W3C

- DRAFT -

Tracking Protection Working Group Brussels f2f

25 Jan 2012

See also: IRC log

Attendees

Present: Participants list
Regrets:
Chair: Aleecia (aleecia) and Matthias (schunter)
Scribe: npd, rigo, npdoty, rvaneijk, sean, KevinT_

<npd> scribenick: npd

Nota bene: Because of inconsistent Internet access during this day's meeting, the minutes may be incomplete in some areas. If you took offline notes that should be merged into these minutes, please contact npdoty@w3.org.

Introductions

schunter: improved our understanding of each other's views
... but can do better at closing issues (we closed none yesterday)
... want to get more text, since we'll be judged on our text not just our good ideas and discussion
... aleecia and I will work on ways for our process, more structured and text-focused

johnsimpson: I agree with your analysis, but we might try developing text with 2 or 3 people going outside of the room and come back with text

dsinger: we do seem a lot better at improving bad text than creating new text

schunter: for each issue, we need to identify a few people who need to create the text

johnsimpson: and it might be useful to have diametrically opposed people do it together

wileys: agree

schunter: need to have more stringent project management; homework for schunter and aleecia
... fielding has done a great job editing, but david singer has volunteered to help edit the TPE spec, thanks david!

<applause>

scribe volunteers: ninja, jeff, sean, KevinT, amyC

Presentation from Rob, Article 29 Working Party

rvaneijk: new version will be announced this afternoon
... Recital 66
... in the EU framework, we always think in terms of purposes, rather than notice and consent
... "users be provided with clear and comprehensive information"
... in the revised directive, disclosure needs to be up front
... need to decide whether this is in scope of Do Not Track or not

WileyS: Recital 66 goes on to say that existing cookie management tools would be sufficient

rvaneijk: don't worry, there's more slides <laughter>
... graphic (nodes and arcs) about sites visited and trackers
... leaves out any sharing of information on the server-side
... Article 5.3, about storing and accessing under consent from the user
... having been provided clear and comprehensive information
... in accordance with the broader Directive 95/46/EC legal framework, must have a legitimate purpose
... regarding the purposes of processing
... need another legitimate purpose for the processing
... Article 5.3 doesn't apply where a service is requested explicitly by the user (perhaps like our definition of "meaningful interaction"); gives us hooks we can work with to make life easier
... Recitals are like the memoranda of understanding that explain the law

schunter: what does "strictly necessary" mean for cookies, for example?

rvaneijk: still under debate about what the list of purposes will be that count as "strictly necessary"; cookies to store language preferences, for example

karl: what about feed readers and web-based email clients?

aleecia: some industry have said that all cookies for advertising are strictly necessary since advertising is necessary for their business

rvaneijk: for each exception (like frequency capping) would have to be considered
... could include data minimization
... and purpose limitation (not reusing data from one exception for some other purpose), could make it easier

bryan: this doesn't apply to server-based storage, right? just client-based?

rvaneijk: yes, but it's been said that evading the law using server-based mechanisms won't be tolerated
... trying to explain where this comes from, and it comes from confidentiality of communications
... like secrecy of mail, not looking into the envelope
... different categories of third parties involved in the ad bidding and ad network process
... 1st/3rd party vs. controller/processor
... three different types of parties: the controller who decides and determines the purposes
... the processor who is bound by contractor (BCRs as we discussed yesterday)
... a third party is the residual category of actors who have no specific legitimacy or contract
... if you are in the third category and don't have a legitimate purpose in the EU context, that will be a problem
... Working Party 29 Opinion 16/2011
... could work if:
... mechanisms enable users to express consent on a case-by-case basis
... and aren't tracked by default (which might be out of scope for us)
... consent must be freely given, specific and informed; the "explicit consent" we've discussed could be very close
... Recital 66 notes that browser configuration could be used for that purpose, could definitely fit our DNT work

fielding: why don't we just re-use all of these definitions?

rvaneijk: may not work with the notice and consent model
... and the technical definitions may not always fit with these legal definitions
... user perspectives, business perspectives, technical perspectives and two different legal perspectives
... suggest we keep using the technical terms and use footnotes or explanation to explain the connection

Speed dating with issues

ninja and tl scribing

<npdoty> scribenick: rigo

<tlr> ISSUE-7 closed

<trackbot> ISSUE-7 What types of tracking exist, and what are the use cases for these types of tracking? closed

<tlr> ISSUE-8 closed

<trackbot> ISSUE-8 How do we enhance transparency and consumer awareness? closed

<tlr> issue-9 closed

<trackbot> ISSUE-9 Understand all the different first- and third-party cases. closed

<tlr> issue-7: lack of interest at 2012-01-26 meeting

<trackbot> ISSUE-7 What types of tracking exist, and what are the use cases for these types of tracking? notes added

<tlr> issue-8: lack of interest at 2012-01-26 meeting

<trackbot> ISSUE-8 How do we enhance transparency and consumer awareness? notes added

<tlr> issue-9: lack of interest at 2012-01-26 meeting

<trackbot> ISSUE-9 Understand all the different first- and third-party cases. notes added

<tlr> issue-12: lack of interest at 2012-01-26 meeting

<trackbot> ISSUE-12 How does tracking require relation to unique identities, pseudonyms, etc.? notes added

<tlr> issue-12 closed

<trackbot> ISSUE-12 How does tracking require relation to unique identities, pseudonyms, etc.? closed

<tlr> ISSUE-16: discussed collection vs retention, not otherwise needed

<trackbot> ISSUE-16 What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.) notes added

<tlr> issue-16 closed

<trackbot> ISSUE-16 What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.) closed

<tlr> issue-20: touch upon unidentified / unidentifiable in compliance; Shane: challenge to write text

<trackbot> ISSUE-20 Different types of data, what counts as PII, and what definition of PII notes added

<tlr> issue-20 closed

<trackbot> ISSUE-20 Different types of data, what counts as PII, and what definition of PII closed

<tlr> ACTION: kevin to produce draft for ISSUE-21 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action01]

<trackbot> Sorry, amibiguous username (more than one match) - kevin

<trackbot> Try using a different identifier, such as family name or username (eg. ktrilli2, ksmith5)

<tlr> ACTION: trilli to produce draft for ISSUE-21 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action02]

<trackbot> Created ACTION-55 - Produce draft for ISSUE-21 [on Kevin Trilli - due 2012-02-01].

<tlr> ISSUE-21: jonathan mayer: difference between response header and technical verification is what brought this up initially.

<trackbot> ISSUE-21 Enable external audit of DNT compliance notes added

<tlr> ACTION: mayer to draft text for issue-28 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action03]

<trackbot> Created ACTION-57 - Draft text for issue-28 [on Jonathan Mayer - due 2012-02-01].

<tlr> ACTION: amy to draft text for issue-28 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action04]

<trackbot> Created ACTION-58 - Draft text for issue-28 [on Amy Colando - due 2012-02-01].

<tlr> issue-33: likely duplicate

<trackbot> ISSUE-33 Complexity of user choice (are exemptions exposed to users?) notes added

<tlr> ACTION: npdoty to find duplicate for ISSUE-33, add note [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action05]

<trackbot> Created ACTION-59 - Find duplicate for ISSUE-33, add note [on Nick Doty - due 2012-02-01].

<tlr> issue-35?

