See also: IRC log
<npd> scribenick: npd
Nota bene: Because of inconsistent Internet access during this day's meeting, the minutes may be incomplete in some areas. If you took offline notes that should be merged into these minutes, please contact npdoty@w3.org.
schunter: improved our understanding of each other's views
... but can do better at closing issues (we closed none yesterday)
... want to get more text, since we'll be judged on our text not just our good ideas and discussion
... aleecia and I will work on ways for our process, more structured and text-focused
johnsimpson: I agree with your analysis, but we might try developing text with 2 or 3 people going outside of the room and come back with text
dsinger: we do seem a lot better at improving bad text that creating new text
schunter: for each issue, we need to identify a few people who need to create the text
johnsimpson: and it might be useful to have diametrically opposed people do it together
wileys: agree
schunter: need to have more stringent project management; homework for schunter and aleecia
... fielding has done a great job editing, but david singer has volunteered to help edit the TPE spec, thanks david!
<applause>
scribe volunteers: ninja, jeff, sean, KevinT, amyC
rvaneijk: new version will be announced this afternoon
... Recital 66
... in the EU framework, we always think in terms of purposes, rather than notice and consent
... "users be provided with clear and comprehensive information"
... in the revised directive, disclosure needs to be up front
... need to decide whether this is in scope of Do Not Track or not
WileyS: Recital 66 goes on to say that existing cookie management tools would be sufficient
rvaneijk: don't worry, there's more slides <laughter>
... graphic (nodes and arcs) about sites visited and trackers
... leaves out any sharing of information on the server-side
... Article 5.3, about storing and accessing under consent from the user
... having been provided clear and comprehensive information
... in accordance with the broader Directive 95/46/EC legal framework, must have a legitimate purpose
... regarding the purposes of processing
... need another legitimate purpose for the processing
... Article 5.3 doesn't apply where a service is requested explicitly by the user (perhaps like our definition of "meaningful interaction"); gives us hooks we can work with to make life easier
... Recitals are like the memoranda of understanding that explain the law
schunter: what does "strictly necessary" mean for cookies, for example?
rvaneijk: still under debate about what the list of purposes will be that count as "strictly necessary"; cookies to store language preferences, for example
karl: what about feed readers and web-based email clients?
aleecia: some industry have said that all cookies for advertising are strictly necessary since advertising is necessary for their business
rvaneijk: for each exception (like frequency capping) would have to be considered
... could include data minimization
... and purpose limitation (not reusing data from one exception for some other purpose), could make it easier
bryan: this doesn't apply to server-based storage, right? just client-based?
rvaneijk: yes, but it's been said that evading the law using server-based mechanisms won't be tolerated
... trying to explain where this comes from, and it comes from confidentiality of communications
... like secrecy of mail, not looking into the envelope
... different categories of third parties involved in the ad bidding and ad network process
... 1st/3rd party vs. controller/processor
... three different types of parties: the controller who decides and determines the purposes
... the processor who is bound by contractor (BCRs as we discussed yesterday)
... a third party is the residual category of actors who have no specific legitimacy or contract
... if you are in the third category and don't have a legitimate purpose in the EU context, that will be a problem
... Working Party 29 Opinion 16/2011
... could work if:
... mechanisms enable users to express consent on a case-by-case basis
... and aren't tracked by default (which might be out of scope for us)
... consent must be freely given, specific and informed; the "explicit consent" we've discussed could be very close
... Recital 66 notes that browser configuration could be used for that purpose, could definitely fit our DNT work
fielding: why don't we just re-use all of these definitions?
rvaneijk: may not work with the notice and consent model
... and the technical definitions may not always fit with these legal definitions
... user perspectives, business perspectives, technical perspectives and two different legal perspectives
... suggest we keep using the technical terms and use footnotes or explanation to explain the connection
ninja and tl scribing
<npdoty> scribenick: rigo
<tlr> ISSUE-7 closed
<trackbot> ISSUE-7 What types of tracking exist, and what are the use cases for these types of tracking? closed
<tlr> ISSUE-8 closed
<trackbot> ISSUE-8 How do we enhance transparency and consumer awareness? closed
<tlr> issue-9 closed
<trackbot> ISSUE-9 Understand all the different first- and third-party cases. closed
<tlr> issue-7: lack of interest at 2012-01-26 meeting
<trackbot> ISSUE-7 What types of tracking exist, and what are the use cases for these types of tracking? notes added
<tlr> issue-8: lack of interest at 2012-01-26 meeting
<trackbot> ISSUE-8 How do we enhance transparency and consumer awareness? notes added
<tlr> issue-9: lack of interest at 2012-01-26 meeting
<trackbot> ISSUE-9 Understand all the different first- and third-party cases. notes added
<tlr> issue-12: lack of interest at 2012-01-26 meeting
<trackbot> ISSUE-12 How does tracking require relation to unique identities, pseudonyms, etc.? notes added
<tlr> issue-12 closed
<trackbot> ISSUE-12 How does tracking require relation to unique identities, pseudonyms, etc.? closed
<tlr> ISSUE-16: discussed collection vs retention, not otherwise needed
<trackbot> ISSUE-16 What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.) notes added
<tlr> issue-16 closed
<trackbot> ISSUE-16 What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.) closed
<tlr> issue-20: touch upon unidentified / unidentifiable in compliance; Shane: challenge to write text
<trackbot> ISSUE-20 Different types of data, what counts as PII, and what definition of PII notes added
<tlr> issue-20: touch upon unidentified / unidentifiable in compliance; Shane: challenge to write text
<trackbot> ISSUE-20 Different types of data, what counts as PII, and what definition of PII notes added
<tlr> issue-20 closed
<trackbot> ISSUE-20 Different types of data, what counts as PII, and what definition of PII closed
<tlr> ACTION: kevin to produce draft for ISSUE-21 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action01]
<trackbot> Sorry, amibiguous username (more than one match) - kevin
<trackbot> Try using a different identifier, such as family name or username (eg. ktrilli2, ksmith5)
<tlr> ACTION: trilli to produce draft for ISSUE-21 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action02]
<trackbot> Created ACTION-55 - Produce draft for ISSUE-21 [on Kevin Trilli - due 2012-02-01].
<tlr> ISSUE-21: jonathan mayer: difference between response header and technical verification is what brought this up initially.
<trackbot> ISSUE-21 Enable external audit of DNT compliance notes added
<tlr> ACTION: mayer to draft text for issue-28 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action03]
<trackbot> Created ACTION-57 - Draft text for issue-28 [on Jonathan Mayer - due 2012-02-01].
<tlr> ACTION: amy to draft text for issue-28 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action04]
<trackbot> Created ACTION-58 - Draft text for issue-28 [on Amy Colando - due 2012-02-01].
