See also: IRC log
<npdoty> scribenick: sharvey
<aleecia> hi Nick
<aleecia> I have the agenda done, and other housekeeping
<tl> thanks =]
<aleecia> It works all too well :-)
<ninjamarnau> I have issues dialing in
<aleecia> (Nick, can you help Ninja?)
<aleecia> http://www.w3.org/2011/tracking-protection/agenda-2012-24-01-belgium.html
<npdoty> s/charter document/Member Submission document/
<aleecia> https://www.w3.org/2002/09/wbs/49311/brussels-f2f/
<rigo> You need to be registered with Commission services in order to get into the building, so please register
<aleecia> https://www.w3.org/2011/tracking-protection/track/issues/pendingreview
User definition language: can provide with a first draft this week. Due date changed.
For working drafts, incorporating text that is not yet at consensus because people are having a hard time understanding where we're at. It does not mean this is a consensus part of the document yet or not. Things will be tagged. Allows us to read the whole document as a whole.
2 others URLs not added yet. Editors for tracking selection list have come up with a draft. Read it out of source control, but a URL will be added so everyone can read this draft.
Comments coming on first working draft that will be relevant to further discussions, from community groups. We are obligated to respond in writing. Before we arrive in Brussels, we need to be familiar with these four documents.
<scribe> Agenda: Will be similar to other 2 face to face meetings.
Trying to get to "last call" documents, consensus around all of the big issues we are facing. Should be really close. Does not mean the text is the final text, still a draft, and may have additional open issues. But these should be dropping off post-brussels. We think the thinking is good and we want feedback from the larger world on this.
Reminder: registration is required to attend. We may also have some additional info in order to get into some of the EC buildings. URL is in IRC now. Quick form - 5 minutes.
Roy: issues on the TP editor's draft
Sent out diffs yesterday to highlight changes
<aleecia> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
<npdoty> ISSUE-95 isn't yet "pending review", right?
<fielding> Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control. Although some controlled network environments, such as public access terminals or managed corporate intranets, might impose restrictions on the use or configuration of installed user agents, such that a user might only have access to user agents with a predetermined preference enabled,
<fielding> user is at least able to choose whether to make use of those user agents. In contrast, if a user brings their own Web-enabled device to a library or cafe with wireless Internet access, the expectation will be that their chosen user agent and personal preferences regarding Web site behavior will not be altered by the network environment, aside from blanket limitations on what sites can or cannot be accessed through that network.
<tl> FINE BY ME
<WileyS> Like it
<tl> excuse me: fine by me
<aleecia> (Rigo?)
<ksmith> +1
<rigo> fine by me, as the HTTP spec allows us to make that assertion and requirement, see tlr's message
<aleecia> of note: Jonathan is regrets today
<rigo> I would rather close this week
Section 3 issue 95:
attempts to reflect all of our previous conversation. Roy: does this represent consensus within the group? Any comments?
NickDoty: confused because it was not pending review.
Roy thought it was still pending review. Is open now but was pending review before.
Roy: We will leave it open for now. Suggest we close next week if there are no comments.
<ChrisPedigo> thanks
<ChrisPedigo> aaoo is me
<dsriedel> with the "zakim, ..."
<dsriedel> @chris
<fielding> http://www.w3.org/2011/tracking-protection/track/issues/78
<WileyS> aleecia - I need to leave in 15 mins - apologies for only participating for 30 minutes this week - unmovable conflict.
Roy: suggest we don't close this yet, but a good time for comments
David Singer. Confirms : generally I ask for DNT:1 but you're special so I'm not asking for it from you.
Consensus was that it should not send DNT:0.
Can we address the introduction document? Feel it does not actually address the real concern.Well address this issue later.
TomLowenthal: DNT0 should be in reference to DNT1 , should not express any preference for anything on any other site. DNT0 just means: I consent to you gathering information about me. Not that you are exempted from general preferences, just that I allow you to gather information about me.
Roy: Let's raise an objection to this issue. Tom will raise his objection on the email chain.