<trackbot> ISSUE-35 -- How will DNT interact with existing opt-out programs (industry self-reg, other)? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/35

<tlr> issue-38 closed

<trackbot> ISSUE-38 Granularity for different people who share a device or browser closed

<tlr> issue-41 closed

<trackbot> ISSUE-41 Consistent way to discuss tracking with users (terminology matters!) closed

<tlr> issue-43: addressed by site-specific exceptions

<trackbot> ISSUE-43 Sites should be able to let the user know their options when they arrive with Do Not Track notes added

<tlr> issue-43 closed

<trackbot> ISSUE-43 Sites should be able to let the user know their options when they arrive with Do Not Track closed

<tlr> trackbot, reopen issue-43

<trackbot> ISSUE-43 Sites should be able to let the user know their options when they arrive with Do Not Track re-opened

<tlr> ACTION: npdoty to find out whether ISSUE-43 is a duplicate (and of what) [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action06]

<trackbot> Created ACTION-60 - Find out whether ISSUE-43 is a duplicate (and of what) [on Nick Doty - due 2012-02-01].

<tlr> ACTION-60: close issue-43 with appropriate annotation

<trackbot> ACTION-60 Find out whether ISSUE-43 is a duplicate (and of what) notes added

<tlr> issue-45?

<trackbot> ISSUE-45 -- Companies making public commitments with a "regulatory hook" for US legal purposes -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/45

<tlr> ACTION: tl to write no-change proposal for ISSUE-45 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action07]

<trackbot> Sorry, amibiguous username (more than one match) - tl

<trackbot> Try using a different identifier, such as family name or username (eg. tleung2, tlowenth)

<tlr> ACTION: lowenthal to write no-change proposal for ISSUE-45 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action08]

<trackbot> Created ACTION-61 - Write no-change proposal for ISSUE-45 [on Thomas Lowenthal - due 2012-02-01].

<tlr> ACTION: mayer to write "text in privacy policy" proposal for ISSUE-45 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action09]

<trackbot> Created ACTION-62 - Write "text in privacy policy" proposal for ISSUE-45 [on Jonathan Mayer - due 2012-02-01].

<tlr> issue-54?

<trackbot> ISSUE-54 -- Can first party provide targeting based on registration information even while sending DNT -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/54

<tlr> issue-15?

<trackbot> ISSUE-15 -- What special treatment should there be for children's data? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/15

<tlr> ISSUE-15: consensus this is not an issue we take on specifically; fall back to applicable law

<trackbot> ISSUE-15 What special treatment should there be for children's data? notes added

<npdoty> issue-15 pending review

<tlr> issue-15 closed

<trackbot> ISSUE-15 What special treatment should there be for children's data? closed

<npdoty> issue-36?

<trackbot> ISSUE-36 -- Should DNT opt-outs distinguish between behavioral targeting and other personalization? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/36

<tlr> ACTION: lowenthal to write counter-proposal for issue-36 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action10]

<trackbot> Created ACTION-63 - Write counter-proposal for issue-36 [on Thomas Lowenthal - due 2012-02-01].

<tlr> ISSUE-36: current text intended *specifically* for third parties

<trackbot> ISSUE-36 Should DNT opt-outs distinguish between behavioral targeting and other personalization? notes added

<npdoty> I think we probably need different action items for different counter-proposals

<npdoty> jeff, ninja, nick, tom are the interested parties for issue-36 counter-proposals

<tlr> ISSUE-36: JeffC, ninja, Nick, Tom will review action

<trackbot> ISSUE-36 Should DNT opt-outs distinguish between behavioral targeting and other personalization? notes added

<tlr> issue-39?

<trackbot> ISSUE-39 -- Tracking of geographic data (however it's determined, or used) -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/39

<tlr> issue-39: historic data covered; real-time use out of scope

<trackbot> ISSUE-39 Tracking of geographic data (however it's determined, or used) notes added

<tlr> ISSUE-16 reopened

<tlr> trackbot, reopen ISSUE-16

<trackbot> ISSUE-16 What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.) re-opened

SW: issue 63 is out of scope of DNT

<tlr> ACTION: jonathan to propose new text for ISSUE-16 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action11]

<trackbot> Created ACTION-64 - Propose new text for ISSUE-16 [on Jonathan Mayer - due 2012-02-01].

<tlr> ACTION: lowenthal to propose clarification on ISSUE-39 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action12]

<trackbot> Created ACTION-65 - Propose clarification on ISSUE-39 [on Thomas Lowenthal - due 2012-02-01].

<tlr> ACTION: chester to propose counterproposal for ISSUE-39 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action13]

<trackbot> Created ACTION-66 - Propose counterproposal for ISSUE-39 [on Jeffrey Chester - due 2012-02-01].

issue-16: Jonathan to propose new text

<trackbot> ISSUE-16 What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.) notes added

<tlr> ACTION: justin to propose text on ISSUE-39 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action14]

<trackbot> Created ACTION-67 - Propose text on ISSUE-39 [on Justin Brookman - due 2012-02-01].

<tlr> issue-54?

<trackbot> ISSUE-54 -- Can first party provide targeting based on registration information even while sending DNT -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/54

SW: can third parties use registration information from first party

<tlr> SH: need to generalize beyond first registration data

Jeff: DNT should trump

Sean: this is more than registration data

Justin: information is not covered. That needs to be clarified

<tlr> ACTION: justin to provide text on ISSUE-54 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action15]

<trackbot> Created ACTION-68 - Provide text on ISSUE-54 [on Justin Brookman - due 2012-02-01].

<npdoty> action-68: we need to clarify that data collected while you're a first party can't be used later as a third-party (in a third-party ad context, for example)

<trackbot> ACTION-68 Provide text on ISSUE-54 notes added

<tlr> SW: argue that use of registration information should only happen in first-party contexts

MS: if advertising on Yahoo as first party, this trumps DNT signal

SW: we have some out of band agreement to have photo logged on Blog. That will be conflict with DNT
... explicit consent will trump DNT

TL: agree, but difference with real consent and some general conditions

Sean: specific registration, suggest to close this issue

<tlr> ACTION: harvey to propose renaming issue-54 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action16]

<trackbot> Created ACTION-69 - Propose renaming issue-54 [on Sean Harvey - due 2012-02-01].

Andy: we have issue 65

<tlr> issue-65?

<trackbot> ISSUE-65 -- How does logged in and logged out state work -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/65

JC: if we do that all social widgets will be disabled

TL: disagreed with the premise, disagreed to have anything in the text

<tlr> ACTION: lowenthal to review andy's text on issue-65 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action17]

<trackbot> Created ACTION-70 - Review andy's text on issue-65 [on Thomas Lowenthal - due 2012-02-01].

<tlr> ACTION: zeigler to link previous text proposal from issue-65 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action18]

<trackbot> Created ACTION-71 - Link previous text proposal from issue-65 [on Andy Zeigler - due 2012-02-01].

MS: to Tom, if you find to agree with Andy just send empty counterproposal

<tlr> issue-95?

<trackbot> ISSUE-95 -- May an institution or network provider set a tracking preference for a user? -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/95

issue-95?

<trackbot> ISSUE-95 -- May an institution or network provider set a tracking preference for a user? -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/95

SW: intermediaries that should not modify signal

<npdoty> action-71: Andy had already written a draft shared with Tom and some revisions, but would be good to link that directly to issue-65

<trackbot> ACTION-71 Link previous text proposal from issue-65 notes added

AM: not to be discussed now. Matthias business

<tlr> issue-74?

<trackbot> ISSUE-74 -- Are surveys out of scope? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/74

<tlr> issue-25?