<tlr> issue-33: likely duplicate
<trackbot> ISSUE-33 Complexity of user choice (are exemptions exposed to users?) notes added
<tlr> ACTION: npdoty to find duplicate for ISSUE-33, add note [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action05]
<trackbot> Created ACTION-59 - Find duplicate for ISSUE-33, add note [on Nick Doty - due 2012-02-01].
<tlr> issue-35?
<trackbot> ISSUE-35 -- How will DNT interact with existing opt-out programs (industry self-reg, other)? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/35
<tlr> issue-38 closed
<trackbot> ISSUE-38 Granularity for different people who share a device or browser closed
<tlr> issue-41 closed
<trackbot> ISSUE-41 Consistent way to discuss tracking with users (terminology matters!) closed
<tlr> issue-43: addressed by site-specific exceptions
<trackbot> ISSUE-43 Sites should be able to let the user know their options when they arrive with Do Not Track notes added
<tlr> issue-43 closed
<trackbot> ISSUE-43 Sites should be able to let the user know their options when they arrive with Do Not Track closed
<tlr> trackbot, reopen issue-43
<trackbot> ISSUE-43 Sites should be able to let the user know their options when they arrive with Do Not Track re-opened
<tlr> ACTION: npdoty to find out whether ISSUE-43 is a duplicate (and of what) [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action06]
<trackbot> Created ACTION-60 - Find out whether ISSUE-43 is a duplicate (and of what) [on Nick Doty - due 2012-02-01].
<tlr> ACTION-60: close issue-43 with appropriate annotation
<trackbot> ACTION-60 Find out whether ISSUE-43 is a duplicate (and of what) notes added
<tlr> issue-45?
<trackbot> ISSUE-45 -- Companies making public commitments with a "regulatory hook" for US legal purposes -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/45
<tlr> ACTION: tl to write no-change proposal for ISSUE-45 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action07]
<trackbot> Sorry, amibiguous username (more than one match) - tl
<trackbot> Try using a different identifier, such as family name or username (eg. tleung2, tlowenth)
<tlr> ACTION: lowenthal to write no-change proposal for ISSUE-45 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action08]
<trackbot> Created ACTION-61 - Write no-change proposal for ISSUE-45 [on Thomas Lowenthal - due 2012-02-01].
<tlr> ACTION: mayer to write "text in privacy policy" proposal for ISSUE-45 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action09]
<trackbot> Created ACTION-62 - Write "text in privacy policy" proposal for ISSUE-45 [on Jonathan Mayer - due 2012-02-01].
<tlr> issue-54?
<trackbot> ISSUE-54 -- Can first party provide targeting based on registration information even while sending DNT -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/54
<tlr> issue-15?
<trackbot> ISSUE-15 -- What special treatment should there be for children's data? -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/15
<tlr> ISSUE-15: consensus this is not an issue we take on specifically; fall back to applicable law
<trackbot> ISSUE-15 What special treatment should there be for children's data? notes added
<npdoty> issue-15 pending review
<tlr> issue-15 closed
<trackbot> ISSUE-15 What special treatment should there be for children's data? closed
<npdoty> issue-36?
<trackbot> ISSUE-36 -- Should DNT opt-outs distinguish between behavioral targeting and other personalization? -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/36
<tlr> ACTION: lowenthal to write counter-proposal for issue-36 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action10]
<trackbot> Created ACTION-63 - Write counter-proposal for issue-36 [on Thomas Lowenthal - due 2012-02-01].
<tlr> ISSUE-36: current text intended *specifically* for third parties
<trackbot> ISSUE-36 Should DNT opt-outs distinguish between behavioral targeting and other personalization? notes added
<npdoty> I think we probably need different action items for different counter-proposals
<npdoty> jeff, ninja, nick, tom are the interested parties for issue-36 counter-proposals
<tlr> ISSUE-36: JeffC, ninja, Nick, Tom will review action
<trackbot> ISSUE-36 Should DNT opt-outs distinguish between behavioral targeting and other personalization? notes added
<tlr> issue-39?
<trackbot> ISSUE-39 -- Tracking of geographic data (however it's determined, or used) -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/39
<tlr> issue-39: historic data covered; real-time use out of scope
<trackbot> ISSUE-39 Tracking of geographic data (however it's determined, or used) notes added
<tlr> ISSUE-16 reopened
<tlr> trackbot, reopen ISSUE-16
<trackbot> ISSUE-16 What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.) re-opened
SW: issue 63 is out of scope of DNT
<tlr> ACTION: jonathan to propose new text for ISSUE-16 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action11]
<trackbot> Created ACTION-64 - Propose new text for ISSUE-16 [on Jonathan Mayer - due 2012-02-01].
<tlr> ACTION: lowenthal to propose clarification on ISSUE-39 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action12]
<trackbot> Created ACTION-65 - Propose clarification on ISSUE-39 [on Thomas Lowenthal - due 2012-02-01].
<tlr> ACTION: chester to propose counterproposal for ISSUE-39 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action13]
<trackbot> Created ACTION-66 - Propose counterproposal for ISSUE-39 [on Jeffrey Chester - due 2012-02-01].
issue-16: Jonathan to propose new text
<trackbot> ISSUE-16 What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.) notes added
<tlr> ACTION: justin to propose text on ISSUE-39 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action14]
<trackbot> Created ACTION-67 - Propose text on ISSUE-39 [on Justin Brookman - due 2012-02-01].
<tlr> issue-54?
<trackbot> ISSUE-54 -- Can first party provide targeting based on registration information even while sending DNT -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/54
SW: can third parties use registration information from first party
<tlr> SH: need to generalize beyond first registration data
Jeff: DNT should trump
Sean: this is more than registration data
Justin: information is not covered. That needs to be clarified
<tlr> ACTION: justin to provide text on ISSUE-54 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action15]
<trackbot> Created ACTION-68 - Provide text on ISSUE-54 [on Justin Brookman - due 2012-02-01].
<npdoty> action-68: we need to clarify that data collected while you're a first party can't be used later as a third-party (in a third-party ad context, for example)
<trackbot> ACTION-68 Provide text on ISSUE-54 notes added
<tlr> SW: argue that use of registration information in should only happen first-party contexts
MS: if advertising on Yahoo as first party, this trumps DNT signal
SW: we have some out of band agreement to have photo logged on Blog. That will be conflict with DNT
... explicit consent will trump DNT
TL: agree, but difference with real consent and some general conditions
Sean; specific registration, suggest to close this issue
<tlr> ACTION: harvey to propose renaming issue-54 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action16]
<trackbot> Created ACTION-69 - Propose renaming issue-54 [on Sean Harvey - due 2012-02-01].
Andy: we have issue 65
<tlr> issue-65?