Shane: also covered in issue 35.
Matthias: Tom's point is good. You only send 0 if you send 1 around it. Why 0 is sent doesn't need to be defined here. If we use 0 as an exemption mechanism, they may send it for other reasons as well.
Roy: rationale is to allow sites to receive dnt0 to be aware that the user agent is sending dnt1 to other sites, allows them to adjust their behavior accordingly .
Matthias: let's walk through some use cases
Aleecia: In concurrence with this. Thought this was going to change what's currently happening. 1 and 0 would both be globals. Issue 35 would be about site specific exceptions. Could turn DNT on and off globally.
Roy: wasn't aware anyone was planning to change browser behavior in that way.
Kevin_MSFT: really liked the ability to say on/off, with nothing being no preference. Could then default to whatever regulations or policies are around.
Nick: would be strange for user to set DNT0 globally. 0 should be for an exception. Why would you set 0 globalliy?
Aleecia: Think there's an idea of these globals and 0 and 1 would be the options. I prefer privacy or I prefer personalization.
DavidSinger: DNT0 may need quite a bit of specification, as Roy's draft stands now.
Rigo: global vs special. Users expect that the browser is handling this & providing a UI (competitive area) as to whether you send it or not and under what contexts. Meaning of sending a DNT is defined by the object we address (first vs third party thing). Using DNT0 for site specific exceptions is too much for us to decide in the spec. Agrees with the Aleecia model.
Aleecia: we don't have consensus on this and need to discuss further. Roy, will you sort this out now, or keep going?
Roy: keep going.
<dsinger> ah, so DNT:0 means "generally I am asking for DNT:1, but you are special and I am not asking you"?
<aleecia> sorry to miss you, Shane
<fielding> DNT 1 = Do not track me across differently-branded sites and do not use previously tracked/obtained behavioral data from other sites to personalize a response.
<tl> +q
<WileyS> +q
<fielding> DNT 0 = Use of cross-site tracking and personalization has been specifically permitted for this site, as described in section 6. User-agent-managed site-specific exceptions.
<WileyS> No DNT response means the site is NOT DNT compliant (either technically or by policy)
<aleecia> (disagree)
<npdoty> WileyS, I think we're talking about the request header, not the response header
<npdoty> and ack Chester
<WileyS> If there is an empty header (DNT = nothing or no DNT header at all), then DNT is not applicable in that scenario. Existing opt-out cookies should continue to be honored.
<fielding> let's try to discuss wide-ranging topics at the f2f
<rigo> I would argue DNT 0 = Use of tracking and personalization has been permitted
<aleecia> +1
<sidstamm> +1 for dnt 0 not implying anything about whether it is an exemption or not
<johnsimpson> having trouble understanding the distinction
<npdoty> can we try to clarify on that issue? I'm not all sure we disagree
<aleecia> issue-35
<npdoty> issue-35?
<trackbot> ISSUE-35 -- How will DNT interact with existing opt-out programs (industry self-reg, other)? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/35
<rigo> remember that we need DNT =0 for recording of consent
<WileyS> Action-35?
<trackbot> Sorry... I don't know anything about this channel
<rigo> +1 to mts
<sidstamm> perhaps "dnt 1x" = (the UA considers you exempt, but the user's default preference is 1) ... just a thought
<rigo> I think the UA can perfectly handle that
<WileyS> Agree with Aleecia - we called out DNT=2 to trigger site-specific exceptions
<sidstamm> aleecia, +1
<WileyS> DNT=0 would be an affirmative choice by a user to either turn off or not activate DNT
<aleecia> +1 to Shane
<tl> +1
<sidstamm> and by "off" we mean "tracking is okay" not "user did not specify", right?
<fielding> If UAs intend to implement a global off, then we should change the definition to allow it -- I thought they were not going to send DNT: 0 when globally off.
<vincent> did we all agree on "DNT=2" means site-specific exception?