<trackbot> ISSUE-25 -- Possible exemption for research purposes -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/25

issue-74?

<trackbot> ISSUE-74 -- Are surveys out of scope? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/74

AM: action on me

<tlr> ACTION: kathy to review aleecia's draft on issue-25, issue-74 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action19]

<trackbot> Created ACTION-72 - Review aleecia's draft on issue-25, issue-74 [on Kathy Joe - due 2012-02-01].

Kathy offers to review that text

AM: please send directly to the mailing list

<npdoty> issue-74: could also connect to the Market Research exception discussed 24 January 2012

<trackbot> ISSUE-74 Are surveys out of scope? notes added

issue-91?

<trackbot> ISSUE-91 -- Might want prohibitions on first parties re-selling data to get around the intent of DNT -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/91

Justin: 4.1 of compliance spec

<tlr> issue-91 closed

AM: propose to close the issue

<trackbot> ISSUE-91 Might want prohibitions on first parties re-selling data to get around the intent of DNT closed

Resolution: current text accepted

<npdoty> issue-91: closed as per the existing text "If an operator of a first party domain stores a request to which a [DNT-ON] header is attached, that operator must not transmit information about that stored communication to a third party, outside of the explicitly expressed exceptions as defined in this standard."

<trackbot> ISSUE-91 Might want prohibitions on first parties re-selling data to get around the intent of DNT notes added

AM: editorial pass at the end of the process to get wording in line
... what is a user?

Ninja: Tom and I are still working on this

<tlr> issue-91?

<trackbot> ISSUE-91 -- Might want prohibitions on first parties re-selling data to get around the intent of DNT -- closed

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/91

<tlr> issue-101?

<trackbot> ISSUE-101 -- What is a user? add to defns -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/101

TL: Please put deadline on me and Ninja to come up with a wording until 3 Feb

<npdoty> the action is action-40

AM: issue-101 move from pending to open

<tlr> action-101?

<trackbot> ACTION-101 does not exist

<tlr> ISSUE-101?

<trackbot> ISSUE-101 -- What is a user? add to defns -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/101

issue-104?

<trackbot> ISSUE-104 -- Could use a better defn of user agent, rather than browser -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/104

AM: good text that came in from Roy.

<tlr> issue-104 closed

<trackbot> ISSUE-104 Could use a better defn of user agent, rather than browser closed

AM: close issue 104

<tlr> ISSUE-104: section 3.11 user agent

<trackbot> ISSUE-104 Could use a better defn of user agent, rather than browser notes added

3.11 text accepted

DS: exception and exemption are not used consistently

AM: used in different ways, I'm mixed up too

<npdoty> scribenick: npdoty

What are we doing here?

aleecia: some things that I've heard

<rvaneijk> Aleecia: Do Not Track profile

<rvaneijk> ... Do not X-site track

aleecia: Do Not Profile -- continue to collect, but don't profile
... Do Not Cross-site Track
... Do Not Cross Time Track

rigo: a scenario where somebody visits a site on medical information to inform himself, and this is shared with his insurance which affects his fees when they assume that he's sick
... a pure 1st-party scenario
... can or should Do Not Track address that?

aleecia: discuss this list or add to the categories first; later we can look at specific use cases

dsinger: do not build a database? is that different than "Do Not Profile"?

jimk: about data collection/retention, unlike the others

WileyS: I think do-not-profile can be characterized in that way

tl: treat me as someone about whom you know nothing and remember nothing about me

aleecia: every impression is a first impression, like "Do Not Track Across Time"

fielding: tl, do you intend that to also include 1st parties?

tl: this would only apply if I didn't intend to communicate with you, so 1st parties would be exempt

sean: concerned about 1st/3rd party distinction for these

dsinger: we can separately define the exceptions to tracking, but the definition of tracking is under discussion now

fielding: applying to ePrivacy directive
... including the first party issues that have to do with setting cookies
... setting cookies as a first party under the ePrivacy directive might be something we're trying to address here

rigo: recording consent in the first party context

<cross-talk: should we be having this high-level conversation?>

rvaneijk: tracking is "following user behavior across sites"

mzaneis: pretty clear that the Internet is based on data collection; everybody collects data and everybody tracks

karl: distinction of cross-site tracking between companies or by services

<jmayer> jmayer: If your views on web privacy reduce to one word, you are part of the problem, not part of the solution.

johnsimpson: do not track should mean do not collect

wileys: "do not target", even if it's not going to be popular in the room <some laughter>

<rvaneijk> vtoubiana: if do not profile means do not remember?

vincent: would recommend-- remember my interests, but not the sites that I visited

<rvaneijk> JC: pulling profiles out of a log file is different

scribe not sure he got that one right

<rvaneijk> DGINFSO: identifiability is enough of a distinction

alex: do not collect data unique to a user

<rvaneijk> bsullivan: not including PII?

bryan: isn't that the same as not collecting PII?

aleecia: Google opt-out cookie might be an example in practice
... aggregation as another potential tool

collection, retention, use, minimization, aggregation

Do Not Target: still allows collection, allows retention, has a use limitation, could have minimization, aggregation unlikely

Do Not Profile: allows collection, allows retention, use limitation

Do Not Create A Profile: limits collection, limits retention, some kind of minimization?

Do Not Cross Site Track (dsinger): tunnel vision, don't remember anything about the interaction except what took place between you and the user

scribe: impacts collection, impacts retention (in a different way), doesn't limit use

Do Not Cross Time Track / Forget Me / Don't Remember Me / a stateless service: allows collection, prohibits retention, no other changes

Do Not Collect Identifiable Information: affects collection and retention

aleecia: collection will generally always involve retention, right?
... minimization and aggregation don't differentiate between these proposals

ninja: what's the difference between Do Not Target and Do Not Profile?

WileyS: Do Not Target would create a profile and keep it around in case the user changes their mind

Do Not Profile is just Do Not Create A Profile

Do Not Collect Identifiable Information might be mostly about aggregation

aleecia: Do Not Remember Me is the more-than-just-advertising view of Do Not Profile

<rvaneijk> ndoty: use limitation instead of data collection limitation

<rvaneijk> shane: categorisation is key in creating profiles

<scribe> scribenick: rvaneijk

rigo: can data that has been collected be shared to other parties

rfielding: it is ok to customize for current session
... so targeting in current session based on data collected in current session

swiley: if we only can vote for one, then distinguish enough between options

<npdoty> no support for Do Not Target

<npdoty> some support for all others, perhaps less for the last one around which there was confusion

aleecia: humming result: do not target is off the list

<npdoty> ACTION: ninja to write-up Do Not Collect Identifiable Information [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action20]

<trackbot> Created ACTION-73 - Write-up Do Not Collect Identifiable Information [on Ninja Marnau - due 2012-02-01].

<npdoty> action-73 due 02-08

<trackbot> ACTION-73 Write-up Do Not Collect Identifiable Information due date now 02-08

<npdoty> ACTION: jeffc to write-up Do Not Create A Profile [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action21]

<trackbot> Sorry, couldn't find user - jeffc

<npdoty> ACTION: chester to write-up Do Not Create A Profile [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action22]

<trackbot> Created ACTION-74 - Write-up Do Not Create A Profile [on Jeffrey Chester - due 2012-02-01].

<npdoty> ACTION: shane to write-up a hybrid of Do Not Profile and Do Not Cross-Site Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action23]

<trackbot> Created ACTION-75 - Write-up a hybrid of Do Not Profile and Do Not Cross-Site Track [on Shane Wiley - due 2012-02-01].

