxwithbing.com

Roy: user doesn't use domain...just clicking on link
... following a link is fine...
... no difference between site and a mashup site

<justin> Do these mashups actually exist? Who owns cheezburgerongooglemaps.com in your scenario?

<jmayer> justin, I agree corporate ownership will almost always happen when two entities are the same party (*not* first party). Wouldn't mind specifying that floor.

Aleecia: two different examples here

<jmayer> justin, If multiple first parties, then not necessarily corporate ownership.

Aleecia: google maps and craigs list one type... an aggregating site don't know what you're going to get

<fielding> right, but in those cases the user is "pulling in data" using XHR from two sites, essentially making both third parties, and the sites know that because of the APIs used

<justin> jmayer, fine, but still trying to wrap my head around "multiple first parties"

Aleecia: daivid probably right might want to go more fine grained....

<jmayer> ...if the debate is what to do about mashups, we're in great shape.

Roy: user is pulling data from multiple sites, other sites are third party

<bryan> agree with Roy, a site "can infer with high probability" as the URL for APIs are typically distinct from URLs intended for direct access

<jmayer> I would support some sort of "what the hell, someone just embedded all my stuff" safe harbor for things like personal websites.

<laurengelman> the publisher should be responsible

<npdoty> aleecia: a concerning situation where a site that intends to always be a first party and then gets embedded somewhere without the site's knowledge

Aleecia: I've created a site, I get in sucked in as a third party. How do I deal with that? Roy says you consider to act as a 1st party

<WileyS> +q

<aleecia> (we want to be careful because we don't have safe harbor power :-)

lauren: the publisher is the one the user is interacting with, whatever legal or subjective test the publisher is the only one that can do it...

<jmayer> Would like to reiterate that if we're focusing on corner cases like random embeds, I think we're making awesome progress.

aleecia: I've created a site... can put notice to users that this comes from elsewhere

<justin> HousingMaps.com is the name of the craiglist/google mashup. Why isn't the owner of that site the first party, along with any other co-owned and co-branded corp entity. At least one of Google or Craigslist will be a third-party in that scenario, but I don't see why that's a problem

Shane: 1st party in many cases, wouldn't be in a technical position to affect the outcome...

<aleecia> Justin - I was agreeing with that (and thanks for the url)

<npdoty> justin, I think dsinger's point was that the definition about user interaction would lead Google and Craigslist to argue that they're first parties too

Shane: should recognize should self identify... 3rd party should recognize

<rvaneijk> controller - processor is bounded by a contract.

<justin> npdoty, the user interaction could at some point turn Google or Craigslist into a first party if they're not the owner, but that's a different issue.

Question about the EU context?

<bryan> sites can also know that there has been a mashup of data from their 1st party URLs due to other things such as headers e.g. referrer

<jmayer> As a practical matter - publishers often have no idea what third parties are on their site. Can't expect them to carry much burden.

Lauren: Whole point of the problem is the user has no idea what's going on. ..

<jmayer> Disagree about publisher being in the best position to understand party status.

Aleecia: Useful to build something supports German's and U/

<jmayer> Overwhelming majority of cases, a third party knows it's a third party - and the first party knows essentially nothing about the third party.

<justin> For the record, HousingMaps.com says "this site is in no way affiliated with craigslist or Google" :)

and U.S. practices.

<WileyS> Sorry Aleecia - didn't mean to interrupt - thought you had finished your statement

<aleecia> No problem, I paused too long :-)

<aleecia> My question right now is basically: is this a problem, and if so how large a problem is it

<fielding> possible new issue: what do we do about browser add-ins/extension that overlay or manipulate content on the client-side?

<KevinT> But the first party embedded the initial third party to start the chain. with that comes responsibility with what happens downstream with respect to user expectations.

jmayer: often publishers don't know what 3rd parties are doing on sites. Don't see a lot of need for 1st party to get involved, because 3rd party knows their status..

Sean: would fall back on contractual langauge

<bryan> Roy, IMO addins are part of the 1st party site from where they were obtained

Sean: couldn't monitor in real time

<npdoty> fielding, is that part of guidance to the user agent? (I would assume browser extensions are also user agents)

<fielding> and what about the "check for fraudulent website" interaction that many browsers perform automatically?

<laurengelman> i know how it works. i don't disagree. but that is a by-product of publisher's not bearing any legal or social responsibility for what happens to their users, not a architectural requirement of the system.

<jmayer> +q

aleecia: third parties exist to collect data, some exist for other reasons -- how to differentiate?

<bryan> virus/phishing site checkers are a type of 1st party - the user is getting a specific service from them intentionally

<fielding> npdoty, yes … these are network interactions that are not intentionally made by the user but still subject to our DNT protocol, maybe?

aleecia: mashup site providing info is different situation
... how to treat to examples differently?