<trackbot> ISSUE-65 -- How does logged in and logged out state work -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/65
JC: if we do that all social widgets will be disabled
TL: disagreed with the premise, disagreed to have anything in the text
<tlr> ACTION: lowenthal to review andy's text on issue-65 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action17]
<trackbot> Created ACTION-70 - Review andy's text on issue-65 [on Thomas Lowenthal - due 2012-02-01].
<tlr> ACTION: zeigler to link previous text proposal from issue-65 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action18]
<trackbot> Created ACTION-71 - Link previous text proposal from issue-65 [on Andy Zeigler - due 2012-02-01].
MS: to Tom, if you find to agree with Andy just send empty counterproposal
<tlr> issue-95?
<trackbot> ISSUE-95 -- May an institution or network provider set a tracking preference for a user? -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/95
issue-95?
<trackbot> ISSUE-95 -- May an institution or network provider set a tracking preference for a user? -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/95
SW: intermediaries that should not modify signal
<npdoty> action-71: Andy had already written a draft shared with Tom and some revisions, but would be good to link that directly to issue-65
<trackbot> ACTION-71 Link previous text proposal from issue-65 notes added
AM: not to be discussed now. Matthias business
<tlr> issue-74?
<trackbot> ISSUE-74 -- Are surveys out of scope? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/74
<tlr> issue-25?
<trackbot> ISSUE-25 -- Possible exemption for research purposes -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/25
issue-74?
<trackbot> ISSUE-74 -- Are surveys out of scope? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/74
AM: action on me
<tlr> ACTION: kathy to review aleecia's draft on issue-25, issue-74 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action19]
<trackbot> Created ACTION-72 - Review aleecia's draft on issue-25, issue-74 [on Kathy Joe - due 2012-02-01].
Kathy offers to review that text
AM: please send directly to the mailing list
<npdoty> issue-74: could also connect to the Market Research exception discussed 24 January 2012
<trackbot> ISSUE-74 Are surveys out of scope? notes added
issue-91?
<trackbot> ISSUE-91 -- Might want prohibitions on first parties re-selling data to get around the intent of DNT -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/91
Justin: 4.1 of compliance spec
<tlr> issue-91 closed
AM: propose to close the issue
<trackbot> ISSUE-91 Might want prohibitions on first parties re-selling data to get around the intent of DNT closed
Resolution: current text accepted
<npdoty> issue-91: closed as per the existing text "If an operator of a first party domain stores a request to which a [DNT-ON] header is attached, that operator must not transmit information about that stored communication to a third party, outside of the explicitly expressed exceptions as defined in this standard."
<trackbot> ISSUE-91 Might want prohibitions on first parties re-selling data to get around the intent of DNT notes added
AM: editorial pass at the end of the process to get wording in line
... what is a user?
Ninja: Tom and I are still working on this
<tlr> issue-91?
<trackbot> ISSUE-91 -- Might want prohibitions on first parties re-selling data to get around the intent of DNT -- closed
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/91
<tlr> issue-101?
<trackbot> ISSUE-101 -- What is a user? add to defns -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/101
TL: Please put deadline on me and Ninja to come up with a wording until 3 Feb
<npdoty> the action is action-40
AM: issue-101 move from pending to open
<tlr> action-101?
<trackbot> ACTION-101 does not exist
<tlr> ISSUE-101?
<trackbot> ISSUE-101 -- What is a user? add to defns -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/101
issue-104?
<trackbot> ISSUE-104 -- Could use a better defn of user agent, rather than browser -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/104
AM: good text that came in from Roy.
<tlr> issue-104 closed
<trackbot> ISSUE-104 Could use a better defn of user agent, rather than browser closed
AM close issue 104
<tlr> ISSUE-104: section 3.11 user agent
<trackbot> ISSUE-104 Could use a better defn of user agent, rather than browser notes added
3.11 text accepted
DS: exception and exemption are not used consistently
AM: used in different ways, I'm mixed up too
<npdoty> scribenick: npdoty
aleecia: some things that I've heard
<rvaneijk> Aleecia: Do Not Track profile
<rvaneijk> ... Do not X-site track
aleecia: Do Not Profile -- continue to collect, but don't profile
... Do Not Cross-site Track
... Do Not Cross Time Track
rigo: a scenario where somebody visits a site on medical information to inform himself, and this is shared with his insurance which affects his fees when they assume that he's sick
... a pure 1st-party scenario
... can or should Do Not Track address that
?
aleecia: discuss this list or add to the categories first; later we can look at specific use cases
dsinger: do not build a database? is that different than "Do Not Profile"?
jimk: about data collection/retention, unlike the others
WileyS: I think do-not-profile can be characterized in that way
tl: treat me as someone about whom you know nothing and remember nothing about me
aleecia: every impression is a first impression, like "Do Not Track Across Time"
fielding: tl, do you intend that to also include 1st parties?
tl: this would only apply if I didn't intend to communicate with you, so 1st parties would be exempt
sean: concerned about 1st/3rd party distinction for these
dsinger: we can separately define the exceptions to tracking, but the definition of tracking is under discussion now
fielding: applying to ePrivacy directive
... including the first party issues that have to do with setting cookies
... setting cookies as a first party under the ePrivacy directive might be something we're trying to address here
rigo: recording consent in the first party context
<cross-talk: should we be having this high-level conversation?>
rvaneijk: tracking is "following user behavior across sites"
mzaneis: pretty clear that the Internet is based on data collection; everybody collects data and everybody tracks
karl: distinction of cross-site tracking between companies or by services
<jmayer> jmayer: If your views on web privacy reduce to one word, you are part of the problem, not part of the solution.
johnsimpson: do not track should mean do not collect
wileys: "do not target", even if it's not going to be popular in the room <some laughter>
<rvaneijk> vtoubiana: if do not profile means do not remember?
vincent: would recommend-- remember my interests, but not the sites that I visited
<rvaneijk> JC: pulling profiles out of a log file is different
scribe not sure he got that one right
<rvaneijk> DGINFSO: identifyability is enough of a disctinction
alex: do not collect data unique to a user
<rvaneijk> bsullivan: not including PII?
bryan: isn't that the same as not collecting PII?
aleecia: Google opt-out cookie might be an example in practice
... aggregation as another potential tool
collection, retention, use, minimization, aggregation
Do Not Target: still allows collection, allows retention, has a use limitation, could have minimization, aggregation unlikely
Do Not Profile: allows collection, allows retention, use limitation
Do Not Create A Profile: limits collection, limits retention, some kind of minimization?
Do Not Cross Site Track (dsinger): tunnel vision, don't remember anything about the interaction except what took place between you and the user
scribe: impacts collection, impacts retention (in a different way), doesn't limit use
Do Not Cross Time Track / Forget Me / Don't Remember Me / a stateless service: allows collection, prohibits retention, no other changes
Do Not Collect Identifiable Information: affects collection and retention
aleecia: collection will generally always involve retention, right?