<npdoty> ACTION: kevin smith to write up Do Not Cross-Site Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action24]

<trackbot> Sorry, amibiguous username (more than one match) - kevin

<trackbot> Try using a different identifier, such as family name or username (eg. ktrilli2, ksmith5)

<npdoty> ACTION: ksmith5 to write up Do Not Cross-Site Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action25]

<trackbot> Created ACTION-76 - Write up Do Not Cross-Site Track [on Kevin Smith - due 2012-02-01].

<npdoty> ACTION: singer to write up Do Not Cross-Site Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action26]

<trackbot> Created ACTION-77 - Write up Do Not Cross-Site Track [on David Singer - due 2012-02-01].

<tlr> issue-5?

<trackbot> ISSUE-5 -- What is the definition of tracking? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/5

rfielding: please attach all comments on these action items as issue-5

<npdoty> ACTION: karl to write up Forget Me/ Do Not Cross Time Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action27]

<trackbot> Created ACTION-78 - Write up Forget Me/ Do Not Cross Time Track [on Karl Dubost - due 2012-02-01].

<npdoty> aleecia: for each, please tag with issue-5, a description and use cases

dsinger: implications on structure of document and use of already drafted terms

aleecia: will take this into account in future process of dealing with the issuelist

ksmith: all depends on what we are going to do. Therefore it is important to choose as a group on what we are going to do. So we can answer the question: does this text meet our objectives?

<npdoty> back at 1:30

<dsinger> issue-25?

<trackbot> ISSUE-25 -- Possible exemption for research purposes -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/25

<sean> We are online baby!

<sean> Matthias: we now move to TPE spec

Tracking Preference Expression issues

<npdoty> scribenick: sean

Matthias: goal is to assign as many of the issues as possible
... has a list of pending items on the screen: let's go through the list together

ISSUE-27 - how should opt back in mechanism be decided. draft text from shane & nick.

Nick: overview. the idea is that some sites may want to ask for an exception. your browser will know all of your exceptions. no need to track out of band exceptions.
... A JS API keeps track of the exceptions asynchronously.
... DOM property could check for exceptions & wouldn't need to prompt the user.
... Exceptions limited to origin pair. while i browse site x, vendor y can "track" me

Adobe: does not currently pass first party info to third party, Nick/Shane: this is an open item.

Rigo: the way browsers work may clash with our party definitions. we need to measure pain of sticking with browser definitions vs benefits of enlarging first party definitions (multiple first parties, etc.)

Nick: spec is agnostic on how the data is stored, done on client side but client can choose how (in answer to Tom from Opera)

Shane: it's up to each vendor to decide on the interface

Matthias: main issue: does this work where there are multiple first parties? and is the proposed format expressive enough.

ACTION ITEM for ISSUE 27 for Tom: validate whether TPE lists can be used to store opt-back-in features or not.

<trackbot> Sorry, couldn't find user - ITEM

ACTION ITEM for Issue 27: Shane to work with David Singer & Nick to determine whether David's party paradigm would resolve this issue.

<trackbot> Sorry, couldn't find user - ITEM

Shane: what you would store in the 1/3 party pair would be the parent. Nick is skeptical.

thx

<scribe> ACTION: Tom to validate whether TPE lists can be used to store opt-back-in features or not [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action28]

<trackbot> Sorry, couldn't find user - Tom

<aleecia> (helps to have a deadline too, like ACTION: Tom to make cookies by tuesday)

<aleecia> (Tom = tl)

<tl> No, that item was assigned to Karl?

yes sorry

<scribe> ACTION: karl dubost to validate whether TPE lists can be use to store opt-back-in features or not [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action29]

<trackbot> Created ACTION-79 - Dubost to validate whether TPE lists can be use to store opt-back-in features or not [on Karl Dubost - due 2012-02-01].

<scribe> ACTION: dsinger with shane to determine whether dave singer's new party paradigm would be a solution for Issue 27 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action30]

<trackbot> Sorry, couldn't find user - dsinger

<scribe> ACTION: david singer and shane wiley to determine whether dave singer's paradigm on parties would be a solution for Issue 27 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action31]

<trackbot> Created ACTION-80 - Singer and shane wiley to determine whether dave singer's paradigm on parties would be a solution for Issue 27 [on David Singer - due 2012-02-01].

<rigo> ACTION: Karl to validate whether the TPLs can also express a cluster of whitelists for use with the Javascript API as defined by Nick [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action32]

<trackbot> Created ACTION-81 - Validate whether the TPLs can also express a cluster of whitelists for use with the Javascript API as defined by Nick [on Karl Dubost - due 2012-02-01].

Matthias: Shane can get us an opinion on Action 81 in the next week
... close the discussion on Issue 27

<rigo> trackbot, drop Action-81

<trackbot> Sorry, rigo, I don't understand 'trackbot, drop Action-81'. Please refer to http://www.w3.org/2005/06/tracker/irc for help

<rigo> trackbot, close Action-81

<trackbot> ACTION-81 Validate whether the TPLs can also express a cluster of whitelists for use with the Javascript API as defined by Nick closed

<rigo> was duplicate

Issue 78: what's the difference between absence of DNT header and DNT=0

<tl> ACTION: tl to Assess the proposed JavaScript opt-back-in API with Mozilla mothership's JS gurus [ISSUE-27]. [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action33]

<trackbot> Sorry, amibiguous username (more than one match) - tl

<trackbot> Try using a different identifier, such as family name or username (eg. tleung2, tlowenth)

Roy: current text does not have consensus. could put an action item on roy to put an action item to edit & put a new draft into the spec.

<tl> ACTION: tlowenth to Assess the proposed JavaScript opt-back-in API with Mozilla mothership's JS gurus [ISSUE-27]. [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action34]

<trackbot> Created ACTION-82 - Assess the proposed JavaScript opt-back-in API with Mozilla mothership's JS gurus [ISSUE-27]. [on Thomas Lowenthal - due 2012-02-01].

Roy: this conversation relates to meanings of DNT 1 & 0, relative to compliance items (cross-tracking) being in the header spec

Shane: other issue was DNT=nothing instead of not sending a DNT header at all. related potentially to eprivacy.

Rigo: We should require the sending of DNT unset, because only then does the service know you can trigger an opt back in (if they get consent)

TL: disagrees. you'll know which ua version supports DNT

Nick: you could check for the js method.

Kevin: should be an option for DNT-OFF. e.g. if dnt is on by default, someone could set the preference globally to OFF

TL: when you see a DNT header, it's talking to you. so you should not be able to get anything on the state of the rest of the world.

Aleecia: don't think that's going to happen based on how we are building it. legislation might be that if you don't get a signal then you have to assume it is on

Shane: would help in knowing whether a given browser version is capable of passing DNT header

<scribe> ACTION: roy fielding to take the text from the email conversation & place it in the doc [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action35]

<trackbot> Created ACTION-83 - Fielding to take the text from the email conversation & place it in the doc [on Roy Fielding - due 2012-02-01].

Aleecia: need non-normative text that makes the purpose of 0 clearer

TL: not happy passing null for a mozilla user
... happy with the current proposal. Matthias asks we wait for Roy's next text version & we will comment further from there

<scribe> ACTION: describe the reason for setting DNT=null [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action36]

<trackbot> Sorry, couldn't find user - describe

<scribe> ACTION: shane wiley to describe the reason for setting DNT=null [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action37]

<trackbot> Created ACTION-84 - Wiley to describe the reason for setting DNT=null [on Shane Wiley - due 2012-02-01].