<justin> Why do we need to treat those sites differently? If the second category of third-party sites isn't tracking, what is the concern, as long as the responsibility is on the third-party, not the first-party (as we have structured thus far)?

<laurengelman> publishers can absolutely have riders in their contracts with ad servers that limit the sharing of user data with campaigns or creative

jmayer: measurement of 3rd parties on web; almost all we've seen are ads, we're treading into corner cases

<jmayer> All in favor of covering edge cases. But want to make sure we recognize points of agreement.

<fielding> referral networks

Aleecia: yes, but edge cases will be interesting...

Roy: referral networks -- common things that aren's ads

<aleecia> 4.2.1 Overview

<aleecia> We draw a distinction between those parties an ordinary user would or would not expect to share information with, "first parties" and "third parties" respectively. The delineation exists for three reasons.

Moving to Section 4.2

<aleecia> First, when a user expects to share information with a party, she can often exercise control over the information flow. Take, for example, Example Social, a popular social network. The user may decide she does not like Example Social's privacy or security practices, so she does not visit examplesocial.com. But if Example Social provides a social sharing widget embedded in another website, the user may be unaware she is giving information to Example Social and u

<aleecia> to exercise control over the information flow.

<aleecia> Second, we recognize that market pressures are an important factor in encouraging good privacy and security practices. If users do not expect that they will share information with an organization, it is unlikely to experience market pressure from users to protect the security and privacy of their information. In practice, moreover, third parties may not experience sufficient market pressure from first parties since increasingly third parties do not have a direc

<aleecia> business relationship with the first party websites they appear on. We therefore require a greater degree of user control over information sharing with such organizations.

<aleecia> Last, third parties are often in a position to collect a sizeable proportion of a user's browsing history – information that can be uniquely sensitive and easily associated with a user's identity. We wish to provide user control over such information flows.

Don't want to reopen "what is tracking debate", put want to list our concerns

<aleecia> We recognize that, unlike with a bright-line rule, there can be close calls in applying our standard for what constitutes a first party or a third party. But we believe that in practice, such close calls will be rare. The overwhelming majority of content on the web can be classified as first party or third party, with few cases of ambiguity in practice.

<aleecia> We require a confidence at a "high probability" before a party can consider itself a first party. Where there is reasonable ambiguity about whether a user has intentionally interacted with a party, it must consider itself a third party. Our rationale is that, in the rare close cases, a website is in the best position to understand its users' expectations. We therefore impose the burden of understanding user expectations on the website. We also wish, in close ca

<aleecia> to err on the side of conforming to user expectations and protecting user privacy. If the standard is insufficiently protective, ordinary users have limited recourse; if the standard imposes excessive limits, websites retain the safety valve of explicitly asking for user permission.

<jmayer> After moving through the document, it would be helpful to hear where people are - is this close to consensus?

Aleecia: Have reasons why not technical definition

<aleecia> 4.2.3 Multiple First Parties

<aleecia> There will almost always be only one party that the average user would expect to communicate with: the provider of the website the user has visited. But, in rare cases, users may expect that a website is provided by more than one party. For example, suppose Example Sports, a well known sports league, collaborates with Example Streaming, a well known streaming video website, to provide content at www.examplesportsonexamplestreaming.com. The website is prominentl

<aleecia> advertised and branded as being provided by both Example Sports and Example Streaming. An ordinary user who visits the website may recognize that it is operated by both Example Sports and Example Streaming.

<aleecia> 4.2.4 User Interaction with Third-Party Content

<aleecia> A party may start out as a third party but become a first party later on, after a user interacts with it. If content from a third party is embedded on a first party page, the third party may become an additional first party if it can infer with high probability that the average user knowingly and intentionally communicated with it. If a user merely moused over, closed, or muted third-party content, the party would not be able to draw such an inference.

<WileyS> Not close until Corporate Ownership and Affiliates are addressed in a more reasonable manner. I believe a "reasonably discoverable" standard should be set here.

<WileyS> That was to JMayer's question...

<jmayer> "addressed in a more reasonable manner" = ?

<clp> Why "average user" here rather than "reasonable" or "ordinary" ?

Shane: Jonathan asked if close to consensus. We can't be close until corporate and affilitiate status are addressed...

<tedleung> yep

<jmayer> clp, tried to be clear that this is objective and, if necessary, testable.

<tedleung> (speaking for Disney)

Shane: ESP and Disney are is an acceptable approach...

<jmayer> Shane, can you expand that example?

Aleecia -- If user and visit ESP, but no branding you're saying OK...

<justin> +q

<fielding> what are we trying to protect by this definition? why does it matter that ESPN and other sites are owned by Disney?

Aleecia: Nielsen says 100 unique sites a day for average

<jmayer> So Disney's position is that, even if users don't understand that ESPN is owned by Disney, ESPN should be able to share data with Disney?