... minimization and aggregation don't differentiate between these proposals
ninja: what's the difference between Do Not Target and Do Not Profile?
WileyS: Do Not Target would create a profile and keep it around in case the user changes their mind
Do Not Profile is just Do Not Create A Profile
Do Not Collect Identifiable Information might be mostly about aggregation
aleecia: Do Not Remember Me is the more-than-just-advertising view of Do Not Profile
<rvaneijk> ndoty: use limitation instead of data collection limitation
<rvaneijk> shane: categorisation is key in creating profiles
<scribe> scribenick: rvaneijk
rigo: can data that has been collected be shared to oter parties
rfielding: it is ok to customize for current session
... so targeting in current session based on data collected in current session
swiley: if we only can vote for one, then distinguise enough between options
<npdoty> no support for Do Not Target
<npdoty> some support for all others, perhaps less for the last one around which there was confusion
aleecia: humming result: do not target is off the list
<npdoty> ACTION: ninja to write-up Do Not Collect Identifiable Information [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action20]
<trackbot> Created ACTION-73 - Write-up Do Not Collect Identifiable Information [on Ninja Marnau - due 2012-02-01].
<npdoty> action-73 due 02-08
<trackbot> ACTION-73 Write-up Do Not Collect Identifiable Information due date now 02-08
<npdoty> ACTION: jeffc to write-up Do Not Create A Profile [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action21]
<trackbot> Sorry, couldn't find user - jeffc
<npdoty> ACTION: chester to write-up Do Not Create A Profile [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action22]
<trackbot> Created ACTION-74 - Write-up Do Not Create A Profile [on Jeffrey Chester - due 2012-02-01].
<npdoty> ACTION: shane to write-up a hybrid of Do Not Profile and Do Not Cross-Site Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action23]
<trackbot> Created ACTION-75 - Write-up a hybrid of Do Not Profile and Do Not Cross-Site Track [on Shane Wiley - due 2012-02-01].
<npdoty> ACTION: kevin smith to write up Do Not Cross-Site Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action24]
<trackbot> Sorry, amibiguous username (more than one match) - kevin
<trackbot> Try using a different identifier, such as family name or username (eg. ktrilli2, ksmith5)
<npdoty> ACTION: ksmith5 to write up Do Not Cross-Site Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action25]
<trackbot> Created ACTION-76 - Write up Do Not Cross-Site Track [on Kevin Smith - due 2012-02-01].
<npdoty> ACTION: singer to write up Do Not Cross-Site Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action26]
<trackbot> Created ACTION-77 - Write up Do Not Cross-Site Track [on David Singer - due 2012-02-01].
<tlr> issue-5?
<trackbot> ISSUE-5 -- What is the definition of tracking? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/5
rfielding: please attach all comments on these action items as issue-5
<npdoty> ACTION: karl to write up Forget Me/ Do Not Cross Time Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action27]
<trackbot> Created ACTION-78 - Write up Forget Me/ Do Not Cross Time Track [on Karl Dubost - due 2012-02-01].
<npdoty> aleecia: for each, please tag with issue-5, a description and use cases
dsinger: implications on structure of document and use of already drafted terms
aleecia: will take this into account in future process of dealing with the issuelist
ksmith: all depends on what we are going to do. THerefor it is important to choose as a group on what we are going to do. So we can answer the question: does this text meet our objectives?
<npdoty> back at 1:30
<dsinger> issue-25?
<trackbot> ISSUE-25 -- Possible exemption for research purposes -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/25
<sean> We are online baby!
<sean> Matthias: we now move to TPE spec
<npdoty> scribenick: sean
Matthias: goal is to assign as many of the issues as possible
... has a list of pending items on the screen: let's go through the list together
ISSUE-27 - how should opt back in mechanism be decided. draft text from shane & nick.
Nick: overview. the idea is taht some sites may want to ask for an exception. your browser will know all of your exceptions. no need to track out of band exceptions.
... A JS API keeps track of the exceptions asynchronously.
... DOM property could check for exceptiosn & wouldn't need to prompt the user.
... Exceptions limited to origin pair. while i browse site x, vendor y can "track" me
Adobe: does not currently pass first party info to third party, NIck/Shane: this is an open item.
RIgo: the way browsers work may clash with our party definitions. we need to measure pain of sticking iwth browser definitions vs benefits of enlarging first party definitions (multiple first parties, etc.)
NIK; spec is agnostic on how the data is stored, done on client side but client can choose how (in answer to Tom from Opera)
Shane: its up to each vendor to decide on the interface
Matthias: main issue: does this work where there are multiple first parties? and is the proposed format expressive enough.
ACTION ITEM for ISSUE 27 for Tom: validate whetherh TPE lists can be used to store opt-back-in features or not.
<trackbot> Sorry, couldn't find user - ITEM
ACTION ITEM for Issue 27: Shane to work with David Singer & Nick to determine whether David's party paradigm would resolve this issue.
<trackbot> Sorry, couldn't find user - ITEM
Shane: what you would store in the 1/3 party pair would be the parent. Nick is skeptical.
thx
<scribe> ACTION: Tom to validate whether TPE lists can be used to store opt-back-in features or not [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action28]
<trackbot> Sorry, couldn't find user - Tom
<aleecia> (helps to have a deadline too, like ACTION: Tom to make cookies by tuesday)
<aleecia> (Tom = tl)
<tl> No, that item was assigned to Karl?
yes sorry
<scribe> ACTION: karl dubost to validate whether TPE lists can be use to store opt-back-in features or not [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action29]
<trackbot> Created ACTION-79 - Dubost to validate whether TPE lists can be use to store opt-back-in features or not [on Karl Dubost - due 2012-02-01].
<scribe> ACTION: dsinger with shane to determine whether dave singer's new party paradigm would be a solution for Issue 27 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action30]
<trackbot> Sorry, couldn't find user - dsinger
<scribe> ACTION: david singer and shane wiley to determine whether dave singer's paradigm on parties would be a solution for Issue 27 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action31]
<trackbot> Created ACTION-80 - Singer and shane wiley to determine whether dave singer's paradigm on parties would be a solution for Issue 27 [on David Singer - due 2012-02-01].
<rigo> ACTION: Karl to validate whether the TPLs can also express a cluster of whitelists for use with the Javascript API as defined by Nick [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action32]
<trackbot> Created ACTION-81 - Validate whether the TPLs can also express a cluster of whitelists for use with the Javascript API as defined by Nick [on Karl Dubost - due 2012-02-01].