ISSUE 84 Do we need a JS API / DOM property for client side js access to DNT status

<rigo> trackbot, comment ACTION-83 take text from email about section for and DNT-header values

<trackbot> ACTION-83 Fielding to take the text from the email conversation & place it in the doc notes added

Jonathan: comfortable where we are now, no objections to text

Tom: remove the ability to set this within the DOM. it will always be an HTTP request. Shane seconds this.

Rigo: not sure why this can take different values

Shane: If you're a 3p on a 1p DOM, if i look into the DOM header the current signal is 1. but site specific exception is in place and that's 0. you would have to start building business rules on different signals from DOM vs HTTP request

Jonathan: agrees. there are ways of making JS DNT aware that is in the JS provided by the browser. website can serve some js that reflects what the server received in the header. not hard to write & will always be correct. also comfortable dropping DOM with some discussion explaining why.

Thomas: we want to figure out a way that no party finds out the settings for other parties. it might be worth having a few people put their heads together & think it through a bit more. if we get site specific exceptions solved cleanly i suspect we will have this solved as well

Matthias: let's drop this & charge a group with leader to find a way to repair it. if not, drop it.

Rigo: which use cases will we love if we do not have JS API?

Thomas: everyone agrees API is not going to work. let's remove the text since we don't know how to fix it. if people come up with new proposal we can create a new issue.

much debate about whether or not we should close this issue, or open a new issue

<tlr> proposed: close issue-96, re-open issue-84

<aleecia> jmayer: difference between browser API and not. Is the issue one about should js be DNT aware? (If so, yes, we have a proposal.)

Jonathan: will send an email to the list on technical solutions (possible), or do we need an issue specifically on an API & leave that issue open?

<scribe> ACTION: jonathan mayer to draft text to send out around a potential technical solution [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action38]

<trackbot> Created ACTION-85 - Mayer to draft text to send out around a potential technical solution [on Jonathan Mayer - due 2012-02-01].

ISSUE 87

<rigo> issue-87?

<trackbot> ISSUE-87 -- Should there be an option for the server to respond with "I don't know what my policy is" -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/87

<scribe> closed; Issue 87

<tlr> issue-86?

<trackbot> ISSUE-86 -- Do we have general extensibility capability for header response? -- closed

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/86

<npdoty> close issue-87

<trackbot> ISSUE-87 Should there be an option for the server to respond with "I don't know what my policy is" closed

<scribe> closed ISSUE-87

<scribe> closed: Issue-87

<rigo> trackbot, close issue-87

<trackbot> ISSUE-87 Should there be an option for the server to respond with "I don't know what my policy is" closed

Issue 95

<rigo> issue-95?

<trackbot> ISSUE-95 -- May an institution or network provider set a tracking preference for a user? -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/95

may an institution or a network provider set a TPE for a user?

y please

bryan sullivan: want the ability to express a preference by a corporation, for a family

david singer: is it ok i agree to be tracked because i am using wifi in a given hotel?

shane: a legal issue, but potentially yes

<rigo> the general setting would kill the user consent thingy as it wouldn't be the user's consent anymore

jim killock: believes setting DNT on is legitimate, setting it off is not

thomas: do we have any contributors in this room that want to propose changes to this text? would otherwise prefer we close the issue.

Bryan Sullivan: must the preference be managed just on the device

shane: no we explicitly called out that it is not limited in this way

david singer: can we have some examples to back up this text? Shane -- we provided on the email chain

close: issue-95

<tlr> issue-95 closed

<trackbot> ISSUE-95 May an institution or network provider set a tracking preference for a user? closed

issue-96?

<trackbot> ISSUE-96 -- The doNotTrack attribute should mirror the value of the header (potentially empty, extensions, etc.) -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/96

<tlr> issue-96?

<trackbot> ISSUE-96 -- The doNotTrack attribute should mirror the value of the header (potentially empty, extensions, etc.) -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/96

<tlr> issue-96 closed

<trackbot> ISSUE-96 The doNotTrack attribute should mirror the value of the header (potentially empty, extensions, etc.) closed

<tlr> issue-84?

<trackbot> ISSUE-84 -- Do we need a JavaScript API / DOM property for client-side js access to Do Not Track status? -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/84

close: issue-96

<rigo> trackbot, close issue-96

<trackbot> ISSUE-96 The doNotTrack attribute should mirror the value of the header (potentially empty, extensions, etc.) closed

Response headers

matthias: 3 high level areas: (1) Elements (fields) if we send the header, what elements go into it?

(2) when to send the response headers

(3) misc

Rigo: caching is likely to take up a lot of time

TL: main components: 1/3p, whether subject to exceptions, option for server to tell users they're opted back in, response for catchable objects

no-dnt -- not allowed, means you're not in compliance. for now it is a reserved value

well-known URI: whatever exceptions you are claiming there. not sure if its human readable or not yet

<rigo> DNT: P3P-URI would be also nice :)

TL: main idea: on resources which tracking occurs, the access of that resource could produce data compatible with DNT, you get a response header.

caching situation: tracking doesn't take place here, so not needed

Rigo: concerned the solution is overly complex with too many values. also has URI that points to further documentation that might contradict the meaning

TL: feels this is covered in the spec. not allowed to contradict.
... header that says " we follow DNT" is not as useful to a client browser that wants to take dynamic actions based on levels of compliance

Alex: compliance is definitive, yes or no. if i the server have an exception with you through the user via a website visited, or through a backend contract. when a server comes in with DNT-on I don't know why that is the case.

Matthias: the concern here is that the server side third party may not be able to distinguish between these different values and may not know how to respond accurately.

Alex: would be easier to send a static header response

Kevin: this is very thorough. however i find it overly complicated & confusing and a little redundant. haven't heard a use case to present a big enough advantage to justify the cost of the complexity involved here.
... greatly simplified when you look at it as cross site tracking instead of 1st v 3rd

<bryan> +1 to Kevin's concern over the complexity of including 1st and 3rd party distinction in the response

Nick: DNT=0 -- could we specify the syntax. DNT=0 indicates you don't comply. move some of this language to the compliance spec.
... if I know i am never going to track, what value should I set?

<npdoty> I think we could clarify dnt:c to apply to any resource that surely won't be tracked

Roy: edit: if a message is marked as cacheable, it is considered compliant
... little o, big o and 0 seems like a bad idea. pick letters that are not confused with one another

TL: Ok to use 3 letters? people say yes

<npdoty> ACTION: doty to write a clarification of dnt:c to apply to never-tracked resources [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action39]

<trackbot> Created ACTION-86 - Write a clarification of dnt:c to apply to never-tracked resources [on Nick Doty - due 2012-02-01].

<scribe> ACTION: tom lowenthal to draft new letter indicators [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action40]

<trackbot> Sorry, couldn't find user - tom

<aleecia> (tl)

<scribe> ACTION: tl to draft new values for the DNT states [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action41]

<trackbot> Sorry, amibiguous username (more than one match) - tl

<trackbot> Try using a different identifier, such as family name or username (eg. tleung2, tlowenth)

<tlr> ACTION: lowenthal to color bikeshed in distinguishable colors [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action42]

<trackbot> Created ACTION-87 - Color bikeshed in distinguishable colors [on Thomas Lowenthal - due 2012-02-01].

<npdoty> tl, I think IanF and other Google employees will complain if you increase the length of the response, even if only by a character

<tlr> ACTION-87: this action item actually refers to the DNT response header coding. requirements: brief, pronounceable, distinguishable.