<clp> May be because of images, ads, also loaded with a page? one page can be 12-15 entities?

<bryan> Does that metric include images pulled into email readers etc? Otherwise the number seems way high to me also.

<dsinger> even if the vast majority of sites I visit each day are ones I have visited before, there's no way I am going to research the corporate structure of ANY site I visit, let alone work out which ones I am visiting for the first time!!

Aleecia: You're putting burden on user to discover the affiliations...

<jmayer> Reject this repeated claim about "users who care." The burden should not be on users.

<aleecia> (Aleecia to find Neilsen data for Shane on # unique sites per day)

<fielding> jmayer, why not?

Shane: need to figure out a way to have a best practice for discoverable affiliation.

<laurengelman> This is a list of assets owned by Rupert Murdoch's News Corporation: http://en.wikipedia.org/wiki/List_of_assets_owned_by_News_Corporation so they are covered for sharing ampong all of these as first-party?

<jmayer> Because they're in a terrible position to learn about and understand corporate relationships, as against a company that can use domains, branding, marketing, slogans, etc.

Shane: trying to figure our where gaining consensus

<justin> I just clicked on 20 links on ESPN.com and didn't see anything about Disney at all in those links. THE LINKS THAT A USER WOULD REASONABLY GO TO (stories about sports)

<justin> -1

<enewland> -1

<rvaneijk> -1

<clp> -1

<WileyS> Click on Privacy Policy

<dsinger> -1

<andyzei> -1

<jmayer> -INT_MAX

<Chris> +1

<fielding> sure, but why does it matter which funnel is used to give data to Disney? Disney still has the data.

<tl> -1

<vincent> -1

<hwest> +1 potentially

<laurengelman> -1

<npdoty> sharvey: +1

-1 strongly disagree

<vincent> we have to click on the link "learn more" first, meaning that I have to intereact with ESPN before I actually know it belongs to Disney

<justin> WileyS, given the typical ESPN browsing experience, how can you say that I am intentionally or even knowingly sharing data with Disney?

<bryan> The way the question was phrased implies an inordinate amount of effort to research the relationship - I don't think that was the intent of the discoverability assertion.

<tedleung> I don't have a prescription for a solution

Shane: I see this as an area where we will polarize as group.

<dsinger> I really hope we can find a non-polarized consensus!

<tedleung> but we definitely have concerns around the current language re: branding

<jmayer> Another important safety valve for erring on the side of multiple parties - websites can ask for an exception.

<jmayer> If a website decides it's a first party, the user is out of luck

<justin> Why isn't branding the non-polarizing middle ground? Yahoo/Flickr are co-parties, but ESPN/Disney isn't because there's no branding where any ordinary user would see it?

<justin> _q

<justin> -q

Aleecia: I think everyone understands there is a need to send data. I think need to have understanding of data flows when DNT is on.

<tedleung> it's a good example. I'm not taking it personally

<WileyS> "no understanding" is strong - many could argue users willingfully "dont want to understand" hence the low privacy policy reading rates

<aleecia> Shane, how would I know what I don't know?

<aleecia> What you suggest is that users would have to pay attention to corp ownership for each site they visit

<jmayer> roy, users might care about what part of Disney gets data, who it can share it with, how it can use it, ...

Roy: If the concern of the user is being provided to corporations they don't know about. What I care about is not how data gets to Disney, but if they have it.

<aleecia> And make decisions based on this

<aleecia> It's like we're reinventing the privacy policy problem

<jmayer> aleecia, +INT_MAX

<aleecia> It's not the users don't care, it's that the burden for reading privpols is way too high

<jmayer> We've tried putting the burden on users. It doesn't work.

<WileyS> There has to be a middle ground

Roy: Like to find easy definition of what trying to protect against...

<aleecia> I hope so

<justin> WileyS, "don't want to understand" isn't fair --- it's not economically rational for users to click through privacy policies to try to figure out what's going on --- they're not useful document for users

<laurengelman> This plan purposely favors large companies over small one. It permits a company with multiple entities to create profiles and prevents small companies with one or few sites from doing so.

<aleecia> Use case of hospital and insurance company

Brian: discoverable is related to what is a good example...

<WileyS> Justin - many companies have invested heavily to make their privacy centers "useful" to users - so a blanket statement here doesn't feel fair

<jmayer> Shane, companies have been working on improving privacy transparency. But it has real limits. Can't pretend that better website design will solve the problem.

<justin> WileyS, the average privacy policy is not worth a user clicking on

Bryan: Things are more discoverable than they seem; just need examples.

<WileyS> Safe Travels Jonathan!

<npdoty> yes

<WileyS> All of this boils down to User Education

<dsinger> - thinks 'discoverable' is a lot less important than 'evident', and (like before) something that is NOT easily discoverable is prima facie, not evident :-)

<WileyS> Branding, Data Collection / Use Practices, etc.