<aleecia> Sid: yes
<WileyS> 0 = tracking is okay, <null> = user did not specify
<tl> vincent, no
<WileyS> We did not agree on DNT=2 - It's open to discussion
<vincent> thanks
<sidstamm> fielding, UAs aren't going to send something unless the user selects it, but users should be able to say "tracking is okay" via DNT: 0
<jeffchester2> We shouldn't confuse privacy with personalization. There can be personalization and privacy
<WileyS> <null> = user did not make a choice, 0 = user is okay with tracking, 1 = DNT, 2 = Site-Specific Exception, 3 = Web-wide Exception
<aleecia> "this draft doesn't apply" might not be quite right
<aleecia> for DNT null
<aleecia> housekeeping:
<aleecia> grr
<tl> +1
<WileyS> Departing - have fun.
<fielding> quickly, can we close http://www.w3.org/2011/tracking-protection/track/issues/84
Issue 84 Do we need a Javascript API DOM for DNT access.
Roy: Wants to close this. Anyone object?
Tom: Really would like a JS DOM but without the possibility of confusion between the request header & the DOM property, esp when a site imports JS from somewhere else inline. So the JS can get correct DNT status information.
<sidstamm> agree with tl
<fielding> tl, we don't have an issue yet for the inline script thing -- can you raise one?
Nick: Issue 42 still outstanding. (alternative to a DOM property) See Tom's point. Can handle this by pulling it out, or some language to say what a third party should do. An alternative proposal that takes out the DOM API is overdue as of today. So don't want to close it until we see the alternative proposal.
<npdoty> um, I just suggested that we shouldn't close it as there's an open action on issue 84
Issue not quite closed. We'll see what we get from jonathan mayer.
<tl> +q
<npdoty> action-42?
<trackbot> ACTION-42 -- Jonathan Mayer to proposes non-normative language to obtain DNT info in Javascript; would replace DOM-API -- due 2012-01-11 -- OPEN
<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/42
<fielding> bummer
<tl> issue: How can we build a JS DOM property which doesn't allow inline JS to receive mixed signals?
<trackbot> Created ISSUE-116 - How can we build a JS DOM property which doesn't allow inline JS to receive mixed signals? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/116/edit .
Aleecia: common technical structure used differently in different regions
Asking for volunteers to start fleshing out these issues & how to handle them. We do have an issue in tracker but we need more.
AmyColando_MSFT: questions that she'll ask separately to understand what you thinking is relative to the discussions in the face to face.
Aleecia: email response to the full list & we'll get discussion going.
Jeff: happy to volunteer but clarification. Do you want a discussion of the contemporary debates/issues are that might impact DNT in the various regions? Or something else?
Aleecia: ways in which DNT technical level may end up being interpreted differently based on local laws. Example: in the US it might be opt out, in the EU it might be opt in. Small group of people. How can we make sure this is a relevant specification in all these places.
Jeff: New EU proposal coming out the day of our meeting, so we will have to take that into account.
Joanne: volunteers to participate.
Jeff also volunteering.
Nina
Aleecia: We will grab some time during one of the breaks in Brussels & start to talk this through.
<eberkower> The draft regulation from the EU Parliament will most likely be delayed at least 1 month
<ninjamarnau> I also volunteer
<npdoty> Jeff, Joanne, Ninja all volunteering to help explain the US/EU consequences and non-normative text -- thanks all!
<aleecia> https://www.w3.org/2011/tracking-protection/track/issues/22
<aleecia> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html
<rigo> Nick, I think I can also help with the EU consent expression by DNT
<aleecia> thanks, Rigo!
<aleecia> http://lists.w3.org/Archives/Public/public-tracking/2011Dec/0192.html
operational use of data (sid & shane) both of whom just had to leave.
Kevin_MSFT: the reason issue 31 is connected is it is on data minimization & they were very connected.
Aleecia: some items in the draft proposal: Operational uses: frequency capping, financial logging (imps, clicks, conversions), aggregated reporting, third party auditing (for advertisers & agencies ensuring they are being billed accurately), security.
Any questions/thoughts on these?