<trackbot> ACTION-87 Color bikeshed in distinguishable colors notes added

Rigo: main reason for pushing response header was consent mechanism. static dnt=1 would serve this purpose better

kevin: could get rid of opt-dnt 1 and 3 by rolling it into except dnt3

Matthias: let's have tom & kevin sit together & discuss further.
... we have 2 ways to move forward (1) fix this expressive solution (2) a much simpler solution with a completely different design

Karl: we're getting ahead of the compliance doc

Ed: are we discussing whether to have finer granularity in reasons for tracking, should server say why they're allowed to track in a given context?

Aleecia: if we have the framework on compliance, it probably doesn't change much. so let's go down this road.

<aleecia> "I don't like it" is not a proposal :-)

<karl> another option is to have a first version which is very simple and can be more expressive later if we think we need it

Rigo: volunteers to try a simpler alternative

<karl> later = after implementations experience

<scribe> ACTION: rigo shane wiley roy fielding sean harvey to draft a simpler version of the spec [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action43]

<trackbot> Created ACTION-88 - Shane wiley roy fielding sean harvey to draft a simpler version of the spec [on Rigo Wenning - due 2012-02-01].

Week of Feb 3 for Action 88 (rigo is the leader of the group)

<karl> many technologies failed because the first version was too complex to implement

<tlr> ACTION-88: refers to DNT HTTP response header

<trackbot> ACTION-88 Shane wiley roy fielding sean harvey to draft a simpler version of the spec notes added

shane: we have exceptions from compliance doc. this says you're employing one of these exceptions or not & it doesn't seem valuable & adds non-useful complexity to the response header

david singer: wants to make sure there is a simple binary response for the user

Roy: options for what to call this response header. DNT, T...

<karl> MrT

shane: T is a bad idea because it is often used e.g. for "time"

Aleecia/Roy: TK will be the header name for the moment

<npdoty> +1 on TK

<scribe> ACTION: roy fielding to make final decision on response header name [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action44]

<trackbot> Created ACTION-89 - Fielding to make final decision on response header name [on Roy Fielding - due 2012-02-01].

<karl> ER ~ Emergency Room

ed felten: from law enforcement standpoint. assume a bad actor. I'm trying to catch them lying to the user. the more specific, the easier it is to do that. if there is only one value and there are 8 exceptions to hide behind it's harder to figure out what's happening.

<bryan> I'm concerned about the amount of data traffic that this will generate, given that operational exceptions and outsourcing exceptions will be common for example, and the explanations will amount to a lot of text over time. I would prefer if any static response aspects could be in a file (XML, JSON) at the "well-known" URL, and the DNT header was a simple ack of DNT:1 or DNT:0.

Kevin: need to account for user & also expert "auditor" or complier

Bryan: worried amount of data this is going to generate. any extra data static & sent on a regular basis, potentially billions of times a day for large sites

TL: this was previously handled

<bryan> brief explanation of the result would be at least courteous....

Rigo: each of these values/states should be easily testable

TL: that's not possible

<bryan> if not informative for others that are also not aware of it...

<npdoty> how significant is the cost of data, bryan? 5 or 6 additional characters on responses (which tend to be much larger than requests)?

karl: concern about developers making mistakes on the server side

<bryan> every static response adds up quickly

<bryan> this is why accept: */* is very common now in mobile devices

<npdoty> you can see discussion in http://www.w3.org/2011/11/01-dnt-minutes.html, where Ian's suggestion was about keeping it down to a few characters per response rather than full URLs

jonathan: 2 reasons he prefers more granularity (1) complexity overstated. site doesn't have to implement all of them, only a very small subset.

<npdoty> within those minutes, Ctrl-F "bytes" is a quick way to find the relevant area

jonathan: (2) there is real value to this additional data. analytics to let us know how it is being used etc

<npdoty> (I think bytes cost has been discussed since too, but those Santa Clara minutes was in my immediate memory)

aaaaand break

<npdoty> thanks for scribing, sean!

<bryan> Ian's response is understood, but from a network operator perspective the cost of carrying unnecessary bytes is excessive

open issues

<npdoty> scribenick: KevinT_

issue 43?

trackbot, issue=43?

<trackbot> Sorry, KevinT_, I don't understand 'trackbot, issue=43?'. Please refer to http://www.w3.org/2005/06/tracker/irc for help

dsinger: agree in principle

<tlr> issue-23 closed

<trackbot> ISSUE-23 Possible exemption for analytics closed

<tlr> issue-43 closed

<trackbot> ISSUE-43 Sites should be able to let the user know their options when they arrive with Do Not Track closed

<tlr> trackbot, reopen issue-23

<trackbot> ISSUE-23 Possible exemption for analytics re-opened

<tlr> issue-105?

<trackbot> ISSUE-105 -- Response header without request header? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/105

<tlr> ACTION: Tom to modify response header text according to resolution of issue-105 (MUST, otherwise MAY) [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action45]

<trackbot> Sorry, couldn't find user - Tom

<tlr> ACTION: Lowenthal to modify response header text according to resolution of issue-105 (MUST, otherwise MAY) [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action46]

<trackbot> Created ACTION-90 - Modify response header text according to resolution of issue-105 (MUST, otherwise MAY) [on Thomas Lowenthal - due 2012-02-01].

<aleecia> (Tom is tl)

<tlr> issue-105 closed

<trackbot> ISSUE-105 Response header without request header? closed

107, 90, 48, 51, 76, 79 are all issues related to response headers

<rigo> issue-61?

<trackbot> ISSUE-61 -- A site could publish a list of the other domains that are associated with them -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/61

dsinger and shane to add issue 61 to existing action item (need to find #)

matthias: issue 47 moved to response header team

<tlr> issue-61?

<trackbot> ISSUE-61 -- A site could publish a list of the other domains that are associated with them -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/61

next topic: raised TPE issues

issue-114?

<trackbot> ISSUE-114 -- Guidance or mitigation of fingerprinting risk for user-agent-managed site-specific tracking exceptions -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/114

ISSUE-109?

<trackbot> ISSUE-109 -- siteSpecificTrackingExceptions property has fingerprinting risks: is it necessary? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/109

<tlr> ACTION: zeigler to write text on fingerprinting risk (ISSUE-109, ISSUE-114), with Nick Doty [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action47]

<trackbot> Created ACTION-91 - Write text on fingerprinting risk (ISSUE-109, ISSUE-114), with Nick Doty [on Andy Zeigler - due 2012-02-01].

<tlr> issue-109 open

<tlr> trackbot, issue-109 is open

<trackbot> Sorry, tlr, I don't understand 'trackbot, issue-109 is open'. Please refer to http://www.w3.org/2005/06/tracker/irc for help

issue=113?

<tlr> issue-113?

<trackbot> ISSUE-113 -- Should there be a JavaScript API to prompt for a Web-wide exception? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/113

<tlr> issue-109?

<trackbot> ISSUE-109 -- siteSpecificTrackingExceptions property has fingerprinting risks: is it necessary? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/109

<tlr> issue-91?

<trackbot> ISSUE-91 -- Might want prohibitions on first parties re-selling data to get around the intent of DNT -- closed

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/91

<tlr> issue-114?