Matthias: Shane can get us an opinion on Action 81 in the next week
... close the discussion on Issue 27
<rigo> trackbot, drop Action-81
<trackbot> Sorry, rigo, I don't understand 'trackbot, drop Action-81'. Please refer to http://www.w3.org/2005/06/tracker/irc for help
<rigo> trackbot, close Action-81
<trackbot> ACTION-81 Validate whether the TPLs can also express a cluster of whitelists for use with the Javascript API as defined by Nick closed
<rigo> was duplicate
Issue 78: what's the difference between absence of DNT header and DNT=0
<tl> ACTION: tl to Assess the proposed JavaScript opt-back-in API with Mozilla mothership's JS gurus [ISSUE-27]. [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action33]
<trackbot> Sorry, amibiguous username (more than one match) - tl
<trackbot> Try using a different identifier, such as family name or username (eg. tleung2, tlowenth)
Roy: current text does not have consensus. could put an action item on roy to put an action item to edit & put a new draft into the spec.
<tl> ACTION: tlowenth to Assess the proposed JavaScript opt-back-in API with Mozilla mothership's JS gurus [ISSUE-27]. [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action34]
<trackbot> Created ACTION-82 - Assess the proposed JavaScript opt-back-in API with Mozilla mothership's JS gurus [ISSUE-27]. [on Thomas Lowenthal - due 2012-02-01].
Roy: this conversation relates to meanings of DNT 1 & 0, relative to compliance items (cross-tracking) being in the header spec
Shane: other issue was DNT=nothing instead of not sending a DNT header at all. related potentially to eprivacy.
Rigo: We should require the sending of DNT unset, because only then does the service know you can trigger an opt back in (if they get consent)
TL: disagrees. you'll know which ua version supports DNT
Nick: you could check for the js method.
Kevin: should be an option for DNT-OFF. e.g. if dnt is on by default, someone could set the preference globally to OFF
TL: when you see a DNT header, it's talking to you. so you should not be able to get anything on the state of the rest of the world.
Aleecia: don't think that's going to happen based on how we are building it. legislation might be that if you don't get a signal then you have to assume it is on
Shane: would help in knowing whether a given browser version is capable of passing DNT header
<scribe> ACTION: roy fielding to take the text from the email conversation & place it in the doc [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action35]
<trackbot> Created ACTION-83 - Fielding to take the text from the email conversation & place it in the doc [on Roy Fielding - due 2012-02-01].
Aleecia: need non-normative text that makes the purpose of 0 clearer
TL: not happy passing null for a mozilla user
... happy with the current proposal. Matthas asks we wait for Roy's next text version & we will comment further from there
<scribe> ACTION: describe the reason for setting DNT=null [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action36]
<trackbot> Sorry, couldn't find user - describe
<scribe> ACTION: shane wiley to describe the reason for setting DNT=null [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action37]
<trackbot> Created ACTION-84 - Wiley to describe the reason for setting DNT=null [on Shane Wiley - due 2012-02-01].
ISSUE 84 Do we need a JS API / DOM property for client side js access to DNT status
<rigo> trackbot, comment ACTION-83 take text from email about section for and DNT-header values
<trackbot> ACTION-83 Fielding to take the text from the email conversation & place it in the doc notes added
Jonathan: comfortable where we are now, no objections to text
Tom: remove the ability to set this within the DOM. it will always be an HTTP request. Shane seconds this.
Rigo: not sure why this can take different values
Shane: If you're a 3p on a 1p DOM, if i look into the DOM header the current signal is 1. but site specific exception is in place and that's 0. you would have to start building business rules on different signals from DOM vs HTTP request
Jonathan: agrees. there are ways of making JS DNT aware that is in the JS provided by the browser. website can serves some js that reflects what the server received in the header. not hard to write & will always be correct. also comfortable dropping DOM with some discussion explaining why.
Thomas; we want to figure out a way taht no party finds out the settings for other parties. it might be worth having a few people put their heads together & think it through a bit more. if we get site specific exceptions solved cleanly i suspect we will have this solved as well
Matthias: let's drop this & charge a group with leader to find a way to repair it. if not, drop it.
Rigo: which use cases will we love if we do not have JS API?
Thomas; everyone agrees API is not going to work. let's remove the text since we don't know how to fix it. if people come up with new proposal we can create a new issue.
much debate about whether or not we should close this issue, or open a new issue
<tlr> proposed: close issue-96, re-open issue-84
<aleecia> jmayer: difference between browser API and not. Is the issue one about should js be DNT aware? (If so, yes, we have a proposal.)
Jonathan: will send an email to the list on technical solutions (possible), or do we need an issue specifically on an API & leave that issue open?
<scribe> ACTION: jonathan mayer to draft text to send out around a potential technical solution [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action38]
<trackbot> Created ACTION-85 - Mayer to draft text to send out around a potential technical solution [on Jonathan Mayer - due 2012-02-01].
ISSUE 87
<rigo> issue-87?
<trackbot> ISSUE-87 -- Should there be an option for the server to respond with "I don't know what my policy is" -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/87
<scribe> closed; Issue 87
<tlr> issue-86?
<trackbot> ISSUE-86 -- Do we have general extensibility capability for header response? -- closed
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/86
<npdoty> close issue-87
<trackbot> ISSUE-87 Should there be an option for the server to respond with "I don't know what my policy is" closed
<scribe> closed ISSUE-87
<scribe> closed: Issue-87
<rigo> trackbot, close issue-87
<trackbot> ISSUE-87 Should there be an option for the server to respond with "I don't know what my policy is" closed
Issue 95
<rigo> issue-95?
<trackbot> ISSUE-95 -- May an institution or network provider set a tracking preference for a user? -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/95
may an institution or a network provider set a TPE for a user?
y please
bryan sullivan: want the ability to express a preference by a corporation, for a family
david singer: is it ok i agree to be tracked because i am using wifi in a given hotel?
shane: a legal issue, but potentially yes
<rigo> the general setting would kill the user consent thingy as it wouldn't be the user's consent anymore
jim killock: believes setting DNT on is legitimate, setting it off is not
thomas; do we have any contributors in this room that want to propose changes to this text? would otherwise prefer we close the issue.
Bryan Sullivan: must the preference be managed just on the device
shane: no we excplicitly called out that it is not limited in this way
david singer: can we have some examples to back up this text? Shane -- we provided on the email chian
close: issue-95
<tlr> issue-95 closed
<trackbot> ISSUE-95 May an institution or network provider set a tracking preference for a user? closed
issue-96?
<trackbot> ISSUE-96 -- The doNotTrack attribute should mirror the value of the header (potentially empty, extensions, etc.) -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/96
<tlr> issue-96?
<trackbot> ISSUE-96 -- The doNotTrack attribute should mirror the value of the header (potentially empty, extensions, etc.) -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/96
<tlr> issue-96 closed
<trackbot> ISSUE-96 The doNotTrack attribute should mirror the value of the header (potentially empty, extensions, etc.) closed
<tlr> issue-84?