Jeff: a reasonable list. Does want more amplification on the frequency capping & financial logging. Concerned data could be distributed to third parties. Have to make sure it is not used for other purposes. Tied into the tracking system, how can it be discreetly taken out? Probably need to address in person.
Joseph:
Nick: Interested to see how we turn this into specification text. It's just a list. Accept all collection in DNT1 context. Tracking is about collection of data, putting data collection in scope, concern is this suggests all the same collection by multiple third parties would continue if you can with a DNT1 signal.
Aleecia summary: comments from FTC asks that data collection is important, not just use. If we go down this path, is there anything left that is not collected? Now we are just looking at use.
Roy: perhaps partitioning could be involved.
Nick: when we put it into specific language, e.g. minimization, there may be some way to do this while still minimizing data collection & making it less of a concern.
<aleecia> > Frequency Capping - A form of historical tracking to ensure the number of times a user sees the same ad is kept to a minimum.
<aleecia> > Financial Logging - Ad impressions and clicks (and sometimes conversions) events are tied to financial transactions (this is how online advertising is billed) and therefore must be collected and stored for billing and auditing purposes.
<aleecia> (need more sleep)
<aleecia> so to add to minutes: Jeff's concern is mostly about information use, that data collected for these uses not be mixed
<aleecia> Nick's concerns: data collection may be global, not have any limits
<aleecia> But minimization may help
<aleecia> http://lists.w3.org/Archives/Public/public-tracking/2012Jan/0007.html
Issue 23 analytics exemption, plus issue 34's aggregate analytics.
David singer & jonathan mayer drafted.
Aleecia: do we need to have a separate exemption for analytics at all if we're going to say it is ok to work with a third party as long as that third party does not share that data beyond the use for which they are contracting with the third party.
David: wonder what's left in the analytics exception? Don't think anything.
Rigo: David's text is well written. Covers the risk that we're tackling here. Aggregation is the danger.
Roy: when you come to a website foo.com, they want to know how did you get there (referrer) as a part of analytics. May also care about where they go to, but referrer is something that is easy to get & is something commonly done. May need a new issue.
Jeff: we do need to talk about referrers. Agrees we can drop 23/34 in light of the larger exception. But referrer information is something we need to discuss.
Lauren: many services/vendors who could do a wide variety of things as a vendor for many companies. Whatever restriction there is on sharing amongst the different clients of a vendor would be the same regardless of whether its analytics or whatever.
Aleecia: two irc discussion points.
i. At a technical level referrer is different. It may be difficult or impossible to do away with collection of referrer data
ii. Use or retention is an issue though.
iii. Thomas: referrer could be used as a way to communicate identifiers across sites.
Amy: Lauren makes a good point about keeping the language as flexible as possible. Question to Roy about referrers. This is something the first party could or would see anyway. What we're more concerned about is additional data.
Roy: referrer is provided as data for the requests. If general first party exception, that would cover it.
Amy: flexible for many business models while preventing first party from seeing things that they would see already.
Aleecia: do we want an issue around referral? This seems like a sane way to approach this.
Rigo: this is an obvious case of a third party that is under the condition of David Singer's wording - this is my data, not the 3p data. First party is the controller of this data. Justifies that we treat this theoretic third party under the control of the third party as being a first party itself.
Chris: need to set limits on the use of data in these third party exceptions. Data is being collected by third parties, owned by the third party.
Aleecia: 23 & 34 can go away. We can leverage this text for the more general exception. And we will open a new issue on referrer data. Referrer might be a limitation on use rather than collection.
Rigo: let's preserve david's text & merge it into issue 49.
AI: Aleecia creates new issue & merges text into #49.
Group agrees to close these issues out.
<jeffchester2> I agree
<JC> That depends on how closely we define a first party
<aleecia> discussion of if we need a specific analytics text, or if it's already covered by the idea of contracting to 3rd parties
<aleecia> Rigo: risk of 3rd parties merging data across sites
<aleecia> Rigo: partitioning so data is only scoped to a specific 1st party, not in general pool, is well reflected in drafted text
<fielding> do we have have a separate issue for referral tracking?