<trackbot> ISSUE-114 -- Guidance or mitigation of fingerprinting risk for user-agent-managed site-specific tracking exceptions -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/114

shane: first party context - ex: web-wide exception for widget (social network widget)

ksmith: can add widgets without going to widget publisher's site

ndoty: not a high priority

<tlr> ACTION: alan to write text for issue-113 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action48]

<trackbot> Created ACTION-92 - Write text for issue-113 [on Alan Chapell - due 2012-02-01].

<tlr> issue-113

<tlr> issue-113?

<trackbot> ISSUE-113 -- Should there be a JavaScript API to prompt for a Web-wide exception? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/113

issue=115?

<tlr> issue-115?

<trackbot> ISSUE-115 -- Should sites be able to manage site-specific tracking exceptions outside of the user-agent-managed system? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/115

issue-115?

<trackbot> ISSUE-115 -- Should sites be able to manage site-specific tracking exceptions outside of the user-agent-managed system? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/115

shane: need to consider existing opt-ins already in place, shouldn't be MUST

<rvaneijk> issue-14?

<trackbot> ISSUE-14 -- How does what we talk about with 1st/3rd party relate to European law about data controller vs data processor? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/14

andyzei: not cool to overnotify users, DNT-2 - please don't track me even if you think you can

jeff chester: concerns around lack of transparency for out of band --> suggest best practices

<tlr> ACTION: jeff to write suggestions for best practices for issue-115, assisted by Ninja, Alan, Jim - due in 2 weeks [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action49]

<trackbot> Sorry, couldn't find user - jeff

<tlr> ACTION: chester to write suggestions for best practices for issue-115, assisted by Ninja, Alan, Jim - due in 2 weeks [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action50]

<trackbot> Created ACTION-93 - write suggestions for best practices for issue-115, assisted by Ninja, Alan, Jim [on Jeffrey Chester - due 1970-01-01].

<tlr> action-93 due 2012-02-07

<trackbot> ACTION-93 write suggestions for best practices for issue-115, assisted by Ninja, Alan, Jim due date now 2012-02-07

<tlr> issue-115?

<trackbot> ISSUE-115 -- Should sites be able to manage site-specific tracking exceptions outside of the user-agent-managed system? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/115

<bryan> +1 to Rigo's comment

jimK: past precedent of tracking cookies deposited without consent don't qualify for consent in DNT

jmayer: browsers have better set of incentives to educate users vs. business use of privacy policy; if not in browser - have stronger language around notice to be accountability
... opt-in api - allow for adding text to make user message easier to understand (vs. domain only)

<bryan> Re sites managing user preferences using out of band methods, browsers are not the only user agents intended to be covered by DNT requirements. Users may not be able to manage DNT preferences across all HTTP-based applications effectively, thus out of band methods can help ensure users can more effectively manage DNT options across all their HTTP-based apps.

<tlr> ACTION: jmayer to write proposal to communicate information about consent to user as part of opt back in API [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action51]

<trackbot> Created ACTION-94 - Write proposal to communicate information about consent to user as part of opt back in API [on Jonathan Mayer - due 2012-02-01].

rigo: to bryan - tpl revisited

jc wants to rumble

issue-112?

<trackbot> ISSUE-112 -- How are sub-domains handled for site-specific exceptions? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/112

issue-118?

<trackbot> ISSUE-118 -- Should requesting a user-agent-managed site-specific exception be asynchronous? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/118

<tlr> ACTION: npdoty to write proposal for asynchronous API (ISSUE-118) [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action52]

<trackbot> Created ACTION-95 - Write proposal for asynchronous API (ISSUE-118) [on Nick Doty - due 2012-02-01].

<npdoty> action-95 due 02-07

<trackbot> ACTION-95 Write proposal for asynchronous API (ISSUE-118) due date now 02-07

issue-62?

<trackbot> ISSUE-62 -- The browser or embedding site could send an architectural signal to an embedded iframe so it knows it's in a 3rd-party context -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/62

issue-46?

<trackbot> ISSUE-46 -- Enable users to do more granular blocking based on whether the site responds honoring Do Not Track -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/46

<tlr> trackbot, ping

<tlr> action-95 due 2012-02-07

<tlr> issue-62?

<tlr> issue-62 closed

<trackbot> Sorry, tlr, I don't understand 'trackbot, ping'. Please refer to http://www.w3.org/2005/06/tracker/irc for help

<trackbot> ACTION-95 Write proposal for asynchronous API (ISSUE-118) due date now 2012-02-07

<trackbot> ISSUE-62 -- The browser or embedding site could send an architectural signal to an embedded iframe so it knows it's in a 3rd-party context -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/62

<trackbot> ISSUE-62 The browser or embedding site could send an architectural signal to an embedded iframe so it knows it's in a 3rd-party context closed

<tlr> +1 to Tom. This is out of scope.

<karl> automatic is missing in that issue :)

tl: out of scope + matthias, rigo

<karl> issue-46?

<trackbot> ISSUE-46 -- Enable users to do more granular blocking based on whether the site responds honoring Do Not Track -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/46

<npdoty> issue-46?

<trackbot> ISSUE-46 -- Enable users to do more granular blocking based on whether the site responds honoring Do Not Track -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/46

issue-77?

<trackbot> ISSUE-77 -- How does a website determine if it is a first or third party and should this be included in the protocol? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/77

<tlr> issue-46: out of scope

<trackbot> ISSUE-46 Enable users to do more granular blocking based on whether the site responds honoring Do Not Track notes added

<tlr> issue-46 closed

<trackbot> ISSUE-46 Enable users to do more granular blocking based on whether the site responds honoring Do Not Track closed

discussed: don't need protocol close 77

trackbot, close issue-77

<trackbot> ISSUE-77 How does a website determine if it is a first or third party and should this be included in the protocol? closed

issue-108?

<trackbot> ISSUE-108 -- Should/could the tracking preference expression be extended to other protocols beyond HTTP? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/108

<tl> Revised response header spec: https://pad.riseup.net/p/3g4uYDAvNb1n

dsinger: suggest text: future documents can be built with same effects into future protocols

jmayer: intent to apply to all protocols.

aleecia: add to dsinger's comments - original intent was for http, but can be mirrored to other protocols and still remain DNT

roy: belongs in compliance spec?

<karl> HTTP Tracking Preference Expression

<npdoty> "our work is designed to apply to all HTTP communications (including mobile apps) and may additionally be applied to additional protocols (ex: SPDY). While we design for HTTP, there is nothing to prevent other protocols from adopting the approaches, definitions, etc. we work out."

<bryan> http://tools.ietf.org/html/draft-ietf-core-coap-08 is the current version of CoAP and for M2M this will be the transport for HTTP-based applications on constrained bearers for machine-to-machine applications.

<scribe> ACTION: issue-108 jmayer to create text for other protocols [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action53]

<trackbot> Sorry, couldn't find user - issue-108

<karl> HTTP Tracking Preference Expression is one possible implementation of Tracking compliance specification

<scribe> ACTION: jmayer for issue 108 for future protocols [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action54]

<trackbot> Created ACTION-96 - For issue 108 for future protocols [on Jonathan Mayer - due 2012-02-01].

<scribe> ACTION: dsinger issue 108 add similar protocol statements to TPE [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action55]

<trackbot> Sorry, couldn't find user - dsinger

<npdoty> dsinger, I think the existing text in a note on ISSUE-108 would be a good starting point for that sentence to add to TPE; we discussed it on a call in December

<scribe> ACTION: dsinger add similar protocol language to TPE spec [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action56]

<trackbot> Sorry, couldn't find user - dsinger

<npdoty> ACTION: singer to add similar protocol language to TPE spec [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action57]

<trackbot> Created ACTION-97 - Add similar protocol language to TPE spec [on David Singer - due 2012-02-01].