<trackbot> ISSUE-84 -- Do we need a JavaScript API / DOM property for client-side js access to Do Not Track status? -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/84
close: issue-96
<rigo> trackbot, close issue-96
<trackbot> ISSUE-96 The doNotTrack attribute should mirror the value of the header (potentially empty, extensions, etc.) closed
matthias: 3 high level areas: (1) Elements (fields) if we send the header, what elements go into it?
(2) when to send the response headers
(3) misc
RIgo: caching is likely to take up a lot of time
TL: main components: 1/3p, whether subject to exceptions, option for serer to tell users they're opted back in, response for catchable objects
no-dnt -- not allowed, means you're not in compliance. for now it is a reserved value
well-known URI: whatever exceptions you are claiming there. not sure if its human readable or not yet
<rigo> DNT: P3P-URI would be also nice :)
TL: main idea: on resources which tracking occurs, the access of that resource could produce data compatible with DNT, you get a response header.
caching situation: tracking doesn't take place here, so not needed
Rigo: concerned the solution is overly complex with too many values. also has URI that points to further documentation that might contradict the meaning
TL: feels this is covered in the spec. not allowed to contradict.
... header that says " we follow DNT" is not as useful to a client browser that wants to take dynamic actions based on levels of compliance
Alex: compliance is definitive, yes or no. if i the server have an exception with you through the user via a website visited, or through a backend contract. when a server comes in with DNT-on I don't know why that is the case.
Matthias: the concern here is that the server side third party may not be able to distinguish between these different values and may not know how to respond accurately.
Alex: would be easier to send a static header response
Kevin: this is very thorough. however i find it overly complicated & confusing and a little redundant. haven't heard a use case to presenta big enough advantage to justify the cost of the complexity involved here.
... greatly simplified when you look at it as cross site tracking instead of 1st v 3rd
<bryan> +1 to Kevin's concern over the complexity of including 1st and 3rd party distinction in the response
Nick: DNT=0 -- could we specify the syntax. DNT=0 indicates you don't comply. move some of this langauge to the compliance spec.
... if I know i am never going to track, what value should I set?
<npdoty> I think we could clarify dnt:c to apply to any resource that surely won't be tracked
Roy: edit: if a message is marked as cacheable,it is considered compliant
... little o, big o and 0 seems like a bad idea. pick letters that are not confused with one another
TL: Ok to use 3 letters? people say yes
<npdoty> ACTION: doty to write a clarification of dnt:c to apply to never-tracked resources [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action39]
<trackbot> Created ACTION-86 - Write a clarification of dnt:c to apply to never-tracked resources [on Nick Doty - due 2012-02-01].
<scribe> ACTION: tom lowenthal to draft new letter indicators [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action40]
<trackbot> Sorry, couldn't find user - tom
<aleecia> (tl)
<scribe> ACTION: tl to draft new values for the DNT states [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action41]
<trackbot> Sorry, amibiguous username (more than one match) - tl
<trackbot> Try using a different identifier, such as family name or username (eg. tleung2, tlowenth)
<tlr> ACTION: lowenthal to color bikeshed in distinguishable colors [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action42]
<trackbot> Created ACTION-87 - Color bikeshed in distinguishable colors [on Thomas Lowenthal - due 2012-02-01].
<npdoty> tl, I think IanF and other Google employees will complain if you increase the length of the response, even if only by a character
<tlr> ACTION-87: this action item actually refers to the DNT response header coding. requirements: brief, pronounceable, distinguishable.
<trackbot> ACTION-87 Color bikeshed in distinguishable colors notes added
Rigo: main reason for pushing response header was consent mechanism. static dnt=1 would serve this purpose better
kevin: could get rid of opt-dnt 1 and 3 by rolling it into except dnt3
Matthias: let's have tom & kevin sit together & discuss further.
... we have 2 ways to move forward (1) fix this expressive solution (2) a much simpler solution with a completely different design
Karl: we're getting ahead of the compliance doc
Ed: are we discussing whether to have finer granularity in reasons for tracking, should server say why they're allowed to track in a given context?
Aleecia: if we have the framework on compliance, it probably doesn't change much. so let's go down this road.
<aleecia> "I don't like it" is not a proposal :-)
<karl> another option is to have a first version which is very simple and can be more expressive later if we think we need it
Rigo: volunteers to try a simpler alternative
<karl> later = after implementations experience
<scribe> ACTION: rigo shane wiley roy fielding sean harvey to draft a simpler version of the spec [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action43]
<trackbot> Created ACTION-88 - Shane wiley roy fielding sean harvey to draft a simpler version of the spec [on Rigo Wenning - due 2012-02-01].
Week of FEb 3 for Action 88 (rigo is the leader of the group)
<karl> many technologies failed because the first version was too complex to implement
<tlr> ACTION-88: refers to DNT HTTP response header
<trackbot> ACTION-88 Shane wiley roy fielding sean harvey to draft a simpler version of the spec notes added
shane: we have exceptions from compliance doc. this says you're employing one of these exceptions or not & it doesn't seem valuable & adds non-useful complexity to the response header
david singer: wants to make sure there is a simple binary response for the user
Roy: options for what to call this response header. DNT, T...
<karl> MrT
shane: T is a bad idea because it is often used e.g. for "time"
Aleecia/Roy: TK will be the header name for the moment
<npdoty> +1 on TK
<scribe> ACTION: roy fielding to make final decision on response header name [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action44]
<trackbot> Created ACTION-89 - Fielding to make final decision on response header name [on Roy Fielding - due 2012-02-01].
<karl> ER ~ Emergency Room
ed felten: from law enforcement standpoint. assume a bad actor. I'm trying to catch them lying to the user. the more specific, the easier it is to do that. if there is only one value and there are 8 exceptions to hide behind its harder to figure out what's happening.
<bryan> I'm concerned about the amount of data traffic that this will generate, given that operational exceptions and outsourcing exceptions will be common for example, and the explanations will amount to a lot of text over time. I would prefer if any static response aspects could be in a file (XML, JSON) at the "well-known" URL, and the DNT header was a simple ack of DNT:1 or DNT:0.
Kevin: need to account for user & also expert "auditor" or complier
Bryan: worried amount of data this is goign to generate. any extra data static & sent on a regular basis, potentially billions of times a day for large sites
TL: this was previously handled
<bryan> brief explanation of the result would be at least courteous....
Rigo: each of these values/states should be easily testable
TL: that's not possible
<bryan> if not informative for others that are also not aware of it...