<aleecia> If you can solve user education, you're first on my holiday gift list :-)

Ted: We are a bigger company; for smaller companies it's a much tougher problem. When read so many other parts of spec in flux... hard to know what will work...
... part of where we are is that we're still working through all the pieces and need to see how work together...
... that's what I'm feeling...from reading all the drafts.

<laurengelman> yes. it would be useul to understand what data flow can happen or not happen if disney and espn are both first parties or not.

Aleecia: Would be useful to take the text been discussing and put it in and see what's going on...
... feel getting close...

<npdoty> +1, maybe having all of the text pieces in the same draft (even though we're not finished with it) will help us see the multiple (moving) pieces together

<fielding> yay, more writing tasks ;-)

Aleecia: please but issues in email...

<aleecia> http://www.w3.org/2011/tracking-protection/compliance-issues.html

Aleecia: Thanks for getting text in.. Look forward ti getting into docs

<andyzei> Happy New Year!

Happy New year

<tedleung> thanks aleecia

<bryan> Final note: We should be able to reach consensus on what is discoverable (in terms of branding relationships) by an average user through consideration of typical examples from our public websites and services. I believe that average users can typically find out with one or two clicks whether content presented on a site is sourced by an affiliate of the 1st party (and not thus a 3rd party). I recommend that group members provide such examples to determine how easy

<fielding> too late, I guess … just replace in minutes

<fielding> s/+1.714.852.aarr/fielding/

<clp> Bye all, Happy New Year

<fielding> it's because I hung up first

<aleecia> Bryan, please go ahead and take a try

<npdoty> trackbot, end meeting

Summary of Action Items

[NEW] ACTION: clp to create pictures of good and bad examples for first party / third party relationships in UI [recorded in http://www.w3.org/2012/01/04-dnt-minutes.html#action01]
[NEW] ACTION: shane to also write additional examples around branding for first parties by next week [recorded in http://www.w3.org/2012/01/04-dnt-minutes.html#action02]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.136 (CVS log)
$Date: 2012/01/04 18:34:33 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.136  of Date: 2011/05/12 12:01:43  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/okay/okay to wait/
Succeeded: s/Heather adsks/hwest:/
Succeeded: s/Jonathan says/jmayer:/
Succeeded: s/1st/... 1st/
Succeeded: s/impossible/... impossible/
Succeeded: s/ESP/ESPN/
Succeeded: s/ESP/ESPN/
Succeeded: s/Brian/bryan/
Succeeded: s/but/put/
FAILED: s/+1.714.852.aarr/fielding/
Found ScribeNick: johnsimpson
Inferring Scribes: johnsimpson

WARNING: Replacing list of attendees.
Old list: +1.408.674.aaaa tl [Mozilla] +31.65.141.aabb sidstamm rvaneijk schunter +1.510.859.aadd +1.415.520.aaee +1.202.326.aaff npdoty efelten dsinger +1.760.705.aagg +1.301.270.aahh +1.202.684.aaii +1.801.830.aajj +1.813.366.aakk +1.408.349.aall bryan +1.202.326.aamm +1.508.655.aann +1.310.392.aaoo +1.813.366.aapp +1.202.326.aaqq +1.714.852.aarr +1.202.643.aass alex__ +1.646.825.aatt cOlsen +1.202.637.aauu +1.206.369.aavv tedleung +44.789.449.aaww +1.212.565.aaxx adrianba +1.415.520.aayy +1.206.658.aazz aakk +1.202.684.bbaa jmayer [Microsoft] johnsimpson +44.789.449.bbbb BrianTs +44.142.864.bbcc
New list: +1.408.674.aaaa tl [Mozilla] +31.65.141.aabb sidstamm rvaneijk schunter +1.510.859.aadd +1.415.520.aaee +1.202.326.aaff npdoty

Default Present: +1.408.674.aaaa, tl, [Mozilla], +31.65.141.aabb, sidstamm, rvaneijk, schunter, +1.510.859.aadd, +1.415.520.aaee, +1.202.326.aaff, npdoty
Present: +1.408.674.aaaa tl [Mozilla] +31.65.141.aabb sidstamm rvaneijk schunter +1.510.859.aadd +1.415.520.aaee +1.202.326.aaff npdoty Bryan_Sullivan
Found Date: 04 Jan 2012
Guessing minutes URL: http://www.w3.org/2012/01/04-dnt-minutes.html
People with action items: clp shane

WARNING: Possible internal error: join/leave lines remaining: 
        <cOlsen> C. Olsen has joined

WARNING: Possible internal error: join/leave lines remaining: 
        <cOlsen> C. Olsen has joined

[End of scribe.perl diagnostic output]