<aleecia> fielding: cross-site with where people came from and left to, referral related
<jeffchester2> +q
<amyc> Roy, wouldn't first party see referral?
<rigo> yes, so this is a non-issue for me
<laurengelman> +q
<amyc> if first party can see, then they are just allowing third party to see what first party can see
<npdoty> I don't see any separate issue on tracking referrals
<rigo> come from is easy IMHO, but revealing where they go to may be hard and need the orwell-view on the web
<aleecia> (rigo, why is that different?)
<npdoty> I would think there's a difference between tracking Referer: header values vs. otherwise using 3rd-party status to track a user before or after arriving on a particular site
<tl> let's just unilaterally modify the http spec to remove referers
<rigo> aleecia, because the referrer only reports the site you've been to. And the first party will not see where the user has gone to, but always where the user came from
<aleecia> Jeff: refer may violate x-site tracking
<tlr> referer is a communication channel between two sites
<vincent> tl, we discussed that already :)
<tlr> It can be used to hand unique identifiers between two sites
<rigo> only if the site after our first party uses the same aggregator/analytics service, you can tell where the user has gone from my first party site
<tlr> it's just another way for sites to collude.
<fielding> I meant referral data in general, not just the Referer header field.
<vincent> rigo, a website could monitor click on "outgoing" links
<rigo> ah, so the meaning is beyond the actual old http header
<fielding> tlr, it is also the second largest revenue stream on the Web (after advertising, which itself depends on referral information)
<aleecia> lauren: analytics not different from other companies; don't need specific analytics text
<rigo> vincent, sure, but they can monitor whatever and send to the analytics service if it is under the conditions that David put forward
<npdoty> fielding, do you want to suggest ISSUE text for referral (beyond Referer headers)?
<aleecia> amyc: agree to keep language broad where possible; if 1st party sees referer then why is that an issue for 3rd parties able to see what 1st parties see?
<amyc> +1
<aleecia> ChrisPedigo: limits on use for 3rd parties acting on behalf of 1st parties, not consistent across outsourcing and exceptions
<jeffchester2> as long as third party cannot use or aggregate, I agree
<laurengelman> yes, where the third party is doing the data collection/transfer for the 1st party
<npdoty> what's the separate issue for third-party-as-first?
<npdoty> issue-49?
<trackbot> ISSUE-49 -- Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/49
<johnsimpson> Sounds like the right way to handle and include David's text
<dsinger> issue-49?
<aleecia> issue-49?
<trackbot> ISSUE-49 -- Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/49
<trackbot> ISSUE-49 -- Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/49
<fielding> http://www.w3.org/2011/tracking-protection/track/issues/73
<rigo> nick, but also means first party collecting data and giving it to third party for further processing. Both are essentially the same
<aleecia> ACTION: aleecia clean up issue-49, issue-22, create new issue on refer [recorded in http://www.w3.org/2012/01/11-dnt-irc]
<trackbot> Created ACTION-45 - Clean up issue-49, issue-22, create new issue on refer [on Aleecia McDonald - due 2012-01-18].
<johnsimpson> unmute me
Exemptions
Talk generally about them in preparation for the Brussels meeting.
Aleecia: Every time we add something special, it muddies the message.
John Simpson: starting point would be no exceptions, asks us to persuade him that a particular one is needed. The list is intriguing, but needs to see more about how they would be implemented. Concerned about a possibility for gaming the system with some of them. Willing to listen & consider with respect to some of them. Just because current business practice is to do a particular thing doesn't mean its consistent with user privacy.
<jeffchester2> frequency capping can have privacy implications, if the ad (such as smart ad process) is personalized.
<JC> If DNT is enabled the ad should be personalized.
<johnsimpson> mute me
Facebook commented: since no tracking, should be nothing special for children in particular. Jeff Chester suggested turning DNT on for children.
Jeff Chester: on the sites whose principal business model is targeting children. Found that the majority of sites who target children engage in all kinds of tracking. Could we accommodate that the sites whose primary focus is children have some kind of obligation to have DNT as enabled unless otherwise informed (by the parent or whoever the appropriate party is in a given region).