<npdoty> how significant is the cost of data, bryan? 5 or 6 additional characters on responses (which tend to be much larger than requests)?
karl: concern about developers making mistakes on the server side
<bryan> every static response adds up quickly
<bryan> this is why accept: */* is very common now in mobile devices
<npdoty> you can see discussion in http://www.w3.org/2011/11/01-dnt-minutes.html, where Ian's suggestion was about keeping it down to a few characters per response rather than full URLs
jonathan: 2 reasons he preferes more granularity (1) complexity overstated. site doesn't have to implement all of them, only a very small subset.
<npdoty> within those minutes, Ctrl-F "bytes" is a quick way to find the relevant area
jonathan: (2) there is real value to this additional data. analytics to let us know how it is being used etc
<npdoty> (I think bytes cost has been discussed since too, but those Santa Clara minutes was in my immediate memory)
aaaaand break
<npdoty> thanks for scribing, sean!
<bryan> Ian's response is understood, but from a network operator perspective the cost of carrying unnecessary bytes is excessive
<npdoty> scribenick: KevinT_
issue 43?
trackbot, issue=43?
<trackbot> Sorry, KevinT_, I don't understand 'trackbot, issue=43?'. Please refer to http://www.w3.org/2005/06/tracker/irc for help
dsigner: agree in principle
<tlr> issue-23 closed
<trackbot> ISSUE-23 Possible exemption for analytics closed
<tlr> issue-43 closed
<trackbot> ISSUE-43 Sites should be able to let the user know their options when they arrive with Do Not Track closed
<tlr> trackbot, reopen issue-23
<trackbot> ISSUE-23 Possible exemption for analytics re-opened
<tlr> issue-105?
<trackbot> ISSUE-105 -- Response header without request header? -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/105
<tlr> ACTION: Tom to modify response header text according to resolution of issue-105 (MUST, otherwise MAY) [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action45]
<trackbot> Sorry, couldn't find user - Tom
<tlr> ACTION: Lowenthal to modify response header text according to resolution of issue-105 (MUST, otherwise MAY) [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action46]
<trackbot> Created ACTION-90 - Modify response header text according to resolution of issue-105 (MUST, otherwise MAY) [on Thomas Lowenthal - due 2012-02-01].
<aleecia> (Tom is tl)
<tlr> issue-105 closed
<trackbot> ISSUE-105 Response header without request header? closed
107, 90, 48, 51, 76, 79 are all issues related to response headers
<rigo> issue-61?
<trackbot> ISSUE-61 -- A site could publish a list of the other domains that are associated with them -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/61
dsinger and shane to add issue 61 to existing action item (need to find #)
matthias; issue 47 moved to response header team
<tlr> issue-61?
<trackbot> ISSUE-61 -- A site could publish a list of the other domains that are associated with them -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/61
next topic: raised TPE issues
issue-114?
<trackbot> ISSUE-114 -- Guidance or mitigation of fingerprinting risk for user-agent-managed site-specific tracking exceptions -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/114
ISSUE-109?
<trackbot> ISSUE-109 -- siteSpecificTrackingExceptions property has fingerprinting risks: is it necessary? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/109
<tlr> ACTION: zeigler to write text on fingerprinting risk (ISSUE-109, ISSUE-114), with Nick Doty [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action47]
<trackbot> Created ACTION-91 - Write text on fingerprinting risk (ISSUE-109, ISSUE-114), with Nick Doty [on Andy Zeigler - due 2012-02-01].
<tlr> issue-109 open
<tlr> trackbot, issue-109 is open
<trackbot> Sorry, tlr, I don't understand 'trackbot, issue-109 is open'. Please refer to http://www.w3.org/2005/06/tracker/irc for help
issue=113?
<tlr> issue-113?
<trackbot> ISSUE-113 -- Should there be a JavaScript API to prompt for a Web-wide exception? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/113
<tlr> issue-109?
<trackbot> ISSUE-109 -- siteSpecificTrackingExceptions property has fingerprinting risks: is it necessary? -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/109
<tlr> issue-91?
<trackbot> ISSUE-91 -- Might want prohibitions on first parties re-selling data to get around the intent of DNT -- closed
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/91
<tlr> issue-114?
<trackbot> ISSUE-114 -- Guidance or mitigation of fingerprinting risk for user-agent-managed site-specific tracking exceptions -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/114
shane: first party context - ex: web-wide exception for widget (social network widget)
ksmith: can add widgets without going to widget publisher's site
ndoty: not a high priority
<tlr> ACTION: alan to write text for issue-113 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action48]
<trackbot> Created ACTION-92 - Write text for issue-113 [on Alan Chapell - due 2012-02-01].
<tlr> issue-113
<tlr> issue-113?
<trackbot> ISSUE-113 -- Should there be a JavaScript API to prompt for a Web-wide exception? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/113
issue=115?
<tlr> issue-115?
<trackbot> ISSUE-115 -- Should sites be able to manage site-specific tracking exceptions outside of the user-agent-managed system? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/115
issue-115?
<trackbot> ISSUE-115 -- Should sites be able to manage site-specific tracking exceptions outside of the user-agent-managed system? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/115
shane: need to consider existing opt-ins already in place, shouldnt be MUST
<rvaneijk> issue-14?
<trackbot> ISSUE-14 -- How does what we talk about with 1st/3rd party relate to European law about data controller vs data processor? -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/14
andyzei: not cool to overnotify users, DNT-2 - please don't track me even if you think you can
jeff chester: concerns around lack of transparency for out of band --> suggest best practices
<tlr> ACTION: jeff to write suggestions for best practices for issue-115, assisted by Ninja, Alan, Jim - due in 2 weeks [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action49]
<trackbot> Sorry, couldn't find user - jeff
<tlr> ACTION: chester to write suggestions for best practices for issue-115, assisted by Ninja, Alan, Jim - due in 2 weeks [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action50]
<trackbot> Created ACTION-93 - write suggestions for best practices for issue-115, assisted by Ninja, Alan, Jim [on Jeffrey Chester - due 1970-01-01].
<tlr> action-93 due 2012-02-07
<trackbot> ACTION-93 write suggestions for best practices for issue-115, assisted by Ninja, Alan, Jim due date now 2012-02-07
<tlr> issue-115?
<trackbot> ISSUE-115 -- Should sites be able to manage site-specific tracking exceptions outside of the user-agent-managed system? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/115
<bryan> +1 to Rigo's comment
jimK: past precedent of tracking cookies deposited without consent don't qualify for consent in DNT
jmayer: browsers have better set of incentives to educate users vs. business use of privacy policy; if not in browser - have stronger language around notice to be accountability
... opt-in api - allow for adding text to make user message easier to understand (vs. domain only)
<bryan> Re sites managing user preferences using out of band methods, browsers are not the only user agents intended to be covered by DNT requirements. Users may not be able to manage DNT preferences across all HTTP-based applications effectively, thus out of band methods can help ensure users can more effectively manage DNT options across all their HTTP-based apps.