<npdoty> action-97: dsinger, I think the existing text in a note on ISSUE-108 would be a good starting point for that sentence to add to TPE; we discussed it on a call in December

<trackbot> ACTION-97 Add similar protocol language to TPE spec notes added

trackbot, close issue-110

<trackbot> ISSUE-110 Is top-level-origin for outgoing requests workable for site-specific tracking exceptions? closed

issue-111?

<trackbot> ISSUE-111 -- Different DNT values to signify existence of associated exceptions -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/111

tl: feels this is covered already

rigo: +1 using p3p case example

ndoty: shane feels this is valuable use case for publishers (keep raised)

<karl> tl, does DNT:1 could block an HTTP referer? example an iframe. Thinking about the wikipedia just cited, where the tracking could occur just with the words in the URI.

<tlr> ACTION: shane to bring input on ISSUE-111 to the group; otherwise it's closed [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action58]

<trackbot> Created ACTION-98 - Bring input on ISSUE-111 to the group; otherwise it's closed [on Shane Wiley - due 2012-02-01].

<tl> karl, DNT not a technical measure, just a preference expression. Perhaps you could change your browser to add this behavior?

<karl> yup… but breaking a lot of things. :) hmmm difficult

<npdoty> action-98: Shane, since most of the people in the group were happy to close this issue now, we'd like to see an explanation of text/use cases for why we should continue to discuss it or adopt it

<trackbot> ACTION-98 Bring input on ISSUE-111 to the group; otherwise it's closed notes added

<clp> Hello, sorry to be late, I can't listen on phone but just wanted to drop in briefly.

<npdoty> trackbot, end meeting

Summary of Action Items

[NEW] ACTION: alan to write text for issue-113 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action48]
[NEW] ACTION: amy to draft text for issue-28 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action04]
[NEW] ACTION: chester to propose counterproposal for ISSUE-39 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action13]
[NEW] ACTION: chester to write suggestions for best practices for issue-115, assisted by Ninja, Alan, Jim - due in 2 weeks [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action50]
[NEW] ACTION: chester to write-up Do Not Create A Profile [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action22]
[NEW] ACTION: david singer and shane wiley to determine whether dave singer's paradigm on parties would be a solution for Issue 27 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action31]
[NEW] ACTION: describe the reason for setting DNT=null [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action36]
[NEW] ACTION: doty to write a clarification of dnt:c to apply to never-tracked resources [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action39]
[NEW] ACTION: dsinger add similar protocol language to TPE spec [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action56]
[NEW] ACTION: dsinger issue 108 add similar protocol statements to TPE [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action55]
[NEW] ACTION: dsinger with shane to determine whether dave singer's new party paradigm would be a solution for Issue 27 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action30]
[NEW] ACTION: harvey to propose renaming issue-54 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action16]
[NEW] ACTION: issue-108 jmayer to create text for other protocols [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action53]
[NEW] ACTION: jeff to write suggestions for best practices for issue-115, assisted by Ninja, Alan, Jim - due in 2 weeks [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action49]
[NEW] ACTION: jeffc to write-up Do Not Create A Profile [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action21]
[NEW] ACTION: jmayer for issue 108 for future protocols [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action54]
[NEW] ACTION: jmayer to write proposal to communicate information about consent to user as part of opt back in API [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action51]
[NEW] ACTION: jonathan mayer to draft text to send out around a potential technical solution [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action38]
[NEW] ACTION: jonathan to propose new text for ISSUE-16 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action11]
[NEW] ACTION: justin to propose text on ISSUE-39 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action14]
[NEW] ACTION: justin to provide text on ISSUE-54 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action15]
[NEW] ACTION: karl dubost to validate whether TPE lists can be used to store opt-back-in features or not [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action29]
[NEW] ACTION: Karl to validate whether the TPLs can also express a cluster of whitelists for use with the Javascript API as defined by Nick [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action32]
[NEW] ACTION: karl to write up Forget Me/ Do Not Cross Time Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action27]
[NEW] ACTION: kathy to review aleecia's draft on issue-25, issue-74 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action19]
[NEW] ACTION: kevin smith to write up Do Not Cross-Site Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action24]
[NEW] ACTION: kevin to produce draft for ISSUE-21 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action01]
[NEW] ACTION: ksmith5 to write up Do Not Cross-Site Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action25]
[NEW] ACTION: lowenthal to color bikeshed in distinguishable colors [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action42]
[NEW] ACTION: Lowenthal to modify response header text according to resolution of issue-105 (MUST, otherwise MAY) [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action46]
[NEW] ACTION: lowenthal to propose clarification on ISSUE-39 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action12]
[NEW] ACTION: lowenthal to review andy's text on issue-65 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action17]
[NEW] ACTION: lowenthal to write counter-proposal for issue-36 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action10]
[NEW] ACTION: lowenthal to write no-change proposal for ISSUE-45 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action08]
[NEW] ACTION: mayer to draft text for issue-28 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action03]
[NEW] ACTION: mayer to write "text in privacy policy" proposal for ISSUE-45 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action09]
[NEW] ACTION: ninja to write-up Do Not Collect Identifiable Information [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action20]
[NEW] ACTION: npdoty to find duplicate for ISSUE-33, add note [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action05]
[NEW] ACTION: npdoty to find out whether ISSUE-43 is a duplicate (and of what) [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action06]
[NEW] ACTION: npdoty to write proposal for asynchronous API (ISSUE-118) [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action52]
[NEW] ACTION: rigo shane wiley roy fielding sean harvey to draft a simpler version of the spec [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action43]
[NEW] ACTION: roy fielding to make final decision on response header name [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action44]
[NEW] ACTION: roy fielding to take the text from the email conversation & place it in the doc [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action35]
[NEW] ACTION: shane to write-up a hybrid of Do Not Profile and Do Not Cross-Site Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action23]
[NEW] ACTION: shane wiley to describe the reason for setting DNT=null [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action37]
[NEW] ACTION: singer to add similar protocol language to TPE spec [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action57]
[NEW] ACTION: singer to write up Do Not Cross-Site Track [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action26]
[NEW] ACTION: tl to Assess the proposed JavaScript opt-back-in API with Mozilla mothership's JS gurus [ISSUE-27]. [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action33]
[NEW] ACTION: tl to draft new values for the DNT states [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action41]
[NEW] ACTION: tl to write no-change proposal for ISSUE-45 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action07]
[NEW] ACTION: tlowenth to Assess the proposed JavaScript opt-back-in API with Mozilla mothership's JS gurus [ISSUE-27]. [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action34]
[NEW] ACTION: tom lowenthal to draft new letter indicators [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action40]
[NEW] ACTION: Tom to modify response header text according to resolution of issue-105 (MUST, otherwise MAY) [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action45]
[NEW] ACTION: Tom to validate whether TPE lists can be used to store opt-back-in features or not [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action28]
[NEW] ACTION: trilli to produce draft for ISSUE-21 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action02]
[NEW] ACTION: zeigler to link previous text proposal from issue-65 [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action18]
[NEW] ACTION: zeigler to write text on fingerprinting risk (ISSUE-109, ISSUE-114), with Nick Doty [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action47]
 
[DONE] ACTION: shane to bring input on ISSUE-111 to the group; otherwise it's closed [recorded in http://www.w3.org/2012/01/25-dnt-minutes.html#action58]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2012/02/15 09:00:02 $