Roy: when you have defaults in the absence of communications or protocols, that's not a part of this standard. How do we define "targeting children"? How do we know if they're children?
TomL: completely unrelated to core purpose of DNT. This is more related to following normative preferences on how to deal with information coming from children. More appropriate for regulators than for our mission.
Ted: He wrote original text. We're crossing over from a technical spec into something that is a matter of policy, which is different in different regions.
Aleecia: what if we had a non-normative best practice - if you are a site that is mostly children's content focused, you should consider treating everything that is not DNT0 as being DNT1. Took a straw poll. A mix but people generally would not even want to do non-normative as a preference here.
Jeff: intended to propose what aleecia has articulated, build in some way a mechanism to protect children as well as teens. Does the standard a service to acknowledge that children are a special case.
TomL: Too much to take on.
DavidS: Govt has the right to do this, but it's a regulatory issue, not a spec issue. We should not include it.
Aleecia: most people think it should not be in the spec. Not quite ready to close it as an issue. But right now seems that's the way that we're heading. Probably need a bit of discussion still.
<aleecia> https://www.w3.org/2011/tracking-protection/track/issues/15
<aleecia> http://lists.w3.org/Archives/Public/public-tracking/2011Dec/0199.html
<aleecia> The DNT:1 header does not require special treatment for children because DNT:1 means
<aleecia> no tracking regardless of whether the user is a child or not. Note that operator handling of children's
<aleecia> data may also be governed by local laws and regulations, such as COPPA in US.
<JC> How do you know it is a child without tracking?
<dsinger> ...if you know you have a child in hand, you can do child-specific targeting and advertising.
<aleecia> Jeff's text: "that even when a DNT signal is not on, a website that knowingly primarily targets a child should assume its DNT:1 unless informed otherwise. Same for sites that specifically primarily target teens." See details of our discussion below.
<dsinger> ...maybe it's better if no-one knows if you are a dog|policeman|child ...
<tl> +q
<ChrisPedigo> US COPPA law doesn't kick in unless you have "actual knowledge" that user is a child
<ChrisPedigo> doesn't apply broadly to all kid-directed sites
<johnsimpson> mute me
<efelten> Doesn't COPPA have a notion of sites that are "directed to children" and therefore covered?
<jeffchester2> Yes, I am saying that cites that specificlaly target kids, they are required to enact DNT, unless requested
<Joanne> yes to Ed
<johnsimpson> thanks, rigo
<fielding> to be clear, I would personally support such regulation -- it just isn't a W3C issue
<amyc> agree with tom, generic technical spec could be tool to be used by regulators or self-reg such as CARU
<jeffchester2> +q
<tl> +1
<andyzei> +1
<ChrisPedigo> +1
<amyc> +1
<dsriedel> +1
<tedleung> +1
<jeffchester2> -1
<Joanne> +1
<BrianTs> +1
<dsinger> -1 (but later)
<npdoty> -1 (fine with non-normative on best practices)
<KevinT> -1
<JC> +1
<johnsimpson> -1
<eberkower> +1
<punderwood> +1
<fielding> arch, is that a triple-negative?
<fielding> +1
<Lia> +1
<alex_> +1
<rigo> +1
<tl> +q
<ChrisPedigo> very hard to differentiate between teen and early adult....some would say impossible
<jeffchester2> I am talking about teen targeted sites only.
<ChrisPedigo> again very hard
<ChrisPedigo> tmz.com?
<amyc> we should have non-normative text to get tl a pony
<tl> ^_______^
<jeffchester2> Use comscore's list of what prime target is. that's what we did with our OBA and kids site study
<tl> fielding, victory is mine! i take the analogy, and get a pony from amyc!
<andyzei> lol
<amyc> wait a moment!
<ChrisPedigo> anecdotally speaking, every teen wants to read what the 22 year olds are reading!
<npdoty> register: https://www.w3.org/2002/09/wbs/49311/brussels-f2f/