<tlr> ACTION: jmayer to write proposal to communicate information about consent to user as part of opt back in API [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action51]
<trackbot> Created ACTION-94 - Write proposal to communicate information about consent to user as part of opt back in API [on Jonathan Mayer - due 2012-02-01].
rigo: to bryan - tpl revisited
jc wants to rumble
issue-112?
<trackbot> ISSUE-112 -- How are sub-domains handled for site-specific exceptions? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/112
issue-118?
<trackbot> ISSUE-118 -- Should requesting a user-agent-managed site-specific exception be asynchronous? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/118
<tlr> ACTION: npdoty to write proposal for asynchronous API (ISSUE-118) [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action52]
<trackbot> Created ACTION-95 - Write proposal for asynchronous API (ISSUE-118) [on Nick Doty - due 2012-02-01].
<npdoty> action-95 due 02-07
<trackbot> ACTION-95 Write proposal for asynchronous API (ISSUE-118) due date now 02-07
issue-62?
<trackbot> ISSUE-62 -- The browser or embedding site could send an architectural signal to an embedded iframe so it knows it's in a 3rd-party context -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/62
issue-46?
<trackbot> ISSUE-46 -- Enable users to do more granular blocking based on whether the site responds honoring Do Not Track -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/46
<tlr> trackbot, ping
<tlr> action-95 due 2012-02-07
<tlr> issue-62?
<tlr> issue-62 closed
<trackbot> Sorry, tlr, I don't understand 'trackbot, ping'. Please refer to http://www.w3.org/2005/06/tracker/irc for help
<trackbot> ACTION-95 Write proposal for asynchronous API (ISSUE-118) due date now 2012-02-07
<trackbot> ISSUE-62 -- The browser or embedding site could send an architectural signal to an embedded iframe so it knows it's in a 3rd-party context -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/62
<trackbot> ISSUE-62 The browser or embedding site could send an architectural signal to an embedded iframe so it knows it's in a 3rd-party context closed
<tlr> +1 to Tom. This is out of scope.
<karl> automatic is missing in that issue :)
tl: out of scope + matthias, rigo
<karl> issue-46?
<trackbot> ISSUE-46 -- Enable users to do more granular blocking based on whether the site responds honoring Do Not Track -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/46
<npdoty> issue-46?
<trackbot> ISSUE-46 -- Enable users to do more granular blocking based on whether the site responds honoring Do Not Track -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/46
issue-77?
<trackbot> ISSUE-77 -- How does a website determine if it is a first or third party and should this be included in the protocol? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/77
<tlr> issue-46: out of scope
<trackbot> ISSUE-46 Enable users to do more granular blocking based on whether the site responds honoring Do Not Track notes added
<tlr> issue-46 closed
<trackbot> ISSUE-46 Enable users to do more granular blocking based on whether the site responds honoring Do Not Track closed
discussed: don't need protocol close 77
trackbot, close issue-77
<trackbot> ISSUE-77 How does a website determine if it is a first or third party and should this be included in the protocol? closed
issue-108?
<trackbot> ISSUE-108 -- Should/could the tracking preference expression be extended to other protocols beyond HTTP? -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/108
<tl> Revised response header spec: https://pad.riseup.net/p/3g4uYDAvNb1n
dsinger: suggest text: future documents can be built with same effects into future protocols
jmayer: intent to apply to all protocols.
aleccia: add to dsinger's comments - original intent was for http, but can be mirrored to other protocols and still remain DNT
roy: belongs in compliance spec?
<karl> HTTP Tracking Preference Expression
<npdoty> "our work is designed to apply to all HTTP communications (including mobile apps) and may additionally be applied to additional protocols (ex: SPDY). While we design for HTTP, there is nothing to prevent other protocols from adopting the approaches, definitions, etc. we work out."
<bryan> http://tools.ietf.org/html/draft-ietf-core-coap-08 is the current version of CoAP and for M2M this will be the transport for HTTP-based applications on constrained bearers for machine-to-machine applications.
<scribe> ACTION: issue-108 jmayer to create text for other protocols [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action53]
<trackbot> Sorry, couldn't find user - issue-108
<karl> HTTP Tracking Preference Expression is one possible implementation of Tracking compliance specification
<scribe> ACTION: jmayer for issue 108 for future protocols [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action54]
<trackbot> Created ACTION-96 - For issue 108 for future protocols [on Jonathan Mayer - due 2012-02-01].
<scribe> ACTION: dsinger issue 108 add similar protocol statements to TPE [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action55]
<trackbot> Sorry, couldn't find user - dsinger
<npdoty> dsinger, I think the existing text in a note on ISSUE-108 would be a good starting point for that sentence to add to TPE; we discussed it on a call in December
<scribe> ACTION: dsinger add similar protocol language to TPE spec [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action56]
<trackbot> Sorry, couldn't find user - dsinger
<npdoty> ACTION: singer to add similar protocol language to TPE spec [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action57]
<trackbot> Created ACTION-97 - Add similar protocol language to TPE spec [on David Singer - due 2012-02-01].
<npdoty> action-97: dsinger, I think the existing text in a note on ISSUE-108 would be a good starting point for that sentence to add to TPE; we discussed it on a call in December
<trackbot> ACTION-97 Add similar protocol language to TPE spec notes added
trackbot, close issue-110
<trackbot> ISSUE-110 Is top-level-origin for outgoing requests workable for site-specific tracking exceptions? closed
issue-111?
<trackbot> ISSUE-111 -- Different DNT values to signify existence of associated exceptions -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/111
tl: feels this is covered already
rigo: +1 using p3p case example
ndoty: shane feels this is valuable use case for publishers (keep raised)
<karl> tl, does DNT:1 could block an HTTP referer? example an iframe. Thinking about the wikipedia just cited, where the tracking could occur just with the words in the URI.
<tlr> ACTION: shane to bring input on ISSUE-111 to the group; otherwise it's closed [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action58]
<trackbot> Created ACTION-98 - Bring input on ISSUE-111 to the group; otherwise it's closed [on Shane Wiley - due 2012-02-01].
<tl> karl, DNT not a technical measure, just a preference expression. Perhaps you could change your browser to add this behavior?
<karl> yup… but breaking a lot of things. :) hmmm difficult
<npdoty> action-98: Shane, since most of the people in the group were happy to close this issue now, we'd like to see an explanation of text/use cases for why we should continue to discuss it or adopt it
<trackbot> ACTION-98 Bring input on ISSUE-111 to the group; otherwise it's closed notes added
<clp> Hello, sorry to be late, I can't listen on phone but just wanted to drop in briefly.
<npdoty> trackbot, end meeting